As wearable and analytics technology continues to explode, professional sports leagues, such as the NFL, have aggressively pushed into this field. (See Bloomberg). NFL teams insert tiny chips into players' shoulder pads to track different metrics of their game. Data released during the 2018-2019 NFL season showed that Ezekiel Elliott reached 21.27 miles per hour on a 44-yard run, his fastest of the season. The Dallas Cowboys are not alone: all 32 teams throughout the league can access this chip data, which is collected via RFID tracking devices. Sports statistics geeks don't stand a chance, as this technology will track completion rates, double-team percentages, catches over expectation, and a myriad of other data points.

There are obvious questions and concerns about the use of this technology, and not just at the professional level. Wearables can be found at all levels of sports and athletic activities, including at colleges and high schools. At the professional level, the NFL is unique in that it allows teams to use the chip data during contract negotiations. However, players do not have full access to this information, unless specifically granted by individual teams. This is important since there is much debate over who truly owns this data. And, for a variety of reasons, players and athletes want to know where their information is stored, how it is stored, whether and how it might be used and disclosed, who has access to it, and what safeguards are in place to protect it. Major League Baseball and the Players Association added Attachment 56 to the 2017-2021 Collective Bargaining Agreement to address some of these concerns. But, again, these and other questions are not unique to professional ball players.

With devices ranging from wearable monitors to clothing and equipment with embedded sensors, professional teams, colleges and universities, local school districts, and other sports and athletic institutions, as well as the companies that provide the wearables, can now collect massive amounts of data such as an athlete’s heart rate, glucose level, breathing, gait, strain, or fatigue. On the surface, this data may relate to an athlete’s performance and overall wellness, which may be somewhat apparent to onlookers without the aid of the device. However, alone or aggregated, the data may reveal more sensitive personal information relating to the athlete’s identity, location, or health status, information that cannot be obtained just by closely observing the individual. When organizations collect, use, share, or store this data, it creates certain privacy and security risks and numerous international, federal, and state data protection laws may apply. Any sports or athletic organization that develops a wearable device program, or has reason to believe that these devices are being used by coaches and others to collect similar data, should be mindful of these risks and regulatory issues.

Below is a non-exhaustive list of some of these laws:

EU’s General Data Protection Regulation

Many organizations still may not have heard of the General Data Protection Regulation (GDPR), and many sports and athletic institutions might not have a reason to know because the law does not apply to them. However, GDPR potentially applies, for example, where a team collects, monitors, or analyzes ("processes") a player's personal data obtained through a wearable device during an exhibition game or training session located in the EU. This may be the case even though the team is not established in the EU, the player is not a citizen or resident of the EU at the time of monitoring, and the team is not "targeting" the EU with this practice. For entities not aware of the GDPR, it grants data subjects (possibly the athletes in this example) a whole host of rights, along with significant obligations on the controllers and processors of that data.

California Consumer Privacy Act

The recently enacted California Consumer Privacy Act (CCPA) may apply to a sports or athletic organization that collects the personal data of an athlete who is a California resident, regardless of whether the organization is located in California. Under the Act, a covered business must provide a resident with information about its data collection practices, including the personal information it collects, discloses, and sells, as well as the right to delete this data and to object to its sale. Since the CCPA defines personal information broadly, it may include the personal data that wearable devices typically collect. For example, under the CCPA, personal information includes "biometric information," "geolocation data," "audio, electronic, visual, thermal, olfactory, or similar information," as well as

inferences drawn from any of the information [defined as personal information] to create a profile about a consumer reflecting the consumer’s characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Notably, the Act prohibits an individual from waiving these rights, which may affect a team’s ability to monetize player data.

Family Educational Rights and Privacy Act

The Family Educational Rights and Privacy Act (FERPA), the federal law that protects the privacy of student education records and applies to schools that, in general, receive funding from the U.S. Department of Education, may also apply to a student's personal data collected by a wearable device for a high school or college program. Generally, schools must obtain written permission from the parent or eligible student in order to release any information from a student's education record. This is significant in the context of student wearable devices, since companies are increasingly engaging with colleges and universities to access the performance data of student athletes. Schools may be obligated to perform due diligence and contractually obligate vendors to implement appropriate measures to safeguard the student personal data, as well as to obtain student or parental consent under FERPA.

State Mandates to Safeguard Personal Data

Multiple states impose an affirmative duty to use reasonable measures to safeguard personal data that an organization collects or owns. States such as California, Texas, Florida, and Illinois are among those requiring safeguards specifically for health-related personal data. The applicability of these state laws may depend on the location of the organization's facilities, the athletes' states of residency, and the specific kinds of personal information that are captured by the wearables. Many of these safeguarding laws address security in the abstract and do not mandate specific measures. However, "reasonable" generally implies safeguards appropriate to the sensitivity of the data, and one need only look to existing data security frameworks, such as under HIPAA and the Massachusetts data security regulations, to get a sense of what safeguards may be appropriate. In addition to a statutory duty to safeguard, some organizations may have a common law duty to safeguard an athlete's personal data.

State Mandates Regarding Data Destruction and Disposal

Currently, more than thirty states have data destruction and disposal laws. These laws require taking reasonable steps to securely dispose of records containing personal information by shredding, erasing, or other methods. Among those states, California, Florida, and Illinois are a few that expressly require secure disposal of health-related personal data. As part of meaningful data destruction practices, organizations should also implement a data retention schedule that ensures the destruction of personal data once it is no longer needed.

