Film Room: Managing program GM and data risks
August 13, 2025
In this week’s Film Room, we:
- flag risks associated with the football program general manager (GM) position
- update you on a recent surge of data privacy lawsuits targeting the sports industry
We also outline steps for reducing related exposure.
The football program GM, its risks, and how to manage them
Amazingly, the college football season kicks off just a week from Saturday, with Week Zero headlined by the Aer Lingus College Football Classic in Dublin.
Camp is well underway, and student-athletes are receiving institutional payments. Football program GMs can be a first stop for student-athletes and representatives with questions about payments and related performance.
As a result, program GMs—mostly nonlawyers—are fielding legal questions. Institutions can take action to limit related risk, including by developing, instituting, and training staff on internal controls. We took a deep dive on this topic in an article published in Sports Business Journal earlier this week.
The VPPA and why you should pay attention
The New England Patriots, Formula 1, and several other sports entities have faced recent lawsuits alleging violations of the 1998 Video Privacy Protection Act (the VPPA). According to the above-linked reports, the Patriots and Formula 1 have agreed to multimillion-dollar payments to plaintiffs to settle the claims.
The decades-old VPPA targeted the rental video industry, imposing liability on a video rental company for sharing rental history with a third party. The wave of nostalgia conjured by the thought of trips to Blockbuster (not to mention the puzzled looks on the faces of younger readers—Blockbuster??) is brought to a screeching halt by the recent VPPA lawsuits.
Those lawsuits allege that sports organizations are liable for not observing VPPA restrictions as they relate to apps. Plaintiffs argue that apps that note who’s watching videos on them and then share that data with a third party are liable under the VPPA—even if that data is shared with a third-party vendor embedded in the app or if the third party in receipt of the information does nothing with it. The lawsuits claim that the transfer of information alone is enough to establish liability.
Organizations can take various steps to limit VPPA and other data privacy risk. We outline those steps in this recent article. They include:
- understanding data flows in great detail
- updating privacy policies and consent language
- conducting diligence on third-party vendors
- implementing data processing agreements with vendors
- conducting privacy audits
__________
If you have any questions about this Legal Briefing, please feel free to contact any of the attorneys listed or the Eversheds Sutherland attorney with whom you regularly work.
Latest Insights
- legal updatesConsumer Lens - Session 1 | The Rise of European Class Actions
- podcasts and webcastsTax NOLs in Cross-Border Structures Webinar
- legal updatesEU Pay Transparency Directive
- legal updates