Data Privacy in Sports: Key Takeaways

3 minute read | April.09.2025

Sports teams, leagues, agents and venues collecting personal information from athletes, fans and sponsors must comply with evolving privacy regulations. Here are key takeaways from a conversation Orrick recently hosted with the New York City Bar Association Sports Law Committee and IP Subcommittee.

Sports teams must navigate overlapping privacy regimes. Sports teams must navigate a complex network of privacy laws that govern athlete health data, which may include heightened protection under the Health Insurance Portability and Accountability Act (HIPAA) and state laws. Oftentimes, though, the health data is released to the team pursuant to a HIPAA authorization (i.e., with player consent), allowing the team to treat such data as part of the player’s employment record. Of course, an employee’s health information is subject to the ADA’s confidentiality provisions and potentially governed by the state’s breach notification law.
The rise of biometric data brings new risks. From heart rate monitors to biometric gloves that measure blood oxygen levels, teams are using increasingly sophisticated tools to measure biometric information, analyze performance, and monitor athlete health. Simultaneously, state regulators are increasingly concerned about biometric data privacy, and state laws that grant private rights of action present significant risk for this type of sensitive information.
The modern fan experience is data-driven. Stadiums employ cutting-edge technologies that gather a significant amount of fan data. While facial recognition and fingerprint scanning streamline stadium entry and AI is being used to promote stadium safety, they also raise concerns about transparency. Stadium operators need to consider the need for appropriate signage and other disclosures.
An international fanbase leads to cross-jurisdictional concerns. Many teams are playing overseas and expanding their international footprint. This expansion may bring the teams under the jurisdiction of international privacy regimes, which may impose additional requirements on collecting, storing and securing personal information. Sports organizations should be thoughtful in how they engage and market to international audiences.
Emerging technologies and trends will mean even more privacy and cybersecurity risk. Current trends suggest that sports organizations’ privacy challenges will continue to increase. Innovative technologies, like brain health and function tracking, are introducing new privacy concerns, and some states have already identified neurological data for special protection. Mandatory genetic testing, under consideration by several sports governing bodies, would add genetic data to the list of athlete information organizations must manage. With cyberattacks occurring at a greater frequency and level of sophistication each year, organizations should maintain robust privacy and cybersecurity programs to ensure that their teams can minimize risk while remaining ready to rapidly adopt new technologies.

Want to know more? Contact one of our panelists: Shannon Yavorsky, Thora Johnson, Beth McGinn and Alex Sobolev.

Authors

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Technology Transactions

San Francisco; London

See my bio

D:+1 415 773 5731
E: syavorsky@orrick.com

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; London

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU AI Act
EU e-Privacy Directive (EPD)
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) AI Risk Management Framework (AIRMF)
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states

Shannon also helps clients undertake comprehensive privacy, cybersecurity and AI risk assessments, evaluates privacy, security and AI risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and AI compliance programs.

Thora Johnson Partner, Life Sciences & HealthTech, Cyber, Privacy & Data Innovation

Washington, D.C.

See my bio

Practice:

Technology & Innovation Sector
Life Sciences & HealthTech
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Thora Johnson Partner

Washington, D.C.

Thora works with medical device, pharmaceutical, biotech and digital health companies, helping them navigate the increasingly complex patchwork of state and federal health privacy laws. One client described her to the Legal 500 as a “very practical” advisor providing “exceptional guidance” on health information privacy and HIPAA compliance matters.

Her breadth and depth of experience enable Thora to assist clients in harnessing the power of artificial intelligence and executing data-sharing arrangements, all while protecting health data. As a result, Thora spends much of her time counseling pioneering startups and high-growth companies on responsible innovation in healthcare and life sciences.

Thora brings extensive experience counseling clients, including Fortune 500 companies and brick and mortar providers, on the Health Insurance Portability and Accountability Act (HIPAA) and other state and federal health privacy and regulatory compliance regimes including:

Office of the National Coordinator for Health Information Technology’s interoperability and information blocking regulations
Centers for Medicare & Medicaid Service’s (CMS’s) interoperability and patient access regulations
Part 2 confidentiality requirements applicable to substance abuse records
State health information privacy laws
State consumer privacy laws with special controls for health data
Medicare/Medicaid compliance
Mental Health Parity and Addiction Equity Act (MHPAEA)
Genetic Information Nondiscrimination Act (GINA)
Affordable Care Act (ACA) compliance
Regulatory requirements of the Employer Retirement Income Security Act (ERISA), the Internal Revenue Code, HIPAA, and the ACA as they apply to employer health and wellness plans

Thora routinely helps companies and large employers prepare for and respond to privacy and security incidents involving health information. She also defends clients in government investigations initiated by the OCR, OIG, DOJ, FTC and State AGs, among others.

