The General Oversight Coordination (CGF) of Brazil's National Data Protection Authority (ANPD) identified signs of irregularities in the use of facial recognition systems for ticket sales and access control at 23 soccer clubs. The investigation found failures in transparency and in the protection of data belonging to children and adolescents, as required by Brazil's General Data Protection Law (LGPD).
In light of the potential violations, the CGF ordered the initiation of oversight proceedings and issued a preventive measure requiring the clubs, within 20 business days, to publish clear information about biometric enrollment and use on their ticket sales platforms. Additionally, the clubs must submit Personal Data Protection Impact Reports (RIPD) and justify how the processing of biometric data from minors serves the best interests of children and adolescents.
The adoption of biometric systems stems from compliance with the General Sports Law (Law 14,597/2023 – LGE), which mandates biometric enrollment for fans over 16 years old at stadiums with a capacity of more than 20,000 people. As a result, several clubs have implemented facial recognition at stadium entrances and require prior enrollment when purchasing tickets.
While the LGPD does not prohibit the use of biometric data, such processing involves sensitive personal data, which demands stricter compliance with the law. Responsible parties must implement adequate security and transparency measures to prevent risks to fans.
Source: ANPD
This post was summarized from the original decision using ChatGPT version 4o, with human review.