"You can't win anything with kids" - Minor's data in sport – returns and regulations
Over the last two decades, there has been an industry wide acceleration, in sports, towards collecting and processing athlete personal data. This trend shows no signs of slowing and, indeed, as discussed in our previous article Player Power V Data Monetisation – A New Battleground In Sport continues to grow with the industry valued at close to $1 billion in 2020 and expected to reach $5 billion by 2026.
At the same time, global sporting events, like the Olympics, highlight the fact that young persons are competing at the highest levels, on a global stage - with an athlete as young as 12 years' old medalling at Tokyo 2020. Furthermore, stakeholders have found increasing financial incentives for active engagement with younger fans and athletes to create loyalty and interest at the earliest stages.
Whilst there is a patchwork of legislation in place to protect the personal data of minors – the levels of compliance across the industry are, at best, varied. We look at some of the drivers for the use of data and the compliance requirements particularly under the GDPR, the UK GDPR and the Information Commissioner's Office's (ICO) Children's Code.
Minors' Impact on Sport
The summer of 2021 and the start of 2022 will long be remembered for the glittering displays of talent, across the sporting world, from young athletes on the grandest stages – including Beijing 2022, Tokyo 2020, Euro 2020, and the US Open 2021.
- The podium of the Women's Street Skateboarding at Tokyo 2020 was populated exclusively by teenagers (13-year-olds Momiji Nishiya and Layssa Leal and 16-year-old Funa Nakayama).
- The podium of the Women's Park Skateboarding featured 12-year-old Kokona Hiraki and 13-year-old Sky Brown.
- Chen Yuxi, aged 15, won gold in the Women's 10m Synchronised Diving.
- England football team reached the final of the European Championships with Jude Bellingham, aged 17, in the squad.
- US Open's Women's Singles Final featured Emma Raducanu and Leylah Fernandez (both aged 18 at the start of the tournament).
- US Open's Women's Doubles Final included 17-year-old Coco Gauff.
This success is set against the backdrop of an industry in which the volume of athlete personal data, which is gathered and processed, continues to increase – including by stakeholders for whom the processing of minors' data forms an integral part of their business models and plans.
- clubs, teams and sporting agencies which increase their scouting reach and budget with the hope of identifying global young talent at the earliest opportunity.
- betting agencies and gaming developers utilising athlete data (including that of minors) to set betting lines or create realistic in-game experiences for customers.
- leagues, sporting federations, sponsors and clubs driving interaction and engagement directly with minors to grow audiences.
This raises important questions with respect to the use of minors' data particularly given potential limitations in their capacity and agency.
These questions have been brought to the foreground at Beijing 2022 by the situation involving 15-year-old Russian figure skater Kamila Valieva - whose talents, positive drug test, and following scandal played out in front the entire world's media.
Some of the key stakeholders with respect to the processing of minors' sports data include:
Professional teams/clubs/sporting federations: their data processing of minors' data is broadly two-fold:
Performance: teams and clubs process the personal data of young athletes for: (i) assessing the young athletes to identify ways to improve performance; and (ii) to evaluate potential athletes for specific coaching
Fan engagement: they also process behavioural data and collect personal information to drive interactions with younger fans to increase popularity and monetise their interest at the earliest stages
Sports agencies: process performance data looking for young athletes, with potential, to represent. This is, particularly important in our context given the gating role that agents play in the lives of young athletes and their pastoral role
Data analytics companies: independent specialists who collect, analyse and sell performance data to third parties including agencies and professional teams
Betting companies: process and analyse minors' performance data, shared by data analytics companies, as part of setting betting lines and odds. Betting companies will also process behavioural data to offer new products and increase profitability
Gaming companies: process the performance and personal data of minors (such as their appearances) to create realistic gaming experiences for their consumers. Gaming companies will also process behavioural data and feedback on their gaming experience to improve the overall product on offer
Anti-Doping Organisations: process and analyse sensitive personal data of young athletes, including certain biometric data, to ensure compliance with anti-doping rules.
The State of the Market
Successful recruitment and youth development is lucrative if done well. In football, over the last five years, Ajax, Benfica, Porto, Red Bull Salzburg and Lisbon have generated £1.4 billion in net income from transfer dealings – largely through the recruitment, development and transfer of young players.
Traditionally, such recruiting would be driven by large networks of in-person scouts. However, even before the Covid-19 pandemic, there had been an industry wide shift away from this model with major clubs reducing the size of their scouting departments and moving towards a data driven model.
