The long road to getting fans in the stands

After a long hiatus, major league sports is making a successful return to the US. Intercollegiate sports too have returned in a limited fashion. There have been relatively few hiccups and the COVID-19 protocols implemented have worked well. But one thing remains missing — stadiums full of cheering fans. Although fans have been admitted in limited capacities for certain events, this fan-less experience is expected to remain well into 2021. At some point, the attendance restrictions will begin to ease and gradually more people will be allowed entry to entertainment venues.  When that happens, we know that many new health protocols will be implemented, which could require fans to give up sensitive health information. If fans are required to provide this information in order to get in, venues must be ready to assure people that their health data will remain private and protected.

Unfamiliar Territory

Undoubtedly, there will be health screenings required to enter certain facilities. The novel issue here is going to be the enhanced screening, observation and tracking of the fans themselves as a result of COVID-19. There will likely be temperature checks at gates, increased use of facial recognition technology, health questionnaires and more.

This is health data that sports teams, event organizers and venue operators aren't used to handling, and it's regulated very differently than the consumer data that these organizations typically collect such as fan experience and merchandise data. This new data collection is going to be different. Teams and venues (or their contractors) will have information on a fan’s health status — who has a fever, what symptoms they've experienced and whether other fans have been exposed.

As a result, as part of the reopening process these venues and organizations will need to understand the privacy and anti-discrimination regulations that govern health data. Collecting health data about employees and players is one thing, collecting health information about every fan who walks through the door is quite another.

How entertainment venues will use this data

Health screenings required for entry may take a number of forms. Some venues may opt to gather basic information at the gate – for example in the case of temperature or symptoms checks. More sophisticated processes might involve the use of a “health pass” system under which fans upload test results or vaccine status before their tickets are released. Often this will require venues to engage third parties to manage the system.

Beyond determining whether to permit entry into the venue based on someone's health status, organizations may use fan data for contact tracing or to monitor social distancing onsite.

Some of the people in attendance may be coughing, sneezing or exhibiting other behaviors that could be taken for COVID-19 symptoms. Undoubtedly some fans will report these health-related behaviors and the venues will collect it and have procedures regarding when and how to act on it. 

In most of these cases, the federal health privacy law, HIPAA, won't apply because it has a limited scope and is designed to cover health information generated by healthcare providers and health plans. But HIPAA may be a factor where entertainment venues, or their vendors, obtain COVID-19 test results or information about an individual’s vaccine-status.  In addition, there are federal and state consumer protection, health privacy, biometric information and public health reporting laws that govern the collection and use of health data by companies across the private sector. 

These laws can require notice or consent before health information can be collected, restrict how health data can be used and limit the conditions under which a company can disclose it. Some of the laws give individuals the right to see what health data is being collected about them, to correct it, prohibit sales and request that it be deleted.

There are also data security requirements and data breach notification laws that are triggered by health information. Many teams and venues are familiar with data breach regulations, since they handle online user information, passwords and other fan-related data. But unless credit cards are involved, when such data is compromised it often doesn't rise to the level of a data breach with all of the legal and notification implications that come with that.

Once teams are handling health information about their fans, failing to properly secure it can lead to data breaches and security-based consumer protection actions. Data breaches can be costly. In addition to the reputation damage they inflict, there are significant costs associated with managing a breach and potentially class actions and civil or criminal penalties.

Addressing privacy concerns

As businesses decide which measures will be implemented for fan health and safety, considering privacy will help build trust and create an experience where fans feel safe.

Entertainment venues will need to think about the kinds of data they will collect, how fans will be informed about their data practices, and whether and when they will obtain consent. Consider minimizing access to fan health information by engaging third party intermediaries.

In addition, these businesses must develop processes for handling denial of entry that are discreet and understand when they are required to notify those who have been in proximity to an individual who has screened positive for COVID-19 symptoms and understand when public health authorities need to be notified. Finally, such businesses must put privacy and security protections in place to limit access to sensitive data and ensure it is protected.

At this point, there's a lot the industry does not yet know and a lot that it needs to figure out. Mass gatherings generally aren't back yet, but they will be eventually, and data collection is likely to be a big part of the solution.

Responsible parties should start now getting steeped in the legal issues surrounding COVID-19 health screening, developing plans to navigate these new waters and coming up with ways to manage the risk around it all.

Authored by Marcy Wilder, Craig Umbaugh and Donald DePass.


This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2022 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.