The use of wearable technology (colloquially known as “wearables”) has been on the radar of athletes, sponsors, sports teams and leagues for years, with the various constituencies carefully balancing the necessity for player privacy with growing professional and financial interests. Following the Supreme Court’s decision in Murphy v. NCAA, which overturned the Professional and Amateur Sports Protection Act and cleared the way for more widespread legalized gambling, the regulation of how wearables may be used has gained attention. Analysis of these developments is complicated by the evolving legal landscape surrounding wearable tech, the privacy implications and the various types of biometric data it may collect.
What Are Wearable Devices?
Wearable technology is a blanket term for a type of electronic monitor that can be worn on the body, typically either sewn into clothing or otherwise incorporated in an accessory and often wirelessly connected to the internet to transmit data collected through sensors in the device. Wearables can track a wide variety of information about the wearer, such as heart rate, glucose levels, pulse oximetry, sleep patterns, gait, and other physical and physiological metrics that can facilitate the assessment of performance and recovery in sports. These physical and physiological data points may be considered “biometric information” under the definitions of that term that appear in certain laws. Within the broader category of biometric information is a subset of data referred to as “biometric identifiers,” which are unique biological characteristics that can be used to identify a person. Examples of biometric information are more general data points such as height and weight, whereas a fingerprint is considered a biometric identifier because it is unique to an individual. For athletes and coaches, wearables can provide meaningful insights about athletic performance, stress, rest and recovery, and their use has grown exponentially in recent years.
The Current State of Wearables in Professional Sports and the NCAA
Currently, Major League Baseball (MLB) permits wearables to be used in games, thereby allowing for analysis of the causes of various ailments common among baseball players, such as specific stresses on pitchers. For example, a common injury suffered by pitchers, an ulnar collateral ligament (UCL) tear, can sideline a player for well over a year. In 2016, MLB and the MLB Players Association approved the in-game use of a sensor-laden sleeve designed to specifically measure the stress on a pitcher’s arm throughout a game. In addition to measuring pitch count, the sleeve measures arm speed, rotation and force on the elbow with every throw, possibly allowing pitchers to avoid injury through rest and pitch correction. While the sleeve is pitcher-specific, MLB players in any position may utilize other types of wearables; for example, players may use wrist sensors that measure heart rate and body strain over a day, heart rate and breathing monitors, or GPS trackers. Although use of these devices is allowed during games and practice, a player’s use is strictly voluntary and can be terminated by the player at any time. In fact, the most recent MLB Collective Bargaining Agreement (the MLB CBA) states that a team must destroy the information collected by wearables if requested by a player.
Similar to the MLB CBA, the National Basketball Association’s 2017 Collective Bargaining Agreement (the NBA CBA) sets certain standards to combat the potential manipulation of wearables, codified in Article XXII Section 13. Use is prohibited during games, and use in practice is strictly voluntary. The NBA CBA specifies that “data collected from a Wearable worn at the request of a team may be used for player health and performance purposes and Team on-court tactical and strategic purposes only.” To honor this stipulation, any team requesting a player use wearable technology must explain in writing precisely what’s being tracked, how the team will be using this data and the benefits to the player of obtaining and analyzing the data. In addition to the player, this written explanation goes to the Wearables Committee, a six-person panel composed of three representatives from the players’ union and three from the NBA itself. Per the NBA CBA, the Wearables Committee is also charged with reviewing and approving wearable devices as well as setting the proper cybersecurity standards for the retention of biometrics. The MLB CBA implemented a similar panel, the Joint Committee on Wearable Technology, composed of members from the MLB Players Association and MLB.
The NBA CBA outlines the specific consequences for misuse of players’ biometric data. If the player agrees to use the wearable, the NBA CBA explicitly prohibits the use of this collected biometric data in contract and salary negotiations. Any team found in violation of the prohibition faces a $250,000 fine. Despite this potential threat, NBA players may still find themselves wary of the misuse of biometric information. By the terms of both the NBA CBA and the MLB CBA, players are allowed to cease use of wearables at any time for any reason. With technology still developing rapidly, these agreements set important standards concerning the ownership of this potentially sensitive data and attempts to balance both teams’ and players’ desires for excellence with appropriate privacy protection.
The NFL Players Association offered its athletes the opportunity to monetize their own athletic performance data. In 2017, the NFL Players Association announced a five-year partnership with a wearables company with the hope of accurately tracking recovery in between games and workouts. The deal explicitly lays out that the players themselves control the data and have rights to sell it to third parties if they so choose. In this scenario, ethical considerations relevant to monetizing private data are in the hands of each player rather than those of the teams or leagues.
In the college context, without a players’ union to advocate for specific standards concerning wearable use, ad hoc wearable use is regulated by school and NCAA rules. The NCAA does allow the use of wearables in games; however, it prohibits real-time data analysis during games to the extent such analysis is used to make performance-enhancing adjustments. As wearables become more sophisticated and their use is increasingly ubiquitous, it is likely that guidelines of this nature will evolve.
Other Laws and Regulations Relevant to Wearables
Currently in the United States, three states – Illinois, Texas and Washington – have implemented laws that regulate the collection and retention of biometric identifiers. Given technological developments that have occurred since the Illinois and Texas laws were passed (in 2008 and 2009, respectively), it is perhaps understandable that the definition of biometric identifiers in those laws is limited to retina or iris scans, fingerprints, voiceprints, and hand or face geometry. As a result, in their current form, those laws do not apply to many types of data captured by a wearable tracker. However, the newer Washington law includes “other unique biological patterns or characteristics” in its definition of biometric identifier, which could be interpreted to cover the type of data collected by many wearables. Additionally, the newly passed California Consumer Privacy Act includes exercise or health data in its definition of biometric information, which means data collected by wearables is likely to be subject to a host of new regulations beginning in June 2020.
Beyond laws governing the collection and retention of biometric data, several state data security breach laws, including the Colorado, Maryland, North Carolina and Wisconsin statutes, have added “biometric data” to their definitions of personal information that, if compromised, may trigger an obligation to provide notification to regulators and affected individuals. As the use of biometric identifiers in everyday life becomes more and more common and value of data collected by wearable technology continues to increase, it is likely that wearable technology companies and their rich stores of personal information will be appealing targets for hackers.
Given the exponential growth of wearable technology, as well as skyrocketing reliance on biometric identifiers, it seems inevitable that additional legislation will be proposed, perhaps including laws that would govern the manufacture and use of objects and clothing that harvest biometric data as well as the ways in which that data may be used and shared.
Players should educate themselves on their rights and the potential privacy implications if they choose to collect, share and/or allow third parties to have access to their data derived from wearables. Despite not being specifically covered by the Health Insurance Portability and Accountability Act (HIPAA), best practices would demand similar confidential treatment for all who have access to such data. Leagues, teams, players, developers and other interested parties should closely follow legal developments and be vigilant in their data protection efforts to ensure they remain in compliance with the various agencies and governments regulating the various aspects of wearable technology. For more information and guidance, please contact Melinda McLellan, Ronald Gaither, Elizabeth McCurrach or Robyn Feldstein.