FIFA World Cup 2026 & Data Privacy

FIFA World Cup 2026 and Data Privacy: What Happens to the Data Behind the World’s Biggest Tournament

The group stage of FIFA World Cup 2026 closed with 4,644,549 fans across 72 matches at 99.7% occupancy, the highest in World Cup history, shattering the previous record of 3,587,538 set in the United States in 1994. Behind those numbers sits something less celebrated: the largest civilian biometric data collection operation ever conducted at a sporting event, spread across three countries, involving dozens of private vendors, and governed by no single consistent data protection framework.

For any organisation processing the personal data of EU residents (ticketing platforms, sponsor apps, stadium operators, loyalty scheme providers), GDPR obligations follow the data subject, not the venue’s postcode.

Principales conclusiones

The 2026 World Cup generated personal data across at least five distinct streams: Fan ID identity data, biometric entry data, app location and behavioural data, loyalty programme profiling, and incidental device data from security technology.

FIFA Fan ID is mandatory for ticket access, which creates a genuine question about whether consent obtained through it can be considered freely given under GDPR Article 7(4).

Biometric entry systems process special category data under Article 9. Before deploying them, a DPIA is required. No clear retention or deletion policy for tournament biometric data has been made public.

Fan personalisation through apps and loyalty programmes constitutes profiling. The lawful basis must be identified in advance, not assumed after the fact.

VAR reviews every significant call before it stands. Data compliance needs the same: documented checks on consent, lawful bases, retention, and data subject rights. This means regular review, not a one-time policy document.

Storage limitation under Article 5(1)(e) means data collected for entry verification at a match cannot be kept indefinitely. Controllers should review retention periods now.

What personal data is generated by attending the FIFA World Cup 2026?

Attending the tournament produces multiple distinct data streams, most of which fans do not consciously register as data collection.

The FIFA Fan ID requires each ticket holder to provide their full legal name as it appears on their passport, date of birth, nationality, email address, phone number, passport number, passport expiry date, and a passport-quality photograph. Every ticket purchased or received is directly linked to this identity record.

Stadium entry at multiple US venues, including Gillette Stadium in Boston, Hard Rock Stadium in Miami, and Mercedes-Benz Stadium in Atlanta, uses facial recognition. Mexico implemented 100% digitised biometric turnstile access across its host venues.

The official FIFA World Cup 2026 app collects location data to personalise recommendations across all 16 host cities: restaurants, fan festivals, activities, and local events, calibrated to the fan’s trip itinerary and real-time position.

The FIFA Rewards programme logs digital engagement: content views, app interactions, attendance check-ins, and merchandise activity, building a behavioural profile that determines tier and gives access to tiered benefits.

Counter-drone technology deployed across tournament venues (a $115 million component of the $365 million total US government security investment) uses radio frequency monitoring that may incidentally sweep data from nearby mobile devices, not as a deliberate feature, but as a consequence of how the technology operates.

No single privacy notice covers all of this. Each stream involves different controllers, different processors, and potentially different lawful bases.

What GDPR issues does the FIFA Fan ID raise?

The Fan ID is not optional for ticket holders. Without it, no one can purchase, receive, or transfer a ticket. That structural requirement has direct implications for how GDPR lawful basis applies to the data collected.

What lawful basis applies to Fan ID data?

FIFA’s privacy policy states it complies with the GDPR and the Swiss Federal Act on Data Protection, and will collect sensitive personal data only where a lawful basis exists under applicable law. The specific basis selected for each category of Fan ID data is not publicly disclosed in detail.

For a DPO reviewing this, the question is of practical importance. If FIFA processes Fan ID data on the basis of contract (Article 6(1)(b)), the argument being that identity verification is necessary to fulfil the ticket agreement, that basis covers the operational processing but does not extend to downstream uses like personalisation, marketing, or third-party sharing. Those require separate grounds.

If the basis is legitimate interests (Article 6(1)(f)), a legitimate interests assessment must have been carried out and must be documentable. If it is consent, that consent must be specific, informed, and freely given. Consent obtained as a condition of accessing a ticket is not freely given under GDPR Article 7(4).

What applies when a Fan ID includes a passport photo?

A passport-quality photograph processed to verify identity through facial comparison becomes biometric data under GDPR Article 4(14) when it is processed through technical means that allow unique identification of a natural person. Biometric data is a special category under Article 9, which requires both a lawful basis under Article 6 and a specific condition under Article 9(2), most commonly explicit consent or substantial public interest.

Organisations operating fan-facing systems that process passport photographs for identity matching should have a clear record of which Article 9(2) condition they rely on, documented before processing begins.

