Code of Massachusetts Regulations
205 CMR - MASSACHUSETTS GAMING COMMISSION
Title 205 CMR 257.00 - Sports Wagering Data Privacy
Section 257.04 - Patron Access

Universal Citation: 205 MA Code of Regs 205.257

Current through Register 1518, March 29, 2024

(1) Patrons shall be provided with a method to make the requests in 205 CMR 257.04(1)(a) through (e). The request must be clearly and conspicuously available to the patron online through the Sports Wagering Operator's Sports Wagering Platform. A patron shall not be required to confirm their request more than once, and no intervening pages (other than those needed to confirm withdrawal of consent) or offers will be presented to the patron before such confirmation is presented to the patron.

(a) A description as to how their Confidential Information or Personally Identifiable Information is being used, including confirmation that such Confidential Information or Personally Identifiable Information is being used in accordance with 205 CMR 257.00;

(b) Access to a copy of their Confidential Information or Personally Identifiable Information maintained by the Operator or a Vendor, Subcontractor, or Registrant of the Operator;

(c) Updates to their Confidential Information or Personally Identifiable Information;

(d) The imposition of additional restriction on the use of their Confidential Information or Personally Identifiable Information for particular uses; and

(e) That their Confidential Information or Personally Identifiable Information be erased when it is no longer required to be retained by applicable law or Court order.

(2) A Sports Wagering Operator shall provide a written response to a request submitted pursuant to 205 CMR 257.04(1) that either grants or denies the request.

(a) If the Sports Wagering Operator grants the patron's request to access a copy of their Personally Identifiable Information, the Sports Wagering Operator shall provide the patron their Confidential Information or Personally Identifiable Information in a structured, commonly used and machine readable format.

(b) If the Sports Wagering Operator denies the request, the Sports Wagering Operator shall provide in its written response specific reason(s) supporting the denial and directions on how the patron may file a complaint regarding the denial with the Commission.

(3) A Sports Wagering Operator shall grant the patron's request to impose a restriction or erase their Confidential Information or Personally Identifiable Information if it is no longer necessary to retain the patron's Confidential Information or Personally Identifiable Information (or to retain the patron's Confidential Information or Personally Identifiable Information without the requested restriction) to operate a Sports Wagering Area, Sports Wagering Facility or Sports Wagering Platform, or to comply with M.G.L. c. 23N, 205 CMR, or any other applicable law, regulation, court order, subpoena or civil investigative demand of a governmental entity, to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity, debug to identify and repair errors, to investigate, respond to and defend against filed legal claims, and for other reasonable safety and security purposes; and

(a) It is no longer necessary to retain the patron's Confidential Information or Personally Identifiable Information to operate a Sports Wagering Area, Sports Wagering Facility or Sports Wagering Platform, or to comply with M.G.L. c. 23N, 205 CMR, or any other applicable law, regulation, court order, subpoena or civil investigative demand of a governmental entity;

(b) The patron withdraws their consent to the Sports Wagering Operator's retention of their Confidential Information or Personally Identifiable Information;

(c) There is no overriding legal interest to retaining the patron's Confidential Information or Personally Identifiable Information;

(d) The patron's Confidential Information or Personally Identifiable Information was used in violation of 205 CMR 257.00; or

(e) Restriction or erasure is necessary to comply with an order from the Commission or a court.

(4) If the Sports Wagering Operator grants the patron's request to erase their Confidential Information or Personally Identifiable Information, the Sports Wagering Operator shall erase the patron's Personally Identifiable Information or Confidential from all storage media it is currently using to operate a Sports Wagering Area, Sports Wagering Facility or Sports Wagering Platform, including HDD, SDD, flash, mobile, cloud, virtual, RAID, LUN, hard disks, solid state memory, and other devices. The Sports Wagering Operator shall also request commercially reasonable confirmation of deletion from any Vendor, Registrant, or Subcontractor who received the patron's Confidential Information or Personally Identifiable Information from the Sports Wagering Operator. Notwithstanding, the foregoing, the Sports Wagering Operator shall not erase a patron's Confidential Information or Personally Identifiable Information on backup or storage media used to ensure the integrity of the Sports Wagering Area, Sports Wagering Facility or Sports Wagering Platform from technology failure or to comply with its data retention schedule or to comply with M.G.L. c. 23N, 205 CMR, or any other applicable law, regulation, court order, subpoena or civil investigative demand of a governmental entity.

(5) An Operator, or a Vendor, Registrant or Subcontractor of an Operator shall not require a Patron to enter into an agreement waiving any of the Patron's rights under 205 CMR 257.04.
