Facial Recognition Technology Use in Stadiums: Key Takeaways

5 minute read | November.03.2025

The use of facial recognition technology in stadiums is becoming increasingly popular and has the potential to improve the visitor experience. Venues can use the technology to shorten queues at entrances and concession stands, facilitate the pick-up of mobile orders, and tighten security. Large-scale entertainment has faced increased security concerns over the past few years, with the Manchester Arena bombing in 2017, and the cancellation of three Taylor Swift concerts in Vienna in 2024 due to a terror plot. Facial recognition technology can help stadiums tighten their safety and security practices by enabling the rapid identification and tracking of individuals suspected of committing offenses.

The use of facial recognition technology also triggers privacy and cybersecurity concerns. Threat actors are more likely to target companies they believe to have large data sets of sensitive personal information, such as biometrics. Unauthorized access to this data puts consumers at risk of identity theft. In addition, use of the technology has previously resulted in individuals being subjected to unlawful discrimination and harassment, and there are growing concerns about companies conducting undisclosed surveillance and using the technology unfairly.

Here are some key takeaways venues should consider when deploying the technology:

There are overlapping privacy regimes

U.S. state laws have rules that address biometric use and facial recognition technology in particular. Texas, Washington and Illinois have specific biometric privacy laws. The Illinois Biometric Information Privacy Act is the most stringent, requiring informed written consent for collection of biometrics and providing a private right of action. The Colorado Privacy Act also provides controls on the collection and processing of biometrics of both consumers and employees, including requirements for retention and deletion policies, notice to consumers and informed affirmative consent prior to collection. California’s CCPA covers biometric information (including facial images) and defines it as sensitive personal information, subject to the right to limit use and disclosure, if it is used for the purpose of uniquely identifying the consumer.
Some cities have particular requirements: Portland, Oregon prohibits the use of facial recognition technologies by private entities in public accommodations, and New York City requires commercial establishments using the technology to provide disclosures to consumers. It also makes it unlawful to sell, lease, trade or share the information in exchange for anything of value or otherwise profit from transacting with the data. The New York City law provides for a private right of action if the entity fails to cure a breach.
Venues should be aware of European frameworks that could apply, including the GDPR and UK GDPR. Biometric data is special category data under the GDPR, which means it can only be processed in certain limited circumstances. For private businesses, in most cases, explicit consent from data subjects, and a data protection impact assessment will be required. In addition, the EU AI Act introduces a new layer of complexity to compliance, designating as “high-risk AI” any AI systems intended to be used for remote biometric verification of a specific natural person’s identity and prohibiting AI systems that create or expand facial recognition databases through untargeted scraping of facial images from the internet or CCTV footage.
The FTC has expressed concerns about the risks posed to consumers by the compilation of large data sets of biometrics, which can lead to identity theft, and flaws in facial recognition technology that can trigger unlawful discrimination and false-positives.

Regulators are active in this space

The FTC brought enforcement action against a retailer, which used facial recognition technology to identify potential shoplifters. It emphasized the importance of issuing appropriate disclosures to consumers about use of the technology, continuous monitoring of its use to mitigate discrimination risks, the need to provide training to employees about the use of the technology and the importance of appropriate security and deletion protocols.
The FTC also took action against a facial recognition software company for making false claims in its marketing related to its model efficacy and lack of racial bias.
The New York Attorney General wrote to a venue owner in relation to the use of facial recognition technology to deny entry to lawyers who worked in law firms that represented parties engaged in litigation against the venues. The Attorney General expressed concern that these activities constituted violations of the New York Civil Rights Law.
The Texas Attorney General also brought actions in relation to the use of facial recognition technology, achieving a $1.375 billion settlement in over alleged collection of biometrics without consent.

Consumers are taking action to enforce their privacy rights

In a 2024 class action lawsuit filed against a sports venue, the plaintiffs alleged that the stadium collected facial scans of over 100,000 visitors since 2021 and then illegally shared and profited from that biometric data. The complaint claims that a facial recognition system scanned fans upon entry, checks them against a database and shares the data with a third-party software provider in violation of New York City laws.
Consumers have also sued over businesses’ use of technology provided by a facial recognition technology company, which allegedly created a database of over three billion images by scraping photos from publicly available websites. Customers could upload the image of an individual (such as a suspected shoplifter) to match it in the database and identify them. In 2020, a class action lawsuit was filed alleging violations of the Illinois Biometric Information Privacy Act. The case settled by plaintiffs receiving a 23% stake in the technology company rather than a cash amount.

Steps to consider before implementing the technology

Ensure there is a comprehensive cybersecurity program in place commensurate to the sensitivity of the data being collected.
Create and implement a data deletion policy to ensure that biometrics are deleted when they are no longer required.
Provide clear and conspicuous notice to consumers attending the venues that the technology is being deployed and provide information about their rights (such as the ability to opt out).
Ensure all necessary consents are obtained, if required under local law.
Implement training programs for staff so they understand the potential limitations of the technology, particularly in relation to its accuracy, and are able to answer questions from visitors about the use of the technology if asked.
Implement audit procedures to monitor closely the efficacy of the technology and make adjustments where needed.

Authors

Elizabeth McGinn 合伙人, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.; New York

See my bio

D:+1 202 349 7968
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech

vCard

See full bio

Elizabeth McGinn 合伙人

Washington, D.C.; New York

In conjunction with this work, she develops policies and procedures, records retention schedules and training materials. A significant part of her practice involves addressing data security breaches, working proactively with clients to prevent such breaches from occurring, and advising clients in responding to regulatory inquiries, investigations and enforcement actions related to privacy, information security and cybersecurity issues. She also assists numerous professional sports teams comply with data privacy concerns, consumer financing laws and payment system issues.

