The Massachusetts Gaming Commission approved data privacy regulations under the 2022 Massachusetts Sports Wagering Act earlier this
fall. While directed to a narrow group of companies, the
restrictions around use of artificial intelligence, profiling and
breach notification suggest the types of concerns that we may see
other regulators focus on in other industries.
The law, passed last year, legalized sports betting in the
state. It also placed obligations on how covered entities handle
personal information. Entities covered by the law, and thus
subject to these regulations, are those that run physical or
virtual sports wagering establishments in Massachusetts or directed
towards people in Massachusetts. The law gave the gaming commission
regulatory authority, and the regulations issued this fall spell out
how to meet the law's data protection obligations. Namely:
- Limit how information is used. Operators may
use and keep patrons’ information only to operate their sports
wagering platforms. If they wish to use information for other
reasons, they must get consent. Consent must be “clear and
conspicuous” and not part of another agreement. The rules
specifically prohibit relying on acceptance of terms for this kind
of consent. Operators are also prohibited from using actual or
predicted behaviors to encourage wagers or to serve marketing. Of
particular concern was putting patron information into AI systems
to make gaming more addictive.
- Protect information. Operators must develop
and maintain data privacy and security policies. These policies
must address employee training, incident response procedures, and
technical and organizational measures for protecting
- Notify in the event of a breach. Operators
must notify the Massachusetts Gaming Commission and begin an
investigation within 5 days of a suspected data breach. A
breach is defined as it is under the state’s breach notification
law: the unauthorized acquisition or use of computerized
personal information. (That law, as many know, and like most breach
notification laws, has a specific definition of personal
- Limits on data sharing. Under the regulations,
operators can share patrons’ information only as necessary to
operate the sports wagering establishment or platform, and only if
there is a written agreement in place with the recipient. That
agreement must include, inter alia, a promise that the
vendor will protect the information and will have a data security
program and incident response procedures in place. Operators must
also encrypt or hash information before sharing it.
- Patron rights. Similar to rights found in comprehensive state privacy laws,
patrons have the right of access and correction. The law also
provides for the right to have information deleted and to have its use
limited. Operators must communicate these rights online.
- Promoting responsible gaming. The law requires
sports wagering operators to compile and aggregate patrons’
personal information and analyze it for purposes of developing
programs to help people with gambling addiction.
Putting it into Practice: While applicable only to
sports wagering operators, these requirements highlight concerns
that are on the minds of regulators across industries. These include
restrictions on the use of artificial intelligence and concerns about
using behavioral data and profiling to influence behavior.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.