Biometrics is no longer a futuristic feature. It's in our cell phones, security systems, building entrances, store checkouts, and even in student attendance control at public schools. Promising speed and security, this technology is advancing by leaps and bounds. But what seems like inevitable progress may also mask a dangerous challenge: the erosion of privacy.
What is biometrics and why is it a concern?
Biometrics is a technology that allows the identification or authentication of individuals based on unique and measurable characteristics of the human body (physical biometrics) or their behavior (behavioral biometrics). Unlike passwords or cards, which can be shared, lost, or replaced, biometric data is intrinsically linked to a person's identity and is, by definition, immutable and permanent. Common examples include fingerprints, facial recognition, iris scans, hand geometry, vascularization, voice, DNA, as well as behavioral characteristics such as gait, typing dynamics, signature, and facial expressions. This information is widely used in access control systems, bank authentication, social benefit programs, public surveillance, and in digital platforms and mobile applications.

However, despite its effectiveness and practicality, the use of biometrics raises significant ethical, legal, and technical concerns. One of the main points of concern is the irreversible nature of this data. Unlike passwords, which can be changed in case of a leak, an iris or fingerprint exposed in a security incident cannot be replaced. This means that a breach represents a lifelong risk to a person's identity. Furthermore, biometrics allows for the tracking of individuals remotely and often without their knowledge, as in the case of facial recognition by cameras installed in public spaces. This type of practice can lead to mass surveillance and the undermining of civil liberties and fundamental rights.
Another point of concern relates to algorithmic inequalities. Biometric systems, especially facial recognition systems, can exhibit performance biases, such as higher error rates among women, Black people, and other minorities. This is due to unbalanced training databases and can lead to algorithmic discrimination. Added to this is the risk of data misuse, such as its exploitation for purposes not disclosed to the data subject at the time of collection—for example, behavioral analysis, targeted marketing, or sharing with police and commercial databases without valid consent.
In the field of cybersecurity, the centralization of biometric data in large databases held by governments, financial institutions, and technology companies represents an attractive target for criminals, since any security breaches can compromise sensitive and unalterable information. Given this scenario, the General Data Protection Law (Law No. 13.709/2018) classifies biometrics as sensitive personal data, imposing strict requirements for its collection, use, and storage. Among the obligations are the need for specific and explicit consent, the clear and legitimate definition of the purpose, the adoption of technical and administrative information security measures, and the preparation of Data Protection Impact Assessments (DPIAs) in high-risk cases.
In short, while biometrics represents an important security and authentication tool, its use demands rigorous technical and legal criteria. When misused or lacking adequate governance, it can become a risk factor for privacy, human dignity, and individual freedom. Technological advancement, especially with the spread of artificial intelligence and algorithmic surveillance, makes the debate on biometrics increasingly urgent and essential to ensure fundamental rights in the digital environment.
Indiscriminate use in Brazil
The most recent study by the ANPD revealed that several Brazilian states already use facial recognition and other forms of biometrics in schools, airports, public security systems, pharmacies, and even in retail. Cases like that of ViaQuatro, in which hidden cameras in subway advertising totems captured passengers' facial expressions to measure reactions to advertisements, provoked legal challenges and culminated in compensation for collective moral damages.
In other contexts, such as the Federal Government's +Secure boarding program, facial biometrics are already being integrated with data from Serpro (Brazilian Federal Data Processing Service) on domestic flights at Congonhas and Santos Dumont airports. And in the healthcare sector, iris biometric testing is being explored for the authentication of unconscious patients or those without documentation.
Football clubs and the new obligation to identify fans
One sector particularly impacted by this evolution is sports. The new General Sports Law (Law No. 14.597/2023) and initiatives such as the Safe Stadium Bill (Bill No. 4.438/2020) impose specific obligations on football clubs and organizing bodies regarding the biometric identification of fans. The idea is to curb practices such as racism, violence in stadiums, and the violation of court-ordered restrictions imposed on fans.
In these cases, facial biometrics emerges as the preferred alternative. The Brazilian Football Confederation (CBF), in fact, signed an agreement with the Ministry of Justice to enable a national facial recognition system in stadiums. The clubs, in turn, need to adapt their operations — from the image capture infrastructure to the adoption of technical and organizational measures required by the LGPD (Brazilian General Data Protection Law), such as the preparation of Personal Data Protection Impact Assessment Reports (PIPRs).
Furthermore, the legal basis for processing this sensitive data must be solid, including the analysis of legitimate interest, credit protection, or the execution of public policies when carried out in cooperation with the State. It's not enough to simply "install cameras"; it's necessary to consider data governance, information security, and transparency—otherwise, the clubs risk facing administrative and legal consequences.
Between innovation and covert surveillance
Between the promise of innovation and the risk of disguised surveillance, biometric systems have advanced under the guise of public safety and technological modernization. Increasingly, cities and public and private institutions are investing in facial recognition tools, iris scanning, and other forms of automated identification, arguing that they offer greater control, efficiency, and protection to the population. A prime example is the "Smart Sampa" program in the city of São Paulo, which plans to install up to 40 cameras with facial recognition throughout public spaces. Although announced as a security measure, the project has been criticized by experts and civil society organizations for its lack of transparency regarding the use, sharing, and protection of the collected data, especially that stored in databases shared between public agencies and companies.
