Who Owns Your Body Data? The Athlete Biometric Rights Question
- Shane Riddle

A biometric tracking vest records heart rate, GPS position, and movement load in real time, but once that data leaves the athlete's body, who controls it?
Every heartbeat an elite athlete produces during training is logged. Every sprint, every stumble in sleep quality, every oxygen dip at altitude. Modern sport runs on this data, and the sensors collecting it never switch off. Yet for most athletes worldwide, a basic question stays unanswered: once that information leaves their body, who actually controls it?
In this post, I dig into a question that’s been on my mind for a while as a technologist and one that, as I’ve discovered, has been discussed and debated for years: who truly holds the rights to athlete biometric data, and how should those rights be protected?
We'll look at what the NFL Players Association secured in its landmark 2020 Collective Bargaining Agreement, how the NBA's wearable policy compares, where Australian and EU law falls short, and what a December 2025 paper in Frontiers in Sports and Active Living says needs to change. Whether you're a tech-curious fan or an athlete wondering what your coach actually does with your GPS files, this one should matter to you.

Key Takeaways:
- Athletes generate the most valuable data in sport, but own the least of it: Wearables, GPS units, sleep monitors, and biometric sensors produce enormous volumes of deeply personal data, yet no international standard gives athletes clear ownership rights over it.
- Australia's Privacy Act covers biometric data, but sport-specific rules remain thin: Under the Privacy Act 1988, biometric data is sensitive information requiring specific consent, but existing AFL Collective Bargaining Agreement (CBA) provisions leave significant data control in administration hands rather than with players.
- The NFL and NBA have made real progress through collective bargaining: The NFL's 2020 CBA introduced consent requirements and joint oversight for biometric tracking. The NBA's 2023 agreement went further, banning use of wearable data in contract negotiations and setting a $250,000 fine for violations.
- Performance data can reveal health conditions athletes haven't been told about: Heart rate variability, GPS movement patterns, and oxygen data can surface cardiac issues, psychological fatigue, and injury risks — information with serious career implications if mishandled or disclosed without consent.
- GDPR offers the strongest existing protections, but applying them in sport is harder than it looks: The EU classifies biometric data as a special category requiring explicit consent, access rights, and Data Protection Impact Assessments — yet athletes inside elite sports systems often find those rights difficult to exercise in practice.
- Over 850 professional footballers in the UK are already suing over this: The Project Red Card initiative is pursuing legal action against betting and data firms under GDPR for using player performance data without consent, potentially worth hundreds of millions of pounds.
The Surveillance Playbook: What's Actually Being Collected
It started with GPS vests on a football field. Now it's considerably more than that.
Modern elite athletes can be wearing or generating data across multiple streams simultaneously. GPS tracking logs distance, speed, and positioning. Heart rate and heart rate variability monitors capture cardiovascular load. Blood oxygen saturation sensors track altitude adaptation and respiratory function. Recovery wearables record sleep quality and duration. Accelerometers measure neuromuscular load, movement efficiency, and fatigue. Cognitive testing platforms produce reaction time scores. Some facilities have added facial recognition for access control, generating what researchers call "facial vectors", geometric maps of a face that qualify as biometric identifiers under several data protection laws.
A December 2025 commentary published in Frontiers in Sports and Active Living by Jun Woo Kwon at Seoul National University captures the situation bluntly: athletes have become "among the most continuously monitored populations," generating data streams that are "simultaneously personal, professional, and commercial." The problem is that existing law hasn't kept pace with that reality.
Who Controls It? The Legal Gap That's Hard to Believe
Here's the uncomfortable truth at the centre of this debate. The data originates from an athlete's body, from their heartbeat, their stride, their sweat. But in most cases, the moment it uploads to a club's analytics platform, the athlete has no clear legal right to control what happens next.
Kwon's paper defines "data sovereignty" as "an individual's authority to decide how information linked to their physical identity is collected, accessed, shared, stored, and potentially erased." By that measure, most professional athletes currently have very little of it. A few structural problems explain why.
Consent is formal, not meaningful. In elite sport, refusing to wear a GPS vest or a heart rate monitor isn't really an option if a club has included it in an employment contract. The paper describes consent in this context as "typically formal rather than substantive due to structural bargaining inequality between athletes and organisations." When refusal risks your place in the squad, consent to data collection doesn't carry much meaning.
Leagues often don't define ownership at all. Most professional sport agreements say who can use data, but very few define who actually owns it. That gap lets clubs and tech vendors treat athletic performance information as a proprietary institutional asset rather than an extension of a person's body and livelihood.
Analytics platforms create real opacity. Once biometric records enter multi-layered analytics systems, athletes "encounter fragmented storage, opaque processing, and procedural barriers," making rights like deletion or correction technically difficult even where they exist on paper.
