Wearables present new realm of legal risks for teams
Reaching peak athletic performance is an increasingly scientific and quantitative pursuit, and professional sports franchises, which have tremendous financial and emotional motivation to be the best, are at the forefront in gathering as much data about their assets as possible. FitBits, Apple Watches, and more specialized wearable devices are becoming indispensable as athletes and teams recognize the potential offered by biometric data to optimize player performance and avoid injury.
Not all franchises have considered the full legal ramifications of this data collection. While most recognize that the information collected could constitute “protected health information” under the Health Insurance Portability and Accountability Act (HIPAA), with its attendant privacy and security obligations, fewer appreciate the potential risk of the Fair Credit Reporting Act (FCRA).
The compilation and communication of biometric data from wearables to third parties (i.e.,not the team currently employing the athlete) may result in the entity that maintains the databases becoming a consumer reporting agency (CRA) subject to extensive regulation under the FCRA. That raises important questions for teams and franchise associations looking to compile leaguewide databases to help teams decide whether to sign or renew contracts with athletes, or make compensation or other related decisions.
As teams and leagues become more sophisticated in their use of wearables data, this scenario looms. For example, Major League Baseball maintains an injuries database to which all teams must provide data. As collective bargaining agreements with the players’ unions are renegotiated, wearables have been, and will be, a hot topic. Legalized sports betting will only increase the concern.
The FCRA is enforced by the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and private litigants, and applies to CRAs and purchasers and/or users of “consumer reports” provided by CRAs. The FTC and CFPB may impose civil penalties and obtain other relief against violators, and in a private lawsuit, consumers may obtain statutory damages for willful violations of the Act ranging from $100 to $1,000 for each violation, plus punitive damages, court costs, and reasonable attorney fees.
The answers to three questions determine whether wearables’ data relating to professional athletes would fall within the scope of the FCRA:
■ Are professional athletes protected by the FCRA?
■ Are reports containing data collected from professional athletes’ wearable devices “consumer reports?”
■ Would the use by a sports team of third-party databases containing these reports for employment or similar purposes trigger the FCRA’s protections?
The FCRA’s definition of “consumer” is broad, encompassing all “individuals.” Also, the Act has extensive provisions governing obtaining consumer reports on employees. It is likely that professional athletes would qualify as “consumers” under the FCRA.
The FCRA’s definition of a “consumer report” is not so clear-cut. If the data collected from wearables is compiled into reports for inclusion in leaguewide databases used by teams to make employment-related decisions (e.g., MLB’s injuries database), the wearables data could potentially fall within the scope of the FCRA. This type of communication of data to parties other than the player’s own team could make the collecting entity a CRA, bringing reports compiled by the entity within the Act’s scope.
In answer to the final question — does the use of shared databases containing wearable device data for employment or similar purposes trigger the FCRA’s protections — the FCRA provides that covered consumer reports involve information “used or expected to be used or collected in whole or in part for” various listed purposes, including employment decisions. If the information is expected to be used for a covered purpose, or if the information was in fact collected for a covered purpose, the report is a consumer report, even if the user applies the report to a different purpose. If the entity furnishing the report to the team qualifies as a CRA, the FCRA’s protections likely are triggered, and the team and reporting entity would need to comply with its requirements.
The FTC has not been shy in pursuing “big data” cases, including cases of alleged FCRA violations. For example, in 2012, it obtained a consent decree that provided for $800,000 in civil penalties and other relief against an online data broker that compiled and sold detailed information profiles on consumers. Although the company attempted to avoid FCRA coverage by prohibiting use of its information for FCRA-covered purposes, the FTC claimed that it did not adequately enforce that prohibition, and, therefore, its reports to clients were consumer reports and the company was a CRA.
The applicability of the FCRA to wearables data is unclear, but as sports teams and leagues contemplate new ways to measure player and team performance, potential uses may implicate the FCRA. If so, they will need to implement appropriate compliance procedures to avoid the costly penalties and litigation that may follow in the wake of a violation.
Elizabeth E. McGinn is a partner and Jonathan D. Jerison is senior counsel at Buckley LLP. James T. Shreve is a partner with Thompson Coburn LLP. The authors wish to thank Buckley counsel John B. Williams III for his contributions to this column.