When the Massachusetts Gaming Commission gathered operators for a roundtable discussion Tuesday on modifying current data privacy regulations in sports betting, it received rarely heard in an industry that has moved at breakneck speed since states began legalizing five years ago: “Slow down,” operators said.
While operators clearly favor massaging the state’s data privacy standards that apply to customers’ information, they take issue with the commission’s desire to move fast. The concept of data privacy and the reality of it — developing the technology to meet Massachusetts’ unique regulations — are two different things.
One industry representative told Sports Handle that while “every operator wants to protect customer privacy and ensure trust in the operator,” the latest Massachusetts offering has been “cooked up in a short amount of time.”
Data privacy rules were approved in June with a Nov. 17 deadline to comply. But after Tuesday’s meeting, it’s clear that the MGC now understands that a five-month runway to comply may not be realistic, and it appears open to working with operators to extend the deadline.
“We put a lot of thought into this when we first voted on it,” Commissioner Eileen O’Brien said. “It may be that this regulation comes back in front of us multiple times” for tweaks.
Operators are to provide updated information to the commission as the next step.
High interest in modifying rules
The nearly three-hour roundtable came at the request of operators and included representatives from FanDuel, MGM Springfield, PENN Entertainment, and WynnBET, all of which have live retail or digital platforms in Massachusetts. They were joined by Jared Rinehimer of the Massachusetts Attorney General’s Office, Joe Bunevith and Mark Robertson of Gaming Laboratories Inc., and Michael Wohl, a professor of psychology at Canada’s Carleton University who focuses on responsible gambling.
When the MGC approved its data privacy rules earlier this year, it opened the proposed regulations to comment, but it was clear Tuesday that operators felt the commission didn’t seriously consider much of what operators had to say. DraftKings’ David Prestwood, on behalf of BetMGM and FanDuel as well, made a presentation describing “our compliance processes and what some of the timelines and the limitation challenges here would be.”
Prestwood pointed to the California Consumer Protection Act (CCPA) as the gold standard for data privacy. He referred to what the MGC has put in place as unique, creating a situation in which operators would have to craft technology specific to Massachusetts to comply.
Separate from specific issues, Prestwood said that the current data privacy regulations don’t include a clear enough compliance timeline and that the process will be “daunting.” While operators spent considerable time last summer reviewing the proposed rules, Prestwood said they believe that their “written comments were not deeply evaluated” by the MGC and that some “comments were disregarded completely and not mentioned at all” during the regulation adoption process.
According to multiple speakers at the meeting, the CCPA and other stringent data privacy rules in other states or countries took years to develop and implement. The MGC approved its data privacy regulations over the summer with the expectation that operators can and will comply within months.
“There is not enough time to comply,” said Betr’s Alex Ursa, who told the commission that in Europe it took two years. “In other jurisdictions, it is years — this is weeks or months.”
A look at how operators would comply
BetMGM’s Alexis Coco followed up Prestwood’s slide with a look at how operators are already trying to comply with the regulations, including reworking existing consent platforms, “renegotiating contracts,” working with outside software developers or other technology companies to find solutions, and considering “redesigning” everything from encryption to cybersecurity.
The simplified 14-point list included many highly technical and time-consuming elements, and FanDuel’s Cory Fox offered that it may not be possible for his company to conform to the opt-in regulations, if it properly interpreted the rule. Caesars’ Chris Willard agreed that the technical challenges would be monumental while GLI’s Bunevith confirmed that operators would need time, more than anything, in order to meet the “massive demand technically.”
As a group, operators sounded open to continued discussion and finding ways to implement the regulations.
“I think a lot of these things could be managed if the commission is open to revisiting some of these,” Prestwood said. “The operators are broadly in agreement that the process to date has not represented the seriousness of some of these concerns and how challenging it would be to implement them.”
Beyond the key issues, Prestwood said the rules would apply to the gaming industry only, leaving it on an island to solve complex problems. Below is a look at the issues.
Opt in vs. opt out
On the issue of customer “opt in” vs. “opt out” for certain information, Prestwood pointed out that “every other” jurisdiction allows consumers to opt out of protecting certain information while the MGC rules require an “opt in.” That distinction requires every customer to opt in to individual pieces of data one by one, which Prestwood said “no other privacy law does.” Each customer could then have his or her own “menu” of options, meaning an operator would have thousands, or in some cases millions, of individual choices to manage.
One operator pointed out that not only would new technology be needed to address this issue, but also that it would create a conundrum as to how to handle existing customers who have already been through the know-your-customer process.
Information sharing
The current rules include a section that would not allow operators to share information with any other business, including vendors and suppliers. This restriction, operators said, would be all but unmanageable, as sportsbooks often use third parties for marketing.
“It’s alarming,” FanDuel’s Fox said, “because some of our mailers go out through third-party vendors, so we do share information with them.”
According to Prestwood’s presentation, under the Massachusetts regulation, operators wouldn’t even be able to share data with a customer’s consent. In response, MGC staff and commissioners said the intention of the regulation wasn’t to keep operators from doing their job, but to protect consumers.
“I thought that the company that mails the mailers should be able to do their job,” Commissioner Jordan Maynard said, “but if Lexus wanted to get a hold of this information, that the consumer should know.”
Coco, of BetMGM, said that gambling operators are not “data brokers” who are trying to sell data, and that she believes a compromise could be rewording the regulation to allow “reasonably anticipated” or “necessary” uses of data.
PII
Prestwood maintained that Massachusetts’ requirements for Personally Identifiable Information (PII) are above and beyond what is required in other jurisdictions. The Massachusetts regulations require, for example, that all PII be protected, but Prestwood said that certain PII, like an IP address, is not actionable or usable. In “other privacy regimes,” he said, there are “exceptions” for publicly available information and regulations often include the phrase “sensitive PII,” and that is the information that must be protected.
“Sensitive information” would be defined as a name, date of birth, or Social Security number.
Targeted marketing
The current regulations prevent operators from marketing to some of their own customers. While one operator told Sports Handle that it would never target a player who is coming off of a self-exclusion list, it would market to a player whose account has been dormant for a certain period of time. Such accounts may be held by players who have chosen to bet elsewhere or whose preferred wagering sport is out of season.
The MGC rules appear to ban sportsbook operators from marketing to customers with dormant accounts on their platforms, which is a departure from regulations in other industries. As an example, it is not out of bounds in Massachusetts (or any other state) to get a “Hi, we’ve missed you” offer from an online store, coffeehouse, hotel, or airline that a customer may have not patronized for many weeks or months.