Biometric Data and Athletes: Privacy Law and Compliance Implications

Nov 28, 2025

By Jacqueline Klosek, Jon Ng and Jacob Lee, of Goodwin Procter

Wearables, AI-powered computer‑vision tools, and analytics platforms now collect and process heart‑rate variability, facial vectors, sleep metrics, and other data athletes and players rely on to optimize performance, prevent injuries, and gain competitive advantages. However, these innovations require the collection of information that can be used for identification or that reveals health information, which is regarded as “sensitive” or “biometric” data. The collection and processing of such data is subject to regulation under global data protection and privacy laws. Sports organizations, clubs, leagues, and technology vendors must navigate a complex web of compliance obligations when collecting and processing this information. This article analyzes the key legal implications of biometric data processing in the sports context and outlines best practices for compliance.

What Is Biometric Data?

Biometric data refers to information derived from unique biological or behavioral characteristics that can identify individuals. In sports, this data typically includes physiological data (e.g., retina scans and fingerprints), behavioral data (e.g., reaction time or voice patterns), and health and performance metrics (e.g., heart rate or body temperature). This information is often collected through wearables, smart apparel, performance monitoring systems, and even video surveillance technologies during training and competition.

Jurisdictional Overview

The European Union’s General Data Protection Regulation (GDPR) and its United Kingdom (UK) equivalent define biometric data as a special category of personal data, subject to heightened protection due to its sensitivity. Article 9(1) of the GDPR prohibits processing biometric data for uniquely identifying a person unless an exception applies, such as explicit consent, compliance with employment or social protection law, or substantial public interest based on Union or Member State law. The UK’s Information Commissioner’s Office has also issued guidance on biometric recognition systems, emphasizing risk assessments and the principles of necessity and proportionality. Similarly, privacy laws in countries such as Canada and Australia treat biometric data as sensitive personal information, requiring higher levels of protection and stricter processing rules.

In contrast, the US lacks a comprehensive federal biometric privacy law. However, several states, most notably Illinois, Texas, and Washington, have enacted specific biometric privacy statutes imposing strict consent and disclosure requirements. Other states, including California, Colorado, and Connecticut, have adopted comprehensive privacy or health privacy laws (Washington’s My Health My Data Act being one example) that classify biometric data as sensitive personal information subject to enhanced protections. And, of course, biometric data is also regulated as personal information under the numerous state comprehensive consumer privacy laws in effect.

Potential Liabilities

Sports organizations, device manufacturers, and other entities that collect or control athletes’ biometric data must comply with applicable privacy frameworks and industry best practices. Noncompliance can result in significant legal and financial liability, as well as reputational harm affecting public perception, sponsor trust, and athlete relations. Under the GDPR, violations can result in fines of up to €20 million or 4% of global annual turnover. In the US, failure to comply with state biometric privacy laws may trigger substantial penalties from state attorneys general. Illinois’ Biometric Information Privacy Act (BIPA) is particularly notable. Unlike similar laws in Washington and Texas, BIPA allows individuals to bring private lawsuits for actual or perceived noncompliance, in addition to providing statutory damages of $1,000 to $5,000 per violation.

Consent, Notice, Use Limitations, and Autonomy

Where consent for collection of certain categories of biometric data is required by law, organizations should obtain freely given, specific, informed, and unambiguous consent prior to collecting athletes’ biometric data. Organizations should also provide clear notice describing the types of data collected, the purposes of collection, how the data will be used and stored, and with whom it will be shared. Under certain legal frameworks such as BIPA, required consents must be informed and “in writing” (though collection through a “click-through” is the most common approach).

The validity of consent in the employer-employee context, which professional sports relationships often fall under, is subject to scrutiny due to real or perceived power imbalances inherent in the relationship between athletes and the managing sports organization. For example, the European Data Protection Board has advised employers to avoid relying solely on consent and instead consider alternative legal bases, such as performance of a contract, compliance with legal obligations, or legitimate interest.

Organizations may not use biometric data for purposes beyond the original purpose of collection without obtaining additional consent. For example, if biometric data is collected to monitor injury risk, it cannot later be repurposed for unrelated secondary purposes without further disclosure or, in some cases, consent. Under BIPA, it is also unlawful for private entities to sell, lease, trade, or otherwise profit from an athlete’s biometric identifiers.

Data Security and Retention

Organizations processing biometric data must implement robust physical, technical, and organizational safeguards, including written information security policies and incident response protocols, to protect the biometric data in their possession.

Organizations must also comply with strict data retention requirements, limiting processing to only as long as necessary to fulfill the stated purpose. BIPA, for example, requires organizations to maintain written data retention schedules and destruction policies, mandating deletion once the initial purpose of collection has been satisfied or within three years of the individual’s last interaction with the entity. Organizations must also inform athletes of the length of time their biometric data will be collected, stored, and used.

Third-Party Vendors and Data Sharing

The use of wearable technology platforms and analytics services introduces additional compliance challenges. Vendor due diligence should assess the provider’s security posture, privacy practices, and use of subcontractors. Cross-border data transfers, such as transmitting performance data of European athletes to cloud servers in the US, require appropriate safeguards, including standard contractual clauses. Further, under the GDPR and many US state privacy laws, any vendor processing biometric data on behalf of a controller (e.g., a sports club) must be bound by data processing agreements (DPA) and act only on documented instructions.

Youth Athletes

Organizations collecting biometric data from minors, such as for youth sports programs, must offer age-appropriate explanations, implement enhanced safeguards, and avoid profiling or commercial use of such data, which is subject to heightened scrutiny. Under the GDPR, parental consent is required for children under 16 (or lower, depending on Member State law) before processing their personal data. Similarly, in the US, the Children’s Online Privacy Protection Act requires verifiable parental consent before collecting data from children under 13.

Profiling, Discrimination, and Ethical Risk

Using biometric data to evaluate player potential, resilience, or injury risk can lead to algorithmic profiling and bias. Many data protection laws restrict automated decision-making that produces legal or similarly significant effects (e.g., benching, contract renewals) unless specific conditions are met, such as, depending on the jurisdiction, consent or another lawful basis for processing. Even then, athletes must retain the right to contest decisions and request human review. Unregulated profiling may also violate anti-discrimination laws, particularly if models encode biases related to race, gender, or disability.

Best Practices for Compliance in Sports Organizations

To minimize legal risk and foster ethical data use, sports organizations should:

  1. Conduct an impact assessment before deploying biometric technology;
  2. Use the minimum necessary data and adopt privacy-by-design principles;
  3. Enter into robust contracts with vendors and processors, including DPAs that protect data;
  4. Establish and implement data retention and deletion protocols;
  5. Ensure athletes are informed of their rights, including the rights to object, to access, and to erasure;
  6. Implement staff training on data handling and incident response.

Biometric data offers valuable insights into athletic performance but also introduces the potential for significant legal, ethical, and reputational risks. As regulatory scrutiny intensifies and litigation proliferates, clubs, leagues, and vendors must prioritize compliance, transparency, and athlete autonomy. By embedding privacy into their biometric strategies, sports organizations can harness innovation without compromising individual rights or incurring unknown liabilities.
