Gauging Professional Sport Biometric Data Privacy Concerns
This article was originally published in Law360 on May 15, 2025, and is republished here with permission.
In today’s data-driven sports industry, teams, leagues and sponsors increasingly rely on biometric and performance data to enhance player performance, prevent injuries and optimize contract negotiations. Such data collection often includes highly sensitive physiological and health information that goes beyond mere statistics, prompting additional ethical and legal considerations.
However, this growing reliance on highly sensitive data raises significant legal and privacy concerns, particularly in light of evolving biometric privacy laws like the Illinois Biometric Information Privacy Act, or BIPA,[1] as well as other consumer privacy and data protection laws at the state and international level that impose heightened requirements on the collection and processing of biometric data, including several U.S. state consumer privacy laws and the European General Data Protection Regulation.[2]
Professional sports leagues and their respective clubs that utilize biometric and performance data should be aware of these risks, as well as of other related legal and regulatory considerations, and the measures they can take to help minimize their exposure to potential liability.
In addition, these organizations need to be mindful of the various implications that their reliance on biometric and performance data can and will have on contract negotiations with athletes, and the issue of data ownership. These critical aspects surrounding the collection and use of biometric data in professional sports today, and how they are likely to evolve, are examined below.
Player Monitoring and Biometric Data Collection
Hypothetical
A star football player consents to wearable technology usage for injury prevention. Over time, the system collects data indicating a higher-than-normal risk of certain muscle tears. The club’s medical staff and coaching personnel have access to these metrics, which prompts the player’s agent to worry that this information might reduce the player’s contract value. The league, meanwhile, points to the health benefits of preemptive care.
This scenario illustrates how both parties — player and team — can benefit from early detection, but also sets up a possible dispute over how such predictive data could negatively affect negotiations.
Analysis
Professional sports organizations leverage cutting-edge technologies such as wearable devices, motion-tracking systems, and artificial intelligence-driven analytics to collect and analyze player biometrics, including heart rate variability, sleep cycles, hydration levels and muscle recovery patterns.[3] The promise of these tools is clear: improved training, better gameplay strategies and enhanced player health management.
However, while these innovations are designed to optimize performance and provide unparalleled insights into player conditioning, long-term potential and health, they also introduce substantial privacy risks. The data collected can reveal personal and sensitive information about an athlete’s physical and mental state, including fatigue levels, injury risks and overall fitness.
The improper handling or any unauthorized access or misuse of this data could have severe repercussions for players’ careers and reputations, as well as invite legal disputes. For instance, publicizing data that highlights an athlete’s performance decline could damage their marketability, leading to fewer endorsement deals or public scrutiny. In addition, this data could be used against players in situations where their performance drops due to injury, age or fatigue — putting them at a disadvantage both on and off the field.
BIPA and similar state laws impose stringent restrictions on the collection, storage and use of biometric data. Under BIPA, for example, organizations must obtain explicit, informed consent from individuals before collecting their biometric identifiers, provide clear notice regarding data usage and retention, and implement robust security measures to protect the integrity of such data.
Washington[4] and Texas[5] have also enacted biometric privacy laws that, while not as far-reaching as BIPA, impose obligations on entities collecting biometric data.
Washington’s law mandates that entities inform individuals about biometric data collection and obtain consent, while Texas’ statute prohibits the sale or disclosure of biometric data without explicit permission.
In addition, with legislative trends pointing toward heightened data privacy considerations, a number of other states are considering enhanced biometric privacy protections, signaling a steady trend toward stricter regulations nationwide.
League Policies on Biometric Data
As illustrated below, major U.S. professional leagues have taken steps to define the scope of biometric data usage in player monitoring, reflecting growing awareness of data privacy concerns at the league level.
- The NFL implemented rules in 2020 allowing teams to collect biometric data, but restricted how it can be used in contract negotiations;
- The NHL is currently updating its collective bargaining agreement to require player consent prior to using their biometric data collected during games or practices; and
- The MLB established policies in 2020 granting players the ability to review and control access to their biometric data.[6]
Obtaining consent is an important first step, but it only addresses the immediate issue of unauthorized data collection. It does not account for the ongoing or long-term use of that data, such as how it might be shared, stored or used in negotiations years after it was originally collected.
