Sports-betting operators took advantage of a Massachusetts Gaming Commission regulatory workshop to express their concerns over newly approved data privacy rules that govern the use of customer information and allow patrons to request operators erase their data.
David Prestwood, manager of government affairs and public policy with DraftKings, testified before the Massachusetts regulator on Tuesday (September 19) that the rule “flips the way consent operates, potentially requiring patrons to opt-in to each individual use of data.”
During the commission meeting in August in which 205-CMR-257 was adopted, commissioner Nakisha Skinner asked operators which other jurisdictions offer opt-out as opposed to opt-in.
“The basic answer is that every jurisdiction in the U.S. that have dealt with this issue has an opt-out regime. So this is something that is entirely new for domestic U.S. operators,” Prestwood told the commission on Tuesday.
Another unique challenge the law creates is imposing a blanket prohibition on using certain information for promotional and analytics purposes.
“The result of that is it makes it practically unfeasible to conduct a lot of legitimate business practices like marketing, analytics and consumer outreach because vendors need data for all of these services,” Prestwood said.
Operators also expressed concern that the regulation does not allow critical data sharing with third-party vendors even when consent is obtained, requires all personal information to be encrypted or protected by multi-factor authentication, and applies to a single industry in Massachusetts rather than being reflective of a more general regulatory requirement in the state.
The regulation also requires consumers to opt into individual uses of data one-by-one, which Prestwood argued could mean that every individual has their own menu for individual uses that would be extraordinarily difficult to implement.
Prestwood added that no existing law on data privacy does this.
“When the CCPA (California Consumer Privacy Act) was passed it applied to all industries and of the benefits of that was that there were incentives for third parties to develop tools that were designed to streamline compliance and assist businesses in managing data in a compliant way,” he said of perhaps the most advanced U.S. state law on data privacy generally.
Prestwood added that because the Massachusetts sports wagering data privacy regulation applies to just eight to ten companies, “no such tools exist and so as we build processes we are on our own, which can lengthen the compliance timeline.”
DraftKings executives were not alone in expressing their concerns over data requirements in Massachusetts.
Prestwood was joined by Jennifer Roberts, general counsel of Wynn Interactive and WynnBET, Alexis Cocco, associate general counsel with BetMGM, Cory Fox, vice president of government affairs at FanDuel, along with a half-dozen other executives.
Jared Rinehimer, division chief for data privacy and security with the Massachusetts Attorney General’s Office, also participated in the workshop that lasted almost three hours on Tuesday.
“It is not that we disagree about the importance of data privacy … it has just felt like we weren’t speaking the same language,” said Prestwood.
“When we say [the regulation] is unprecedented, I think the commission has taken that as the strength of the consumer protections are unprecedented and we are intending to communicate that is not the case.”
Prestwood said DraftKings' concern is that the rule will be so challenging to implement because it is entirely unique.
“It is not an extension of any existing legal framework in the U.S.,” he added.
On August 24, the commission approved a temporary waiver until November 17 for sports-betting operators to implement the data privacy rules.
DraftKings, along with several other companies, said they also intend to seek waivers beyond the initial term to fulfil the requirements, saying that it could take a year or more to fully comply with the new rules.
“Our provisional view is that, given how dramatically the privacy regulations differ from any other privacy law or regulation in the United States, it may take up to two years of extensive and costly work to reach a state of full compliance with them,” DraftKings wrote in its waiver filing submitted for the August meeting.
On Tuesday, operators asked a number of clarifying questions, including how operators would deal with threatened or reasonably anticipated litigation, and whether operators really would not be permitted to use personal identifiable information to defend themselves prior to a lawsuit.
Operators also questioned whether the commission intends to establish a database of Massachusetts sports bettors who would not transfer in any merger or acquisition involving a licensed operator, as well as how operators would be supposed to encrypt publicly available personal identifiable information.
“This is a work in progress,” said commissioner Eileen O’Brien. “We did put a lot of thought into this when we looked at it the first time and when we voted. We’ve asked for other information from the operators in terms of what’s implemented now and possible timelines.”
O’Brien said operators may need more information from the commission, to “guide where we need to go prior to November 17 because it may be a very tailored waiver … really speaking to what is needed to figure out what the timeline is going to be.”
O’Brien stressed to her colleagues and attendees that the regulation may need to come back in front of the commission a series of times for minor tweaks, before it is completed.