The Massachusetts Gaming Commission approved data privacy regulations under the 2022 Massachusetts Sports Wagering Act earlier this fall. While directed to a narrow group of companies, the restrictions around use of artificial intelligence, profiling and breach notification suggest the types of concerns that we may see other regulators focus on in other industries.

The law was passed last year to legalize sports betting in the state. It also placed obligations on how covered entities handle personal information. Entities covered by the law, and thus subject to these regulations, are those that run physical or virtual sports wagering establishments in Massachusetts or directed toward people in Massachusetts. Under the law, the gaming commission was given regulatory authority, and the regulations issued this fall spell out how operators are to meet the law's protection obligations. Namely:

  • Limit how information is used. Operators may use and keep patrons’ information only to operate their sports wagering platforms. If they wish to use information for other reasons, they must get consent. Consent must be “clear and conspicuous” and not part of another agreement. The rules specifically prohibit relying on acceptance of terms for this kind of consent. Operators are also prohibited from using actual or predicted behaviors to encourage wagers or to serve marketing. Of particular concern was putting patron information into AI systems to make gaming more addictive.
  • Protect information. Operators must develop and maintain data privacy and security policies. These policies must address employee training, incident response procedures, and technical and organizational measures for protecting information.
  • Notify in the event of a breach. Operators must notify the Massachusetts Gaming Commission and begin an investigation within 5 days of a suspected data breach. A breach is defined as it is under the state's breach notification law, namely unauthorized acquisition or use of computerized personal information. (That law, like most breach notification laws, has its own specific definition of personal information, so not every exposure of patron data qualifies.)
  • Limit data sharing. Under the regulations, operators can share patrons' information only as necessary to operate the sports wagering establishment or platform, and only if there is a written agreement in place with the recipient. That agreement must include, inter alia, a promise that the vendor will protect the information and will have a data security program and incident response procedures in place. Operators must also encrypt or hash information before sharing it.
  • Patron rights. Similar to rights found in the comprehensive state privacy laws, patrons have the right to access and correct their information. The law also provides the right to have information deleted and to have its use limited. Operators must describe these rights to patrons online.
  • Promote responsible gaming. The law requires sports wagering operators to compile and aggregate patrons' personal information and analyze it for the purpose of developing programs to help people with gambling addiction.

Putting it into Practice: While applicable only to sports wagering operators, these requirements highlight concerns that are on the minds of regulators generally. These include restrictions on the use of artificial intelligence and on the use of behavioral data and profiling to influence patrons' conduct.