Privacy & Information Security Law Blog

On August 8, 2023, the Massachusetts Gaming Commission approved 205 CMR 257: Sports Wagering Data Privacy, a set of regulations designed to create new rights and obligations with respect to sports betting operators’ use of patrons’ Confidential Information or Personally Identifiable Information. The regulations took effect on September 1, 2023.

The Sports Wagering Data Privacy regulations (the “Regulations”) apply to sports wagering operators’ use of Confidential Information (“CI”), defined as “information related to a Sports Wagering Account, the placing of any Wager or any other sensitive information related to the operation of Sports Wagering,” and Personally Identifiable Information (“PII”), defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular patron, individual or household.”

The Regulations include provisions related to:

• Data Use and Retention: Operators must use and retain CI and PII only as necessary to perform certain specified purposes, such as the operation of a “Sports Wagering Area.” If an operator seeks to use a patron’s CI or PII for purposes beyond those specified in the Regulations, the operator muse obtain the patron’s consent. An operator also may not use a patron’s CI or PII, or any information derived from them, to promote or encourage specific wagers or promotional offers. The Regulations require that an operator collect and aggregate patrons’ CI and PII to analyze patron behavior to identify and develop programs to promote responsible gaming, support problem gamers, and deter wagering violations. Every six months, operators must report their findings to the Massachusetts Gaming Commission.
• Data Sharing: Operators may not share CI or PII with a third party except for certain specified purposes. Where an operator shares CI or PI with a third party, the operator must (1) take commercially reasonable measures to ensure the third party keeps the information private and confidential; (2) enter into a written agreement with the third party that contains certain specified provisions; and (3) encrypt or hash and protect CI and PII from incomplete transmission, misrouting, unauthorized message modification, disclosure, duplication or replay.
• Patron Rights: Patrons have the right to request:
  • A description as to how their CI or PII is being used, including confirmation that the information is being used in accordance with the Regulations;
  • Access to a copy of their CI or PII maintained by the operator or a vendor, subcontractor, or registrant of the operator;
  • Updates to their CI or PII;
  • Restriction of the use of their CI or PII for particular uses; and
  • Erasure of their CI or PII when it is no longer required to be retained by applicable law or court order.
• Data Privacy & Security Program: Operators must develop, implement and maintain comprehensive administrative, technical and physical data privacy and security policies appropriate to the size and scope of the business.
• Data breaches: In the event of a suspected data breach, operators must immediately notify the Massachusetts Gaming Commission and commence an investigation of the suspected breach within five days of discovery.