More than ever before, biometric data, a term often used broadly to refer to metrics related to human characteristics, is being collected at a faster pace. Devices of all kinds are now able to able to track and store data such as fingerprints, heartrate, and other potentially sensitive data. This tracking can be accomplished through a variety of mechanisms including smartphones, watches, and fitness tracking bands of all kinds. Because of the nature of information which can be collected, it is of particular interest in sports.

While the general consumer issues of such data collection are certainly daunting, tracking of biometric data for athletes can present special issues. At the college level, student-athletes may have concerns that the data being collected could be used to make player management decisions that could affect playing time, positions or even scholarship opportunities. At the professional level, athletes may share similar concerns and are worried that the collected data could be used against them come contract negotiation time.

Understanding the Three Part Relationship Is Essential

In most situations where athlete biometric data is being collected there will be three main participants in the data collection scenario: (1) the athlete whose data is being collected; (2) an institution or entity which wishes to use the data, typically a school or professional organization; and (3) the vendor that provides the biometric equipment and incident services. Understanding which entities have what rights and responsibilities regarding biometric data collected will require recognizing where each entity fits in the three part relationship, as well as whether any special circumstances exist that would influence these rights and responsibilities.

In the United States, biometric data collection falls under a patchwork of regulations, at both the federal and state level. The applicable rules are based primarily on the characteristics of the athlete data subject and the institution or entity that wishes to collect the biometric data, the relevant jurisdictions, the specific types of biometric data being collected, as well as any contractual commitments between the parties. Further, there may be contractual rights at play, particularly at the professional level.

Relevant Characteristics Which Determine Applicable Laws

I.  Specific Considerations For Student Data Subjects

In most situations the analysis begins with the athlete data subject to collection. Is the athlete a student? If so, consider whether the athlete is a K-12 student which would likely be most relevant in the context of high school athletics. As noted in our firm’s privacy blog, Cal. Ed. Code § 49073.1, requires that local education agencies (county offices of education, school districts, and charter schools) that contract with third parties for systems or services that manage, access, or use pupil records, to include specific provisions regarding the use, ownership and control of pupil records, which could include biometric data.

Further on the private side, the Student Online Personal Information Privacy Act (SOPIPA), requires education technology to comply with baseline privacy and security protections. Former California Attorney General Kamala Harris provided guidance for those providing education technology for K-12 students, which would likely implicate sensitive biometric tied to individual students. Delaware has enacted a similar law. Individuals operating in this space would be wise to check any applicable whether there are any applicable state laws in their situation.

At the federal level, the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) could also be implicated. As a reminder, FERPA applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Under FERPA generally, schools must have written permission from the parent or eligible student in order to release any information from a student’s education record. It also grants parents certain rights which transfer to the student once the student turns 18. The definition of “personally identifiable information” in § 99.3 includes “biometric record” as part of the list that constitute personally identifiable information.

II.  Specific Considerations For Biometric Collection Vendors

Vendors that collect biometric athlete data, as well as the business that contract with these vendors should be aware of the Illinois Biometric Information Privacy Act (“BIPA”), on which additional background can be found here. The Act is being actively litigated, and applies to “any ‘private entity’ — including employers — collecting, storing, or using the biometric information of any individual in Illinois – no matter how it is collected, stored or used, or for what reason.” Certainly, professional sports entities as well as the companies they work with in this space should consider their obligations under BIPA.

III.  Professional Sports Organizations, Players Associations and Contractual Issues

Certain professional sports leagues and associated player organizations may have their own rules regarding collection and use of biometric data. For example, the National Football League Players Association (NFLPA) via its newly formed athlete-driven accelerator, the OneTeam Collective, has a partnership that makes WHOOP the Officially Licensed Recovery Wearable of the NFLPA.

As part of the agreement between OneTeam Collective and WHOOP:

  • NFL players will own and control their individual data collected with the WHOOP Strap 2.0.
  • NFL players will design custom licensed bands for the WHOOP Strap for personal use and commercial sale.
  • The NFLPA and WHOOP will study the effects of travel, sleep, scheduling, injuries, etc. on recovery and generate reports to advance player safety and maximize athletic performance.
  • NFL players will have the ability to commercialize their WHOOP data through the NFLPA’s group licensing program.

The National Basketball Association’s collective bargaining agreement (CBA) limits how teams may use data collected from wearables. Under the restriction, “data may not be considered, used, discussed or referenced for any other purpose such as in negotiations regarding a future Player Contract or other Player Contract transaction (e.g., a trade or waiver) involving the player,” which allows for an arbitrator to impose a fine of up to $250,000 to any team that violates the provision.

The collection of biometric data on athletes is likely to an active area of regulatory interest for years to come. If you have any questions, please contact a member of the Mintz Levin Sports Law Practice Group.

Notwithstanding the glitz and glamour of multi-millionaire race drivers and champagne, Formula One is all about data. Analytics are fundamental to understanding Formula One races. Teams are fueled by data, and around every corner you’ll find a car fitted with over 150 sensors monitoring car and driver behavior. These sensors track vital stats such as brake wear, tire life and driver biometrics. In one lap, they can transmit 2GB of data; over the course of a full race, 3TB of data.

NBA teams too are now using a form of technology, called “Player Tracking,” that evaluates the efficiency of a team by an analysis of player movement. According to the SportVu software website, teams in the NBA are now using six cameras installed in the catwalks of arenas to track the movements of every player on the court and the basketball 25 times per second. The data collected provides a plethora of innovative statistics based on speed, distance, player separation and ball possession. Examples include stats on how fast a player moves, how far he travels during a game, how many times he touches the ball, how many passes he makes, how many rebounding opportunities he has, and much more. The information is available to fans on and NBA TV. Data analytics are also common in the MLB, NFL, MLS and other professional and collegiate sports, where statistics have become vital in analyzing games and players.

But gathering data in the volume and depth that is necessary to make accurate predictions comes with risks. What if the data falls into the wrong hands? How valuable would detailed statistics be? Of course, teams have traditionally monitored their opponents by sending scouts to games, or watching hours of video re-runs, while meticulously making notes on individuals’ performances; but access to the “fire hose” of data collected during training would provide a huge shortcut.

For example, in Formula One, a data or system loss, or even a malware infection, and the race is lost.  Formula One teams have data centers on the side of the track, processing every nanosecond of the race.  If any of that data fell into the wrong hands it could be disastrous, which is why Formula One teams take data security extremely seriously.

Interestingly, tools needed to make sure data can be collected safely and kept only in the hands of those who it’s intended for are already available. The problem is that outside of a few highly data-driven sports, such as Formula One, most clubs and teams just aren’t aware enough of the dangers to have implemented them. Like businesses gathering data, sports teams too should have a full understanding of any and all obligations and requirements under relevant data protection legislation.

Communication is also critically important, i.e., appropriate disclosure of what data is being collected and how it is stored. It’s also important to learn about and put in place the appropriate security measures to guard data, and to implement the necessary policies on deleting data a sports team no longer needs. The digital revolution engulfing sports has many challenges to overcome, but the point is that whether in sports or business, when data becomes an important asset that drives important decisions and competitiveness, it needs to be protected like any other important asset.