Prontua LGPD Regulatory Analysis — Ambient Audio Recording in Veterinary Clinics
Prontua LGPD Regulatory Analysis — Ambient Audio Recording in Veterinary Clinics
Research date: 2026-03-29 | Agent: Deep Research | Confidence: High
Executive Summary
Prontua’s ambient audio recording in veterinary exam rooms captures multiple categories of personal data under LGPD. The core legal challenge is that voice data can be classified as sensitive biometric data depending on processing purpose, and clinical content may contain health data of the tutor (pet owner) incidentally. This analysis maps the full regulatory landscape and recommends a consent-first approach with specific safeguards for cross-border data transfer.
Bottom line: Prontua is legally viable under LGPD, but requires (1) explicit informed consent per tutor, (2) ANPD-compliant standard contractual clauses with foreign API providers, (3) strict data retention and deletion policies, and (4) a designated DPO (encarregado).
1. Types of Data Captured
Prontua’s ambient recording captures the following data categories:
| Data Type | LGPD Classification | Justification |
|---|---|---|
| Raw audio (voice of vet + tutor) | Personal data; potentially sensitive (biometric) | Voice is a biometric identifier when used for identification/authentication. Even when not used for biometric purposes, recordings contain identifiable personal data (Art. 5, I) |
| Transcript (STT output) | Personal data | Contains names, descriptions, personal context spoken during consult |
| Clinical notes (SOAP) | Personal data | Contains animal health data (not directly protected), but may contain tutor health references, contact info, and identifiable information |
| Tutor identity | Personal data | Name, contact, relationship to animal — identifiable natural person data |
| Veterinarian identity | Personal data | Name, CRMV registration, professional activity |
| Incidental health data of tutor | Sensitive data (Art. 5, II) | Tutors may mention their own health conditions, allergies, or medications during consult — this is health data of a natural person |
| Device metadata | Personal data | IP address, timestamps, geolocation of clinic |
Key Distinction: Voice as Biometric Data
Under LGPD Art. 5, II, biometric data is classified as sensitive personal data. Brazilian jurisprudence and ANPD guidance increasingly recognize voice as biometric when:
- Used for identification or authentication purposes
- Processed through voice recognition/fingerprinting systems
For Prontua: The primary purpose is transcription, not voice identification. However, raw audio inherently contains biometric characteristics. The conservative legal position — and the one we recommend — is to treat audio recordings as sensitive data and apply the Art. 11 consent regime. This avoids regulatory risk as ANPD enforcement matures.
2. LGPD Legal Bases for Processing
Art. 11 — Sensitive Data Processing
Since we classify audio as potentially sensitive, the available legal bases under Art. 11 are:
| Legal Basis | Applicable? | Notes |
|---|---|---|
| Consent (Art. 11, I) | Yes — Primary | Must be specific, informed, highlighted, and for defined purposes. This is the recommended basis. |
| Compliance with legal obligation (Art. 11, II, a) | No | No law mandates ambient audio recording in vet clinics |
| Public policy execution (Art. 11, II, b) | No | Not applicable to private vet clinics |
| Research by research body (Art. 11, II, c) | No | Moklabs is not a research institution |
| Exercise of rights in judicial/arbitral proceedings (Art. 11, II, d) | No | Not the primary purpose |
| Protection of life/physical safety (Art. 11, II, e) | No | Does not apply to routine consults |
| Health protection (Art. 11, II, f) | Partial | Applies “exclusively in procedures performed by health professionals, health services, or health authorities.” Veterinarians are health professionals for animals, but this exception is designed for human health data processing. Not reliable as primary basis. |
Recommendation: Use explicit consent (Art. 11, I) as the primary legal basis. This is the safest, most defensible position and aligns with the consent model already planned for the front-desk workflow.
Consent Requirements (Art. 8 + Art. 11)
For consent to be valid under LGPD for sensitive data:
- Free — Not coerced; tutor must be able to refuse without losing access to veterinary care
- Informed — Clear explanation of what is recorded, why, how it’s processed, who receives it
- Unambiguous — Active opt-in (not pre-checked boxes or implied consent)
- Specific — Separate consent for each distinct purpose (recording, STT processing, LLM processing, storage)
- Highlighted — Consent for sensitive data must be prominently presented, separate from general T&C
- Revocable — Tutor can withdraw consent at any time; must be as easy to withdraw as to grant
3. Client (Tutor) ↔ Patient (Animal) Relationship Under LGPD
LGPD protects natural persons (Art. 1). Animals are not data subjects. Therefore:
- Animal health data (species, breed, diagnosis, treatment) is not personal data under LGPD — it only becomes personal data when linked to an identifiable tutor
- Tutor data (name, CPF, address, voice, statements) is personal data
- The veterinarian’s data (name, CRMV, professional opinions) is also personal data
Practical Implication
The consent obligation attaches to the tutor (and any other identifiable person in the room), not to the animal. If multiple people are present in the exam room (e.g., tutor + family member), all identifiable speakers should be informed of the recording.