Where Players Have Fought for Rights
Two of the world's wealthiest sports leagues have made the most progress, not through legislation, but through hard collective bargaining.
The NFL Players Association negotiated explicit wearable technology provisions into the 2020 Collective Bargaining Agreement. Under those provisions, any wearable technology must be approved by a joint NFL-NFLPA committee before use. Individual players must consent to wearing approved devices; any biometric data collected cannot be used to discipline players or inform contract decisions without their explicit agreement; and clubs must store and secure the data according to jointly agreed standards.
The NBA's 2023 collective bargaining agreement went further. It explicitly prohibits the use of biometric data in contract negotiations, not just without consent, but categorically. It established a $250,000 fine per violation. It created a joint oversight committee with real enforcement power, and it established clearer data retention limits.
The Health Disclosure Problem
One dimension that makes athlete biometric data particularly sensitive is its capacity to reveal health information the athlete themselves may not know about.
Heart rate variability patterns that are consistently anomalous can indicate cardiac arrhythmias. GPS movement data over time can show subtle gait changes associated with developing injuries. Sleep architecture data can surface early signs of clinical depression or anxiety disorders. Oxygen saturation patterns at altitude can flag conditions affecting respiratory health.
The legal and ethical issue is that this information may be reaching a club's sports science team before it reaches the athlete or their personal physician. Kwon's paper specifically identifies this as a gap requiring immediate attention: "The potential for data to reveal sensitive health information beyond its intended performance purpose creates a distinct category of risk that current frameworks inadequately address."
How Major Leagues Compare
| League | Key provision | Year |
| --- | --- | --- |
| AFL (Australia) | Some data collection provisions, but significant control remains with administration; no prohibition on contract-related use | Ongoing |
| NFL (US) | Joint committee approval for wearables; player consent required; data cannot inform discipline or contracts | 2020 CBA |
| NBA (US) | Explicit prohibition on using biometric data in contract negotiations; $250,000 fine for violations | 2023 CBA |
| Premier League (UK) | No league-wide wearable data CBA provisions; subject to individual contracts and GDPR | N/A |
| European club football (general) | GDPR applies to biometric data as special category; consent and access rights in principle; practical enforcement difficult | GDPR 2018 |
Data Collection in Children's and Junior Sport
The biometric tracking conversation usually focuses on professional athletes, but the practice doesn't begin there. Most elite sporting pathways now run through structured junior development systems, and measurement is increasingly built into those systems from an early age, well before anyone involved has the legal capacity to meaningfully consent to it themselves.
Academy recruitment in European football is the clearest example. Clubs across Europe have shifted from scouting networks toward data-driven talent identification, and that shift starts young. Children as young as seven or eight entering professional academy systems can have performance data, physical testing results, and growth and development tracking recorded as a matter of course.
A 2022 analysis from law firm Clifford Chance notes that recruitment in elite youth football has moved toward "a data driven model," with major clubs restructuring scouting departments around performance and non-performance data on prospects rather than relying primarily on in-person scouts. The same data used to identify and develop talent is later used to decide who gets promoted within an academy and who is released: decisions made, at least in part, on data gathered from children.
This isn't confined to professional academy systems. Community and representative-level junior sport is following the same trajectory, just on a longer timeline. Wearable GPS vests, heart rate monitors, and video analysis tools that were exclusively elite-level a decade ago are now affordable enough that representative junior teams, school sport programmes, and ambitious community clubs use them routinely as part of "normal" training. The practice of measurement is being introduced earlier in an athlete's development, often well before the athlete or their family has given any real thought to where that data goes, who can see it, or how long it's kept.
The legal protections are real, but they're patchy. Under GDPR, processing a child's personal data, which includes biometric and performance data, requires parental consent for children under 16 (or as low as 13, depending on the EU member state), alongside the general requirement that organisations explain data use in age-appropriate language and apply enhanced safeguards. In the United States, the Children's Online Privacy Protection Act (COPPA) requires verifiable parental consent before collecting data from children under 13. In Australia, junior sport data sits under the federal Privacy Act 1988 rather than a separate scheme in each state. The OAIC's specific guidance for sporting clubs confirms that any club holding health information about a young participant, such as an injury or a medical condition, falls under the Australian Privacy Principles regardless of its size or turnover, and must obtain consent before collecting and using that information. State and territory sport and recreation departments, including WA's Department of Local Government, Sport and Cultural Industries and the NSW Office of Sport, publish practical guidance on top of this same federal law rather than a separate set of state rules, and consistently advise clubs not to use visual, audio, or performance data relating to young people without parental consent.
