Staying Ahead of the Game: Massachusetts Implements Data Privacy and Security Standards for Gambling Industry
31 January 2023
The Massachusetts Gaming Commission (“MGC”) has recently established new rules and standards for the gambling industry in the field of data privacy and data security (205 CMR 138.00 and 205 CMR 248.00; the “Regulations”). The Regulations, which resemble some of the key provisions of the European General Data Protection Regulation (GDPR), will significantly affect gambling and sports wagering operators licensed to operate in the state of Massachusetts. The Regulations were published as emergency regulations with effective dates in December 2022 and, in parallel, are now open for final public comments.
The Regulations impose the following key requirements:
- Comprehensive privacy policy: Operators must provide their players with a comprehensive and easily accessible privacy policy, which includes, inter alia –
  - Information about the collection, use and storage of personal data, both before and after players’ registration;
  - A clear purpose and legal basis for the collection and processing of players’ personal data;
  - The specific storage period, or the criteria used to determine that period;
  - The precise conditions under which personal data may be disclosed;
  - Affirmation that security measures are in place to protect players’ personal data;
  - A detailed description of the identity and contact details of the operator and of the third parties who may have access to players’ personal data.
- Players’ data rights: Gambling operators must ensure that players’ rights are respected, including –
  - Informing players of their rights, such as the right to (i) access, export or transfer; (ii) rectify, erase, or restrict access; (iii) object to the processing; (iv) withdraw consent, where the processing is based on consent; (v) data portability; and (vi) lodge a complaint with the MGC or the applicable public authority. For sports wagering operators, the MGC requires these rights to be detailed in the privacy policy;
  - Providing players with methods to (i) confirm, (ii) access, (iii) update, and (iv) erase personal data when it is no longer required for the processing activities;
  - Implementing procedures for recording and processing players’ requests to exercise their rights.
- Automated decision-making: Gambling operators are prohibited from using solely automated decision-making, that is, a decision-making process that is fully automated (with no human influence on the outcome) and that has a legal or similarly significant effect on players. For sports wagering operators, the logic, the consequences and the safeguards (such as the ability to request direct human intervention or review, or to appeal the automated decision) must be described in the privacy policy.
- Data security: Gambling operators must implement physical, technical and organizational security measures to safeguard players’ data, including –
  - Adopting a written information security policy covering the implementation of common physical, technical and organizational security practices (such as access control, physical security, data classification and storage, data breach management and response, data breach notification, encryption methods and employee training) and following the security standards relevant to the type of personal data processed;
  - Appointing relevant and qualified personnel to be responsible for the design, implementation and review of security procedures and practices. Generally, this function is performed by the Chief Information Security Officer (CISO) or appropriate IT personnel;
  - For sports wagering operators, offering players the option of a multi-factor authentication process when accessing their account or when authentication information is lost, and automatically encrypting certain data (such as social security numbers, credentials and passwords).
This regulatory development comes against the backdrop of substantial state privacy legislation across the US (notably in California, Virginia, Colorado, Connecticut and Utah), and further reflects the increased regulatory scrutiny in the US regarding privacy and data protection.
Gambling companies operating in Massachusetts or processing personal data of Massachusetts residents should ensure that their data and security practices are aligned with the Regulations, and within this scope should consider:
- Updating privacy policies;
- Reviewing and amending agreements with business partners, vendors, and other third parties to ensure they address the applicable data privacy, security, and automated decision-making requirements;
- Putting in place procedures and processes for responding to data subject requests;
- Reviewing security practices, including the availability of multi-factor authentication and the encryption of sensitive data fields;
- Identifying processes involving automated decision-making, including profiling, and addressing the respective compliance requirements.
As always, we encourage you to contact us if you have any questions regarding the Regulations and their potential effect on your operations.