Massachusetts: Massachusetts Gaming Commission approves regulations on data privacy and sports betting
On August 8, 2023, the Massachusetts Gaming Commission approved 205 CMR 257: Sports Wagering Data Privacy in Public Meeting no. 470. The regulation enters into effect on September 1, 2023.
In particular, the regulation defines 'personally identifiable information' as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular patron, individual, or household. Notably, personally identifiable information may also include 'confidential information,' also defined under the regulation.
The regulation stipulates that a sports wagering operator shall only use confidential information and personally identifiable information as necessary to operate a sports wagering area, sports wagering facility, or sports wagering platform, or to comply with the law.
More specifically, if a sports wagering operator seeks to use a patron's confidential information or personally identifiable information beyond the specified purposes, it must obtain the patron's consent, which may be withdrawn at any time. Consent must be clear and conspicuous, must be received apart from any other agreement or approval of the patron, and must not be deemed a waiver of the patron's other rights; the option to withdraw consent must be clearly and conspicuously available to the patron on the sports wagering operator's sports wagering platform.
In addition, sports wagering operators must not use a patron's personally identifiable information or confidential information, or information derived from it, to promote or encourage specific wagers or promotional offers based on, among other things:
- a period of dormancy or non-use of a sports wagering platform;
- the wagers made or promotional offers accepted by other patrons with a known or predicted social connection to the patron;
- the communications of the patron with any third party other than the operator;
- the patron's actual or predicted:
  - income, debt, net worth, credit history, or status as a beneficiary of governmental programs;
  - medical status or conditions; or
  - occupation; and
- any computerized algorithm, automated decision-making, machine learning, artificial intelligence (AI), or similar system that is known or reasonably expected to make the gaming platform more addictive.
Sports wagering operators must not share a patron's confidential information or personally identifiable information with any third party except as necessary to operate the sports wagering area, sports wagering facility, or sports wagering platform, or to comply with the law. Where a sports wagering operator deems it necessary to share confidential information or personally identifiable information, it must, among other things:
- protect such information that comes into a third party's custody or control against a data breach;
- implement and maintain a comprehensive data security program;
- implement, maintain, and update security and breach investigation and incident response procedures; and
- require all vendors, subcontractors, or registrants to meet the above requirements.
The regulation also requires sports wagering operators to protect confidential information and personally identifiable information through encryption or hashing and multi-factor authentication, guarding against incomplete transmission, misrouting, unauthorized message modification, disclosure, and duplication of such information.
Finally, the regulation details data subject rights, including the rights to be informed, to access and update information, to restrict processing, and to erasure. The regulation also establishes mechanisms and procedures for sports wagering operators to respond to such requests.