Indeed, in 2020, Arsenal reshaped their scouting department – letting a number of scouts, including Head of Recruitment Francis Cagigao, depart the club. At the time, Edu Gaspar, the Technical Director, explained that 'the reasons for changing our infrastructure are clear…I want to work more with StatDNA'. It is a sentiment echoed by clubs around Europe. For example, Dries Belaen, Recruitment Director at Anderlecht, recently stated that youth recruitment 'always starts with a large screening phase of possible targets based on performance and non-performance data'.
Academies and Selection
Many professional sports, across Europe, follow a system by which players are assessed at specific ages and either promoted or released. This is particularly pronounced in football where athletes often leave traditional schooling at young ages to join academies and pursue their footballing careers.
There has been a welcome increase, over recent years, in the discussion surrounding the mental health effects of releasing athletes at such formative parts of their lives but, what is less discussed, is the fact that these decisions are being made, at least in part, on the basis of performance data and statistics.
Clubs are, understandably, cautious about publicising too much information on how they analyse their young athletes but interviews with former players and coaches highlight the fact that decisions, about who to play and who to offer contracts, are often determined by levels of success articulated by personal performance data.
Marketing to minors is, increasingly, being seen as a crucial way for clubs, leagues and sporting federations to expand their current fanbases and to drive loyalty from an early age to ensure future engagement and revenues.
For example, a survey done by ESPN in 2014 found that 77% of children in the USA, between the ages of 7 to 11, considered themselves to be fans of the NBA.
Similarly, Nuria Tarre, chief Marketing Officer for City Football Group, of which Manchester City FC is a part, stated, in June 2021, that its biggest target audience, in the US, is fans under 13 years old.
At the same time, the mediums through which young fans consume sport is changing – a recent YouGov poll found that 49% of football fans under 34 would follow games by watching online live streams, as opposed to 29% of fans over 34.
Similarly, 51% of fans under 34 actively use social media to follow sport but only 30% of fans over 34 do the same.
Many sporting federations and clubs have started to focus their attention on driving engagement from young fans using new mediums
According to Dr. Sandra Calvert 'children and youth are heavy media users and early adopters of new technology' so clubs must 'adopt campaigns using both television and newer media'. For example, all 20 Premier League football teams have active Instagram, YouTube and TikTok channels.
In 2016, Arsenal became the first Premier League club to launch an app specifically targeted at young supporters.
The GDPR / UK GDPR and Children
The processing of personal data of minors is subject to enhanced protection under the General Data Protection Regulation (GDPR) and the UK General Data Protection Regulation (UK GDPR). Legislation makes clear that particular care must be taken when collecting and processing the personal data of children as they may be less aware of the risks involved.
Key Concepts: A Refresher
Personal Data: the GDPR/UK GDPR defines 'personal data' as any data relating to an identified or identifiable individual (the data subject). A data subject, here the athletes themselves, will be identifiable if they can be directly or indirectly identified using this data. This definition is broad enough to include almost all types of performance data.
Controllership: the GDPR/UK GDPR defines a 'controller' as any natural or legal body which determines the purposes and means of processing personal data. This would typically be the organisation who is collecting, storing and analysing the data for their own benefit.
System design: the GDPR/UK GDPR places an obligation on data controllers to put in place 'data protection by design and by default' - meaning appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights at the design phase of any product or service. The GDPR/UK GDPR emphasises the importance where children's data is processed.
Data Protection Impact Assessments (DPIA): Under the GDPR/UK GDPR there is an obligation to conduct DPIAs, for any type of processing activities that are likely to put the rights and freedoms of individuals at a high risk.
The ICO states that it is mandatory to complete DPIA when using children's personal data for marketing purposes, profiling or other automated decision-making, or if intending to offer online services directly to children. DPIAs will help assess and mitigate any identified data protection risks to the rights and freedoms of the minor.
Legal basis: as with all processing of personal data under the GDPR/UK GDPR, children's personal data may only be processed if there is a lawful basis for processing under Article 6 GDPR/UK GDPR. Whilst all bases provided for in the Article are available for children's data, there are some bases that have important additional considerations that need to be considered where the data subject is a child.
Consent: Article 8 GDPR sets out the age of digital consent in relation to information society services at 16. However, Article 8 GDPR allows Member States to provide for a lower age. In the UK, the age of consent has been set such that children over the age of 13 can provide consent to processing and, for those under 13, consent must be provided by whoever has parental responsibility. It is only appropriate to rely on consent as a legal basis where a data controller is able to give children or their parents truly informed choice and control over how the personal data is used and processed.
For example, a controller must take into account whether the child has the capacity to understand the implications of the processing of their personal data, taking into account the imbalance of power in the relationship between an adult and a child.
