As wearable and analytics technology continues to explode, professional sports leagues, such as the NFL, have aggressively pushed into this field. (See Bloomberg). NFL teams insert tiny chips into players' shoulder pads to track different metrics of their game. During the 2018-2019 NFL season, data was released that Ezekiel Elliott ran 21.27 miles per hour for a 44-yard run, his fastest of the season. The Dallas Cowboys are not alone, as all 32 teams throughout the league can access this chip data, which is collected via RFID tracking devices. Sports statistics geeks don’t stand a chance, as this technology will track completion rates, double-team percentages, catches over expectation, and a myriad of other data points.
There are obvious questions and concerns about the use of this technology, and not just at the professional level. Wearables can be found at all levels of sports and athletic activities, including at colleges and high schools. At the professional level, the NFL is unique in that it allows teams to use the chip data during contract negotiations. However, players do not have full access to this information, unless specifically granted by individual teams. This is important since there is much debate over who truly owns this data. And, for a variety of reasons, players and athletes want to know where their information is stored, how it is stored, whether and how it might be used and disclosed, who has access to it, and what safeguards are in place to protect it. Major League Baseball and the Players Association added Attachment 56 to the 2017-2021 Collective Bargaining Agreement to address some of these concerns. But, again, these and other questions are not unique to professional ball players.
With devices ranging from wearable monitors to clothing and equipment with embedded sensors, professional teams, colleges and universities, local school districts, and other sports and athletic institutions, as well as the companies that provide the wearables, can now collect massive amounts of data such as an athlete’s heart rate, glucose level, breathing, gait, strain, or fatigue. On the surface, this data may relate to an athlete’s performance and overall wellness, which may be somewhat apparent to onlookers without the aid of the device. However, alone or aggregated, the data may reveal more sensitive personal information relating to the athlete’s identity, location, or health status, information that cannot be obtained just by closely observing the individual. When organizations collect, use, share, or store this data, it creates certain privacy and security risks and numerous international, federal, and state data protection laws may apply. Any sports or athletic organization that develops a wearable device program, or has reason to believe that these devices are being used by coaches and others to collect similar data, should be mindful of these risks and regulatory issues.
Below is a non-exhaustive list of some of these laws:
EU’s General Data Protection Regulation
Many organizations still may not have heard of the General Data Protection Regulation (GDPR), and many sports and athletic institutions might not have a reason to know because the law does not apply to them. However, GDPR potentially applies, for example, where a team collects, monitors, analyzes – “processes” a player’s personal data obtained through a wearable device during an exhibition game or training session located in the EU. This may be the case even though the team is not established in the EU, the player is not a citizen or resident of the EU at the time of monitoring, and the team is not “targeting” the EU with this practice. For entities not aware of the GDPR, it grants data subjects (possibly the athletes in this example) a whole host of rights, along with significant obligations on the controllers and processors of that data.
California Consumer Privacy Act
The recently enacted California Consumer Privacy Act (CCPA) may apply to a sports or athletic organization that collects the personal data of an athlete who is a California resident, regardless of whether the organization is located in California. Under the Act, a covered business must provide a resident with information about its data collection practices, including the personal information it collects, discloses, and sells, as well as the right to delete this data and to object to its sale. Since the CCPA defines personal information broadly, it may include the personal data that wearable devices typically collect. For example, under the CCPA, personal information includes “biometric information,” “geolocation data,” “audio, electronic, visual, thermal, olfactory, or similar information,” as well as
inferences drawn from any of the information [defined as personal information] to create a profile about a consumer reflecting the consumer’s characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Notably, the Act prohibits an individual from waiving these rights, which may affect a team’s ability to monetize player data.
Family Educational Rights and Privacy Act
The Family Educational Rights and Privacy Act (FERPA), the federal law that protects the privacy of student education records and applies to schools that, in general, receive funding from the U.S. Department of Education, may also apply to a student’s personal data collected by a wearable device for a high school or college program. Generally, schools must obtain written permission from the parent or eligible student in order to release any information from a student’s education record. This is significant in the context of student wearable devices, since companies are increasingly engaging with colleges and universities to access the performance data of student athletes. Schools may be obligated to perform due diligence and contractually obligate vendors to implement appropriate measures to safeguard the student personal data, as well as to obtain student or parental consent under FERPA.
State Mandates to Safeguard Personal Data
Multiple states impose an affirmative duty to use reasonable measures to safeguard personal data that an organization collects or owns. States such as California, Texas, Florida, and Illinois are among those requiring safeguards specifically for health-related personal data. The applicability of these state laws may depend on the location of the organization’s facilities, the athletes’ states of residency, and the specific kinds of personal information that are captured by the wearables. Many of these safeguarding laws address security in the abstract and do not mandate specific measures. However, “reasonable” generally implies safeguards appropriate to the sensitivity of the data, and one need only look to existing data security frameworks, such as under HIPAA and the Massachusetts data security regulations, to get a sense of what safeguards may be appropriate. In addition to a statutory duty to safeguard, some organizations may have a common law duty to safeguard an athlete’s personal data.
State Mandates Regarding Data Destruction and Disposal
Currently, more than thirty states have data destruction and disposal laws. These laws require taking reasonable steps to securely dispose of records containing personal information by shredding, erasing, or other methods. Among those states, California, Florida, and Illinois are a few that expressly require secure disposal of health-related personal data. As part of meaningful data destruction practices, organizations should also implement a data retention schedule that ensures the destruction of personal data once it is no longer needed.
State Data Breach Notification Laws
All fifty US states have data breach notification laws. In general, these laws require an entity that owns or licenses personal information about a state resident to report a data breach to the individuals whose personal information is affected and, in some cases, to the state attorney general or other agencies. Each state has its own definition of personal information, and states such as California, Texas, Florida, and Arizona include health, medical, and/or biometric information. Unauthorized acquisition of or access to personal information collected by wearables, whether by hackers trying to get sensitive information about well-known athletes or caused by a local high school coach losing a drive with that information, can require notifications to the athletes, creating significant exposure and reputational harm to the institution. With athletes often being residents of various states, reporting a breach may involve complying with the laws of multiple jurisdictions.
Vendor Contract Statutes
An increasing number of states, including California, Massachusetts, and Oregon, statutorily require a business to conduct due diligence before sharing or disclosing certain categories of personal information to a third-party service provider. Many of these statutes also require contractually obligating the vendor to maintain safeguards appropriate to the sensitivity of the data, which is a good practice even if a written agreement is not mandated by the statute. In the professional sports context, these obligations could apply to a team sharing data with vendors in the course of trade negotiations or any attempt to monetize the player’s data. For younger athletes, local education institutions may be required to take similar measures with regard to sharing information with third parties. For example, in California, when “local educational agencies” obtain services from third parties involving the processing of “pupil records,” their contracts with those third parties must address certain issues concerning those pupil records, such as who owns the records, the security of those records, and how they may be used and accessed. Under the law, local educational agencies include school districts, county offices of education, and charter schools. And “pupil records” include “any information directly related to a pupil that is maintained by the local educational agency,” which could include information gathered by coaching staffs and other personnel through wearables used by the students. Cal. Ed. Code § 49073.1.
The wearable tech industry is booming. It brings innumerable potential benefits as well as significant data privacy and security risks. Organizations that collect, use, and store athlete personal data face increasing compliance obligations as the law attempts to keep pace with technology, cybersecurity crimes, and public awareness of data privacy and security. Creating a robust data protection program or regularly reviewing an existing one is a critical risk management and legal compliance step.