In addition, consent agreements are often complex and may be signed under duress, with players feeling pressure to comply in order to secure their place on the team.
As biometric tracking becomes more embedded in sports science, leagues will likely continue refining their policies to balance competitive advantages with player privacy rights. Future iterations of the policies may include language addressing the use of anonymization or pseudonymization, as well as restrictions on data sale or licensing to third parties.
Data Ownership and Usage Rights
Hypothetical
A basketball franchise invests in a proprietary performance analytics platform. The player’s data is shared with third-party sports medicine providers for treatment recommendations. Midseason, the player is traded, but the franchise retains full access to the athlete’s historical biometrics — even after the athlete has joined a new team.
Disputes arise over whether the athlete can request deletion of older data, whether that data can be retained by the former team and used as a competitive advantage, or whether the former team can profit from aggregated datasets that the team uses in broader commercial ventures.
Analysis
Determining who owns the data collected from athletes is a complex and sometimes controversial legal issue. This is especially prevalent in the context of biometric and performance data, which have direct implications for salary negotiations, injury risk assessment and market valuation.
Does the data belong to the athlete, the team, the league or the technology provider? Clear contractual agreements are essential to outline data ownership and usage rights, preventing potential disputes and ensuring fair use of athlete information.
CBAs play a pivotal role in defining the extent of biometric data usage in professional leagues. For example, in 2017, the National Basketball Players Association has negotiated provisions regarding the collection and use of wearable technology data, ensuring that players retain specific rights over their personal biometric information.
As biometric tracking becomes more advanced, future CBAs will likely refine these protections further.
Legal and Regulatory Considerations
Beyond BIPA, Washington and Texas laws, other state and international regulations affect how leagues, clubs, and teams collect and use biometric and performance data in professional sports. Below are some notable examples.
U.S. State Consumer Privacy Laws
Currently, there are 20 states that have enacted consumer privacy laws — some of which are already in effect — while others become effective later this year or next.[7]
Biometric data is considered sensitive data under all of these laws, which expand their respective protections to residents of those states — including athletes — by either: (1) requiring covered businesses to provide specific notice and obtain consent before collecting or processing biometric data or identifiers from those individuals, as is the case under most state consumer privacy laws; or (2) granting individuals additional rights, such as the ability to limit the use and disclosure of their biometric data to only those purposes that are expressly permitted by statute.
Interestingly, unlike BIPA, which does not explicitly require that consent be freely given prior to collecting and processing individuals’ biometric data or identifiers, nearly all state consumer privacy laws enacted to date have adopted a similar definition of consent to mean a clear affirmative act signifying an individual’s freely given, specific, informed and unambiguous agreement.
Given the power imbalance between athletes and sports organizations, there are concerns about whether consent can truly be freely given. If an athlete must provide their biometric data to be eligible for competition, can their consent truly be considered voluntary?
In addition, contrary to BIPA, several state consumer privacy laws require entities that collect and process biometric data for their own or commercial purposes to perform a risk assessment that is designed to help organizations identify, analyze and minimize the privacy risks associated with their data collection, use, retention and disclosure practices. This is also known as a data protection impact assessment.
With that said, the requirements associated with data protection impact assessments vary by state.
General Data Protection Regulation
European professional sports leagues, teams and clubs, as well as athletes, particularly those competing in international leagues or events, likely fall under the jurisdiction of the GDPR, which imposes strict data protection and privacy requirements on the processing of biometric data, classified as a sensitive form of data under the law.
For example, entities must have a lawful basis to process such data before they can do so, such as (1) obtaining explicit consent from European athletes, which is similar to how consent is defined under state consumer privacy laws; or (2) if the processing is necessary to fulfill employment obligations or exercise specific rights, as long as it’s authorized by relevant domestic law or collective agreements with appropriate safeguards for the European athlete.
