Massachusetts Signs Off On Sports-Betting Data Privacy Regulations

April 15, 2024

The Massachusetts Gaming Commission (MGC) has signed off on the final clarifications to its data privacy rules after sports-betting operators were granted waivers until June to give them more time to comply with the regulations.

“This is coming for further discussion based on the work done between November and February as we were digesting the information from the roundtable (with licensees),” said Mina Makarious, a partner with Anderson & Kreiger and outside counsel to the commission.

The strict data privacy rules, which were adopted in August 2023, are contained in 205-CMR-207. The regulations became effective on September 1, 2023.

“At the time the waivers were granted there was a thought, if there was confusion on any remaining issues, it might make sense to at least propose clarifications to the regulations and then determine if they are necessary,” Makarious told the commission.

In August, the MGC granted its licensed sports-betting operators a temporary 60-day waiver through November, but eventually extended those waivers until June. The version of the regulations approved unanimously on Thursday (April 11) was largely unchanged from what the commission approved in February.

Carrie Torrisi, MGC’s deputy general counsel, noted that commissioners asked staff in February to share a draft of the changes with the state attorney general’s office to make sure there were no concerns with the revisions. The attorney general’s office signed off on the changes to the regulations.

Makarious explained there were no changes to the definitions of personally identifiable information and confidential information, but there were a couple of changes in the first set of standards for data use and retention.

The amendment reads: “In addition, use and retention of a patron’s confidential information or personally identifiable information may be permissible where necessary to conduct commercially reasonable review of a sports wagering operator’s assets in the context of the sale of all or a portion of the sports wagering operator’s business.”

“The changes that are proposed are intended to clarify some unique aspects of business transactions that might require the use of the data,” Makarious said. “One is for potential mergers, acquisitions … between companies.”

“We would have viewed this within the scope of legitimate business purposes but there was some concern from operators that they did not want to be worrying about that in the middle of due diligence for a transaction and having someone question [whether] they could share that data or not if they needed.”

Makarious said the idea was not to penalize operators for using data in the course of business.

He said there was another section of the regulations that establishes prohibitions on using a patron’s personally identifiable information or confidential information.

Other changes include clarifying language that restricts the use of algorithms or artificial intelligence to make a platform more addictive.

The commission agreed to add the wording “by the sports wagering operator or a vendor to the sports wagering operator”, as well as keeping the words “reasonably expected” in the applicable section of the regulation.

The amended paragraph now prohibits operators from using a player's personally identifiable information or confidential information to promote particular types of bets if based on, among other things, “any computerized algorithm, automated decision-making, machine learning, artificial intelligence, or similar system that is known or reasonably expected by the sports wagering operator or a vendor to the sports wagering operator to make the gaming platform more addictive.”

“We did not think it was fair to be held responsible for something that might be an unknown from the use of a particular computerized system or algorithm that makes something more addictive,” Makarious said.

“However, we did keep reasonably expected because I think it was pretty clear from the commission that you want them thinking of those issues and not burying their heads in the sand,” he added.

Other amendments include a request by the MGC’s Responsible Gaming division to make clear that the commission could request and use individualized data to address responsible gaming issues. A provision was also added to avoid the inadvertent disclosure of confidential information or personally identifiable information.

In addition, an operator’s data privacy policy should not include information that may make the operator’s data privacy program vulnerable to attack.

Makarious said that regulators see the amendments as clarifications and not changes to what is required under the regulations. The four-member commission did not discuss any of the amendments before approving them.

“I know this is a deep slog getting into the details of it, but it is a regulation we all care a lot about,” said commissioner Eileen O’Brien. “It is important to get clarification out there so we can move forward with compliance.”