Elizabeth McGinn Partner, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.; New York

See my bio

D:+1 202 349 7968
E: emcginn@orrick.com

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech

vCard

See full bio

Elizabeth McGinn Partner

Washington, D.C.; New York

In conjunction with this work, she develops policies and procedures, records retention schedules and training materials. A significant part of her practice involves addressing data security breaches, working proactively with clients to prevent such breaches from occurring, and advising clients in responding to regulatory inquiries, investigations and enforcement actions related to privacy, information security and cybersecurity issues. She also assists numerous professional sports teams comply with data privacy concerns, consumer financing laws and payment system issues.

Beth also represents financial institutions, corporations and individuals in a wide range of matters. She advises clients in investigations, examinations and litigation initiated by the Consumer Financial Protection Bureau (CFPB), the New York Department of Financial Services (NYDFS), the Department of Justice (DOJ), the Federal Trade Commission (FTC), state attorneys general and bank regulatory agencies. She has represented financial institutions in class action litigation concerning federal and state fair lending laws, mortgage fraud, unfair and deceptive trade practices statutes, consumer fraud statutes and consumer privacy laws. She has extensive experience counseling clients in response to federal and state subpoenas and handling all aspects of e-discovery.

Over the course of her career, Beth has represented clients in matters involving simultaneous criminal, civil administrative and congressional proceedings. She has defended clients in matters relating to money laundering compliance issues and investigations and litigation by the U.S. Attorney’s Office for the Southern District of New York (SDNY), the Manhattan District Attorney’s Office, the Department of Treasury, the Securities and Exchange Commission (SEC), and various congressional committees, including the U.S. Committee on Homeland Security and Government Affairs Permanent Subcommittee on Investigations, the U.S. House Financial Services Committee and the U.S. House Committee on Oversight and Government Reform.

Beth has published and spoken on a variety of topics, including privacy, cybersecurity, electronic discovery, vendor management and consumer financial services litigation. She authored the chapter on “Oversight of Compliance and Control Responsibilities” for Navigating the Digital Age – The Definitive Cybersecurity Guide for Directors and Officers. She has been recognized for her work in Cyber Law (Data Protection and Privacy) by Legal 500 since 2013, which describes her as “outstanding on privacy and e-discovery issues,” “able to advise both on the regulatory and litigation sides of problems,” an attorney who "exceeds expectations on response and turnaround times,” “has strong industry knowledge in data security and privacy, and is able to walk the fine line between operational efficiency and regulatory compliance' when developing IT policies.” It also described her as “top notch, incredibly responsive, thoughtful, and provides advice that is both practical and efficient.”

Prior to joining Orrick, Beth was a partner at Buckley LLP where she was Co-chair of the firm’s Privacy, Cyber Risk & Data Security practice and E-discovery Committee. Previously she was an associate at Skadden, Arps, Slate, Meagher & Flom. She clerked for Federal Magistrate Judge P. Trevor Sharp of the United States District Court for the Middle District of North Carolina after law school. Beth is a Certified Information Privacy Professional (CIPP/US).

Alex Sobolev Partner, Cyber, Privacy & Data Innovation, Technology Transactions

London

See my bio

D:+44 20 7862 4832
E: asobolev@orrick.com

Practice:

Cyber, Privacy & Data Innovation
Technology Transactions
Strategic Advisory & Government Enforcement (SAGE)
Trademark, Copyright & Media
Intellectual Property

vCard

See full bio

Alex Sobolev Partner

London

Alex’s multidisciplinary practice and transatlantic experience enable him to provide strategic commercial advice for technology led companies, including coordinating and implementing data and consumer risk mitigation projects, providing outsourcing advice and developing key legal risk mitigation strategies in relation to products where the pace of innovation nearly always outpaces the law.

He has advised companies at all stages of the corporate lifecycle, from software development and product launch, through technology licensing, sale and purchase, to mergers and acquisitions of data and tech-heavy businesses. He has assisted organisations with the design, development and implementation of global data protection and compliance policies, as well the management of risk and security associated with data retention, processing and transfer.