4 lessons learned from the NFL’s data privacy breaches
Posted: March 6, 2025
The NFL recently found itself under scrutiny from the industry watchdog Digital Advertising Accountability Program (DAAP), which highlighted significant data privacy missteps across the digital touchpoints of all 32 teams, including their mobile apps, as first reported by the Wall Street Journal.
The DAAP is a non-profit set up to hold companies accountable to the Digital Advertising Alliance (DAA) and its principles for online privacy. Whilst the report is not legally binding, it is a red flag for fans who may not realize how their data is being shared, as well as a cautionary tale for similar organizations that manage complex fan databases across multiple networks. There is a growing list of state-led legislation restricting how companies use consumer data, particularly when it comes to sharing with third parties for advertising.
What are the DAA Self-Regulatory Principles for advertising?
- Transparency: Advertisers must clearly inform consumers about data collection practices, including what data is being collected and how it will be used. This includes providing clear disclosures and opt-out mechanisms.
- Control: Consumers should have the ability to control the collection and use of their data. This includes options to opt-out of data collection for interest-based advertising across different devices and platforms.
- Accountability: Companies must adhere to the DAA principles and are held accountable through enforcement programs like the Digital Advertising Accountability Program (DAAP). This program ensures that companies comply with the principles and take corrective actions if necessary.
- Cross-Device Guidance: The principles also apply to data collected across multiple devices, ensuring that consumers have consistent privacy protections regardless of the device they use.
- Political Advertising: The DAA has specific guidelines for political advertising, ensuring transparency and accountability in paid political ads.
The National Football League (and the 32 teams within it) has worked closely with the DAAP for over a year to update its data management practices and comply with the principles.
So, how can brands avoid making the same mistakes made by the NFL?
- Lesson 1: Know what data you’re collecting and be transparent
- Lesson 2: Give users the option to consent and opt out
- Lesson 3: It’s not just the risk of fines but reputational damage
- Lesson 4: Consented data delivers more opportunities for innovation
Lesson 1: Know what data you’re collecting and be transparent
The NFL network is huge, and so is its database. According to Semrush, the NFL website alone averages over 80 million visits per month, before you even consider the individual clubs. Data is being collected at scale, across multiple systems. The league’s fan initiative built on AWS integrates 90 billion rows of fan data, with over 250 dimensions per fan.
This will likely include all sorts of data points – from first-party data and PII like email addresses and preferences, to behavioral quantitative data and demographics.
One specific example of malpractice dates from early 2023, when the Cleveland Browns’ app collected geolocation data without telling users this data might be shared with advertisers. The app requested access to location to “get access to FirstEnergy Stadium features, receive in-stadium notifications, and unlock content and promotions based on your location.”
However, it didn’t disclose that this data might then be shared with third parties, such as advertisers. Location data in particular can be tied back to an individual, and therefore carries greater protections and regulation around how you may use it.
Brands need to be fully aware of what data they’re collecting, whether through cookies, SDKs, pixels or any other tracking method, and they need to be transparent in their privacy policies and notices about what they may then use this data for. The language used should be clear and easy to understand.
For privacy and legal teams within global sports brands, this can be a challenge: constant campaign activations and advertising engagement initiatives mean some data collection activities can go under the radar. Tracking technologies are often implemented without awareness of the privacy risks they introduce.
Lesson 2: Give users the option to consent and opt out
One of the main issues raised by the DAAP was the lack of standard notices or opt-out options for consumers.
Brands should ensure that they provide clear and transparent information about data collection practices. This includes informing consumers about what data is being collected, how it will be used, and offering them the option to opt out.
More stringent regulations, like the General Data Protection Regulation (GDPR), require explicit opt-in consent, whilst many of the US state privacy laws require opt-out options or recognition of Do Not Sell requests and Opt-Out Preference Signals.
This type of consent management can be complex to navigate, with users often having multiple profiles, accounts and devices. Many regulatory authorities now expect consent to ‘follow’ an individual across those devices. There are also strict guidelines around parental consent, children’s privacy and age-related content restrictions that sports and entertainment brands in particular need to be cautious of.
Lesson 3: It’s not just risk of fines but reputational damage
Enforcement of data privacy legislation is ramping up around the world. Whilst the NFL has had the opportunity to rectify its issues, other brands may not be given any grace period. Brands like Sephora, for example, have seen significant fines as a result of failing to honor opt-out preferences. As consumer awareness grows, enforcement of the legislation will likely ramp up in tandem.
But for brands that want to build trust with their audience, fines aren’t the only risk. Plenty of studies have shown that consumers want to buy from organizations that they trust, which means privacy can become a competitive advantage.
As marketplaces become ever-more saturated, an edge over the competition is always welcome. Brands should be proactive in addressing privacy concerns to avoid damaging their reputation. This involves being transparent about data practices and ensuring that consumers feel their data is being handled responsibly.
Engaging with consumers about data practices can help build trust and loyalty. Brands should consider using explainers and tailored communication to educate consumers about their data practices and the benefits of data collection.
Lesson 4: Consented data delivers more opportunities for innovation
Which leads nicely into the potential of consented data. It should go without saying that when you have consent to use data, you can do a lot more with it. Consent management platforms like Cassie have been designed to enable brands to get more from the data they collect, making sure it’s auditable and compliant whilst also being instantly accessible across the tech stack.
By giving users granular preference management, they can choose exactly what they consent to share: the types of content, the frequency of communications and more.
With comprehensive audit trails of all activity, you’re not only compliant but able to build a full picture of your end users. You build trust, drive engagement and reduce unsubscribes with more transparent communications powered by preferences.
With a more detailed profile of your customers, your organization can learn from these data-driven insights and discover new ways to innovate.
By understanding customer preferences and behaviors, you can tailor your messages to resonate more effectively with your audience – sending the right message at the right time, using the right channels for higher engagement and conversion.
Leveraging first-party data collected with consent provides enterprises with valuable insights into user preferences and intent. This clean, consented data allows businesses to build engaged audiences, refine segmentation, and personalize content. These insights drive innovation across various technologies, including AI, so that you can create more impactful campaigns with improved ROI.