SIDEARM Sports is a US based content management and digital publishing platform used by college athletics departments and sports organizations to power official websites, video streaming, ticketing integrations, and fan engagement. The platform deploys analytics tags, video telemetry, social embeds, and integrated advertising networks that collect significant visitor data. Under GDPR and the ePrivacy Directive, prior informed consent is required before any non essential identifier is set, especially given systematic transfers to the United States.
SIDEARM Sports is a content management and digital publishing platform owned by Learfield and used by hundreds of college athletics departments, conferences, and sports organizations in the United States. It powers the public facing athletics website, the mobile experience, the live and on demand video player, schedule and roster pages, ticketing integrations with partners such as Paciolan or Ticketmaster, donor and fan analytics dashboards, and email or push marketing tools. From a privacy perspective, SIDEARM Sports is not a single tag but a full hosting and CMS stack that loads first party scripts together with a substantial set of third party tags covering audience measurement, video telemetry, advertising, social embeds, and conversion tracking.
Because SIDEARM Sports renders the entire site, almost every visitor interaction can be observed: pages viewed, videos started or completed, ticket purchase funnels, donor form submissions, newsletter sign ups, and social referrals. This places it in a different category from a simple analytics SDK: the platform is both the publisher infrastructure and a data collection layer for the athletics department and its commercial partners.
A standard SIDEARM Sports deployment typically sets first party cookies for session management, authentication of donor or fan accounts, CSRF protection, and language or display preferences. Alongside these strictly necessary cookies, the platform integrates analytics and advertising identifiers, video player telemetry (for example heartbeat events, quartile completion, autoplay state), social network pixels when official accounts are embedded, and frequently a tag manager that loads further third party scripts under the athletic department's configuration.
The personal data processed typically includes IP address, user agent and device characteristics, referrer, granular page and video event timestamps, account identifiers for logged in fans or donors, and behavioural signals that can be linked across sessions through persistent identifiers. Combined with ad network pixels, these signals enable cross site profiling, which under GDPR is non essential processing requiring consent.
Article 5(3) of the ePrivacy Directive, transposed in each EU and EEA member state, requires prior informed consent before storing or accessing any information on a user's device that is not strictly necessary to deliver the service explicitly requested. Audience measurement, advertising, video engagement profiling, and social pixels loaded through SIDEARM Sports fall squarely within that scope. The European Data Protection Board has confirmed in its 2023 guidance on technical scope that consent is required regardless of whether the identifier is a cookie, a local storage entry, or a fingerprinting signal.
Under GDPR, consent must be freely given, specific, informed, and unambiguous (Article 4(11)) and demonstrable (Article 7). In practice, the third party tags injected by SIDEARM Sports must be blocked until the visitor has actively accepted the relevant categories, refusal must be as easy as acceptance, and the consent state must be logged with proof. Legitimate interest is not an adequate basis for advertising or cross site analytics, and is unlikely to survive a balancing test when processing involves minors, which is common among college athletics audiences.
SIDEARM Sports and its parent company Learfield operate from the United States and host the majority of their infrastructure there. Any access by a European visitor results in a transfer of personal data to a third country within the meaning of Chapter V of the GDPR. Since the Schrems II ruling of 16 July 2020 (CJEU C-311/18), transfers to the US require a valid transfer mechanism such as the EU-U.S. Data Privacy Framework certification of the recipient, or Standard Contractual Clauses combined with a transfer impact assessment and supplementary measures.
Controllers must verify whether Learfield is certified under the Data Privacy Framework for the categories of data processed, document the contractual safeguards, and assess US surveillance laws (FISA 702, Executive Order 12333) that may compel disclosure. The outcome of this analysis should be recorded in the record of processing activities and made available to data subjects on request.
To operate a SIDEARM Sports powered site in line with GDPR and ePrivacy, deploy a Consent Management Platform that blocks all non essential tags (advertising, social, non anonymous analytics, video telemetry beyond what is required for playback) until consent is captured. Configure the CMP to map each SIDEARM injected vendor to a granular purpose, retain proof of consent for at least the duration of the processing, and surface a persistent preferences link to enable easy withdrawal.
Update the privacy notice to disclose Learfield and SIDEARM Sports as processors or joint controllers depending on the configuration, list the categories of third party recipients, specify retention periods, and describe the rights of access, rectification, erasure, restriction, portability, objection, and lodging a complaint with a supervisory authority. Where the athletics department targets minors, apply enhanced safeguards consistent with Article 8 GDPR and, in the US, FERPA when the audience overlaps with enrolled students.
Organizations that cannot meet consent obligations or that wish to reduce exposure to US transfers can consider European hosted CMS platforms (for example Drupal or Strapi on EU infrastructure) paired with EU based audience measurement tools such as Matomo, Plausible, or AT Internet, video hosting via a European provider, and a separate ticketing partner with an EU establishment. For organizations that keep SIDEARM Sports, minimise the third party footprint by disabling unused advertising integrations, restricting social embeds to click to load patterns, and serving anonymous, aggregated analytics in the pre consent state.
Websites using SIDEARM Sports must obtain user consent under GDPR regulations.
DPIA considerations
A Data Protection Impact Assessment is recommended when SIDEARM Sports is deployed on websites accessible to EEA or UK visitors. The platform combines first party content delivery with third party advertising, video telemetry, and donor or fan analytics, which can amount to large scale monitoring of behaviour. Document the lawful basis (consent for non essential cookies, legitimate interest only where strictly justified), the purposes pursued, retention periods, recipients including Learfield and US based subprocessors, and the safeguards used for transfers to the United States such as Standard Contractual Clauses and supplementary technical measures.
Sample consent text
We use SIDEARM Sports to power this athletics website, including video playback analytics, audience measurement, advertising performance, and integrated social and donor features. These tools set cookies and similar identifiers that may be shared with Learfield and partners in the United States. With your consent, we may use this data to personalise content, measure engagement, and serve relevant advertising. You can accept, refuse, or customise your choices at any time from the cookie preferences link in the footer.
Third-party domains contacted
sidearmsports.com, sidearmstats.com, sidearmdev.com, learfield.com, cdn.sidearmsports.com, static.sidearmsports.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ASP.NET_SessionId | http_cookie | session | First party session identifier used to maintain state across page requests on the SIDEARM Sports application stack. Strictly necessary for site functionality. |
| .SIDEARMAuth | http_cookie | 30 days | First party authentication cookie issued when a fan or donor signs in to gated areas of the athletics site such as ticketing accounts, donor portals, or premium content. Required to maintain the authenticated session. |
| __RequestVerificationToken | http_cookie | session | First party anti CSRF token used to validate form submissions against the SIDEARM Sports backend. Strictly necessary for site security. |
| sidearm_culture | http_cookie | 1 year | First party preference cookie that stores the visitor's selected language and display preferences for the athletics site. |
| _ga | http_cookie | 2 years | Third party Google Analytics identifier commonly deployed through SIDEARM Sports for audience measurement. Requires prior consent under the ePrivacy Directive for non essential analytics. |
| _gid | http_cookie | 24 hours | Third party Google Analytics identifier used to distinguish users within a 24 hour window. Requires prior consent. |
| sidearm_video_session | http_cookie | 30 days | First party video player telemetry cookie used to track playback events, quartile completion, and resume points across SIDEARM hosted streams. Beyond basic playback, requires consent. |
| _fbp | http_cookie | 90 days | Third party Meta Pixel identifier loaded when the athletics department enables Facebook advertising or social embeds. Strictly requires consent for advertising and conversion tracking. |
A SIDEARM Sports deployment typically sets first party session cookies, authentication cookies for donor or fan accounts, CSRF tokens, and language preferences. It also injects third party identifiers used for audience measurement, video player telemetry, social embeds, and integrated advertising. The exact list depends on the modules enabled by the athletics department, but expect a combination of first party operational cookies and a substantial set of analytics, advertising, and tag manager identifiers that fall outside the strictly necessary category.
Yes. Article 5(3) of the ePrivacy Directive requires prior informed consent before any non essential identifier is set or read. The advertising tags, audience measurement, video engagement profiling, and social pixels integrated through SIDEARM Sports are non essential. Only strictly necessary cookies (session, authentication for explicitly requested account features, CSRF) can be loaded without consent. The advertising and analytics layers must be blocked by a Consent Management Platform until the user actively accepts.
Consent under Article 6(1)(a) GDPR is the appropriate lawful basis for the advertising, cross site analytics, video telemetry, and social pixel components. Strictly necessary first party operational cookies can rely on Article 6(1)(b) (performance of a contract) or Article 6(1)(f) (legitimate interest) where appropriate. Legitimate interest is generally not adequate for advertising or third party analytics, particularly when the audience can include minors, where Article 8 GDPR adds further constraints.
SIDEARM Sports and Learfield are US based, so visitor data, including IP addresses, device characteristics, and behavioural signals, is transferred to the US. EEA and UK controllers must rely on a valid Chapter V mechanism: the EU-U.S. Data Privacy Framework if Learfield is certified for the data categories involved, or Standard Contractual Clauses paired with a transfer impact assessment and supplementary measures. The Schrems II ruling requires controllers to consider US surveillance laws such as FISA 702 and Executive Order 12333.
Yes, a Data Protection Impact Assessment is strongly recommended. SIDEARM Sports involves large scale, systematic monitoring of online behaviour combined with third party advertising integrations and US data transfers, which meet several of the criteria in Article 35 GDPR and the EDPB guidelines on DPIA. Document the categories of data, recipients including Learfield and subprocessors, retention periods, the safeguards used for transfers, the risks for data subjects, and the technical and organisational mitigations applied.
Deploy a Consent Management Platform that places SIDEARM injected advertising and analytics tags in a deferred state at page load. On consent, release the scripts category by category (advertising, analytics, social, video telemetry). Provide granular accept, reject, and customise controls, log consent with a timestamp and the proof of choice, and expose a persistent preferences link. The refusal pathway must be as visible and as easy as the acceptance pathway, in line with EDPB Guidelines 03/2022 on dark patterns and consent.
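One way to express the deferred release and the pre-consent check described above, as an added example that is not FlowConsent or SIDEARM Sports code. Cookie names come from the "Cookies placed" table on this page; the category keys, function names, tag ids, and sample cookie string are assumptions made for illustration, and cookies missing from the map are denied by default.

```javascript
// Added example: consent gating and audit logic. Category keys and function
// names are assumptions; cookie names come from the page's cookie table.
const COOKIE_CATEGORY = new Map([
  ['ASP.NET_SessionId', 'necessary'],
  ['.SIDEARMAuth', 'necessary'],
  ['__RequestVerificationToken', 'necessary'],
  ['sidearm_culture', 'necessary'], // assumption: operational; re-map if your assessment differs
  ['_ga', 'analytics'],
  ['_gid', 'analytics'],
  ['sidearm_video_session', 'video_telemetry'],
  ['_fbp', 'advertising'],
]);
const CONSENT_CATEGORIES = ['advertising', 'analytics', 'social', 'video_telemetry'];

// Consent log entry: anything not explicitly accepted is stored as refused.
function recordConsent(choices, now = new Date()) {
  const granted = {};
  for (const c of CONSENT_CATEGORIES) granted[c] = choices[c] === true;
  return { timestamp: now.toISOString(), granted };
}

function isAllowed(category, consent) {
  if (category === 'necessary') return true;
  return Boolean(consent) && consent.granted[category] === true;
}

// Ids of deferred tags that may be released for this consent state.
function releasableTags(tags, consent) {
  return tags.filter((t) => isAllowed(t.category, consent)).map((t) => t.id);
}

// Audit a document.cookie style string: cookies present without a matching
// grant are violations. Names missing from the map are denied by default.
function auditCookies(cookieString, consent) {
  const violations = [];
  for (const pair of cookieString.split(';')) {
    const name = pair.split('=')[0].trim();
    if (!name) continue;
    const category = COOKIE_CATEGORY.get(name) || 'unknown';
    if (!isAllowed(category, consent)) violations.push(`${name}:${category}`);
  }
  return violations;
}

// Constructed sample data (not captured from a real site).
const SAMPLE_TAGS = [
  { id: 'ga-loader', category: 'analytics' },
  { id: 'meta-pixel', category: 'advertising' },
  { id: 'video-heartbeat', category: 'video_telemetry' },
  { id: 'csrf-helper', category: 'necessary' },
];
const SAMPLE_COOKIES = 'ASP.NET_SessionId=x1; _ga=GA1.2.1.2; _fbp=fb.1.2.3; vendor_x=1';
```

Running `auditCookies` against the cookie string of a fresh session with no consent recorded is a quick regression check that the CMP is actually blocking; any non-empty result means an identifier was set before the visitor chose.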
For organizations that need to reduce US transfers, a stack composed of a European hosted CMS (Drupal or Strapi on EU infrastructure), an EU based analytics tool such as Matomo, Plausible, or AT Internet, a European video hosting provider, and a ticketing partner with an EU establishment can replace most SIDEARM Sports modules. The trade off is a higher integration effort and the loss of the all in one experience, in exchange for clearer GDPR alignment and reduced exposure to US surveillance laws.
List SIDEARM Sports and Learfield by name, indicate that they act as the publishing platform and as commercial partners for analytics and advertising, describe the categories of data processed (technical identifiers, behavioural signals, account data when applicable), specify the storage location in the United States, list the transfer safeguards used, give the retention periods per category, and provide clear instructions for accepting, refusing, and withdrawing consent. Keep the description up to date when modules are added or removed.