On March 6, 2017, Major League Baseball (“MLB”) announced that it has officially approved a wearable biometric monitoring device (the “Device”) for in-game use by athletes. Created by WHOOP Inc. (“WHOOP”), the Device is the first of its kind to gain approval to be worn in competition by any major American sports league. The Device, which is intended to be worn by athletes at all times on and off the field, monitors heart rate, heart rate variability, ambient temperature, motion, and sleep data, and can store that data for up to three days. As a result, the approval of the Device has raised concerns over the privacy implications for players who decide to wear it.

Since neither the MLB nor WHOOP are classified as a “covered entity” under the Health Insurance Portability and Accountability Act (“HIPAA”), the biometric data collected by technologies like the Device do not appear to be covered under the privacy protections of HIPAA. Aside from the basic applicability of general privacy laws, such as a possible violation of Section 5 of the Federal Trade Commission Act in the event of any deceptive practices of WHOOP with respect to its privacy or security policies, there is no clear statutory protection for the privacy of the data generated by use of the Device. As a result, the metes and bounds of how such data is protected will largely be determined on a contractual level. Reports state that the MLB’s agreement with WHOOP does not provide WHOOP with any rights to the data being collected, and that the player and the team have equal rights of use over the analysis of data where data collection is permitted by the player. Additionally, consent of both the player and the team is required before any data generated by the Device can be used for commercial or public purposes. The Device also has 27 different privacy settings that allow a player or a team to share various pieces of information, while keeping other data private.

Nevertheless, the primarily private, non-governmental nature of these protections means they are always subject to negotiation.  In a sport where statistical analysis of available data can impact personnel and hiring decisions, the refusal of a player to wear something like the Device or engage in similar biometric monitoring could mean that player is at a negotiating disadvantage compared to players who are more willing to engage in such biometric monitoring.  This creates the potential for a situation where a player’s livelihood is subject to his willingness to disclose sensitive information about his health.

This collection of sensitive player health information also raises security concerns. The MLB already has witnessed unauthorized intrusions into the computer system of a baseball team. An employee of the St. Louis Cardinals was charged with and pled guilty to five counts of computer hacking when he repeatedly accessed another professional baseball team’s proprietary database without authorization. As of now, however, the perceived gains from player biometric monitoring and data analysis appear to outweigh the myriad concerns over players’ privacy and the protection of their sensitive information. The Device will be used by MLB players across the league when the baseball season starts on April 3.