In practice, enforcement and awareness vary enormously between a Premier League academy with a dedicated data protection team and a suburban junior club run by volunteers. A 2025 review by Data Protection People notes that grassroots clubs handling junior registrations and basic medical information face the same enhanced child-data obligations as professional academies, but typically without the compliance resources to match.
Locally, in my home state of Victoria, Australia, it looks on the surface as though the law goes further on child safeguarding specifically: the Child Wellbeing and Safety Act 2005 (Vic) makes the 11 Victorian Child Safe Standards legally mandatory for any club or organisation providing services to children, with real enforcement through the Commission for Children and Young People, rather than the advisory guidance other states rely on. But reading through the detail, it becomes evident that this stronger framework is built for abuse prevention and reportable conduct, not biometric or performance data, so a Victorian junior club using GPS vests or video analysis still falls back on the same federal Privacy Act gap described above.
The Australian Academy of Science raised this exact concern. A landmark 2022 discussion paper, Getting Ahead of the Game: Athlete Data in Professional Sport, produced by a 12-member expert working group convened with the University of Western Australia's Minderoo Tech & Policy Lab, focused on professional sport as "the frontier of human monitoring" but explicitly flagged its concern about the "increasing uptake of these practices and technologies in junior sports and development pathways." The working group's broader finding was that data collection in elite sport has outpaced any proven benefit to the athletes it's collected from. Extending that same largely unregulated practice down into children's sport, before a young athlete has any say in the matter, is precisely the trajectory the paper warned needed scrutiny.
What this means in practice for parents and clubs. If your child is in a representative or academy programme using GPS vests, heart rate monitors, or video analysis, it's reasonable to ask: what specifically is being measured, who has access to it, is it used in any selection or promotion decision, and how long is it retained after your child leaves the programme? A club or academy that can't answer those questions clearly hasn't yet caught up with the practice it's already adopted. The pathway from "fun run-around on a Saturday" to "fully quantified professional athlete" increasingly has no clear line where the measurement begins, which is exactly why getting the protections right early in that pathway matters as much as it does at the elite end.
Australia, the EU, and the Missing Rulebook
Under Australia's Privacy Act 1988, biometric data is classified as sensitive information, which brings specific consent requirements for collection and use, restrictions on disclosure to third parties, the individual's right to access data held on them, and the right to seek correction of inaccurate data.
The problem isn't the legislation; it's the absence of sport-specific provisions that account for the unique power dynamics of professional athlete employment. The AFL's current CBA requires players to wear GPS units in matches if a club requests it, and Section 45 of the agreement governs how that data can be used. As legal analysis from HWL Ebsworth puts it, that clause "in effect, leaves control of the data in the hands of" the club rather than the individual player.
In the European Union, GDPR Article 9 classifies biometric data as a special category requiring explicit informed consent, purpose limitation (data collected for performance cannot be used for insurance or contract purposes), Data Protection Impact Assessments for large-scale processing, and meaningful rights of access, erasure, and portability. The framework is strong. The challenge is exercising those rights within the structural inequality of professional sport employment.
Project Red Card
The most significant direct legal challenge to athlete data practices currently underway is Project Red Card, a UK-based initiative representing over 850 professional footballers including players from the Premier League, EFL, and Scottish Premiership.
The lawsuit, filed in 2023, argues that betting companies and sports data firms have been using players' performance data commercially without their consent, in violation of GDPR. The value at stake is estimated in the hundreds of millions of pounds. A finding for the players would establish a significant precedent: that athlete performance data is personal data belonging to the athlete, not a proprietary asset of the league or club.
What the Research Says on Athlete Biometric Data Rights
The clearest statement of what the research says comes from the December 2025 paper in Frontiers in Sports and Active Living by Jun Woo Kwon at Seoul National University. Kwon's central finding is blunt in suggesting that existing privacy law and sports governance frameworks offer no clear allocation of rights over the data produced through training and competition. What looks like protection, on closer examination, mostly isn't. Consent in professional sport is formal rather than substantive. Athletes agree to data collection because the alternative is losing their place in a squad, not because they've made a free and informed choice. The data is then treated by clubs and leagues as a proprietary institutional asset rather than an extension of the athlete's own body and livelihood.
Kwon's recommendations go well beyond anything currently in any major league's data provisions. He calls for a universal opt-in consent framework that is genuinely revocable, mandatory independent audits of data storage practices within sporting organisations, explicit prohibition on the use of biometric data in contract negotiations across all jurisdictions, data portability rights allowing athletes to take their biometric history with them between clubs, and sport-specific data protection officers in organisations above a threshold size. None of these exist as standard practice anywhere in professional sport today.