What GDPR obligations apply to biometric stadium entry?

Facial recognition at turnstiles is high-risk processing by any measure. It is processing of special category data at scale, in a context where the practical ability to decline is limited, with outcomes (entry or denial) that directly affect individuals.

What does GDPR require before deploying facial recognition at scale?

A Data Protection Impact Assessment is required before deploying biometric identification at this scale under Article 35 GDPR. The DPIA must identify the risks, assess proportionality, and document measures taken to reduce those risks. Where residual high risks remain after mitigation, the controller must consult the relevant supervisory authority before proceeding.

Biometric identification systems are also classified as high-risk AI under the EU AI Act, which brings additional obligations: transparency requirements, accuracy testing, human oversight mechanisms, and incident logging. The provisions covering high-risk AI systems represent one of the most significant compliance obligations for operators running these systems across EU-connected contexts.

What rights do fans have when facial recognition is used at the turnstile?

Under the GDPR, data subjects have the right to be informed (Articles 13 and 14), the right of access (Article 15), the right to object to processing based on legitimate interests (Article 21), and, where consent is the lawful basis, the right to withdraw that consent at any time.

The practical question at a stadium turnstile is whether any of these rights are exercisable in context. Research into the 2026 tournament’s biometric entry systems found that transparency for fans is effectively absent: there is no accessible way to learn how long facial data is retained, where it is stored, who has access to it, or what happens to it when the tournament ends. That gap is a direct compliance failure for any controller processing EU fan data under those systems.

What happens to biometric data when the tournament ends?

No clear public policy exists covering deletion of biometric data collected during the tournament. In Seattle, local authorities have confirmed that the city has no control over how surveillance footage is stored or who can access it; the data is stored in a private vendor’s database that can be subpoenaed by third parties outside the state. In the State of Mexico, authorities have stated that the surveillance infrastructure installed for the tournament will remain operational after it ends.

For EU fans whose biometric data was collected at these venues, the storage limitation principle under Article 5(1)(e) requires that data not be kept longer than necessary for the purpose for which it was collected. Entry verification at a match does not justify indefinite retention. A controller who cannot identify a retention period or demonstrate that deletion has occurred is in breach.

What does fan engagement data mean for GDPR compliance?

The commercial layer of the tournament runs on personal data. FIFA Rewards logs fan behaviour across the FIFA ecosystem (digital content, match attendance, app interactions, merchandise purchases) and uses that data to place fans in tiers that give access to tiered benefits. The FIFA World Cup app personalises venue recommendations, fan festival information, and matchday content based on location and trip profile.

What lawful basis applies to personalisation and profiling?

Personalisation at this level involves profiling: the automated processing of personal data to evaluate aspects of a person’s behaviour and preferences. Profiling requires a lawful basis and, where it has a significant effect on individuals, may trigger the right not to be subject to solely automated decisions under Article 22.

For a fan engagement programme, the most commonly used bases are consent and legitimate interests. Legitimate interests can cover personalisation where the fan would reasonably expect it, the processing is proportionate, and it does not override the individual’s rights and freedoms. A legitimate interests assessment must document that balance. Where explicit consent is obtained, it must be granular: separate consent for location tracking, for content personalisation, and for third-party data sharing, not a single bundled checkbox.

The app store listing for the FIFA World Cup 2026 notes that data collected may be shared with third parties. Which third parties, under what conditions, and with what contractual protections in place for EU fan data should be answered in the privacy notice and reviewed by any organisation that feeds fan data into FIFA’s ecosystem.

What can VAR technology teach us about data compliance?

VAR (the Video Assistant Referee) exists because a match official’s single-moment judgement can be wrong, and the consequences of that error matter. Before a decision stands, VAR reviews the footage, checks the data, and either confirms or corrects the call.

This tournament’s VAR system is more data-intensive than any previous edition. The official TRIONDA ball contains a 500Hz inertial measurement unit sensor that captures its movement 500 times per second. Sixteen optical tracking cameras feed into an AI system that works with three-dimensional player avatars generated from body scans of every participating player, allowing the semi-automated offside system to determine limb positions to the centimetre.

The question VAR asks before every decision is: are we sure? The technology exists precisely because confidence without verification is not enough when it matters.

Data compliance works the same way. Organisations processing personal data at scale, whether running a ticketing platform, a loyalty scheme, or a stadium entry system, need their own version of VAR: documented checks that verify consent was obtained correctly, that lawful bases are recorded, that retention periods are set and followed, and that data subject requests are being handled within the one-month window.

