Esports Face Significant Legal Risk Over the Collection and Use of Biometric Data


SportTechie Legal

This SportTechie Legal article was written by Aalok K. Sharma, an attorney at Stinson Leonard Street LLP.

Sports data is a valuable commodity. It can be used by broadcasters to bring fans closer to the game, or serve as a framework for fantasy sports or sports betting. There is a consensus that data is critical to the sports industry’s growth, but in recent years, the legal stakes over its use, especially including the use of biometric data, have escalated. While many traditional sports leagues address the legality of data use through collective bargaining agreements, esports have not yet managed to do the same.

Without the constraints of an organized league framework, esports have flourished. Game publishers from Activision Blizzard to Ubisoft have created competing leagues, viewership has skyrocketed, and sponsorships have rolled in. But the lack of collective bargaining in esports may pose a business risk, as leagues may not be able to fully aggregate and monetize biometric data from their athletes.

The NBA’s collective bargaining agreement, for example, provides for the use of wearables, and further describes how the data they generate can be used. Some players’ associations also have agreements with device manufacturer WHOOP to track and monitor athlete biometric data. In comparison, most esports leagues do not have players’ associations, let alone collective bargaining agreements. Yet that hasn’t stopped esports leagues from attempting to acquire data.

In 2019, several leagues, including ELeague, will allow wearables that track eye movement and heart rate data. And, as most leagues stream content, fans may be able to view those metrics on screen in real-time. But with complex regulatory schemes that vary from state to state, and internationally with GDPR regulations, there are significant hurdles that exist. Esports leagues must carefully consider how they’ll be able to extract data from their athletes, including those that are under 18 years old.

Collective bargaining agreements in pro sports set out parameters for how leagues and athletes can work together. Without collective bargaining, esports leagues will have to negotiate individually with their athletes to capture data. Entering into agreements individually will not only take time, but presents significant legal complications.

The average esports player is somewhere in their mid-20s, but many are younger than 18. Because minors do not have the legal capacity to enter into agreements, a child could void an agreement at any time. An esports league could undertake business costs to put a system in place, but then face the uncertainty that some of its athletes can void the agreement.

Sports business, tech, analytics

Esports are also truly international—there are no national borders in League of Legends, Overwatch League, or Fortnite. However, because gamers are physically located in real places, including in different countries, leagues need to grapple with jurisdiction specific biometric data laws.

In the past several years, some U.S. states have passed data privacy laws that are designed to create transparency about the transfer of biometric data. Generally, those transparency rules require consent and disclosure—two hallmarks of the E.U.’s GDPR regulations. For example, in 2008 the Illinois legislature passed the Biometric Information Privacy Act. BIPA applies to biometric identifiers such as facial scans, finger prints, and retina scans. It imposes obligations regarding the collection, destruction, and disclosure of biometric identifiers.

Similarly, California recently passed the California Consumer Privacy Act, which will go into effect in 2020. The CCPA requires certain businesses comply with stringent requirements, including transparency about the sale of data. Perhaps more importantly, the CCPA provides for civil penalties, including up to $7,500 for each intentional violation.

Esports leagues need to undertake the responsibility to mitigate litigation risk that could arise from a violation. The first step is for leagues to provide the type of legal disclosure that is necessary. To comply with Illinois law, that disclosure must identify the biometric information that is being collected, and state the purpose and length of time it will be stored or used. The leagues also need to inform the public about why they are collecting the data, and how they will destroy the data once they no longer need it.

Esports face significant risks without collective bargaining, but also may face hurdles that make implementing a CBA complicated. As leagues attempt to monetize biometric data to catch up with some of their traditional sports peers, they must begin to formulate a strategy that focuses on transparency, consent, and disclosure