Don’t Gamble on Compliance with Massachusetts’ New Industry-Specific Privacy Regulation

Privacy has come into play with Massachusetts’ new Sports Wagering Data Privacy regulation. On August 8, 2023, the Massachusetts Gaming Commission approved 205 CMR 257, Sports Wagering Data Privacy (SWDP), and the regulation went into effect on September 1, 2023.  Massachusetts sports wagering operators now have obligations to secure and protect “confidential information” and “personally identifiable information” of patrons, as well strict reporting obligations in the event of a data breach. 

But regulators in Massachusetts are not the first to deem it necessary to regulate the way in which operators handle the personal data of their patrons. Other states, like Maryland and Ohio, have implemented regulations that impose similar privacy-related obligations on sports wagering operators.  At this time, only a handful of states have comprehensive privacy laws that would nullify the need for an industry-specific law such as SWDP.  Sports wagering regulators in states without comprehensive privacy laws are now attempting to fill the gaps with regulations that mirror the provisions of the comprehensive state laws, and they sometimes go beyond what is required by the comprehensive laws.

Massachusetts’ SWDP is the perfect example of this.  To start, the definitions of “personally identifiable information” (PII) and “confidential information” are broad.  Similar to the definition of PII under CPRA, the definition under SWDP includes information which is “reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular patron, individual, or household.”  The definition of “confidential information” is very broad and generally includes information about the amount of money in accounts or being wagered, patron authentication credentials, the name of events on which patrons wager, and the location from which a patron wagers.

SWDP contains other provisions similar to, and sometimes more stringent than, those found in comprehensive state privacy laws, such as the following:

  • Data use and retention restrictions – Confidential information and PII may be used only as necessary to operate a Sports Wagering Area, Sports Wagering Facility, or Sports Wagering Platform, or to comply with various laws. Use for any other purpose requires consent of patron. There are also restrictions on the use of information for promoting wagers/promotional offers.

  • Data sharing restrictions – Confidential information and PII may not be shared with third parties except as necessary to operate a Sports Wagering Area, Sports Wagering Facility, or Sports Wagering Platform, or to comply with various laws, and if necessary to share with a sports wagering vendor, operators must ensure protection of data and implementation of data security and breach programs.

  • Patron rights – This includes the right to request a description of how data is being used, right to access, right to update/amend data, right to impose additional restrictions on use of data, and right to erasure.

  • Data privacy and security – Operators must have comprehensive policies, both internally (for employees to follow) and externally (for patrons to learn) regarding privacy and security.

  • Data breaches – Operators must immediately notify the Commission of a suspected data breach and commence an investigation within five days. “Data breach” is defined to mean “the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth.”

It is likely that more states will begin to pass regulations similar to SWDP to close the gap left by the state’s lack of a comprehensive privacy law.  Understanding SWDP’s definitions and provisions can help sports wagering operators ensure compliance with current regulations and prepare for those that are to come.  Sports wagering operators can bet on the fact that the road to privacy compliance will be a challenge.

 Originally published by InfoLawGroup LLP. If you would like to receive regular emails from us, in which we share updates and our take on current legal news, please subscribe to InfoLawGroup’s Insights HERE.

Chloé NelsonPrivacy Law, Sports Wagering Data Privacy