In this context, biometrics ceases to be merely an authentication tool and takes on a central role in surveillance and social control policies. Technologies such as iris scanning, which offer a very high degree of accuracy in identifying individuals, have generated controversy in several countries. A recent case that gained international attention was that of the company Tools for Humanity, linked to the Worldcoin project, which collected biometric data from Brazilian citizens—especially iris images—in exchange for cryptocurrencies. The National Data Protection Authority (ANPD) understood that the practice violated principles of the General Data Protection Law, especially because it constituted vitiated consent, obtained through financial reward, which compromises freedom and spontaneity. Furthermore, the ANPD pointed out structural flaws in the processing of this data, such as the lack of clear information about the deletion of records, the absence of a designated data protection officer in Brazil, and the impossibility of effectively revoking consent.
This scenario raises a red flag: while biometrics is promoted as a symbol of progress and sophistication, it can also be used as a disguised mechanism of social control, especially in contexts where citizens lack full knowledge or control over how their data is collected, stored, and used. The absence of robust governance, transparency, and well-defined limits on the use of these technologies can transform protective measures into instruments of continuous surveillance, directly affecting the right to privacy and individual freedom. Therefore, it is essential that the use of biometric solutions, particularly when adopted by public entities, be accompanied by clear regulations, active oversight, and effective data protection guarantees—otherwise, a culture of surveillance incompatible with the principles of a democratic state governed by the rule of law will be established.
The role of regulation
Although the General Data Protection Law (LGPD) recognizes biometric data as sensitive, Brazil still lacks specific regulations on the use of video surveillance and technologies such as iris scanning. Bills such as PL 3.069/2022 and PL 2.338/2023 attempt to fill this gap, but are progressing slowly in the National Congress.
Meanwhile, countries like Italy and France have already imposed multimillion-dollar fines against companies for improper collection of facial images and ocular biometrics, as in the case of Clearview¹.
Biometrics and the future of identity
Biometrics is increasingly becoming a central element in the future of digital identity, and its adoption in passwordless systems is already a widespread reality. Technology giants like Apple, Google, and Microsoft have implemented solutions that replace traditional credentials with biometric authentication, using facial recognition, iris scanning, or fingerprinting. What was once just an additional security measure has become the primary criterion for accessing digital devices, applications, and services. This paradigm shift demands a new approach to protecting this data: treating it not only as technical information but as an extension of the individual's own identity. In this context, ensuring the integrity, confidentiality, and ethical use of biometrics becomes not only a legal obligation but an ethical imperative given the irreversible damage a breach can cause.
Even more complex is the arrival of so-called neurobiometrics, an emerging field involving technologies capable of mapping, recording, and interpreting neural signals emitted by the human brain. Brain-computer interfaces (BCIs), which were initially developed for therapeutic purposes—such as assisting people with paralysis—are already being tested for commercial and potentially state applications. These interfaces are capable of capturing unique patterns of brain activity, creating a new frontier in individual identification based on deeply sensitive biometric data. The possibility of reading intentions, emotions, or cognitive patterns from brain activity opens the door to uses that challenge fundamental principles such as informational self-determination and mental privacy.
In this scenario, the indiscriminate use of neurodata by companies or governments may represent an even more serious threat than traditional forms of biometrics. After all, it involves not only recognizing a face or an iris, but accessing and interpreting content directly linked to an individual's thoughts and internal processes. The absence of specific regulations on neurobiometrics, both in Brazil and in other jurisdictions, exacerbates the risks, requiring an urgent debate on the ethical and legal limits for the commercial and state exploitation of this data.
The evolution of biometrics as a global identity standard brings clear benefits in terms of convenience and security, but poses proportional challenges in terms of protecting fundamental rights. As biometric data replaces passwords and becomes universal access credentials, the responsibility grows to ensure that its collection, storage, and use are supported by principles of transparency, necessity, proportionality, and accountability. When it comes to human identity in its most intimate expression—be it a fingerprint, an iris, or a synapse—protection is more than prevention: it is respecting the limits of dignity and individual autonomy in an era of profound digital transformation.
Conclusion
Biometrics represents a significant advancement in terms of convenience and security, allowing for fast, accurate, and often invisible identity authentication. However, its adoption demands responsibility commensurate with the sensitivity of the data involved. When dealing with unique and immutable characteristics of the human body—such as the iris, face, or fingerprint—the improper exposure or misuse of this data can lead to serious and irreversible consequences. Unlike passwords, which can be changed, biometric data, once compromised, remains vulnerable for life.
Therefore, it is essential that the use of biometrics is always guided by principles of transparency, necessity, proportionality, and security. The collection of this data must have a clear and legitimate purpose, with an adequate legal basis and with the full knowledge of the data subject. The adoption of technical and administrative measures to prevent unauthorized access, leaks, or improper reuse is not only a good practice—it is a legal and ethical obligation.
In times of increasing digitalization and reliance on automated identification technologies, protecting biometric data is protecting human identity itself. The challenge is not to block progress, but to ensure that it occurs with respect for fundamental rights. Biometrics should be a tool at the service of freedom and dignity, not an instrument of control or exclusion. The future of digital identity will increasingly depend on our ability to balance innovation with responsibility.