Data Privacy Meets Sports Betting in the Bay State

Data Privacy Meets Sports Betting in the Bay State

Blog WilmerHale Privacy and Cybersecurity Law

The Massachusetts Gaming Commission recently approved regulations to ensure data privacy and security for sports betters in the Commonwealth. On August 8, 2023, the commissioners approved 205 CMR 257, Sports Wagering Data Privacy, which requires all licensed sports betting operators in the Bay State to limit use and retention of customer data and personal information of their patrons and specifies requirements for keeping that information secure.  

Under the approved regulation, sports wagering operators are prohibited from using or sharing patrons’ personally identifiable information or confidential information to promote or encourage specific wagers or promotional offers based on a number of factors, including income and occupation. Additionally, sports wagering operators must only retain patrons’ confidential information and personally identifiable information as necessary to operate a sports wagering area, sports wagering facility or sports wagering platform, or to comply with Massachusetts law. Operators are also prohibited from using any computerized algorithm, automated decision-making, artificial intelligence, machine learning or similar system that is known or reasonably expected to make the gaming platform more addictive under the rule. 

Sports wagering operators must also “collect and aggregate patrons’ personal information and confidential information to analyze patron behavior for the purposes of identifying and developing programs and interventions to promote responsible gaming and support problem gamblers.” Operators are also required to provide the Gaming Commission a report at least every six months on their compliance with the requirement.  

The regulation also requires sports wagering operators “to develop, implement and maintain comprehensive administrative, technical and physical data privacy and security policies appropriate to the size and scope of business.” Specific requirements include, among others: secure storage, access and transportation of personal information, including the use of encryption and multi-factor authentication; secure and timely disposal of personal information, including data retention policies; employee training on privacy and cybersecurity; reasonable monitoring of systems for unauthorized use of or access to personal information; reasonably up-to-date versions of system security agent software that must include malware protection and up-to-date patches and virus definitions; cybersecurity insurance; data breach investigation and incident response procedures; quarterly information system audits; and a process for reviewing and updating data privacy policies at least annually.  

The regulations will become effective on September 1, 2023.  

Massachusetts is new to the sports betting scene—land-based and mobile sports betting was legalized on August 1, 2022, and land-based sports betting was launched in January 2023 with online betting launching in March 2023. Nevertheless, the Massachusetts Gaming Commission has established itself as one of the more proactive regulators in the sports betting space over the past year. For example, the Gaming Commission made headlines in June 2023 when it opened an investigation into Barstool Sportsbook’s “Can’t Lose Parlay,” promoted by Barstool personality Dan Katz, also known as Big Cat. The Bay State regulator is also in the process of promulgating regulations that address advertising standards for sports betting operators.  

We expect additional regulatory actions in Massachusetts going forward.  

Authors

More from this series

Notice

Unless you are an existing client, before communicating with WilmerHale by e-mail (or otherwise), please read the Disclaimer referenced by this link.(The Disclaimer is also accessible from the opening of this website). As noted therein, until you have received from us a written statement that we represent you in a particular manner (an "engagement letter") you should not send to us any confidential information about any such matter. After we have undertaken representation of you concerning a matter, you will be our client, and we may thereafter exchange confidential information freely.

Thank you for your interest in WilmerHale.