Massachusetts Regulators Grant Further Extensions For Data Privacy Rules

November 17, 2023
Massachusetts regulators have agreed to waive certain parts of their new data privacy regulations through next June, as operators continue to push for more time to implement the complex rules.

Massachusetts regulators have agreed to waive certain parts of their new data privacy regulations through next June, as operators continue to push for more time to implement the complex rules.

The Massachusetts Gaming Commission voted to approve waivers through June 30 for sports-betting operators to comply with provisions that include the use and retention of customer data, as well as the sharing of data with third parties.

Two of the key rules that have left operators scrambling include rules that restrict sportsbooks from using customers' personally identifiable information beyond what is “necessary to operate” a sportsbook, and from sharing that data with third parties without the customer specifically opting in to allow the company to do so.

Mina Makarious, an attorney representing the commission, said that some operators were mollified by a clarification that the “necessary to operate” language is intended to be broad.

“It is everything that an operator has to do to provide the product that they're providing to patrons in a safe way, to be able to ensure that the folks who are using it are not subject to fraud, that the operator itself or the Commonwealth isn't being opened up to fraud or the use of fraudulent accounts, certainly would include any of the anti-money laundering provisions or protections that folks have,” Makarious said.

“The reason it matters in the regulation is that outside of that 'necessary to operate' is where operators would need to seek consent for use of data.”

However, one operator not satisfied with the clarification was DraftKings, which still asked for a waiver of more than a year to ensure compliance with the new rules, including the provision that bars operators from using personally identifiable information to promote or encourage specific bets based on information, such as a period of non-use.

“We scoped this with those clarifications in mind, and that didn't give our team peace of mind that this is something we could have accomplished immediately,” said David Prestwood, manager of government affairs and public policy for DraftKings.

Prestwood said that the company would likely have to build a customer relationship management system specifically for Massachusetts to comply with the regulations, outside its normal marketing automation process.

“We don't have our existing services to operate on a per-jurisdiction level,” Prestwood said. “One of the things we may gather from this, I'm just not sure, because we don't know, the comparison is that our platform may operate significantly differently from other operators and may be a platform issue.”

Sharing with third parties also continues to be raised as an issue by operators, although complaints are somewhat operator-specific.

Makarious said that somewhat clear examples would be a marketing partnership with a hotel chain that would require a customer to opt-in to share customer data, whereas a security vendor would be considered "necessary to operate" the sportsbook.

However, one notable complication Makarious flagged was integrated products under the same company umbrella, pointing to Fanatics as an example of a company that may be adversely affected.

“If you need to provide information or if you want to provide the data about a patron to the marketing arm not for the sports wagering side of Fanatics … but for the sportswear portion, is that sharing with a third party, or is that covered by [the rule]?” he said. “And I think the issue there is that, I think reading the regulation, our reading of it and our intent drafting it was those would not be operations necessary to operate a sportsbook.”

“I would hesitate to get into too many details here, but, as you can imagine this might affect Fanatics in a way that doesn't hit other operators as hard,” said Alex Smith, vice president of regulatory affairs and compliance for Fanatics. 

“There are a lot of ways our business works with our affiliate businesses, and some of that was disclosed in our application process, both on a technological perspective and of course, marketing as well.”

FanDuel and BetMGM also flagged issues with language requiring specific provisions to be included in contracts with third-party vendors, arguing that amending all existing agreements to include the specific language may not be feasible, particularly in a short window of time.

Ultimately, the commission voted to require that the language be included in all new contracts with third-party vendors by December 14 and that operators make “commercially reasonable efforts” to ensure the existing agreements conform with the new regulations.

Our premium content is available to users of our services.

To view articles, please Log-in to your account, or sign up today for full access:

Opt in to hear about webinars, events, industry and product news

To find out more about Vixio, contact us today
No items found.
No items found.