Legitimate interests: the GDPR/UK GDPR allows controllers to process personal data under the lawful basis of legitimate interests. This requires a controller to perform an assessment, weighing up the legitimate interests of the controller against the fundamental rights and freedoms of the data subject. The GDPR/UK GDPR makes a point of stressing that controllers need to place particular weight on the rights and freedoms where children are the data subjects.
In practice this means that the controller has a responsibility to protect children from risks they may not fully appreciate and from consequences they may not envisage. Additionally, controllers have a responsibility to identify and implement appropriate safeguards and to demonstrate that the children's rights and freedoms are sufficiently protected.
Marketing to children: the ICO considers direct marketing to children as an activity which is likely to result in a risk to the rights and freedoms of the data subjects. As such, data controllers seeking to market to children must do a DPIA to assess risk. Additionally, controllers must ensure, when provided with personal data by children, that they explain, in terms understandable to the child, what they intend to do with the data. 
Automated decision making: the GDPR/UK GDPR states that controllers should not make decisions based solely on the automated processing of personal data where those decisions have a legal or similarly significant effect unless an exception applies.
It is also within the GDPR/UK GDPR's rationale that particular care must be taken, with respect to the exceptions, where the data subject is a child. As such, the ICO considers that where controllers do seek to rely on an exception to the automated data processing rules, they must be able to demonstrate that there are appropriate measures in place to protect the interests of the children and explain to the child, in language understood by them, that they intend to use their personal data to make automated decisions about them.
Privacy Notices: the same principles with respect to fairness and transparency of data processing, which apply to adults, also apply to children. However, one of the reasons that the GDPR/UK GDPR builds in additional protections for children is that they may be less aware of the risks and implications of their data being processed.
As such, in order for processing to be fair and transparent, privacy notices to children must be delivered in an intelligible manner. This means information about their data processing must be provided in a clear and concise style that is age appropriate and appeals to the relevant age group. This may include the use of graphics, videos or diagrams.
Rights: under the GDPR/UK GDPR, children have the same rights as adults over their personal data. Children are able to exercise these rights on their own behalf as long as they are deemed competent to do so.
A UK example: The ICO's Children's Code
Further to the protections for children already provided in the GDPR/UK GDPR, a legislative and regulatory movement, focused on ensuring that children can grow in a safe digital environment, has started. The ICO's 'Children's Code', which came into effect in September 2021, is one of the first results of this trend, but, since its publication, there have been a number of other examples including the 'Fundamentals for a child-oriented approach to data processing', published by the Irish Data Protection Commission, and the European Data Protection Board including draft 'Guidelines on Children's Data' in its two-year Work Programme for 2021 and 2022.
Focusing on the UK, the Code applies to information society services (ISS) that are likely to be accessed by children. ISS are defined as any service: (i) usually provided for remuneration; (ii) at a distance; (iii) by electronic means; and (iv) at the request of a recipient of the service, i.e. the child. As such, the Code will apply in a wide variety of situations, for example, to professional teams that use apps to engage with fans (including minors), sporting federations that use their websites or advertising to seek engagement of minors or sports agencies using online advertising to offer services to young athletes.
The test for whether the Code applies is broad and is based on whether children are 'likely to access' the service. As such, the Code may apply even where a service is not specifically aimed at children. However, the Code recommends a common sense approach to the 'likelihood of access' test, meaning that if a service should not be accessed by children (e.g. betting services), companies offering that service should focus on preventing access to children, thus taking it out of the scope of the Code.
To comply with the Code, the service provider will have to conform to the 15 Code standards in a proportionate and risk-based approach. Examples of standards include:
- Best interests of the child: taking into account the "best interests of the child" when designing, developing and providing the services (this is an overarching principle of the Code).
- DPIAs: undertaking DPIAs that cover how a service conforms with the 15 standards of the Code.
- Transparency: making sure that the privacy information provided to child users is understood by them (e.g. depending on the age of child users these could be done through a cartoon video).
- Default settings: default setting should be set at "high-privacy" mode.
- Geolocation: where the service can collect geolocation, this should be switched off by default.
- Parental Controls: where the service provides parental controls, the child needs to be informed about this in a way that the child would understand, i.e. in an age appropriate way.
As discussed, marketing to young fans is becoming an increasingly common practice for various stakeholders. From this perspective, there are two crucial Code standards to consider:
- Detrimental use of data: refraining from using children's' personal data in a manner that will negatively affect their wellbeing. The Code provides examples – such as referencing guidance which address issues such as exploiting children's gullibility.
- Profiling: where a service uses profiling, this should be switched off by default, with limited exceptions.