Beth also represents financial institutions, corporations and individuals in a wide range of matters. She advises clients in investigations, examinations and litigation initiated by the Consumer Financial Protection Bureau (CFPB), the New York Department of Financial Services (NYDFS), the Department of Justice (DOJ), the Federal Trade Commission (FTC), state attorneys general and bank regulatory agencies. She has represented financial institutions in class action litigation concerning federal and state fair lending laws, mortgage fraud, unfair and deceptive trade practices statutes, consumer fraud statutes and consumer privacy laws. She has extensive experience counseling clients in response to federal and state subpoenas and handling all aspects of e-discovery.

Over the course of her career, Beth has represented clients in matters involving simultaneous criminal, civil administrative and congressional proceedings. She has defended clients in matters relating to money laundering compliance issues and investigations and litigation by the U.S. Attorney’s Office for the Southern District of New York (SDNY), the Manhattan District Attorney’s Office, the Department of Treasury, the Securities and Exchange Commission (SEC), and various congressional committees, including the U.S. Committee on Homeland Security and Government Affairs Permanent Subcommittee on Investigations, the U.S. House Financial Services Committee and the U.S. House Committee on Oversight and Government Reform.

Beth has published and spoken on a variety of topics, including privacy, cybersecurity, electronic discovery, vendor management and consumer financial services litigation. She authored the chapter on “Oversight of Compliance and Control Responsibilities” for Navigating the Digital Age – The Definitive Cybersecurity Guide for Directors and Officers. She has been recognized for her work in Cyber Law (Data Protection and Privacy) by Legal 500 since 2013, which describes her as “outstanding on privacy and e-discovery issues,” “able to advise both on the regulatory and litigation sides of problems,” an attorney who "exceeds expectations on response and turnaround times,” “has strong industry knowledge in data security and privacy, and is able to walk the fine line between operational efficiency and regulatory compliance' when developing IT policies.” It also described her as “top notch, incredibly responsive, thoughtful, and provides advice that is both practical and efficient.”

Prior to joining Orrick, Beth was a partner at Buckley LLP where she was Co-chair of the firm’s Privacy, Cyber Risk & Data Security practice and E-discovery Committee. Previously she was an associate at Skadden, Arps, Slate, Meagher & Flom. She clerked for Federal Magistrate Judge P. Trevor Sharp of the United States District Court for the Middle District of North Carolina after law school. Beth is a Certified Information Privacy Professional (CIPP/US).

Shannon Yavorsky 合伙人, Cyber, Privacy & Data Innovation, Technology Transactions

旧金山; 伦敦

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
政府调查与执法行动
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky 合伙人

旧金山; 伦敦

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU AI Act
EU e-Privacy Directive (EPD)
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) AI Risk Management Framework (AIRMF)
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states

Shannon also helps clients undertake comprehensive privacy, cybersecurity and AI risk assessments, evaluates privacy, security and AI risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and AI compliance programs.

Thora Johnson 合伙人, Life Sciences & HealthTech, Cyber, Privacy & Data Innovation

Washington, D.C.

See my bio

Practice:

Technology & Innovation Sector
Life Sciences & HealthTech
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Thora Johnson 合伙人

Washington, D.C.

Thora works with medical device, pharmaceutical, biotech and digital health companies, helping them navigate the increasingly complex patchwork of state and federal health privacy laws. One client described her to the Legal 500 as a “very practical” advisor providing “exceptional guidance” on health information privacy and HIPAA compliance matters.

Her breadth and depth of experience enable Thora to assist clients in harnessing the power of artificial intelligence and executing data-sharing arrangements, all while protecting health data. As a result, Thora spends much of her time counseling pioneering startups and high-growth companies on responsible innovation in healthcare and life sciences.

Thora brings extensive experience counseling clients, including Fortune 500 companies and brick and mortar providers, on the Health Insurance Portability and Accountability Act (HIPAA) and other state and federal health privacy and regulatory compliance regimes including:

Office of the National Coordinator for Health Information Technology’s interoperability and information blocking regulations
Centers for Medicare & Medicaid Service’s (CMS’s) interoperability and patient access regulations
Part 2 confidentiality requirements applicable to substance abuse records
State health information privacy laws
State consumer privacy laws with special controls for health data
Medicare/Medicaid compliance
Mental Health Parity and Addiction Equity Act (MHPAEA)
Genetic Information Nondiscrimination Act (GINA)
Affordable Care Act (ACA) compliance
Regulatory requirements of the Employer Retirement Income Security Act (ERISA), the Internal Revenue Code, HIPAA, and the ACA as they apply to employer health and wellness plans

Thora routinely helps companies and large employers prepare for and respond to privacy and security incidents involving health information. She also defends clients in government investigations initiated by the OCR, OIG, DOJ, FTC and State AGs, among others.

Anna Booth 律师, Cyber, Privacy & Data Innovation, Artificial Intelligence (AI)

Boston

See my bio

D:+1 617 880 1826
E: [email protected]

Practice:

Cyber, Privacy & Data Innovation
Artificial Intelligence (AI)

vCard

See full bio

Anna Booth 律师

Boston

Anna has advised clients, including artificial intelligence companies, e-commerce platforms, insurers, pharmaceutical companies, healthtech, and edtech providers based in the UK, Europe, US, and China. Her work includes drafting policies and designing global compliance programs, negotiating data processing and business associate agreements, and drafting data impact assessments. She also assists with corporate transactions, providing specialist input on privacy and artificial intelligence matters.

Prior to joining Orrick, Anna practiced as a barrister in London for ten years, representing clients in cross-border disputes and enforcement proceedings, both in court and international arbitration. Her experience has included matters in India, Japan, Russia, Egypt, Australia, Thailand, and Europe.

Related Areas

Cyber, Privacy & Data Innovation