Gaming & Hospitality Legal News: Volume 11, Number 4

by Dickinson Wright

Dickinson Wright

Virtually every significant gaming operator in the United States has some form of “free to play” online casino offering. Because no purchase is necessary to play (no consideration) and no valuable prizes are offered (i.e., you cannot trade your free play credits for a comped hotel stay), these offerings have generally met with green lights from state gaming regulators.

Enter the Big Fish Casino decision: On March 28, 2018, the 9th Circuit Court of Appeals released an opinion that found the Big Fish site to be an illegal gambling game under Washington law.

If the Big Fish casino offers free play, how did this happen?

The Big Fish Opinion

Similar to most online “free-play” casinos, the Big Fish site uses virtual coins as the basis for game play. The virtual coins, which are issued for free at signup and replenished for free at periodic intervals, cannot be converted to money or valuable prizes through the Big Fish site. If a player runs out of virtual coins, the player cannot play games on the Big Fish site until the virtual coins are again replenished. As mentioned, replenishment occurs at various times for players with a zero balance, but players may also purchase virtual coins as a convenience rather than waiting.

The state of Washington, however, has a very liberal definition of “thing of value” for the purposes of consideration in gaming. Its state law defines a “thing of value” as:

[A]ny money or property, any token, object or article exchangeable for money or property, or any form of credit or promise, directly or indirectly, contemplating transfer of money or property or of any interest therein, or involving extension of a service, entertainment or a privilege of playing at a game or scheme without charge.

Therefore, the Court held that the virtual coins were a form of credit involving the extension of a service, entertainment, or a privilege of playing at a game or scheme. The Court supported its opinion by stating that when a player ran out of virtual coins the privilege of playing was withheld; thus, the virtual coins had “value” because they allowed continued play and games could not be played when a player ran out of virtual coins.

Additionally, the Big Fish site allows transfers of virtual coins between players, with a transfer fee being collected by the site operator. This creates a risk of third-party markets where virtual coins can be sold for money. Such a third-party market was an indicator that the virtual coins had value, and the transfer fee collected by Big Fish supported such an argument.

Big Fish Aftermath

Following the Big Fish decision, many online free-play casino operators have blocked Washington State residents from their sites or changed the way their free-to-play sites operate. But with more Big Fish-style lawsuits pending – two more Washington State residents have filed lawsuits against free-play casino sites, including Double Down Interactive, Playtika, High 5 Games, and Huuuge Games – is that enough?

The Big Fish decision is not the first time that the legality of the free-play casino offerings has been tested. Over the years, there have been a number of regulatory and court opinions on the topic, with most courts and regulators finding that the games lack the elements of either consideration and/or prize.

As many gaming law scholars may know, there were opinions from the early days of coin-operated video games that held games like Pong, Asteroids, and Space Invaders to be gambling machines, because players paid to play and could win extra lives. Ultimately, courts moved away from viewing free lives or extended play as a valuable prize; however, such older court opinions remained apparently good law. Big Fish, however, is the first case in recent history where a court has found this to apply to an online free-play site.

Because gaming is largely governed by state laws, the Big Fish decision is, on its face, limited to the state of Washington. This means that blocking play by Washington residents is a good first step. Any companies that participate in the free-play casino space should also update their state-by-state legal research to reevaluate where the risks are highest (for example, which states have similar definitions of “thing of value” to Washington and/or case law where their courts have found free play to be a “thing of value”) and review their online game rules of play to help determine the best strategy to minimize risk.

by Sara H. Jodka

The European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect on May 25, and so do the significant fines against businesses that are not in compliance. Failure to comply carries penalties of up to 4 percent of global annual revenue per violation or $20 million Euros – whichever is higher.

This regulatory rollout is notable for U.S.-based hospitality businesses because the GDPR is not just limited to the EU. Rather, the GDPR applies to any organization, no matter where it has operations, if it offers goods or services to, or monitors the behavior of, EU individuals. It also applies to organizations that process or hold the personal data of EU individuals regardless of the company’s location. In other words, if a hotel markets its goods or services to EU individuals, beyond merely having a website, the GDPR applies.

The personal data at issue includes an individual’s name, address, date of birth, identification number, billing information, and any information that can be used alone or with other data to identify a person.

The risks are particularly high for the U.S. hospitality industry, including casino-resorts, because their businesses trigger GDPR-compliance obligations on numerous fronts. Hotels collect personal data from their guests to reserve rooms, coordinate event tickets, and offer loyalty/reward programs and other targeted incentives. Hotels with onsite casinos also collect and use financial information to set up gaming accounts, to track player win/loss activity, and to comply with federal anti-money laundering “know your customer” regulations.

Privacy Law Lags in the U.S.

Before getting into the details of GDPR, it is important to understand that the concept of privacy in the United States is vastly differently from the concept of privacy in the rest of the world. For example, while the United States does not even have a federal law standardizing data breach notification across the country, the EU has had a significant privacy directive, the Data Protection Directive, since 1995. The GDPR is replacing the Directive in an attempt to standardize and improve data protection across the EU member states.

Where’s the Data?

Probably the most difficult part of the GDPR is understanding what data a company has, where it got it, how it is getting it, where it is stored, and with whom it is sharing that data. Depending on the size and geographical sprawl of the company, the data identification and audit process can be quite mind-boggling.

