By Casey Yang[i]
There are many privacy concerns associated with the use of wearable technology in sports. Therefore, athletes, teams, leagues, and affiliated third parties should begin to heavily consider the ongoing development of biometric privacy laws into their respective cost-benefit analyses. Wearable technology first came onto the sports scene about five years ago when two professional basketball players, Matthew Dellavedova and DeAndre Jordan, were found wearing WHOOP devices – continuous biometric monitors – without permission during games.[ii]
Since then, the four major professional sports leagues in the United States – Major League Baseball (MLB), the National Football League (NFL), the National Basketball Association (NBA), and the National Hockey League (NHL) – have reached agreements with their players regarding wearable technology.[iii] At the college level, “the University of Michigan . . . became the first major college team to consent to collecting private biometric data from their athletes as part of their apparel contract with Jumpman, a Nike division, which allows for collection of data through heart-rate monitors, GPS trackers and other devices.”[iv]
Now, media outlets want a piece of the action by broadcasting player data to their audiences in real time, as evidenced most recently at last year’s Ryder Cup (a rowdy, Team USA-versus-Team Europe-style, professional golf tournament) where fans at home watched certain golfers’ heart rates fluctuate as they stood on the first tee.[v] Given that these sports entities and media outlets have partnerships with gaming and gambling companies, all sights are set on monetizing player data in the sports betting space.[vi]
Clearly, there seems to be some appeal among athletes to use wearable technology because the technology helps them improve performance and prevent injuries. For leagues, teams, media outlets, and other affiliated third parties, there seems to be significant revenue-generating potential through live media coverage and sports betting. However, there are serious privacy concerns that all parties should consider, and there are potentially negative consequences that may outweigh the benefits derived from wearable technology.
So far, privacy concerns in this area have largely centered around whether controllers of players’ performance data need to comply with the Health Insurance Portability and Accountability Act (HIPAA).[vii] However, there seems to be a general consensus that HIPAA does not apply to data collected from wearable technology either because (a) wearable technology companies are not considered “covered entities” under HIPAA, (b) athletes consent to these companies having access to their information, or (c) an employment exception applies.[viii] Moreover, many sports leagues included provisions in their player agreements that are intended to reduce the chances that they will accidentally violate HIPAA.[ix]
As it pertains to the athletes’ performance data, there has been little to no discussion about whether sports entities that control this data need to comply with state (and possibly federal) biometric privacy laws. The lack of discussion is especially peculiar, given that athletes’ performance data is generally referred to as “biometric data.”[x]
One reason may be that the meaning of “biometric data,” as applied to sports, has a slightly different meaning than the legal definitions provided in state statutes. For instance, the Engineering in Medicine and Biology Society (EMBS) defines “biometrics” as “the science of measuring and analyzing data collected from the body, such as heart rate or hormone levels.”[xi] Furthermore, such biometrics are “used in sports to identify talent, injury risk, and estimate readiness,” according to Sparta Science founder Dr. Phil Wagner.[xii]
In contrast, the Illinois Biometric Information Privacy Act (“BIPA”), which is the first and oldest biometric regulation in the United States, defines “biometric information” as any information, “regardless of how it is captured, converted, stored, or shared,” based on an individual’s “biometric identifier” used to identify an individual.[xiii] “Biometric identifiers” are retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry.[xiv]
It would seem reasonable to conclude that “biometric data” collected in sports would be excluded because it does not fit within BIPA’s narrow “biometric identifier” definition, and thus, sports leagues and their affiliates would not have to comply with biometric regulations. Additionally, there is limited controlling precedent in Illinois state court to rely on, and ongoing litigation at both the state and federal levels revolve around face- and finger-scanning technologies.[xv] Therefore, one could argue that biometric regulations are limited in scope to biometric data that may grant access to devices, and such regulations do not apply to data collected by wearable technology.
The counter to this reasoning though is that “several states have followed Illinois in passing legislation regulating the use and disclosure of biometric information,” and even federal lawmakers have shown interest in legislating biometric information by introducing the National Biometric Information Privacy Act of 2020 (NBIPA) in August 2020.[xvi] Such laws range from “comprehensive laws governing biometric information that are similar to BIPA, to data privacy laws which include biometric information within the definition of ‘personal data,’ to breach response laws including biometric information under ‘covered personal information.’”[xvii] Consequently, some of the differing regulatory regimes offer broader definitions of “biometric information” than BIPA, and thus, may include biometric data collected from wearable technology.
For instance, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), includes biometric data within the definition of personal data.[xviii] The CCPA/CPRA provides consumer rights related to the control of their personal information, which extends to biometric data defined as “physiological, biological or behavioral characteristics, including … DNA[,] that can be used … to establish individual identity,” including “imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.”[xix]
Other states such as Maryland and Arkansas have adopted similar, non-exhaustive definitions for “biometric information.”[xx] More importantly, the federal NBIPA also takes a broad approach in defining the term, which could have preemptive effect over state laws.[xxi] Broadening the definition of “biometric information” is a recognition among lawmakers and privacy experts that biometric technology is evolving quickly, and misuse of this information can lead to serious issues like identity theft.[xxii]
First, biometric data is part of one’s identity and can never be changed (e.g. DNA, fingerprints, voice, etc.).[xxiii] As a result, “when biometric data becomes compromised, it will never be completely secure as a method of authentication again, which is more damaging than when other types of data are stolen, like a person’s credit card number.”[xxiv] One can replace a credit card if it is stolen, but one cannot change his or her fingerprints.