4. Is Veterinary Clinical Audio Sensitive Data?
Assessment: Yes, treat it as sensitive. Three independent reasons:
-
Biometric dimension: Raw audio contains voice biometric data. Even without biometric processing intent, the ANPD’s evolving interpretation favors classification as sensitive when raw biometric-capable data is retained.
-
Incidental health data: Tutors routinely mention their own health context (“I’m allergic to X too,” “I have the same symptoms”), creating incidental sensitive health data capture.
-
Precautionary principle: ANPD enforcement is maturing rapidly. Treating data as sensitive when there’s ambiguity is the defensible position that avoids re-architecture later.
5. CFMV/CRMV Regulatory Requirements
Resolution CFMV nº 1.321/2020 (updated by Res. 1.653/2025)
This resolution governs veterinary medical records (prontuário médico-veterinário):
- Required record contents: date, time, location, vet ID, tutor-reported information, animal general state, clinical findings, exam results
- Record retention: The resolution does not specify a mandatory retention period for medical records, but general practice and professional liability timelines suggest minimum 5 years (aligned with general statute of limitations for professional liability)
- Record access: Copies must be provided within 5 business days of request, extendable to 30 business days with justification
- Electronic records: Permitted, but must maintain integrity, authenticity, and confidentiality
Resolution CFMV nº 1.402/2021 — LGPD Guidelines for CFMV/CRMVs
This resolution established data protection guidelines within the veterinary regulatory system:
- Defines CFMV/CRMVs as data controllers for their own processing
- Requires appointment of a DPO (encarregado)
- Establishes data processing principles aligned with LGPD
Resolution CFMV nº 1.465/2022 — Telemedicine
Relevant by analogy for remote/recorded interactions:
- Requires informed consent for telemedicine, including consent for data transmission
- Mandates confidentiality and security of patient data
- Requires documentation of consent as part of medical records
Gap: No Specific Regulation on Ambient Audio Recording
There is no CFMV/CRMV resolution specifically addressing ambient audio recording in veterinary exam rooms. The closest analogs are:
- Telemedicine consent requirements (Res. 1.465/2022)
- General medical record requirements (Res. 1.321/2020)
- LGPD data protection guidelines (Res. 1.402/2021)
Recommendation: In the absence of specific regulation, apply the most conservative interpretation — combine LGPD consent requirements with telemedicine-level disclosure, and document audio recording consent as part of the veterinary medical record.
6. Data Retention, Deletion, and Portability Obligations
Retention Policy Framework
| Data Type | Recommended Retention | Justification |
|---|---|---|
| Raw audio | 30 days max | Delete after transcript generation + QA window. Minimizes sensitive data exposure. |
| Transcript | Duration of clinical relationship + 5 years | Supports medical record integrity and professional liability defense |
| SOAP notes | Duration of clinical relationship + 5 years | Part of the prontuário médico-veterinário |
| Processing logs | 2 years | LGPD accountability and audit trail |
| Consent records | Duration of relationship + 5 years after last interaction | Must be retained to demonstrate lawful processing |
Deletion Obligations (Art. 15-16)
Data must be deleted when:
- The purpose of processing has been achieved (e.g., raw audio after transcription)
- The data processing period ends
- The titular revokes consent
- ANPD orders deletion
Exception: Data may be retained even after consent withdrawal for:
- Legal/regulatory obligation compliance
- Research (anonymized)
- Transfer to third party (with legal basis)
- Legitimate use by the controller (anonymized)
Portability (Art. 18, V)
- Tutor has the right to request portability of their data to another service
- Format: structured, commonly used, machine-readable
- Scope: personal data provided by the tutor, not derived/inferred data
- Timeline: ANPD has not yet specified exact timeframes; best practice is 15 business days
- Does not include anonymized data
7. Cross-Border Data Transfer
The Challenge
Prontua’s architecture sends data to foreign APIs:
- Deepgram (STT) — US-based
- Anthropic/Claude (LLM) — US-based
- Both constitute international transfer of personal data under LGPD Art. 33
ANPD Resolution CD/ANPD nº 19/2024
Published August 23, 2024, this resolution regulates international data transfers under LGPD Arts. 33-36:
Permitted transfer mechanisms:
- Countries/organizations with adequate protection level (ANPD adequacy decision)
- Standard Contractual Clauses (SCCs) — Approved by ANPD ← Primary mechanism for Prontua
- Equivalent standard contractual clauses
- Specific contractual clauses
- Global corporate rules
- Seals, certificates, codes of conduct
- ANPD authorization
- International cooperation commitments
- Specific consent of the titular
Key dates:
- Resolution published: August 23, 2024
- Grace period for SCC adoption: 12 months (ended August 23, 2025)
- Current status: SCCs are now mandatory for international transfers not covered by adequacy decisions
Recommended Approach for Prontua
- Execute ANPD-compliant SCCs with Deepgram and Anthropic (or their DPAs)
- Document the transfer in the privacy policy and consent form
- Obtain specific consent for cross-border transfer as an additional safeguard
- Implement technical safeguards: encryption in transit (TLS 1.3), data minimization (send only audio/text needed, not full metadata)
- Conduct Transfer Impact Assessment (TIA) evaluating the legal framework of the recipient country (US)
US Adequacy Status
As of March 2026, ANPD has not issued an adequacy decision for the United States. Therefore, SCCs or other contractual mechanisms are required.