The gap between the scale of collection and the adequacy of protection is the other finding that emerges consistently across the literature. A 2025 analysis from law360.com examining biometric data governance across the four major North American leagues found that even where CBAs include data provisions, the question of who actually owns the data, the athlete, the team, the league, or the technology provider, is rarely answered directly. When a player is traded, their historical biometric record typically stays with the former club. When a wearable company's contract ends, data retention is governed by whatever the original agreement said, which is often nothing specific. Legal commentary from Proskauer Rose describes the current situation as a "gold rush," with teams, leagues, and technology vendors all treating athlete-generated data as a commercial asset without settled legal clarity about who has the right to do so.
What the research doesn't say is that this is unsolvable. The NBA's 2023 CBA provisions and the NFL's 2020 framework demonstrate that precise, enforceable protections are achievable when players have sufficient collective bargaining power to demand them. The problem is that most athletes across most sports, in most countries, and especially in the junior development pathways where monitoring begins earliest, don't.
Governing Bodies and Regulatory Authorities
| Organisation | Role |
| --- | --- |
| Australian Human Rights Commission | Oversees Privacy Act enforcement; accepts complaints about biometric data misuse |
| Office of the Australian Information Commissioner (OAIC) | Privacy Act regulator; handles data access complaints |
| UK Information Commissioner's Office (ICO) | GDPR enforcement in the UK; data subject rights |
| NFLPA (US) | Negotiates and enforces CBA provisions on wearable data for NFL players |
| NBPA (US) | Negotiates and enforces NBA CBA biometric data provisions |
| Project Red Card (UK) | Legal action on behalf of professional footballers against data firms |
Final Thoughts
The fight over athlete biometric data is really about a simpler question: who owns the information that your body generates? As someone who works at the intersection of technology and community service, I find the answer to that question genuinely troubling, not because the technology is wrong, but because the governance surrounding it is so far behind. We are collecting data on human beings at a scale and depth that would have been unimaginable twenty years ago and that, with the introduction of AI, will increase exponentially, and we have not come close to building the frameworks that should accompany that capability.
What concerns me most is not what happens at the elite end with stronger playing groups like the NFL and NBA, who have the collective bargaining power to negotiate protections and are using it. The gap that I can see, and that concerns me, is the one below that level. The social clubs, the representative junior teams, the community associations that feed these professional organisations. They are collecting the same data, using the same devices, and operating with none of the legal framework, none of the oversight, and often none of the awareness of what they are actually doing.
A twelve-year-old in a GPS vest at weekend football training has no union or voice that represents their best interests. Their parents, in many cases, almost certainly have no idea that data is being retained, who can access it, or whether it will follow that child into a professional pathway where it could one day influence a contract decision. This is not a hypothetical; it's happening right now, at grounds and pools and courts across the country, every weekend.
This question has been raised before. It will be raised again. And each time, government moves too slowly, regulators look the other way, and sporting associations default to whatever their current contract says rather than asking what is right. I am not naive about how change happens in sport: it's slow, conservative, and usually driven by crisis rather than foresight. But that is precisely why I think the call here has to be direct. If you are a parent with a child in a representative or academy program, ask the questions. Ask what is being collected, who holds it and has access to it, and how long it is kept. Also ask whether it will ever be used in a selection decision. You have every right to know, and any organisation that cannot answer you clearly has not thought carefully enough about what they are doing. If you run a sporting association or club, this is your moment to get ahead of it. Not because legislation will force you to, but because the athletes in your program, including the youngest ones, deserve to be looked after properly. The data you collect on them is not yours. It belongs to them.
Note: Every effort has been made to verify the current state of athlete rights and the legal frameworks governing ownership of biometric data. However, sporting associations, legislation, and policy guidelines continue to evolve, and the landscape may change as new regulations and agreements emerge.
Frequently Asked Questions
Q: Can a club legally use my biometric data to decide whether to sign me?
A: In most jurisdictions, there is no explicit law preventing it outside of the NBA's CBA prohibition. The answer depends on consent language in your individual contract, whatever data protection law applies in your jurisdiction, and whether your players' association has negotiated specific restrictions. The NBA's $250,000 fine for using wearable data in contract decisions is currently the strongest single protection anywhere in professional sport.
Q: What does GDPR actually protect for athletes in Europe?
A: GDPR classifies biometric data as a special category of personal data requiring explicit consent to process. Athletes in EU jurisdictions have the right to access all data held on them, the right to erasure, the right to object to processing, and the right to data portability. The challenge is exercising those rights within the power-imbalanced environment of professional sport employment, where practical barriers often make formal rights difficult to use.
Q: What is Project Red Card and what would a win mean?
A: Project Red Card is a UK legal action on behalf of over 850 professional footballers, arguing that betting companies and sports data firms used players' performance data commercially without consent, in violation of GDPR. A win would establish that athlete performance data is personal data belonging to the athlete, not a free resource for leagues, clubs, or third parties to commercialise.


