What Counts as Sensitive Personal Data Under the LGPD
Article 5(II) of the LGPD (Lei Geral de Proteção de Dados, Law No. 13,709/2018) draws a hard line between ordinary personal data and a more protected category it calls sensitive personal data (dados pessoais sensíveis). The definition is exhaustive, not illustrative. Sensitive personal data means any information relating to a natural person's:
- Racial or ethnic origin
- Religious belief
- Political opinion
- Trade union membership
- Affiliation to a religious, philosophical, or political organisation
- Health or sexual life
- Genetic data
- Biometric data
This list mirrors much of what the GDPR calls "special categories of data" under Article 9, but the LGPD adds trade union membership and political or philosophical organisation affiliation as standalone categories. The practical effect is the same: if your website or application collects, stores, or processes any of these data types from individuals located in Brazil, a stricter legal regime applies.
Why the Distinction Matters
Sensitive data carries a higher risk of discrimination. A leaked medical record can affect insurance premiums. Exposed political opinions can lead to harassment. Biometric identifiers, once compromised, cannot be changed the way a password can. The LGPD recognises this asymmetry by imposing tighter controls on how sensitive data may be processed, who may process it, and on what legal grounds.
The Brazilian National Data Protection Authority (ANPD) has shown it takes these protections seriously. In January 2025, the ANPD ordered Tools for Humanity, the company behind the World ID (formerly Worldcoin) project, to stop offering cryptocurrency in exchange for iris scans collected from Brazilian citizens. The authority ruled that financial incentives could undermine the validity of consent for biometric data, which qualifies as sensitive under Article 5(II). The company faces daily fines of BRL 50,000 (roughly USD 8,800) if it resumes collection activities without addressing the ANPD's concerns.
The Legal Bases for Processing Sensitive Data (Article 11)
The LGPD provides ten legal bases for processing ordinary personal data under Article 7. For sensitive data, Article 11 narrows these considerably. Only two routes exist.
Route 1: Specific and prominent consent
The data subject (or their legal guardian) must consent specifically and prominently for defined purposes. "Specifically" means the consent cannot be bundled into a general terms-of-service acceptance. "Prominently" means it must stand out - a separate checkbox, a distinct section, or a highlighted clause that makes clear which sensitive data will be collected and why.
The ANPD's cookie guidance, published in October 2023, reinforces this point for the online context. Pre-ticked boxes do not constitute valid consent. Continuing to browse a page does not imply consent. When cookies collect data that could reveal sensitive information - say, a health-related browsing pattern or political affiliation - consent must meet Article 11's higher bar, not just the general requirements of Article 7.
Route 2: Processing without consent (limited exceptions)
Sensitive data may be processed without consent only when it is indispensable for one of these purposes:
| Exception | Typical scenario |
|---|---|
| Legal or regulatory obligation | Employer reports occupational health data to a regulator |
| Public administration executing public policies | Government agency processes health data for vaccination campaigns |
| Studies by a recognised research body | University anonymises health records for epidemiological research |
| Regular exercise of rights in judicial or arbitration proceedings | Party submits medical evidence in a court case |
| Protection of life or physical safety | Hospital accesses a patient's blood type in an emergency |
| Health protection by health professionals or authorities | Doctor processes patient records for diagnosis |
| Fraud prevention and data subject safety in electronic authentication | Bank uses biometric verification to confirm identity at login |
Three legal bases that are available for ordinary personal data under Article 7 are explicitly not available for sensitive data: legitimate interest, contract performance, and credit protection. This is a critical difference from the GDPR, where legitimate interest can sometimes justify processing special category data if the controller meets additional safeguards. Under the LGPD, there is no such flexibility.
Biometric Data: The ANPD's Enforcement Priority
Biometrics have become the ANPD's primary battleground for sensitive data enforcement. In mid-2024, the authority published its second Radar Tecnológico report, focused entirely on biometrics and facial recognition. The report flagged the growing deployment of facial recognition in airports, stadiums, and retail settings across Brazil, and warned that biometric templates stored as hash codes still qualify as sensitive personal data under the LGPD.
The ANPD's 2025-2026 Regulatory Agenda, published in December 2024, lists biometric data regulation as a Phase 1 priority. A public consultation on draft rules for biometric data processing opened in June 2025, covering fingerprints, facial recognition, voice patterns, and iris scans. The rules are expected to set minimum security standards for storage, limits on sharing, and specific compliance obligations for controllers.
For website owners, the biometric angle matters more than it might seem. If your site or app uses facial recognition for authentication, fingerprint-based login, or any form of biometric verification for users in Brazil, you are processing sensitive data under Article 11. The fraud-prevention exception (Article 11, II, g) may apply for authentication in electronic systems, but only if you respect the data subject's rights under Article 9 and only when the individual's fundamental rights do not prevail over the processing purpose.
Sensitive Data and Cookies: Where the Lines Blur
Most cookies do not directly collect sensitive personal data. A session cookie or a language-preference cookie stores a string of characters, not a medical diagnosis. But the ANPD recognises that data collected through cookies can reveal sensitive information indirectly.
The Meta enforcement case in 2024 illustrates this risk. The ANPD suspended Meta's use of data from Facebook and Instagram posts to train generative AI models, partly because scraping public posts could expose information about users' political views, religious beliefs, health conditions, and sexual orientation - all sensitive categories under Article 5(II). The authority imposed a daily fine of BRL 50,000 for non-compliance and required Meta to implement opt-out mechanisms for Brazilian users before processing could resume.
If your website uses functional cookies, analytics trackers, or advertising pixels that build behavioural profiles capable of revealing sensitive attributes, you should treat the consent requirements as falling under Article 11, not the more lenient Article 7. The ANPD's cookie guidance is explicit: non-essential cookies that create behavioural profiles require consent, and where sensitive data is involved, that consent must be specific and separate.
How Sensitive Data Rules Compare: LGPD vs GDPR
Website owners who already comply with the GDPR might assume the LGPD's sensitive data regime is identical. It is not. Several differences matter in practice.
| Aspect | GDPR (Article 9) | LGPD (Article 11) |
|---|---|---|
| Term used | Special categories of data | Sensitive personal data (dados pessoais sensíveis) |
| Categories covered | Racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life/sexual orientation | Same as GDPR, plus affiliation to philosophical or political organisations as a standalone category |
| Legitimate interest as a basis | Possible with additional safeguards (Article 9(2) derogations) | Explicitly excluded for sensitive data |
| Contract performance as a basis | Available under certain conditions | Excluded for sensitive data |
| Fraud prevention basis | No specific standalone basis | Available (Article 11, II, g) for identity verification in electronic systems |
| Consent standard | Explicit consent | Specific and prominent consent for defined purposes |
| Breach notification deadline | 72 hours | 3 business days (per Resolution CD/ANPD No. 15, April 2024) |
| Maximum fine | EUR 20 million or 4% global revenue | 2% of revenue in Brazil, capped at BRL 50 million per infraction |
The fraud-prevention basis under Article 11(II)(g) is a notable addition. It allows controllers to use biometric or other sensitive data for identity verification in electronic registration processes without consent, provided the processing respects data subject rights and does not override fundamental freedoms. This carve-out is relevant for banks, fintech companies, and any platform that uses biometric login for Brazilian users.
Penalties for Getting Sensitive Data Wrong
Article 52 of the LGPD sets out the penalty framework. Fines can reach 2% of gross revenue in Brazil (excluding taxes), capped at BRL 50 million per infraction. Daily fines apply for ongoing violations, subject to the same cap. But monetary penalties are only part of the picture.
The ANPD can order a public disclosure of the infraction, block the personal data involved until the issue is resolved, or erase the data entirely. In the most severe cases, it can suspend database operations for up to six months or prohibit processing activities altogether. The Meta and Tools for Humanity cases demonstrate that the ANPD is willing to use operational suspensions as a first response, even before formal fines are calculated.
Sensitive data violations tend to attract harsher scrutiny. The ANPD's 2025-2026 enforcement priorities explicitly target AI and biometrics, children's data (which often overlaps with sensitive categories), and healthcare data processing. Audits of 15 healthcare institutions in 2024 found that 40% lacked encryption or breach response plans, resulting in total fines of approximately BRL 12 million.
Practical Steps for Website Owners
Complying with Article 11 does not require a legal team the size of Meta's. A few targeted actions cover most risk scenarios for websites that serve Brazilian visitors.
1. Audit what you collect
Run a cookie scan and review every data point your site collects from Brazilian users. Pay attention to third-party scripts: advertising pixels, analytics tools, and social media widgets can collect data that reveals sensitive attributes without your direct involvement. If a third-party tracker builds profiles that could expose health interests, political leanings, or religious activity, you are still the controller under the LGPD.
2. Separate consent for sensitive categories
If your site collects biometric data (facial recognition login, voice verification) or any other sensitive category, your consent banner must include a distinct, highlighted consent mechanism for that processing. A single "Accept all cookies" button does not meet Article 11's requirement for specific and prominent consent.
3. Document your legal basis
For each type of sensitive data you process, record which Article 11 basis applies. If you rely on consent, keep auditable proof that the consent was free, informed, unambiguous, specific, and prominently obtained. If you rely on one of the no-consent exceptions, document why the processing is indispensable - not merely convenient - for the stated purpose.
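As an added example (not code from the original article or from Kukie.io), the following JavaScript encodes the checks behind steps 2 and 3 as a validator for consent and legal-basis records: it rejects consent that was bundled into an "Accept all" click, pre-ticked, or implied by browsing, requires a distinct control plus an auditable timestamp and banner-text version, requires a documented indispensability justification for the Article 11(II) no-consent exceptions, and refuses legitimate interest, contract performance, and credit protection outright. The record shape, field names, category and basis labels, and the sample records are assumptions constructed for this example.

```javascript
// Added example (not from the original article or from Kukie.io): a consent/
// legal-basis record validator for sensitive categories under Article 11.
// All field names, labels and sample records below are assumptions.

// Article 5(II) categories, using this example's own identifiers.
const SENSITIVE_CATEGORIES = new Set([
  "racial_or_ethnic_origin", "religious_belief", "political_opinion",
  "trade_union_membership", "organisation_affiliation", "health_or_sexual_life",
  "genetic_data", "biometric_data",
]);

// Article 11(II) no-consent exceptions, mirroring the article's table.
const NO_CONSENT_EXCEPTIONS = new Set([
  "legal_obligation", "public_policy", "research", "judicial_proceedings",
  "life_protection", "health_protection", "fraud_prevention",
]);

// Article 7 bases the article states are unavailable for sensitive data.
const EXCLUDED_FOR_SENSITIVE = new Set([
  "legitimate_interest", "contract_performance", "credit_protection",
]);

// Validates one record and returns { valid, problems } with every finding,
// so a compliance log can show exactly which requirement failed.
function validateSensitiveRecord(record) {
  const problems = [];

  if (!SENSITIVE_CATEGORIES.has(record.category)) {
    problems.push(`unknown sensitive category: ${record.category}`);
  }
  if (!record.purpose) {
    problems.push("no defined purpose recorded");
  }

  if (record.basis === "consent") {
    // "Specifically": not folded into general terms or an accept-all button.
    if (record.bundled) {
      problems.push("consent bundled with general terms or accept-all (not specific)");
    }
    // "Prominently": a distinct, highlighted control for this category.
    if (!record.distinctControl) {
      problems.push("no distinct consent control for this category (not prominent)");
    }
    // ANPD cookie guidance: no pre-ticked boxes, no consent by browsing.
    if (record.preTicked || record.userAction !== "explicit") {
      problems.push("consent must come from an explicit user action, not a pre-ticked box or browsing");
    }
    // Auditable proof: when the user consented and to which banner text.
    if (!record.timestamp || !record.consentTextVersion) {
      problems.push("consent record lacks timestamp or banner text version (not auditable)");
    }
  } else if (NO_CONSENT_EXCEPTIONS.has(record.basis)) {
    // Exceptions apply only when processing is indispensable; record why.
    if (!record.indispensabilityNote) {
      problems.push(`basis ${record.basis} requires a documented indispensability justification`);
    }
  } else if (EXCLUDED_FOR_SENSITIVE.has(record.basis)) {
    problems.push(`${record.basis} is not available for sensitive data under Article 11`);
  } else {
    problems.push(`unknown legal basis: ${record.basis}`);
  }

  return { valid: problems.length === 0, problems };
}

// Constructed sample records (not real users or real banner data).
const SAMPLE_RECORDS = {
  // One "Accept all cookies" click that also covered face login.
  acceptAllBiometric: {
    category: "biometric_data", basis: "consent", purpose: "face login",
    bundled: true, distinctControl: false, preTicked: false,
    userAction: "explicit", timestamp: "2025-01-15T10:00:00Z", consentTextVersion: "v3",
  },
  // A separate, highlighted checkbox dedicated to face login.
  separateBiometric: {
    category: "biometric_data", basis: "consent", purpose: "face login",
    bundled: false, distinctControl: true, preTicked: false,
    userAction: "explicit", timestamp: "2025-01-15T10:00:00Z", consentTextVersion: "v3",
  },
  // Health-related ad profiling justified by legitimate interest.
  legitimateInterestHealth: {
    category: "health_or_sexual_life", basis: "legitimate_interest", purpose: "ad targeting",
  },
  // Fingerprint login under the Article 11(II)(g) fraud-prevention exception.
  fraudPreventionFingerprint: {
    category: "biometric_data", basis: "fraud_prevention", purpose: "login identity verification",
    indispensabilityNote: "fingerprint match is the only second factor available on the device",
  },
};

// Runs all samples and returns a map of record name -> valid flag.
function validateAll(records = SAMPLE_RECORDS) {
  const result = {};
  for (const [name, record] of Object.entries(records)) {
    result[name] = validateSensitiveRecord(record).valid;
  }
  return result;
}
```

In a real banner the record would be written at the moment the user operates the dedicated control, with the banner text version pinned so the stored proof matches what the user actually saw; the validator then runs at write time so a non-compliant record is never persisted as proof of consent.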
4. Prepare for breach notification
Resolution CD/ANPD No. 15 (April 2024) requires notification to the ANPD within three business days of discovering a breach involving sensitive data. You must also notify affected data subjects within the same timeframe. Maintain an incident register for at least five years, even for incidents you determine do not require notification. The ANPD can investigate unreported incidents independently.
5. Watch the regulatory calendar
The ANPD's 2025-2026 agenda includes upcoming regulations on biometric data, Data Protection Impact Assessments, children's data, and AI. If your site processes any sensitive data from Brazilian users, track these developments. New rules on biometric processing alone could change your compliance obligations significantly.
Frequently Asked Questions
What types of data are considered sensitive under the LGPD?
Article 5(II) defines sensitive personal data as information about racial or ethnic origin, religious belief, political opinion, trade union membership, affiliation to religious, philosophical, or political organisations, health, sexual life, genetic data, and biometric data.
Can I use legitimate interest to process sensitive data under the LGPD?
No. Unlike the GDPR, the LGPD explicitly excludes legitimate interest, contract performance, and credit protection as legal bases for sensitive data. You must rely on specific consent or one of the limited exceptions in Article 11(II).
Do cookies collect sensitive personal data?
Most cookies do not directly collect sensitive data. However, the ANPD recognises that tracking cookies and advertising pixels can build behavioural profiles that reveal sensitive attributes such as health conditions, political views, or religious interests. When that happens, the stricter consent rules of Article 11 apply.
What is the maximum fine for mishandling sensitive data in Brazil?
The ANPD can impose fines of up to 2% of the company's gross revenue in Brazil (excluding taxes), capped at BRL 50 million (roughly USD 9 million) per infraction. Daily fines, data deletion orders, and operational suspensions are also available.
How quickly must I report a breach involving sensitive data to the ANPD?
Under Resolution CD/ANPD No. 15 (April 2024), controllers must notify the ANPD and affected data subjects within three business days of becoming aware of a security incident involving sensitive data that could cause relevant risk or harm.
Does the LGPD apply to my website if I am based outside Brazil?
Yes. The LGPD applies to any organisation that processes personal data of individuals located in Brazil, offers goods or services to people in Brazil, or collects data within Brazilian territory - regardless of where the organisation is headquartered.
Stay Compliant Without the Guesswork
If your website reaches visitors in Brazil, understanding which cookies and trackers touch sensitive data categories is the first step toward Article 11 compliance. Kukie.io scans your site, categorises every cookie, and flags those that may involve sensitive personal data - so you can configure consent flows that match what the LGPD actually requires.