Law: Avoiding the data compliance offside trap

Data has become a core function of a football club’s business. Managing and monetising that data efficiently, legally and privately is a focal point. By Bryony Long, Mark Hersey and Lauren Stone at law firm Lewis Silkin

With Premier League football shown in all but seven countries worldwide, and consumed by a global audience of 3.2 billion in the 2018/19 season, the opportunities for sponsors are huge. Manchester United take first place amongst English clubs in Deloitte’s 2019 Football Money League, boasting more than 20 global partners, and Leicester City FC calculates that a deal with it exposes partners to 19,548 broadcast hours.

Sponsors will demand value from their investments. With billions watching worldwide, perimeter messaging is set to play a key role for some time. However, times are changing and broadcast revenue for clubs is expected to slow, as reported by Deloitte. Clubs will therefore look elsewhere for opportunities to drive revenue growth.

As clubs have huge pools of fan data through website traffic, social and email analytics, CRM, sales records, market insights and fan surveys, it is no wonder they are under increasing pressure from sponsors to leverage such data pools. Data is also not limited to traditional fans – clubs are branching out, such as into e-sports, to increase their fanbase. This data can not only be used to increase fan engagement with the club – it can be shared with sponsors so that they too can maximise engagement.

Making the most of fan data

  1. Social media: Platforms such as Facebook, Instagram and TikTok offer an easy and cost-effective way of targeting billions of users. Clubs and sponsors can target existing fans on social media by ‘matching’ fans with social media profiles (‘custom audience’ advertising), and they can also target users that share the same characteristics (e.g. age, gender and location) as their fans to find new opportunities (‘lookalike audience’ advertising).
  2. Email marketing: Clubs and sponsors can take advantage of synergies between their respective marketing lists. For example, a kit sponsor may want to cross-reference its own marketing list with the club’s to target some of the sponsor’s customers with offers for the club’s shirt. Clubs and sponsors may also undertake joint marketing campaigns, potentially circumventing requirements for multiple consents.
  3. Fan experiences: Fans are increasingly seeking more immersive and personalised experiences when they watch a game. This can be achieved in a number of ways, including through innovative AI solutions (for example, some clubs are using virtual assistants and chatbots as a tool for fans to ask questions, and receive instant answers, on a range of topics such as team stats and live game information). Clever use of fan data also allows clubs and sponsors to have a precise understanding of each modern fan which in turn enables them to create more personalised fan experiences.
  4. Real-time personalised advertising: Technology allows clubs and sponsors to deliver more personalised ads to fans, based on their preferences and behaviours, which are ascertained through the data collected about them. Fans watching the same live stream can be served different ads around the content or potentially, even within the stream (for example where digital replacement of perimeter boards is being used). This allows clubs and sponsors to better target their audience.

Leveraging fan data poses obvious privacy challenges, but these do not need to stifle legitimate and proportionate use of personal data.

Where possible try to minimise the amount of personal data shared

Clubs should share only the minimum amount of data with the minimum number of organisations necessary to achieve the objective. Where some data does need to be shared with sponsors (for example, to deliver the prize for a sponsor’s competition winner), clubs should consider whether it is necessary (and proportionate) to share certain types of data. For example, does the sponsor only need a list of names and email addresses, or is it necessary to share more detailed profiles? Where possible, clubs should aggregate data (i.e. compile data into data summaries) to minimise data privacy risks.

Always have a lawful basis

Clubs should ensure they have a lawful basis to share fan data with sponsors.  Many mistakenly believe that the only lawful basis available is to obtain consent. However, relying on consent is fraught with difficulties because there are stringent requirements that need to be met for consent to be valid and individuals can withdraw consent at will.

For this reason clubs should only rely on consent where they are legally required to do so or no other lawful basis can be established.  For example, if the club or sponsor wishes to send email marketing to a fan, the law requires consent to send the email. A sponsor may not have a relationship with the fan, so it will rely on the club to obtain consent on its behalf. However, the requirement to obtain consent only relates to the sending of the email marketing and not to the sharing of the data. Therefore, if a club wishes to share its database with its kit sponsor, so that the sponsor can match the club’s fans with individuals that the sponsor already lawfully markets to, a fresh consent will not be required.

Unless consent is required, clubs will usually rely on legitimate interest as their lawful basis to process personal data for commercial purposes. However, reliance on legitimate interest requires a ‘legitimate interest assessment’. Such assessment involves a careful balancing act – do the interests and fundamental rights of the individual outweigh the particular interest that the club and/or sponsor are seeking meet? This is not always an easy call but, as long as clubs clearly document their rationale and take a proportionate and transparent approach, they should keep on the right side of the regulator.

Ensure fan data is protected

Clubs and sponsors each need to work with their information security teams to adequately protect the personal data being shared. The law requires them to demonstrate that ‘appropriate’ security measures are in place with regard to the risks of the particular data processing activity.

The risk is likely to depend on the volume and type of personal data shared but preventative measures clubs and sponsors can take include:

  • encrypting the data and limiting access to it on a ‘need to know’ basis;
  • carrying out due diligence on any third parties to ensure that data will be secure;
  • ensuring that appropriate safeguards are put in place for any international transfers, for example model clauses; and
  • using data on an aggregated and anonymised basis, where possible.

Be transparent, not creepy

It’s important for clubs and sponsors to be transparent when they collect personal data, which means telling fans what personal data is being shared, with whom it is shared, and the reason for the sharing.

Fans should also be clearly informed about their rights over their personal data, including their right to object to particular processing activities, their right to have their personal data erased, or their right to obtain access to data that is processed by the club and sponsor.

Looking ahead

This recaps UK law. However, given recent developments in the US, the goalposts may shift in the future. The California Consumer Privacy Act (‘CCPA’) comes into force in January 2020 and requires companies to give consumers the choice to opt out of the sale of their data to third parties. This seems to go further than the General Data Protection Regulation by allowing individuals to entirely opt out of the sharing of their data for commercial purposes. Whilst there is no sign of UK law following suit just yet, clubs and sponsors looking to monetise data would be wise to do so in case this changes.