Data protection warning as stadiums look to ramp up biometric features

Los Angeles FC is the latest to roll a fully integrated biometric system for fans attending games at their BMO Stadium, following in the footsteps of fellow MLS side Columbus Crew in a series of switches to biometric access systems for stadia.

But while the move is starting to find traction outside the US for clubs and bodies looking to provide holistic digital engagement with supporters, stricter regulation about data protection and governance in the UK and EU will mean operators looking to follow LAFC’s approach face much greater scrutiny from regulators.

Dom White, a data protection expert with Pinsent Masons, said that the use of technology such as facial recognition to grant stadium access would put it within the scope of special category personal data under GDPR rules for the UK and EU data regimes.

“Even it is optional or designed to improve the fan experience, clubs must meet the higher compliance threshold that applies to biometric processing,” he explained.

“There are issues around transparency and how biometric data is stored, particularly given the sensitivity of the data and the general expectation that fans can attend matches without providing biometrics.

“For UK and European clubs, while biometric access systems can deliver operational benefits, their long‑term success will hinge on getting compliance right, tightly defining how the data is used, and being open and clear with fans from the outset,” he explained.

“There is also a clear cultural difference compared with the US. In the UK and much of Europe, football has a long‑standing tradition of fan autonomy, and there is generally far less tolerance for technologies that feel like surveillance or that control access to the game.”

Facial recognition systems, operated with ticket providers, have also increasingly found favour in other US sport venues, where they have been deployed to speed up access through ticket gates or allow fans to pay at the cash-free concession stands.

But Europe’s stricter legislation means clubs and bodies must take greater care – with Spanish football giants Barcelona fined €500,000 earlier this year by the country’s data protection authority (AEPD) for failing to carry out appropriate data protection impact assessments when gathering biometric data during its mandatory census of 143,000 club members.

The census collated biometric selfie and ID scan data, along with optional voice data, leading to complaints the club had included minors, that consent had not been explicitly asked for and that previous members who did not complete the census had lost their membership with the club.

Spain’s football league, La Liga, was also fined €1 million last year for similarly breaching rules around implementing impact assessments when trialling facial recognition to improve stadium security and safety – a ruling the league has since appealed.

The case highlights that, while new legislation regarding ticketless entry to matches and the use of facial recognition to identify trouble in stadium crowds reflects the strengthening of legal frameworks around match day safety, clubs are still required to introduce solutions proportionally.

Malcolm Dowden, a technology and privacy expert with Pinsent Masons, warned that the sanctions for unauthorised stadium entry do not alone justify deploying biometric identification systems.

“Clubs still need to demonstrate that biometric systems are necessary, effective and proportionate compared with less intrusive alternatives, and that their deployment is supported by appropriate safeguards for supporters’ rights,” he added.

“If a similar system were introduced in the UK or EU, it will be assessed through a stricter regulatory lens. Facial recognition ticketing is high‑risk processing, and embedded systems would attract scrutiny. Justifications would need to be carefully balanced against fundamental data protection principles.

“Enhanced enforcement powers do not remove the need for clubs to assess proportionality when introducing new technologies.”