8. Regulatory Requirements Checklist
For Prontua to operate compliantly under LGPD:
Mandatory (Before Launch)
- Appoint a DPO (Encarregado) — Art. 41; name and contact must be published
- Draft and publish Privacy Policy — Art. 9; must cover all items in Art. 9, §1
- Create specific Consent Form — Art. 8 + Art. 11; separate from general T&C
- Execute SCCs with Deepgram and Anthropic — Res. CD/ANPD 19/2024
- Implement data deletion pipeline — Art. 15-16; automated deletion of raw audio after 30 days
- Create data subject rights request channel — Art. 18; must respond within 15 days
- Conduct Data Protection Impact Assessment (DPIA/RIPD) — Art. 38; recommended for sensitive data processing
- Register of Processing Activities (ROPA) — Art. 37; document all processing operations
Recommended (Phase 1)
- Implement consent management system — Track consent grants, withdrawals, and scope per tutor
- Encryption at rest for stored audio, transcripts, and notes
- Access control with role-based permissions for clinic staff
- Audit logging for all data access and processing events
- Incident response plan — Art. 48; must notify ANPD and affected titulars of security incidents
- Front-desk micro-script for verbal consent (backed by digital record)
- Visual notice in exam room about ambient recording (LED indicator + signage)
Penalties for Non-Compliance
| Severity | Sanction |
|---|---|
| Warning | With deadline for corrective measures |
| Simple fine | Up to 2% of revenue, capped at R$ 50 million per violation |
| Daily fine | Until violation is remedied |
| Publicization | Public disclosure of the violation |
| Data blocking | Suspension of processing |
| Data deletion | Mandatory deletion of data related to the violation |
| Partial suspension | Up to 6 months, extendable |
| Total prohibition | Of the processing activity |
9. Risk Matrix
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Tutor refuses consent | High (20-30%) | Medium — lost data point, not lost customer | Design workflow so care continues normally without recording; consent is optional |
| ANPD reclassifies all voice as biometric/sensitive | Medium | Low — we already treat it as sensitive | Current approach is already conservative |
| Cross-border transfer challenged | Low-Medium | High — could halt LLM/STT processing | SCCs in place; monitor ANPD adequacy decisions; evaluate domestic STT alternatives |
| Incidental capture of third-party data | Medium | Medium — person not covered by consent | Room signage + verbal notice; implement speaker diarization to flag non-consented speakers |
| Data breach of audio recordings | Low | Critical — reputational + regulatory | Encryption at rest + transit; 30-day audio deletion; access controls; incident response plan |
| CFMV issues specific regulation on clinical recording | Low-Medium | Variable | Current approach exceeds likely regulatory requirements; monitor CFMV bulletins |
10. Recommendations
-
Consent-first architecture: Build consent collection into the clinical workflow from day zero. Digital consent form + front-desk verbal disclosure + room signage + LED indicator.
-
Treat all audio as sensitive: Apply Art. 11 regime universally. This is slightly more burdensome but eliminates reclassification risk.
-
30-day raw audio deletion: This is the strongest signal of data minimization. Retain only transcripts and SOAP notes for clinical record purposes.
-
Execute SCCs immediately: Both Deepgram and Anthropic should have DPA/SCC templates available. Adapt to ANPD format per Resolution 19/2024.
-
DPIA before launch: Document the necessity and proportionality of ambient recording. This becomes your defense document if ANPD inquires.
-
Monitor ANPD and CFMV: Set quarterly review cadence for new guidance, adequacy decisions, or sector-specific regulations.
Sources
- LGPD — Lei nº 13.709/2018
- CRMV-SP — LGPD Guidelines
- ANPD — Resolution CD/ANPD nº 19/2024 (International Transfers)
- CFMV — Resolution 1.402/2021 (LGPD Guidelines)
- CFMV — Resolution 1.321/2020 (Medical Records)
- CFMV — Resolution 1.465/2022 (Telemedicine)
- SERPRO — Sensitive Data under LGPD
- Biometria Vocal como Dado Sensível — GPF
- Gravadores de Voz Inteligentes e LGPD — Jusbrasil
- Mayer Brown — End of Grace Period for SCCs
- CRMV-SP — Resolution 1.653/2025 (Updated Medical Records)