The shift towards processing large amounts of personal data has, inevitably, meant that a greater amount of children's data is processed in the context of the wider sports industry – from performance analysis to betting and fan engagement. Under the GDPR/UK GDPR and other Codes and guidance, such as the Children's Code, this data processing is subject to a number of protections.
There are a number of takeaways for stakeholders operating in the sports data industry:
- the incentives for processing minors' performance and behavioural personal data are unlikely to go away – the rewards for driving early engagement or identifying young talent are increasingly valuable.
- the global regulatory matrix already imposes significant obligations on stakeholders with respect to the use of children's data – with material penalties for non-compliance.
- however, regulators and governments around the world are increasingly focused on this area – with a bevy of additional regulations and restrictions being proposed and introduced to further protect minors.
- there is also an increasing media and customer focus on appropriate corporate custodianship and practices.
Businesses, in this context, should, therefore, look to:
- map where, when and why they are collecting and processing minors' data.
- design practices and processes to meet existing regulatory requirements as merely introducing policies will not be enough.
- horizon scan and be mindful of further emerging regulation to ensure they can react quickly to maintain compliance.
Whilst some stakeholders have acknowledged and responded to this issue, the extent to which it is being thoughtfully considered and built into the everyday processes of the sports industry still lags behind other industries.
This article is also published on Law in Sport under the title A Guide To Using Young People's Data In Sport
This article is also published on Law in Sport under the title A Guide To Using Young People's Data In Sport
 Mordor Intelligence - SPORTS ANALYTICS MARKET - GROWTH, TRENDS, COVID-19 IMPACT, AND FORECASTS (2022 - 2027) https://www.mordorintelligence.com/industry-reports/sports-analytics-market#:~:text=Market%20Overview,period%20(2021%20%2D%202026)
 How five of Europe's 'talent factories' have raked in £1.4BILLION in just five years by supplying the next world class stars - including Haaland, Fernandes, Ziyech, Keita and Dias - to the super-rich elite – Daily Mail https://www.dailymail.co.uk/sport/football/article-9072871/Europes-biggest-talent-factories-earned-1-4-billion-transfers-just-five-years.html
 Stat DNA is a data analytics company, operating globally, that provides detailed statistical analysis of performance data to professional football teams. Their service includes reviewing recordings of matches and providing analytical reports.
 Edu: StatDNA will come more to the fore as part of Arsenal revamp - Training Groud Guru https://trainingground.guru/articles/edu-statdna-will-come-more-to-the-fore-as-part-of-revamp
 Scouting Sessions: How RSC Anderlecht use data-driven insights in player recruitment - Scisports https://www.scisports.com/how-anderlecht-use-data-driven-insights-player-recruitment/
 Developing Diehards: The Power of Marketing Sports to Children - Samford University https://www.samford.edu/sports-analytics/fans/2017/Developing-Diehards-The-Power-of-Marketing-Sports-to-Children
 A top Premier League executive broke down a key difference between marketing sports to Americans and Europeans - Insider https://www.insider.com/premier-league-executive-marketing-soccer-to-americans-vs-europeans-2021-6
 Has football really lost its way with younger fans? - YouGov https://yougov.co.uk/topics/sport/articles-reports/2021/06/17/has-football-really-lost-its-way-younger-fans
 Has football really lost its way its way with younger fans? - The Drum https://www.thedrum.com/opinion/2021/06/07/has-football-really-lost-its-way-its-way-with-younger-fans
 Arsenal in engagement push as it launches first Premier League app for kids - Marketing Week https://www.marketingweek.com/arsenal-in-engagement-push-as-it-launches-first-premier-league-app-aimed-squarely-at-kids/
 Recital 38 GDPR/UK GDPR
 Article 4(1) GDPR
 Article 4(7) GDPR
 What should our general approach to processing children’s personal data be? - ICO https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-uk-gdpr/what-should-our-general-approach-to-processing-children-s-personal-data-be/
 What if we want to profile children or make automated decisions about them? - ICO https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-uk-gdpr/what-if-we-want-to-profile-children-or-make-automated-decisions-about-them/
 Recital 58 GDPR/UK GDPR
 Recital 38 and 71 GDPR/UK GDPR
 Age appropriate design: a code of practice for online services - ICO https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-a-code-of-practice-for-online-services/
 Children front and centre - e Fundamentals for a Child-Oriented Approach to Data Processing - DPC https://www.dataprotection.ie/sites/default/files/uploads/2021-12/Fundamentals%20for%20a%20Child-Oriented%20Approach%20to%20Data%20Processing_FINAL_EN.pdf
 EDPB Work Programme 2021/22 https://edpb.europa.eu/our-work-tools/our-documents/strategy-work-programme/edpb-work-programme-20212022_en
 Published by the Committee of Advertising Practice.