State Data Breach Notification Laws

All fifty US states have data breach notification laws. In general, these laws require an entity that owns or licenses personal information about a state resident to report a data breach to the individuals whose personal information is affected and, in some cases, to the state attorney general or other agencies. Each state has its own definition of personal information, and states such as California, Texas, Florida, and Arizona include health, medical, and/or biometric information. Unauthorized acquisition of or access to personal information collected by wearables, whether by hackers trying to get sensitive information about well-known athletes or caused by a local high school coach losing a drive with that information, can require notifications to the athletes, creating significant exposure and reputational harm to the institution. With athletes often being residents of various states, reporting a breach may involve complying with the laws of multiple jurisdictions.

Vendor Contract Statutes

An increasing number of states, including California, Massachusetts, and Oregon, statutorily require a business to conduct due diligence before sharing or disclosing certain categories of personal information to a third-party service provider. Many of these statutes also require contractually obligating the vendor to maintain safeguards appropriate to the sensitivity of the data, which is a good practice even if a written agreement is not mandated by the statute. In the professional sports context, these obligations could apply to a team sharing data with vendors in the course of trade negotiations or any attempt to monetize the player's data. For younger athletes, local education institutions may be required to take similar measures with regard to sharing information with third parties. For example, in California, when "local educational agencies" obtain services from third parties involving the processing of "pupil records," their contracts with those third parties must address certain issues concerning those pupil records, such as who owns the records, the security of those records, and how they may be used and accessed. Under the law, local educational agencies include school districts, county offices of education, and charter schools. And "pupil records" include "any information directly related to a pupil that is maintained by the local educational agency," which could include information gathered by coaching staffs and other personnel through wearables used by the students. Cal. Ed. Code § 49073.1.

Conclusion

The wearable tech industry is booming. It brings innumerable potential benefits as well as significant data privacy and security risks. Organizations that collect, use, and store athlete personal data face increasing compliance obligations as the law attempts to keep pace with technology, cybersecurity crimes, and public awareness of data privacy and security. Creating a robust data protection program or regularly reviewing an existing one is a critical risk management and legal compliance step.

Joseph J. Lazzarotti is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. He founded and currently leads the firm’s Privacy, e-Communication and Data Security Practice, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Mr. Lazzarotti also is a member of the firm’s Employee Benefits Practice Group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Privacy and cybersecurity experience – Mr. Lazzarotti counsels multinational, national and regional companies in all industries on the broad array of laws, regulations, best practices, and preventive safeguards. The following are examples of areas of focus in his practice:

  • Advising health care providers, business associates, and group health plan sponsors concerning HIPAA/HITECH compliance, including risk assessments, policies and procedures, incident response plan development, vendor assessment and management programs, and training.
  • Coaching hundreds of companies through the investigation, remediation, notification, and overall response to data breaches of all kinds (PHI, PII, payment card, etc.).
  • Helping organizations address questions about the application, implementation, and overall compliance with European Union’s General Data Protection Regulation (GDPR) and, in particular, its implications in the U.S., together with preparing for the California Consumer Privacy Act.
  • Working with organizations to develop and implement video, audio, and data-driven monitoring and surveillance programs. For instance, in the transportation and related industries, Joe has worked with numerous clients on fleet management programs involving the use of telematics, dash-cams, event data recorders (EDR), and related technologies. He also has advised many clients in the use of biometrics including with regard to consent, data security, and retention issues under BIPA and other laws.
  • Assisting clients with growing state data security mandates to safeguard personal information, including steering clients through detailed risk assessments and converting those assessments into practical “best practice” risk management solutions, including written information security programs (WISPs). Related work includes compliance advice concerning FTC Act, Regulation S-P, GLBA, and New York Reg. 500.
  • Advising clients about best practices for electronic communications, including in social media, as well as when communicating under a “bring your own device” (BYOD) or “company owned personally enabled device” (COPE) environment.
  • Conducting various levels of privacy and data security training for executives and employees.
  • Supporting organizations through mergers, acquisitions, and reorganizations with regard to the handling of employee and customer data, and the safeguarding of that data during the transaction.
  • Representing organizations in matters involving inquiries into privacy and data security compliance before federal and state agencies including the HHS Office of Civil Rights, Federal Trade Commission, and various state Attorneys General.

Benefits counseling experience – Mr. Lazzarotti’s work in the benefits counseling area covers many areas of employee benefits law. Below are some examples of that work:

  • As part of the Firm’s Health Care Reform Team, he advises employers and plan sponsors regarding the establishment, administration and operation of fully insured and self-funded health and welfare plans to comply with ERISA, IRC, ACA/PPACA, HIPAA, COBRA, ADA, GINA, and other related laws.
  • Guiding clients through the selection of plan service providers, along with negotiating service agreements with vendors to address plan compliance and operations, while leveraging data security experience to ensure plan data is safeguarded.
  • Counseling plan sponsors on day-to-day compliance and administrative issues affecting plans.
  • Assisting in the design and drafting of benefit plan documents, including severance and fringe benefit plans.
  • Advising plan sponsors concerning employee benefit plan operation, administration, and the correction of errors in operation.

Mr. Lazzarotti speaks and writes regularly on current employee benefits and data privacy and cybersecurity topics, and his work has been published in leading business and legal journals and media outlets, such as The Washington Post, Inside Counsel, Bloomberg, The National Law Journal, Financial Times, Business Insurance, HR Magazine, and NPR, as well as the ABA Journal, The American Lawyer, Law360, Bender's Labor and Employment Bulletin, the Australian Privacy Law Bulletin, and the Privacy and Data Security Law Journal.

Mr. Lazzarotti served as a judicial law clerk for the Honorable Laura Denvir Stith on the Missouri Court of Appeals.