The Massachusetts Gaming Commission recently approved regulations to ensure data privacy and security for sports bettors in the Commonwealth. On August 8, 2023, the commissioners approved 205 CMR 257, Sports Wagering Data Privacy, which requires all licensed sports betting operators in the Bay State to limit the use and retention of their patrons’ customer data and personal information and specifies requirements for keeping that information secure.
Under the approved regulation, sports wagering operators are prohibited from using or sharing patrons’ personally identifiable information or confidential information to promote or encourage specific wagers or promotional offers based on a number of factors, including income and occupation. Additionally, sports wagering operators must only retain patrons’ confidential information and personally identifiable information as necessary to operate a sports wagering area, sports wagering facility or sports wagering platform, or to comply with Massachusetts law. Under the rule, operators are also prohibited from using any computerized algorithm, automated decision-making, artificial intelligence, machine learning or similar system that is known or reasonably expected to make the gaming platform more addictive.
Sports wagering operators must also “collect and aggregate patrons’ personal information and confidential information to analyze patron behavior for the purposes of identifying and developing programs and interventions to promote responsible gaming and support problem gamblers.” Operators are also required to provide the Gaming Commission a report at least every six months on their compliance with the requirement.
The regulation also requires sports wagering operators “to develop, implement and maintain comprehensive administrative, technical and physical data privacy and security policies appropriate to the size and scope of business.” Specific requirements include, among others: secure storage, access and transportation of personal information, including the use of encryption and multi-factor authentication; secure and timely disposal of personal information, including data retention policies; employee training on privacy and cybersecurity; reasonable monitoring of systems for unauthorized use of or access to personal information; reasonably up-to-date versions of system security agent software that must include malware protection and up-to-date patches and virus definitions; cybersecurity insurance; data breach investigation and incident response procedures; quarterly information system audits; and a process for reviewing and updating data privacy policies at least annually.
The regulations will become effective on September 1, 2023.
Massachusetts is new to the sports betting scene—land-based and mobile sports betting was legalized on August 1, 2022, and land-based sports betting was launched in January 2023 with online betting launching in March 2023. Nevertheless, the Massachusetts Gaming Commission has established itself as one of the more proactive regulators in the sports betting space over the past year. For example, the Gaming Commission made headlines in June 2023 when it opened an investigation into Barstool Sportsbook’s “Can’t Lose Parlay,” promoted by Barstool personality Dan Katz, also known as Big Cat. The Bay State regulator is also in the process of promulgating regulations that address advertising standards for sports betting operators.
We expect additional regulatory actions in Massachusetts going forward.