Massachusetts Approves Sports-Betting Data Privacy Regulation

August 9, 2023
Although U.S. market leaders DraftKings and FanDuel made it clear in comments submitted to the Massachusetts Gaming Commission that they were opposed to a proposed sports-wagering data privacy regulation, commissioners brushed aside most of their concerns adopting the rules.


Although U.S. market leaders DraftKings and FanDuel made it clear in comments submitted to the Massachusetts Gaming Commission (MGC) that they were opposed to a proposed sports-wagering data privacy regulation, commissioners brushed aside most of their concerns adopting the rules.

The regulation, Massachusetts 205 CMR 257, governs the use of customer information, as well as setting out a process for patrons to request that operators erase their data.

In the event of a data breach involving customer information, a sports-betting licensee would need to notify the commission and begin an investigation no more than five days after discovery.

“DraftKings respectfully submits that sports wagering regulations are not the appropriate place to create a brand new comprehensive, far reaching data privacy regime,” wrote David Prestwood, director legal and government affairs at DraftKings, in comments submitted to the MGC prior to a public meeting on Tuesday (August 8).

Prestwood reminded commissioners that the state does not have a comprehensive data privacy policy, and whether to adopt one is a decision for the legislature.

“There is no mandate in the underlying statute requiring the commission to adopt comprehensive data privacy regulations,” he added. “Any comprehensive data privacy regime should only be adopted after an exhaustive debate in the [legislature].”

Andrew Winchell, director of government affairs at FanDuel, said the Flutter-owned company was concerned that multiple provisions of the data privacy regulation do not mirror standards in generally applicable regulations found in other jurisdictions, such as Colorado and Virginia, which operators have already developed their systems to comply with.

“We strongly urge the commission to mirror the requirements found in other jurisdictions in order to ensure a uniform user experience and protections,” Winchell wrote.

Mina Makarious, a partner with Anderson Kreiger who has worked with the MGC to craft gaming and sports-betting regulations, said that the state attorney general’s office strongly supported the proposed regulation as an important source of privacy protection.

“Our view is they there are some unique circumstances for sports wagering that warrant moving forward with the [regulation], recognizing if it is superseded by state law that is what it is and if it is not entirely superseded or requires clarification because of future state law there will be ample opportunity for that,” Makarious said.

Both commissioners Brad Hill and Eileen O’Brien agreed that the MGC does not have to wait for the state legislature to come up with new laws when the commission has the ability to establish requirements through regulation.

“I feel the industry needs it,” O’Brien said. “We have an obligation to do it and perhaps inform the legislature if they want to move forward on something that is more comprehensive.”

Some operators expressed concern that a regulatory requirement that they only use confidential information and personally identifiable information as necessary to operate their business was too narrow and could restrict operators’ ability to use data in legitimate ways such as creating loyalty and advertising programs.

According to the regulation, if a sports-betting operator seeks to use a customer’s confidential information or personally identifiable information for purposes beyond those laid out in the regulation, they “shall obtain the patron’s consent, which may be withdrawn at any time.”

Prestwood wrote that DraftKings already provides users with a means of opting out of having their personal identifiable information shared with third parties for non-required purposes like marketing or advertising, as well as opting out of receiving promotional materials.

This type of opt-out regime is what has been uniformly adopted by the states that have passed comprehensive data privacy laws, he wrote. In creating an opt-in regime, Prestwood said, the commission would create an unprecedented burden on operators that goes dramatically further than all other U.S. jurisdictions.

“This would substantially inhibit the ability of operators to function the way they do in every other jurisdiction in the U.S., which will have a direct negative effect on the commonwealth’s tax revenue,” he warned.

“The cost to operators and the commonwealth would far outweigh the minimum benefit to consumers, given the opt-out regimes that sports wagering operators are already operating under.”

Under the regulation, operators would also be barred from using a patron’s personal identifiable information to “promote or encourage” specific wagers or promotional offers based on a period of dormancy or non-use of an app.

The use by operators of any computerized algorithm, automated decision-making, artificial intelligence, machine learning or similar system that is known or reasonably expected to make the gaming platform more addictive is also banned under the rule.

Carrie Torrisi, associate general counsel with the MGC, confirmed the regulation will go into effect on September 1.

Our premium content is available to users of our services.

To view articles, please Log-in to your account, or sign up today for full access:

Opt in to hear about webinars, events, industry and product news

Still can’t find what you’re looking for? Get in touch to speak to a member of our team, and we’ll do our best to answer.
No items found.