At a roundtable discussion this week with the Massachusetts Gaming Commission, sportsbook operators and other key stakeholders expressed concerns about the group’s data privacy policy.
Inspired in part by the European Union’s General Data Protection Regulation (GDPR), the policy is the most far-reaching set of regulations placed on sportsbook operators by a state regulator. The extensive rules include mechanisms like requiring customers to opt in to sharing personal data unless that data is integral to operating a sports betting business.
What is necessary to operate a sportsbook business?
The vague nature of “necessary to operate business” was the subject of many of the concerns operators voiced. When pressed for examples of situations that might cause concern, they used the example of direct mail about their product. In order to issue that mail, they provide customer addresses to a third-party printer. If they cannot pass those addresses along to the printer, they would need their own in-house print shop, an investment that would be unrealistic for a single state.
The commission and its legal counsel gave assurances that this would fall under the scope of operating the business, but there were nonetheless discussions about clarifying the language in future drafts.
Per a slide presented by the operators, these are the primary concerns with the policy as they see it:
- Flips consent on its head
- Imposes blanket prohibitions on using certain personal information for promotional and analytical purposes
- Does not allow critical data sharing with third-party vendors even when consent is obtained
- Requires consumers to opt into individual uses of data one by one
- Requires all personal information to be encrypted or protected by multi-factor authentication
- Applies an extremely expansive definition of PII to each of these obligations
- Applies only to a single industry, requiring that industry to go it alone
- No clear timeline for compliance
Regulators and operators clash over feasibility of data implementation
DraftKings Director of Legal and Government Affairs David Prestwood led most of the discussion from a cohort of the operators and expressed some frustration with the process, saying that MGC’s outside counsel working on the policy was overly dismissive of operator concerns.
Jared Rinehimer, Division Chief of Data and Security for the Massachusetts Attorney General’s office, expressed some surprise that operators weren’t more prepared for these implementations given how many have parent companies in Europe and have already adapted to GDPR.
Betr’s Head of Product Alex Ursa, who previously worked with European operator Betfair, pointed out that GDPR took several years to take effect, while these regulations were being rolled out in only five months.
Given that the regulations aim to let users create a highly customized privacy profile, becoming compliant in such a short amount of time is just not feasible.
“Honestly, from my vantage point, the notion of each user being able to design their own individualized privacy regime for themselves–I don’t know if that is at all possible. I think the only way we would be able to comply would be to implement a much broader opt-out than the player was asking for,” explained FanDuel Vice President of Product and New Market Compliance Cory Fox.
Representatives from the independent testing lab GLI concurred that reorganizing how data is stored would be a massive undertaking, one made more complicated by the fact that this data will continue to be collected differently in other states where these sportsbooks operate.
The industry experts on the panel projected it would take one to two years to develop the infrastructure necessary to be fully compliant with the regulations as they stand today. There is a deadline in November for operators, but given the conversation, it is clear that nobody will be fully compliant by then, though operators could have certain parts of their product compliant by that date.