Sports sponsors can exploit personal data from spectators and fans in ways which were unimaginable even a few years ago, but with this growth in potential has come an increasing amount of regulation to protect individuals. As the Olympic and Paralympic Games and the UEFA Euro Championships approach, those collecting and using associated personal data have to make sure they don't break the rules in the sprint to the finish.

Data is part of the deal

Spectators are a source of valuable data each time they interact with each other, their fan clubs, venues, ticket sellers or sponsors and sometimes retailers. Historically, the spectators provided a substantial part of the revenues for any sporting event through their purchase of tickets, however, very little was known about them individually. Tickets were either purchased from the box office or through re-sellers, often anonymously.

As more and more of the public buy their tickets online, contact information is collected from individuals and repeat purchases can be tracked to determine all kinds of consumption and behavioral information. Ticket sales aren't the only source of data. Many organisations (e.g. UEFA) have built online environments where fans can create profiles by providing personal data and can play games, interact with their peers, receive benefits through promotions etc. This is a far cry from the fan clubs of the past which tended to be organised by enthusiasts at a local level. Again, this creates a wealth of personal data on each user of such platforms which is extremely valuable to teams, sponsors, and advertisers. Sponsors are no longer satisfied with simple registration data but instead want to know more about the preferences and interests of individuals through data analytics. Access to and the ability to exploit that level of personal data is likely to be a key part of sponsorship deals for sports events.

Using personal data for marketing

The use of personal data in Europe is governed by the Data Protection Directive 1995 and the Directive on Privacy and Electronic Communications (e-Privacy Directive). In the UK, these are respectively implemented by the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The UK's ICO has recently updated its guidance on direct marketing and UK organisations should also consider the Direct Marketing Code of Practice and the UK Code of Non-broadcast, Advertising, Sales Promotion and Direct Marketing and the Consumer Protection from Unfair Trading Regulations 2008.

The DPA requires that personal data be processed fairly and lawfully and in accordance with data protection principles. The most relevant to marketing data are:

  • the first principle requirement to process personal data fairly and lawfully: in other words to be transparent with people and always act within their reasonable expectations;
  • the second principle requirement to only use personal data for specified purposes - this would prevent, for example, using data for marketing purposes if the data was not originally collected with that purpose in mind; and
  • the fourth principle obligation to maintain the quality of personal data - meaning that marketing lists must be accurate.

In addition, the DPA also gives individuals a right to object (in writing) to direct marketing.

The scope of PECR goes beyond this in some ways as it covers people whose name the organisation carrying out the marketing doesn't know. It also includes more detail on the rules on electronic marketing communications.

The role of consent

One of the grounds on which personal data will be considered to be fairly and lawfully processed is where the data subject has given consent to the processing and this is the basis on which sponsors of sports events will often seek to justify the processing of personal data for marketing purposes.

The Data Protection Directive says consent must be "freely given, specific and informed". Consent is also relevant in PECR in terms of sending direct marketing materials. Rules around marketing texts and emails usually consent to be specific to the type of marketing communication in question. The ICO issued lengthy guidance on direct marketing which it has recently updated and this considers in some detail what, exactly, is meant by consent in particular circumstances.

Because sponsors rely so heavily on consent in terms of utilising the personal data they get through their sponsorship deals, they need to have a good understanding of what they can and can't do. Key compliance points include:

  • making sure anyone from whom you receive marketing lists has permission to pass the data to you for the purposes you want to use it for;
  • making sure you have consent to the specific purpose for which you are processing data;
  • making sure relevant privacy policies are sufficiently transparent about what you are using data for (see below).

Even when the data being collected is not personal data, rules will apply. For example, consent is needed to place cookies on a user's device except where they are strictly necessary.

Recommendations for sponsors

Privacy policies:

  • Use a clear, informative and simple privacy policy.
  • Make sure the privacy policy is prominent and easy for the user to find.
  • Tell the users, who you are and give them your contact information, don't be anonymous; the users may want to request information as to how their personal data is being used or object to the use of their personal data for direct marketing purposes.
  • Provide truthful and clear information to the users as to why you want to use their personal data;
  • Inform the users of the consequences of not providing their personal data. Give them a choice; don't imply that the provision of personal data is mandatory when it is voluntary.
  • If you intend to share personal data, assess what the recipient is going to do with the personal data (e.g. will the recipient use the data for the purposes for which you process the data) and the potential consequences of sharing of the data; don't share personal data recklessly.
  • If you intend to share personal data, be clear with the users about who the personal data will be shared with and why; don't be vague and don't mislead the users into believing that their personal data won't be shared with others.
  • Inform the users if you transfer personal data abroad; don't omit that information.

If you intend to use personal data for direct marketing purposes:

  • Keep marketing databases separate from other databases.
  • Don't use users' details for direct marketing purposes if you collected the data for completely different purposes.
  • Obtain users' informed consent before sending them direct marketing e-mails, texts and/or before making marketing calls; be specific to the type of marketing communication in question; don't send an e-mail unless the user consents to receiving an e-mail;
  • Use unticked opt-in boxes to obtain online consent (especially for sending marketing texts and e-mails to individuals). Opt-out boxes can only be used under certain restricted circumstances.
  • Don't count on generic consent.
  • Don't penalise individuals who do not consent to receiving marketing communications and don't make consent to marketing a condition of subscribing to your service.
  • If an individual asks you to stop using his/her personal data for direct marketing purposes, stop processing that data for direct marketing purposes within 28 days of receiving the request; don't disregard the request because you may suffer significant fines (up to GBP 500,000 for persistent breach of that requirement).


  • Inform the users that the cookies are there.
  • Explain what the cookies are doing and why.
  • Get the user’s consent to store a cookie on its device.

What's next?

European data protection law is changing. The General Data Protection Regulation 2016 (GDPR) has just come into effect and will apply from 25 May 2018. The e-Privacy Directive is also under review and the UK recently announced that the Digital Economy Bill will bring in additional protections for consumers in relation to unsolicited marketing communications.

Among the many changes being brought in by the GDPR is an enhanced definition of "consent" as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". This means that silence and pre-ticked boxes will be unlikely to satisfy consent requirements. When the processing covers various purposes, consent will be needed for all of them. Further guidance is expected on consent under the GDPR from the ICO and at a European level.

The intention behind the GDPR is to provide a harmonised, 'future-proof' European framework for the protection of personal data but it seems likely that technology will move quickly enough to disrupt our current expectations, even just looking at the issues for sponsors of sports events. Increasingly the line between physically present spectators and distant fans will be blurred; indeed, many people will find themselves in both of these groups. Virtual and enhanced reality will bring the events to our living rooms. The rise of facial recognition technology could vastly complicate the control of personal data at large events, particularly with the rise of user generated content and the blurring of the distinction between private and public data. Apps will increasingly to provide tickets and pay for food, drinks and souvenirs. In short, the amount of data available from sponsorship of sports events will only grow and the challenges to those looking to harness the power of such data are likely to grow alongside the benefits.