Every year, hundreds of thousands of people suffer a momentary lapse of reason and sign up for a running competition – anything from a mile to a marathon. But far fewer of them consider the information that they share while registering, and the potential consequences of doing so.

When registering for a race, there’s a long list of personally identifiable information that must be provided. Some of it is essential: name, address, phone number, and email are obviously required, so that the race can contact the runner. In addition, athletes must provide age and gender, so as to be placed in the right category – races segment runners into five- or 10-year age groups, divided by gender – i.e. “women 35-39.” Races will also often require date of birth, so as to ensure that the athlete is placed into the correct category on race day. Finally, some races allow the runner to opt in to a special weight-based category. Runners who exceed certain bodyweight thresholds can choose to compete in the “Clydesdale” or “Athena” categories. (Some readers will be relieved to learn that this final category is always opt-in.)

That’s the first cut of the informational harvest. Runners are sometimes asked to provide information on current health issues, or to provide an emergency contact’s name and phone number. Registrants are also polled on how they learned about the race and their previous racing history. For some races, it doesn’t end there. 

The Competitor Group is a for-profit event-management group focused on running and triathlon events, including the Rock ‘n’ Roll series of races.  The Rock ‘n’ Roll races, each named after the location of the race, are massive – more than 30,000 competed in the 2010 Rock ‘n’ Roll Arizona Half and Full Marathons. When one registers for a Rock ‘n’ Roll race, one submits the standard runner’s PII – name, address, birth date, gender. And, of course, a credit card number. This registration is conducted exclusively online, with an extensive privacy policy available via link at the bottom of the website.

However, later in the process, Competitor requests additional information from each runner. In order to compete in a race, a runner must have a “bib” – a paper number issued by the race that is safety-pinned to the front of one’s clothes, and accompanied by an RFID chip for tracking on race day. A few days before the race, Competitor emails each participant a link to a website where the runner can download a confirmation sheet. This sheet must be completed and presented before the runner can receive his or her bib. 

The sheet includes a waiver at the bottom that must be signed, sheltering the race from legal liability from the athlete’s participation in an “inherently dangerous” activity. However the sheet also requires that the athlete provide additional information not previously requested. This information is described as “mandatory info,” with the clear implication that the athlete must provide it in order to collect the bib, and thus compete in the race. The form requires that runners provide information on their travel plans, including the airline they flew on, the hotel that they are staying at, and the number of traveling companions accompanying them. There is no statement on the sheet as to why the information is collected, or how it may be used. 

Several runners, when queried as to why the information might be collected, assumed that it was so that the race could demonstrate the economic benefits from the event for the local community.  According to runner Kathryn Neeper:

“It seemed like they were trying to collect the information they’d need to demonstrate a positive economic impact of the race on the city … it was the strong impression that the questions gave me.” 

However, privacy pros know differently – the information is a potential additional source of revenue for Competitor, and most likely being used for marketing purposes. As Stacey Gray, a legal and privacy fellow at the Future of Privacy Forum, notes: “across most industries, the sharing of personally identifiable information (PII) for marketing and other commercial purposes, subject to a consumer opt-out, is the default.” 

The Competitor Group’s privacy policy confirms this practice.  It states that Competitor may “link or combine [the information collected] with other personal information we get from third parties” and that they “may create aggregate or de-identified information from your personal information [and they] may use this information for any purpose.” The privacy policy, which is clearly linked at the bottom of Competitor’s registration page, also includes an opt-out provision.

Despite this privacy policy, Neeper and other race registrants would be (and are) surprised to learn how their personal information is used.  Not all registrants review the privacy policy when they register. And the paper confirmation sheet, which asks for additional information, does not offer the choice to opt out. In fact, the additional information is “mandatory,” indicating that runners must provide it in order to run the race. 

According to Gray, “if companies are going to share or sell data, there should be an easy way for consumers to (1) know it’s happening; and (2) opt out.”  Though Competitor does provide notice and a chance to opt out, not all runners are aware of this. And there are runners willing to provide a great deal of personal information without understanding what will be done with the information, or their rights regarding that information. In this aspect, the average runner is no different from the average consumer.

photo credit: DSC_0395 via photopin (license)