Through the new rules, Massachusetts is carving out a leading role in setting the privacy and cyber expectations for the national gaming industry. Both the Sports Wagering Operator Regulations and the Gaming Licensee Regulations introduce new transparency requirements, grant patrons GDPR-styled rights, regulate automated decision-making, and impose both general and specific cybersecurity obligations on regulated entities.

Sports Wagering Operator Regulations

The Sports Wagering Operator Regulations impose the following obligations on sports wagering operators (operators), which are entities permitted or licensed to offer sports wagering in Massachusetts:

• Privacy Policy Requirements: Privacy policies need to be updated to include specific disclosures. At minimum, policies must address the following: the personal data collected, the purposes and legal basis of processing, the retention period or criteria for determining that period, conditions under which personal data may be disclosed, an affirmation that measures are in place to prevent unnecessary or unauthorized disclosure of personal data, and the identity and contact details of the operator and any sports wagering vendors that may access the personal data. The regulations state that the privacy policy should be readily accessible to patrons both before and after registration, and operators should inform them of any material changes to the policy.

• Patron Data Rights: The regulations require operators to provide patrons with specific rights with respect to their personal data, including the rights to (i) access, export, or transfer; (ii) rectify, erase, or restrict access; (iii) object to processing; and (iv) withdraw consent. These rights need to be described in applicable privacy notices.

• Automated Decision-Making Transparency: Operators that use automated decision-making, including profiling, must also include in their privacy policies information about the logic of the automated decision-making tool, the significance and consequences of automated processing on the patron, and the safeguards in place for the use of solely automated-decision making, including how patrons can contest decisions and require direct human review or intervention.

• Data Security Obligations: Operators are expected to encrypt certain types of patron data including government identifiers, passwords, PINs, authentication credentials, and payment card and financial information. Operators must also give patrons the option to use multi-factor authentication when accessing accounts.

Comments on the Sports Wagering Operator Regulations are due by 5:00PM on February 15, 2023.

Gaming Licensee Regulations

In addition to those obligations on operators, entities licensed to operate a gaming establishment in Massachusetts (gaming licensees), also have additional obligations. Newly added sections to the Gaming Licensee Regulations impose several new requirements:

• Patron Data Rights: Patrons must be provided with methods to confirm, access, delete, and update their personal data. Gaming licensees are also required to have procedures for recording, processing, and complying with these requests, and patrons must be given explanations when requests are denied. Patrons may also have the right to data portability by requesting that the gaming licensee forward the personal data to another entity in a commonly used and machine readable format. Patrons can also object to processing based on legitimate interests, profiling measures, or for certain research purposes.

• Automated Decision-Making: The regulations prohibit gaming licensees from relying solely on automated decision-making technology that produces specific types of legal effects on patrons, such as those that subject them to surveillance by authorities, or technologies that have the potential to influence the circumstances, behavior, or choices of the patron.

• Data Security Obligations: Specific security measures are now required. One or more employees should have primary responsibility for the design, implementation, and evaluation of security measures and practices. There must be procedures in place to determine the nature and scope of collected information, the locations where information is stored, and the storage devices where information may be recorded for storage or transfer purposes. Gaming licensees must also have (i) measures to protect information from unauthorized access and (ii) security procedures in the event of a breach.

The deadline for comments on the Gaming Licensee Regulations has yet to be determined.

Next steps

Operators and gaming licensees may wish to consider commenting on the Commission’s ongoing rulemaking proceedings. In the meantime, operators and gaming licensees must start taking steps toward complying with these novel privacy, security, and automated decision-making regulations. These steps can include:

• Updating as necessary published privacy policies

• Revising contracts with business partners, vendors, and third parties to address privacy, security, and automated decision-making requirements

• Establishing processes to respond to patrons data requests

• Reviewing security practices for alignment with the regulations

• Identifying instances of automated-decision making, including profiling, and considering compliance

Organizations who partner with operators and gaming licensees may wish to work with their partners to confirm compliance with relevant regulations. Organizations may also wish to consider whether updates to relevant contracts are warranted.

[View source.]