While it is more common to gain access to devices by scanning a person’s fingerprints, face, eyes, or voice, it will not be long before technology will have the ability to detect other biological and behavioral characteristics such as keystroke patterns, sleep patterns, and exercise patterns to name a few – all of which are tracked and collected by wearable technology. Couple that with the fact that professional athletes are worth hundreds of millions of dollars, and there appears to be an inflection point where biometric data collected from wearable technology worn by professional athletes will be the prime targets for identity thieves.
If and when this inflection point happens, and if leagues, teams, media outlets, gambling entities, and wearable technology companies do not take proactive measures to address it, the financial consequences may be enormous for all parties involved. The athletes may lose millions of dollars directly to identity thieves, but more importantly, their identities may be permanently compromised.
The sports entities that control the athletes’ biometric data could be liable for each violation and may have to pay a significant amount to the affected athletes in the form of monetary penalties (e.g. Under BIPA, statutory damages of $1,000 for each negligent violation or $5,000 for each intentional or reckless violation, plus reasonable attorneys’ fees and costs) or by settlement.[xxv] Even worse, this could all lead to mistrust and reluctance among players, leagues, teams, consumers, wearable technology companies, and all parties in between.
Going forward, it would be in the best interests of all parties involved in transactions related to athletes’ biometric data to factor in the rights, obligations, and consequences under current biometric privacy laws. Before providing their consent, players should make sure they are well-informed about all the issues and consequences explained above and that controllers of their biometric data are making the appropriate disclosures about the intended use of such data. They should also leverage their highly valuable biometric information in future negotiations with leagues, teams, media networks, and gambling entities to reap a greater portion of the revenues derived from using their biometric information. Once players consent, they lose all their bargaining power when it comes to profiting from their biometric information.
For leagues and their affiliates, they should ensure that appropriate safeguards and procedures are in place to protect players’ biometric information, and that they are compliant with all relevant biometric privacy laws. While it may be beneficial in the short-term to use and profit off athletes’ biometric data derived from wearable technology, there could be irreparable repercussions in the long-term if sports actors do not take these privacy concerns seriously.
[i] Casey Yang is a J.D. and Privacy Law Certificate Candidate for the Class of 2022 at Santa Clara University School of Law
[ii] Darren Rovell, MLB approves device to measure biometrics of players, ESPN (Mar. 6, 2017), https://www.espn.com/mlb/story/_/id/18835843/mlb-approves-field-biometric-monitoring-device.
[iii] David W. Sussman & Amy Egerton-Wiley, Is Betting on an Athlete’s Heart Rate During a Game Coming to Broadcasting?, Hollywood Reporter (July 18, 2020),https://www.hollywoodreporter.com/business/business-news/is-betting-an-athletes-heart-rate-a-game-coming-broadcasting-guest-column-1303582/.
[v] James Colgan, New tech shows exactly how nervous Ryder Cuppers get on the first tee, GOLF (Sep. 24, 2021), https://golf.com/instruction/fitness/new-tech-shows-nervous-ryder-cuppers-first-tee/.
[vi] Sussman & Egerton-Wiley, supra note 2.
[vii] Rovell, supra note 1; see also Mary Bates, Biometric data have the potential to keep athletes safer and healthier, maximize athletic training, augment the fan experience, and provide insights that could win or lose games, IEEE Engineering in Medicine & Biology Society (Jun. 29, 2020),https://www.embs.org/pulse/articles/the-rise-of-biometrics-in-sports/.
[ix] Bates, supra note 6.
[x] Id.; see also Sussman & Egerton-Wiley, supra note 2; see also Jen Booton, Analyzing Movement and Biometrics in Sports, SportTechie (July 30, 2020), https://www.sporttechie.com/biometrics-sports-athletes-performance-injury-prevention.
[xi] Bates, supra note 6.
[xii] Booton, supra note 9.
[xiii] 740 Ill. Comp. Stat. 14/10 (2021).
[xv] Dmitry Shifrin & Mary Buckley Tobin, Past, Present and Future: What’s Happening with Illinois’ and Other Biometric Privacy Laws, The National Law Review (May 28, 2021), https://www.natlawreview.com/article/past-present-and-future-what-s-happening-illinois-and-other-biometric-privacy-laws; see also Sarah Bruno, Jason Gordon, & Erika Auger, Chicago Blackhawks Hit with Illinois BIPA Class Action Over Use of Facial Recognition Technology at Home Games, Reed Smith (March 31, 2020), https://www.adlawbyrequest.com/2020/03/articles/in-the-courts/chicago-blackhawks-hit-with-illinois-bipa-class-action-over-use-of-facial-recognition-technology-at-home-games.
[xvi] Shifrin & Tobin, supra note 14.
[xviii] Cal. Civ. Code § 1798.140(v)(1)(E) (West 2021).
[xix] Cal. Civ. Code § 1798.140(b) (emphasis added); see also Shifrin & Tobin, supra note 14.
[xx] Shifrin & Tobin, supra note 14; see also Jad Sheikali, Recent State Biometric Privacy Bills Put Spotlight On Federal Regulation, Honigman (Apr. 28, 2021), https://www.honigman.com/blogs-the-matrix,recent-state-biometric-privacy-bills.
[xxi] Sheikali, supra note 19.
[xxii] State Biometric Laws are Trending and Class Actions Could be on the Rise, JD Supra (Mar. 24, 2021), https://www.jdsupra.com/legalnews/state-biometric-laws-are-trending-and-2640319/.
[xxiii] Morey J. Haber, Is Your Identity at Risk from Biometric Data Collection?, BeyondTrust (Mar. 21, 2019), https://www.beyondtrust.com/blog/entry/is-your-identity-at-risk-from-biometric-data-collection.
[xxiv] State Biometric Laws are Trending and Class Actions Could be on the Rise, supra note 21.
[xxv] Shifrin & Tobin, supra note 14.