There are many misconceptions about face biometrics in sports, especially regarding clubs allegedly violating the GDPR. The first step in addressing these concerns is to understand the key difference between biometric verification and identification, which can apply in different use cases.
1. Biometric verification
Biometric verification is a security method which uses a person’s unique physical characteristics to confirm their identity. You can refer to it as 1:1 matching. This means that it compares one reference image cropped from the ID document with one submitted selfie. If the two images match, the system returns a positive result.
This use case may be known from verifying one’s identity at ticket purchase required by governments, Football Acts, or league regulations. Importantly, it doesn’t involve storing personal data.
2. Biometric identification
Biometric identification takes a different approach, known as 1:N matching. In this case, the system relies on a central database that stores registered faces. When a new face is captured, the system searches the database to find a match. This enables the identification of one individual from a crowd of thousands. The system compares the newly captured face against all the faces in the database, identifying a match if it finds one.
The most common use case for biometric identification is in-stadium surveillance, where the football club’s security team monitors the stands to spot individuals engaging in disruptive behavior like throwing objects, fighting, or lighting fireworks. However, under the EU Artificial Intelligence Act, this type of implementation is prohibited unless the club receives special permission from the Data Protection Agency (DPA), as was the case with Danish football club Brøndby IF.
Biometrics don’t have to be considered a special category of personal data under GDPR
Now that we understand the difference between biometric verification and biometric identification, we can consider the impact of GDPR regulation on biometric solutions that can be used in sport events.
The processing of biometric data falls under GDPR Article 9(1). It requires fans to provide explicit consent for the processing of their personal data for specific purposes. This refers to the process of converting a face image into a unique string of numbers, which cannot be reversed back to the original image.
However, it’s important to understand that Article 9 GDPR does not categorize all biometric data processing as ‘sensitive.’ The regulation defines biometric data as sensitive only when used to uniquely identify a person, which typically involves a database or list (biometric identification). Therefore, biometric verification does not fall under this restriction. As a result, the solution requires only standard consent as outlined in GDPR Article 6. It must be freely given, informed, and unambiguous according to GDPR Article 7.
How GDPR – compliant biometric verification enhances your ticketing process
There are 3 key main areas where football clubs can benefit from biometric verification to provide a more secure, efficient, and fair way to handle ticket sales. These aspects ensure that only legitimate fans are purchasing tickets while simultaneously preventing fraudulent activity.
1. Blocking scalper bots
Ticketing systems have long struggled with scalpers and fraudsters who use bots to gain an unfair advantage. These bots automate notifications about new sales, monitor supply and demand, unlock pre-sale codes, autofill personal data, or bypass anti-bot measures.
As a result, scalpers can buy thousands of tickets before fans even finish typing their email.
They then resell the tickets on their own platforms for inflated prices, sometimes up to 10 times the original value.
Firstly, it harms the fan who ends up paying for overpriced tickets. Secondly, it also deprives the club of revenue as the resale profit doesn’t go to them.
Biometric verification during ticketing can help clubs prevent this issue, as bots lack a face to match and authenticate.
2. Stopping hooligans from buying a ticket
Currently, clubs perform stadium ban checks using basic information such as the banned person’s full name and address. However, this method is highly inefficient, as fans can enter any details when purchasing tickets or creating an account, leaving room for inaccuracies.
With biometric verification, fans scan their identity documents, and the system extracts the data. This ensures that clubs can accurately check if the person is on a ban list, with 100% confidence that the data is correct.
This approach enhances stadium safety, helping clubs avoid fan-related fines and improving fan perception. It can also attract new fan segments, leading to higher attendance rates.
3. Complying with UEFA regulations
UEFA mandates that clubs deny entry to away fans during high-risk European games. To enforce this, clubs use IP address tracking and block foreign payment cards. However, these methods are limited, as fans can bypass them using VPNs or have locals buy tickets on their behalf.
With biometric verification, clubs can deny ticket purchases based on the country of issuance of the fan’s ID. This ensures compliance with the regulation while respecting expats living in the country and staying GDPR – compliant.
Extend biometric verification for stadium access while staying compliant with GDPR
TruCrowd helps you leverage biometric technology for stadium entry while ensuring full GDPR compliance. The key is offering your fans an alternative to biometric verification. If any fans choose not to use this technology, they can visit the box office to have their identity verified manually by a club employee. This manual verification step is allowed under GDPR, as it is seen as less intrusive than the online process, although debatable.
The online biometric process, however, only involves the minimum necessary data and is pseudonymized to protect privacy. Several precautions are in place:
- Face images are converted into character strings to avoid processing real facial data
- Personal data is not stored, limiting the process to data processing only
- Use of highly encrypted hosting providers to ensure privacy during verification
We can confidently state that using TruCrowd’s biometric verification system is safer than sharing photos on social media. Additionally, since neither we nor the club retain biometric data, it cannot be misused or used for surveillance purposes.
Communication is the key to implementation of biometric ticketing in football
Your club can have multiple reasons for implementing biometric solutions, from those mentioned above to increasing entry speed or improving convenience for fans. In any case, the top priority should be to communicate these changes clearly and transparently to your fans. Explain the reasoning behind the decisions and how they will impact the activities fans are used to.
There are 2 key psychological phenomena at play:
1. Cognitive dissonance
This occurs when someone encounters new information or a solution that contradicts what they already know or are accustomed to.
The natural response to something unfamiliar is often fear, criticism, avoidance, or outright rejection.
To address this, fans need clear, step-by-step guidance on how biometric ticketing works and assurances about how their data privacy will be protected.
2. Habituation
When fans first experience something new, they tend to analyze it closely, comparing it to the status quo and acting cautiously. However, after about 5-6 uses, the new process becomes the norm, and they no longer give much thought to using face biometrics.
Understanding these behaviors can help clubs introduce biometric solutions more effectively and ensure fan adoption.
You can’t please everyone. There will always be a group unhappy with identity verification. Unsurprisingly, this group often represents a security risk to other fans, frequently causes fines for clubs, and is known to be a source of fraudulent ticketing practices.
Yes, biometrics will discourage them from entering stadiums. We believe that is a positive outcome for clubs. Some people simply do not belong at sports events, and that is a good thing.
Therefore, the implementation process should be divided into multiple phases, allowing fans time to adapt to the new technology. If done correctly, as in the case of Palmeiras, Brazil, a club can gradually transition its entire fanbase to face biometrics. Palmeiras successfully convinced 740,000 fans to join biometric ticketing and access control in just one year.
We believe that, fundamentally, fans are the same worldwide. Once fans in one country appreciate the solution, it can easily be replicated in other countries.
Summary of GDPR, data privacy, biometric ticketing, and fan adoption
Navigating through the nuances of biometrics can be complex, especially for people without expertise in the area. Therefore, we offer guidance and help to ensure the best possible outcome for the clubs while maintaining compliance with GDPR. The use of biometric ticketing and access control is possible with alternatives for people who prefer to complete their verification on-site. Clubs should however not only put emphasis on legal analysis, but spend equally enough time on planning communication towards their fanbase. We know that you might have more questions and we will be happy to answer them if you write to us.
