Facial biometrics in the field

21/07/2025 - News

The National Football Day is celebrated on 07/19. A national passion, target of billions of dollars in investment and fierce historical disputes, the sport is entering a new reality that is already beginning to affect fans of some of Brazil’s main football teams: the mandatory requirement of facial biometrics registration for ticket purchases and access to stadiums.

This necessity stems from the General Sports Law (Law No. 14,597/2023), which defined that, within a maximum period of up to two years from the law’s entry into force – which occurred at the end of May this year – sports arenas with a capacity for more than 20,000 people must implement image monitoring systems at turnstiles and biometric identification for spectators over 16 years old.

This new obligation aims to identify individuals of interest to justice and public safety, as well as to promote actions to combat illicit activities committed during sporting events. Furthermore, the application of facial recognition technology seeks, for example, to verify whether the ticket purchaser has open arrest warrants or is prohibited from attending the games, all linked to the National Plan for a Culture of Peace in Sports.

Given this new reality, clubs and arena/stadium administrators must observe a series of legal obligations and provisions. This is because, in addition to all obligations related to the consumer relationship with spectators, the General Personal Data Protection Law (Law 13,709/2018) (‘LGPD’) must also be observed, which grants greater protection to sensitive personal data [1], such as the facial biometrics now required for ticket purchase and access to sports venues.

In view of the LGPD’s applicability to the matter, the National Data Protection Authority (ANPD) published Technical Note No. 5/2025/FIS/CGF/ANPD [2] in February, which assessed the processing of fans’ biometric data by football clubs. The note concluded, at the time, that a large part of the clubs were not yet compliant with data protection legislation, especially regarding transparency and the fulfillment of data subject rights.

The Authority also expressed a series of concerns regarding the implementation of facial recognition technologies in stadiums, including the fact that fans will be exposed to the massive capture of their personal data and its reuse for purposes other than those for which they were initially collected.

In this regard, the ANPD indicated the need for clubs to prepare a Personal Data Protection Impact Assessment (DPIA), given the scenario of large-scale, high-risk processing.

Furthermore, concern was highlighted regarding the sharing of personal data with third parties, whether private entities (such as ticket sales companies) or public entities (such as police bodies and judicial authorities), as well as in relation to potential discriminatory treatment.

The scenario is quite complex and generates a series of necessary and inescapable discussions. In this sense, it is important to highlight some of the main points of attention to be observed proportionately by football clubs that have adopted, or will adopt, facial recognition for access to their games, as well as other companies involved in the sector:

  • Attention to the Principle of Transparency: Football clubs, when processing the personal data of their fans, must ensure that fans have access to information about the processing of their data, both in relation to the biometric registration and the facial biometric identification procedures on game days. Analyzing the websites of the clubs cited by the ANPD in its technical note, it was noted that some, despite already using facial recognition in their stadiums and carrying out initial updates to their programs, still do not adequately provide information to the data subjects regarding the processing of biometric data, such as processing purposes, sharing scenarios, among others.

  • Identification of Processing Agents: The LGPD defines the existence of two processing agents in its text: controllers, who are responsible for decisions regarding the processing of personal data, and processors, who carry out the processing of personal data on behalf of the controllers. Furthermore, in some scenarios, the processing flow may involve two controllers, who may be joint or singular controllers, a situation in which they share the existing responsibility. It is important to highlight that, in most cases, in order to operationalize the fans’ facial recognition flow, clubs and stadium administrators partner with ticketing companies. In this context, and considering the presence of several companies that will carry out the processing of fans’ personal and sensitive personal data (clubs, ticketing companies, administrators, among others), it is essential that clubs correctly identify the position of each party, as well as define, through contractual instruments, the responsibilities and obligations of each, identifying and mitigating risks, and more rigorously selecting their partners.

  • Sharing Data with Third Parties: Given the entire flow related to the facial recognition of fans and spectators, there may be sharing of personal data with third parties, such as ticketing companies and the Public Authority itself. In these scenarios, clubs must ensure that the purposes of such sharing are lawful and based on personal data protection legislation. Furthermore, as already highlighted, data subjects must be aware of such sharing. It is important to emphasize that, specifically in relation to the sharing of personal data with the Public Authority, the ANPD expressed the understanding that ‘the sharing of fans’ personal data with public security agencies, for the exclusive purposes of public security and activities of investigation and repression of criminal offenses, is incompatible with the specific purposes of personal data processing resulting from compliance with the legal obligations imposed by the General Sports Law (…)’. Thus, it is essential that clubs pay special attention to this type of sharing, evaluating other suitable and adequate instruments for any other processing, adjusting processing scenarios and other applicable regulations.

  • Definition of Processing Purposes: Among the obligations arising from the LGPD to be observed during spectator facial recognition procedures, the need to define the purposes for which the data will be used stands out. Regarding the purposes, it is important to highlight that the entire personal data processing activity must have a determined purpose. That is, personal data cannot be processed without knowing exactly the objective to be achieved with that processing. Furthermore, the purposes must be informed to the data subjects.

  • Adoption of Robust Security Measures: Given the extensive processing of personal data by clubs, especially sensitive personal data, it is essential that clubs and stadiums adopt technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication, or dissemination. Examples of measures to be adopted include: robust data access controls, implementation of reliable encryption systems, conducting vulnerability tests, assigning adequate access permissions, continuous monitoring of user activities, application of technical and organizational measures to prevent unauthorized removal of personal data, and execution of customized and recurring training for involved teams, among others.

  • Non-discrimination: The use of facial recognition technologies raises relevant concerns about possible discriminatory effects, mainly in relation to certain vulnerable social groups, in view of potential errors in the identification processes, derived from the use of algorithms with discriminatory biases and outdated databases, resulting in limitations to the fundamental rights and guarantees of the data subjects. Thus, it is essential that clubs pay extra attention to the databases used, checking their method of constitution and making updates when necessary.

In view of all the above, and even though some clubs have already taken steps to comply with the legislation, many are still inactive in the compliance process. While it is understandable that club boards dedicate their efforts to their main product, which is the playing field, any violations related to personal data may generate significant financial losses for the clubs, partners, and other agents involved in this environment.

Furthermore, in a sport so popular and media-exposed in Brazil, adopting measures that mitigate the risks related to personal data processing can prevent enormous damage to the brand of the clubs, which are loved by millions of Brazilians.


[1] Sensitive personal data, according to the definition provided in Article 5 of the LGPD, is all ‘personal data concerning racial or ethnic origin, religious conviction, political opinion, affiliation to a union or organization of a religious, philosophical or political nature, data concerning health or sexual life, genetic or biometric data, when linked to a natural person;’.

[2] The ANPD technical note pointed to the following football clubs as interested parties: Palmeiras, Flamengo, Vasco, Goiás, Fluminense, Bahia, Sport, Athletico Paranaense, Grêmio, Atlético Mineiro, Botafogo, Náutico, Guarani, Santos, Coritiba, Internacional, Remo, Paysandu, América-RN, Confiança, Fortaleza, Ceará, Cuiabá, São Paulo, Corinthians, América-MG, Avaí, Atlético-GO, Cruzeiro and Vitória.