GDPR-regulated organizations processing European athletes’ biometric data must implement robust security measures, provide transparency regarding data use and facilitate data subject rights such as access, rectification and erasure, unless an exception applies.
In addition, since biometric data is considered a sensitive type of data under the GDPR, entities that are subject to it must also carry out a data protection impact assessment prior to processing such data.
Key Takeaways for Professional Sports Organizations
Real-Life Scenario
In an international soccer league, teams adopt real-time biometric monitoring for performance optimization. Players agree to share data with medical staff, coaches and nutritionists. However, the league’s sponsors — which produce the wearable devices — start requesting anonymized and aggregated data for their own research and development.
Some players fear commercial exploitation and question how truly anonymized such data can be. Ultimately, the league’s regulatory body may be required to negotiate stricter anonymization protocols on behalf of the players and league, but the controversy highlights how easily data may cross boundaries once it is collected.
Analysis
As biometric and performance data collection grows more sophisticated, stakeholders in professional sports must navigate an increasingly complex legal landscape to ensure compliance and protect player rights.
In addition to legal obligations, ethical considerations around fairness, consent and athlete welfare are equally pressing. Professional sports leagues and teams implementing comprehensive policies around wearable tech and data privacy is crucial to safeguard athlete rights. Below are some best practices to consider.
Obtain explicit, informed consent.
Ensure athletes understand exactly what data is being collected, how it will be used and who will have access. Consent forms should detail any potential data-sharing with third parties and specify any monitoring beyond training and games, as well as conform with any related requirements under applicable privacy laws. Emphasize that athletes can revoke consent or request data deletion where permitted by law.
Limit monitoring to relevant times.
Restrict data collection to training and competition settings to respect athlete privacy during personal time. Clear policies should outline specific circumstances in which ongoing monitoring is justified and limit unnecessary data collection.
Secure data against misuse.
Implement strong data security measures to help prevent unauthorized access to and/or use of biometric and performance data.
Set clear expectations with third-party providers.
Require third-party vendors that process biometric and performance data on your behalf to comply with applicable data protection laws and establish data security measures that protect against unauthorized access to or use of such data.
These agreements should explicitly outline the vendor’s privacy and security responsibilities, as well as offer broad indemnification rights to the contracting league and/or team if the vendor’s mishandling of the data leads to a security incident.
[1] 740 ILCS 14/1 et seq. (Illinois Biometric Information Privacy Act), available at https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004.
[2] Regulation (EU) 2016/679, General Data Protection Regulation (GDPR), available at https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng.
[3] Jen Booton, Analyzing Movement and Biometrics in Sports, Sports Business Journal (Jul. 29, 2020), available at https://www.sportsbusinessjournal.com/Daily/Issues/2020/07/30/Technology/biometrics-sports-athletes-performance-injury-prevention/ (subscription may be required).
[4] Wash. Rev. Code § 19.375.010 et seq. (Washington Biometric Privacy Protection Act), available at https://app.leg.wa.gov/RCW/default.aspx?cite=19.375.
[5] Tex. Bus. & Com. Code Ann. § 503.001 et seq. (Texas Capture Or Use Of Biometric Identifier Act), available at https://statutes.capitol.texas.gov/docs/bc/htm/bc.503.htm.
[6] Nick Fustor, MLB Approves Use of Device to Measure Biometrics of Players, Fox Sports (Mar. 2020), available at https://www.foxsports.com/stories/mlb/mlb-approves-use-of-device-to-measure-biometrics-of-players. Tom Friend, Biometrics Language Evolving with Each New CBA, Sports Business Journal (Aug. 1, 2022), available at https://www.sportsbusinessjournal.com/Journal/Issues/2022/08/01/In-Depth/Biometrics (subscription may be required).
[7] International Association of Privacy Professionals (IAPP), US State Privacy Legislation Tracker (Last Updated Apr. 7, 2025), available at https://iapp.org/resources/article/us-state-privacy-legislation-tracker/.