A proper data mapping process will take a micro-approach in determining what information the company has, where the information is located, who has access to the information, how the information is used, and how the information is transferred to any third parties. Once a company fully understands what information it has, why it has it, and what it is doing with it, it can start preparing for the GDPR.

What Does the Compliance Requirement Look Like in Application?

One of the key issues for GDPR-compliance is data subject consent. The concept is easy enough to understand: if a company takes a person’s personal information, it has to fully inform the individual why it is taking the information; what it may do with that information; and, unless a legitimate basis exists, obtain express consent from the individual to collect and use the information.

In terms of what a company has to do to get express consent under the GDPR, it means that a company will have to review and revise (and possibly implement) its internal policies, privacy notices, and vendor contracts to do the following:

  • Inform individuals what data you are collecting and why;
  • Inform individuals how you may use their data;
  • Inform individuals how you may share their data and, in turn, what the entities you shared the data with may do with it; and
  • Provide the individual a clear and concise mechanism to provide express consent for allowing the collection, each use, and transfer of information.

    At a functional level, this process entails modifying some internal processes regarding data collection that will allow for express consent. In other words, rather than language such as, “by continuing to stay at this hotel, you consent to the terms of our Privacy Policy,” or “by continuing to use this website, you consent to the terms of our Privacy Policy,” individuals must be given an opportunity not to consent to the collection of their information, e.g., a click-box consent versus an automatically checked box.

    The more difficult part regarding consent is that there is no grandfather clause for personal information collected pre-GDPR. This means that companies with personal data subject to the GDPR will no longer be allowed to have or use that information unless the personal information was obtained in line with the consent requirements of the GDPR or the company obtains proper consent for use of the data prior to the GDPR’s effective date of May 25, 2018.

What Are the Other “Lawful Basis” to Collect Data Other Than Consent?

Although consent will provide hotels the largest green light to collect, process, and use personal data, there are other lawful basis that may exist that will allow a hotel the right to collect data. This may include when it is necessary to perform a contract, to comply with legal obligations (such as AML compliance), or when necessary to serve the hotel’s legitimate interests without overriding the interests of the individual. This means that during the internal audit process of a hotel’s personal information collection methods (e.g., online forms, guest check-in forms, loyalty/rewards programs registration form, etc.), each guest question asked should be reviewed to ensure the information requested is either not personal information or that there is a lawful reason for asking for the information. For example, a guest’s arrival and departure date is relevant data for purposes of scheduling; however, a guest’s birthday, other than ensuring the person is of the legal age to consent, is more difficult to justify.

What Other Data Subject Rights Must Be Communicated?

Another significant requirement is the GDPR’s requirement that guests be informed of various other rights they have and how they can exercise them including:

  • The right of access to their personal information;
  • The right to rectify their personal information;
  • The right to erase their personal information (the right to be forgotten);
  • The right to restrict processing of their personal information;
  • The right to object;
  • The right of portability, i.e., to have their data transferred to another entity; and
  • The right not to be included in automated marketing initiatives or profiling.

Not only should these data subject rights be spelled out clearly in all guest-facing privacy notices and consent forms, but those notices/forms should include instructions and contact information informing the individuals how to exercise their rights.

What Is Required with Vendor Contracts?

Third parties are given access to certain data for various reasons, including to process credit card payments, implement loyalty/rewards programs, etc. For a hotel to allow a third party to access personal data, it must enter into a GDPR-compliance Data Processing Agreement (DPA) or revise an existing one so that it is GDPR compliant. This is because downstream processors of information protected by the GDPR must also comply with the GDPR. These processor requirements combined with the controller requirements, i.e., those of the hotel that control the data, require that a controller and processor entered into a written agreement that expressly provides:

  • The subject matter and duration of processing;
  • The nature and purpose of the processing;
  • The type of personal data and categories of data subject;
  • The obligations and rights of the controller;
  • The processor will only act on the written instructions of the controller;
  • The processor will ensure that people processing the data are subject to duty of confidence;
  • That the processor will take appropriate measures to ensure the security of processing;
  • The processor will only engage sub-processors with the prior consent of the controller under a written contract;
  • The processor will assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
  • The processor will assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches, and data protection impact assessments;
  • The processor will delete or return all personal data to the controller as required at the end of the contract; and that
  • The processor will submit to audits and inspections to provide the controller with whatever information it needs to ensure that they are both meeting the Article 28 obligations and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

Other GDPR Concerns and Key Features

Consent and data portability are not the only thing that hotels and gambling companies need to think about once GDPR becomes a reality. They also need to think about the following issues: 

  • Demonstrating compliance. All companies will need to be able to prove they are complying with the GDPR. This means keeping records of issues such as consent. 
  • Data protection officer. Most companies that deal with large-scale data processing will need to appoint a data protection officer.
  • Breach reporting. Breaches of data must be reported to authorities within 72 hours and to affected individuals “without undue delay. ”This means that hotels will need to have policies in procedures in place to comply with this requirement and, where applicable, ensure that any processors are contractually required to cooperate with the breach-notification process.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dickinson Wright | Attorney Advertising

Written by:

Dickinson Wright

Dickinson Wright on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.