A DSAR process without a tracking system is an official without a VAR feed. The decision gets made, but there is no check. In football, a wrong offside call costs a goal. In data protection, the equivalent costs significantly more.

The principle extends to automated decision-making: where AI systems make decisions that affect individuals (entry denied, profile flagged, risk score assigned), there must be a human oversight mechanism, a way to challenge the outcome, and a documented process for corrections. That is what VAR does for football. It is also what Article 22 GDPR requires for decisions about people.

What should controllers processing World Cup fan data do now?

If your organisation operates any system that processed the personal data of EU fans during the 2026 World Cup (ticketing, apps, CRM, sponsor activations, loyalty programmes), the following questions need documented answers.

What lawful basis applies to each category of data you collected? Contract, legitimate interests, and consent each carry different obligations and cannot be applied interchangeably after the fact.

Did you carry out a DPIA before deploying any biometric or high-risk processing? If not, that assessment needs to happen now, with a remediation plan for any gaps identified.

What are your retention periods? Data collected to verify entry to a June match should not still be on your systems in December unless there is a documented reason it needs to be.

Can you respond to data subject requests? EU fans have rights of access, rectification, erasure, and objection. Your systems need to be able to find, retrieve, correct, or delete an individual’s data on request within one month.

Have you reviewed your processor agreements? If you used any third-party vendor, whether a ticketing platform, a stadium operator, or a loyalty scheme provider, that vendor is a processor. Your agreement with them must meet the Article 28 requirements, including provisions covering where the data is held and what happens to it when the relationship ends.

GDPRLocal’s team can conduct a gap analysis of your fan data processing, review your lawful basis documentation, and help you design retention and deletion schedules that meet GDPR requirements. Contact us to discuss GDPR compliance support or AI governance services for organisations running AI-driven fan engagement systems.

Conclusión

The 2026 World Cup brought together 4.6 million fans and, in doing so, created one of the most complex personal data processing environments in sporting history. The biometrics, the apps, the loyalty programmes, and the surveillance infrastructure raise questions that will outlast the tournament itself. Some of those questions concern FIFA directly. Many more concern the organisations (sponsors, ticketing platforms, stadium operators, app providers) that processed EU fan data as part of the ecosystem around it.

GDPR does not pause for the group stage. The obligations that apply to a data controller on any other day apply across every match. If your organisation was part of that ecosystem and has not reviewed its position, now is the time.

Additional Resources

Frequently Asked Questions

Does GDPR apply to data collected at World Cup stadiums in the US, Canada, and Mexico?

Yes, where the data subjects are EU residents. GDPR applies to organisations processing the personal data of individuals in the EU or EEA, regardless of where the processing takes place. A controller based outside the EU that processes EU fan data must comply with the GDPR under Article 3(2) if it offers goods or services to EU residents or monitors their behaviour.

Is facial recognition at stadium entry legal under GDPR?

Facial recognition processed to uniquely identify individuals constitutes biometric data under Article 4(14), which is special category data under Article 9. Processing it requires both a lawful basis under Article 6 and a specific condition under Article 9(2). Explicit consent is the most common route. A DPIA under Article 35 is also required before deploying biometric identification at scale.

What lawful basis does FIFA use for Fan ID data?

FIFA states in its privacy policy that it complies with the GDPR and will process sensitive personal data only where a lawful basis exists. The specific basis for each category of Fan ID data is not publicly detailed. Organisations processing EU fan data through systems linked to Fan ID should independently identify and document their own lawful basis, as FIFA’s basis does not automatically extend to downstream processors.

How long can World Cup biometric data be retained?

The GDPR storage limitation principle (Article 5(1)(e)) requires that personal data be kept no longer than necessary for the purpose for which it was collected. Biometric data collected to verify stadium entry lacks a legitimate basis for indefinite retention. Controllers should establish and document specific retention periods, and have a deletion process in place that can be demonstrated to a supervisory authority on request.

What should organisations do if they processed EU fan data during the tournament?

Review lawful basis documentation for each data category; confirm that DPIAs were completed for any high-risk processing; verify that processor agreements meet Article 28 requirements; check that data subject rights requests can be handled within one month; and audit retention periods against the purpose for which the data was collected. GDPRLocal can support this review through a structured gap analysis.

Zlatko Delev

About the Author

Zlatko Delev

Country Manager & Head of Commercial — GDPRLocal

Zlatko specialises in data protection compliance, ISMS strategy, and AI law. With a legal background and hands-on experience supporting organisations globally, he helps businesses navigate GDPR, the EU AI Act, and international privacy frameworks.