Following the March 2023 rollout of mobile sports wagering in Massachusetts, the Massachusetts Gaming Commission has been hard at work promulgating the various regulations needed to oversee Massachusetts’ burgeoning sports wagering industry, which includes both brick-and-mortar locations and mobile apps. Because of the quick pace of regulatory implementation following the sports wagering statute’s passage last August, the Commission now wants to promulgate some more complex regulations, having had time to consider them further. Among these are the currently proposed regulations (page 14) on data privacy, which will complement the Commission’s existing regulations on sports wagering account management that likewise include some privacy provisions.
The regulations are interesting from a sports wagering perspective due to the significant scope of restrictions they propose, as discussed further below. But they are also interesting from a more general privacy perspective because they impose on the sports wagering industry many of the types of restrictions that other states, particularly those following California’s lead, impose through more generally applicable privacy laws.
At a high level, the regulations contain five basic provisions:
- Where sports wagering firms share customer info with service providers, they would be required to conclude “a written agreement” with the service provider that binds the provider to protecting that information, including through comprehensive written policies.
- Customers would have substantial data rights with respect to sports wagering firms, including the right to request information on what confidential or personal information has been shared and the right to request restrictions on the use of confidential or personal information.
- Sports wagering firms will need to develop, implement, and maintain comprehensive administrative, technical, and physical data privacy and security safeguards. Although MA regulations already require firms holding certain personal info on MA residents to have written information security policies, the Commission’s regulations are considerably more stringent and require actions more akin to the administrative, technical, and physical safeguards required of healthcare providers and their business associates under Federal law.
- Sports wagering firms will need to report data breaches to the Commission. This obligation will be in addition to existing MA law on data breach reporting.
The Commission discussed and approved the regulations at its June 1, 2023 open meeting, and authorized its staff to begin the formal promulgation process. Although the regulations are not yet listed on the proposed rulemaking section of the Commission’s website, it is likely that the Commission will continue to accept feedback on the regulations in the normal course of regulatory promulgation.