.svg)
Body
Regulators in Massachusetts have begun accepting industry comment on a proposed sports-wagering data privacy regulation that will govern the use of customer information, as well as setting out a process for patrons to request that operators erase their data.
The proposed regulation also sets out guidelines in the event of a data breach and what a licensee is required to do in terms of investigating and reporting the incident in a timely manner.
The Massachusetts Gaming Commission (MGC) met Thursday (June 1) and unanimously voted to move the proposed regulation forward, a procedural move which allows commission staff to accept public comments and make potential changes based on that input before a final commission vote for adoption in two or three months.
Commissioner Eileen O’Brien questioned why the five-member commission was not adopting the proposed data privacy regulation by the state’s emergency process.
“We had included some data provisions in other regulations for protection of patron data. That provides a level of protection,” said Mina Makarious, a partner with the law firm of Anderson Kreiger who has worked with the MGC to craft gaming and sports-betting regulations.
Makarious said the MGC was taking a similar approach with this regulation as it did with advertising, “where first we surveyed all of the other states to see what they were doing on these issues.”
“[We tried] to take the best of the bunch and try and fit it into the model or framework you have,” he said. “We also had some input from the attorney general’s office.”
According to the proposed regulation, Massachusetts 205 CMR 257, operators can use and retain a consumer’s confidential information and personally identifying information to operate their business or to comply with any applicable law, regulation, court order, subpoena, or civil investigative demand of a government entity.
“To the extent an operator seeks to use a patron’s data for other purposes, an operator is required to obtain the patron’s consent, which may be withdrawn at any time,” it adds.
Operators are also prohibited from certain uses of a patron’s data to promote or encourage specific wagers or promotional offers based on information which might suggest a propensity for irresponsible gaming.
To further promote responsible gaming goals, the regulation requires operators to collect and analyze patron data for the purposes of identifying patrons who may benefit from responsible gaming interventions and developing those interventions.
Massachusetts regulators are also proposing to require sports-betting licensees, such as DraftKings or BetMGM, to provide customers with a process by which they can request to have their data erased.
Licensees are also prohibited from sharing a customer’s data with “any third part except as necessary to operate” mobile or retail sports betting. If an operator does share patron data, the regulation makes them responsible to ensure the third party keeps that data private and confidential.
There are exceptions within the regulation, including allowing customer personal data to be shared under a court order, subpoena or civil investigative demand of a governmental entity.
“The attorney general’s office continues to think that strong privacy protections are needed here and that there are a lot of risks that are assumed with the use of consumer data,” Jared Rinehimer, division chief data privacy and security division with the Massachusetts Attorney General’s Office, told the commission.
Rinehimer said the other thing the attorney general’s office feels is important about this approach is “really giving the patrons the chance about how their information is used and presenting that in a clear and understanding way, so that they … understand what the operators are doing.”
“It’s the approach that a lot of privacy laws have taken in other jurisdictions,” he said. “For example, California is approaching this in a similar way.”
On January 1, 2020, the California Consumer Privacy Act went into effect providing for a protective framework in relation to consumers’ personal data held by businesses and the use of such data.
The regulation in Massachusetts also ensures operators must develop, implement and maintain policies to protect their customers’ confidential and personally identifiable information.
Gaming regulators are also requiring operators to have cybersecurity insurance, which shall include, at a minimum, coverage for data compromise response, identity recovery, computer attack, cyber extortion and network security.
In the event of a suspected data breach involving customer information, a sports-betting licensee would need to notify the commission immediately and begin an investigation no more than five days after discovery.
Rinehimer added that the attorney general’s office was encouraged by this proposed regulation and “fully appreciate the innovative approach that is being taken here, especially around the work that is being done to identify problem gamblers.”
“We would certainly like to work on that a little more,” he added.
