The National Data Protection Authority (ANPD) (Brazil's National Data Protection Authority) has launched a public input process on the processing of biometric data, seeking contributions from society to help regulate this category of sensitive data. The initiative follows enforcement proceedings opened against Tools for Humanity, the company behind the Worldcoin project, which attempted to collect Brazilian users' iris data in exchange for cryptocurrency. The ANPD had adopted a preventive measure suspending that activity, drawing on analyses from authorities in other countries as well as the Technological Radar report on biometrics and facial recognition.
The ANPD's initiative is grounded in the need to address the growing normalization of biometric mechanisms being deployed without adequate risk assessment or adherence to the principles of LGPD (Brazil's General Data Protection Law). Although biometric data has specific permitted processing scenarios — including identification and authentication — the general principles of the LGPD still apply, particularly the principle of necessity. Cases such as the use of biometric kiosks in shopping galleries and facial recognition systems in residential buildings illustrate this unregulated expansion of the technology.
The public consultation was structured around five thematic areas covering definitions and principles, data subject rights, and vulnerable groups, among others. Issues raised include active transparency requirements for data controllers, differentiated treatment of behavioral biometrics compared to traditional biometrics, criteria for applying the fraud prevention legal basis, technical and administrative security measures, and specific protections for children and adolescents. The ANPD aims to establish minimum risk assessment and monitoring parameters to ensure compliance with the LGPD.
The regulation also aims to address risks of discrimination and algorithmic bias — particularly against Black individuals — as well as security concerns related to the deployment of these mechanisms in commercial settings. The case involving the São Paulo Metro, which resulted in a R$ 500,000 award for collective moral damages due to the unauthorized collection of data for commercial purposes, illustrates the risks of such practices. The ANPD acknowledges that even where the LGPD's application is excluded for criminal prosecution purposes, the law's principles must still be observed — underscoring the importance of specific regulation for this sensitive data category.
This post was summarized from its original version with the use of AI, with human review.
With information from ANPD