The collection of personal data by organizations in the sports industry creates unique data privacy challenges. Generally, a business-to-consumer organization is focused on the personal data of its customers and separately employment related personal data. Organizations operating in the sports industry also need to focus on privacy compliance activities in relation to athletes’ "performance data."
In the 20 years since Michael Lewis published “Moneyball: The Art of Winning an Unfair Game,” the sports data industry has grown into a multi-billion-dollar industry. Sports "rights holders" have realized significant new revenue streams by selling live competition data to the data companies that have emerged to distribute that data to end users such as the sports betting industry, which has itself been fuelled to become a trillion-dollar industry.
However, disputes are starting to emerge over who “owns” sports data. In this sense, a distinction can be drawn between "competition data" which covers the outcomes of a sporting event, and "performance data" which captures an individual athlete’s performance via a "wearable" collection tool. In addition to tracking data points such as speed and distance covered, performance data includes medical data such as heart rates, recovery rates, fitness, and the like. Clearly, drawing a boundary between competition data and performance data can be problematic, for example when performance data is used to track the deteriorating recovery rate of an individual player’s performance via a "heat map" which then could be used to predict the outcome of a sporting event.
There is little dispute that "competition data" is owned by the event "rights holder," but how that revenue is shared with participants - such as franchises, clubs, and players - can be more contentious. It is debatable who "owns" the "performance data," but a strong argument exists that it is the employer of the athlete, for example, a rugby club, or the body within which the athlete is competing, such as a national Olympic team. A counter argument is that it remains the athlete’s data, which can be sold individually or collectively, perhaps under a collective bargaining agreement.
However, as the two data sets are packaged and sold together, more complex issues arise. An athlete’s personal medical information is protected in many jurisdictions by data privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA) in the USA. Such information can also yield far-reaching insights, for example into the value of a soccer player in the transfer market. Should a medical condition be detected, what obligations and liabilities does this create in relation to the player’s welfare and in any subsequent trade/sale of that player?
“Project Red Card” is an example of the tensions created by the sports data boom. It has been reported that pre-action litigation letters have been issued in the UK by an organization called Global Sports Data and Technology Group Limited (GSDT) to seventeen companies that gather and use football/soccer players’ data in the betting and gaming sector. GSDT claims to represent about 850 current and former professional football/soccer players. The basis of the claim is that the defendants are processing the footballers’ personal data in breach of data protection laws.
Under the EU’s General Data Protection Regulation (GDPR), athletes may have the right to access their data, to request rectification, and to erasure. The wider exercise of such rights by athletes, specifically the right to erasure, could create gaps that reduce the utility and overall value of performance datasets.
Ankura recommends organizations in the sports industry focus on the following privacy management activities to maintain compliance with data privacy laws governing the collection and processing of customer personal data, employment personal data, and athletes’ performance personal data:
- Complete an assessment and develop a privacy compliance roadmap - Many organizations in the sports industry are unique in that they are regional in nature. For example, many sports teams don’t have exposure to the EU’s GDPR and similarly don’t have exposure to the California Privacy Rights Act (CPRA). As such, they may not yet have invested in modernizing their privacy program. An important first step is for organizations to evaluate the privacy laws that currently impact them, or which may impact them in the future, such as emerging state-level privacy laws in the USA or emerging national privacy laws in India. Organizations can then assess their current privacy compliance posture and use the output of that assessment to develop a roadmap to privacy compliance.
- Prepare a data inventory - Under Article 30 of the EU’s GDPR, organizations are required to prepare and maintain a record of processing activities, commonly referred to as a data inventory. To date, U.S. privacy laws do not require the preparation of a data inventory; however, most organizations striving for compliance with data privacy laws will first develop one. A data inventory is a record of what types of personal data are collected, where they are stored, what the organization does with that data while it is in its environment, how that data is protected, and where that personal data is transferred. The data inventory is a foundational building block for any privacy program and enables downstream activities such as developing processes to respond to customer requests to erase their personal data or drafting accurate privacy notices.
- Evaluate access controls – Given the different types of personal data that sports organizations collect and process, it is important to evaluate who within the organization has access to each type of personal data. For example, the team’s marketing manager focused on driving ticket sales does not likely need access to athletes’ performance data.
- Conduct privacy impact assessments – The collection and sharing/sale of athlete performance data would likely qualify as a high-risk processing activity as set forth in EU privacy guidance and, as such, would require closer evaluation through the completion of a Data Protection Impact Assessment (DPIA). In addition, emerging privacy laws in the U.S. call for the completion of DPIA-equivalent analyses for large-scale processing of sensitive data, profiling, and combining data sets.
- Modernize your vendor risk management process – The outbound sharing of personal data from a sports organization to third parties such as service providers, vendors, processors, the associated league, and stadiums increases the need for a robust third-party management process. The organization should use its third-party risk management process to evaluate its third parties for privacy and security risks and to ensure that appropriate contractual data sharing restriction clauses are included in contracts with such third parties.
- Jonny Gray is a Senior Managing Director in the Ankura global sports practice based in the UK.
- David Manek is a Senior Managing Director in the Ankura data privacy, information security, and data management practice and is based in the U.S.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.