Published: May 29, 2024

New Bill May Require iGaming, Betting Companies to Change Data Policies

Companies involved in the regulated US online casino industry are used to navigating a patchwork of various rules across disparate states. However, a national standard could be forthcoming in at least one facet of their business.

The American Privacy Rights Act, a proposed bill in the US Congress, would establish a uniform policy across the country when it comes to online privacy, data rights and businesses’ use of customer information. While it’s too early to get into the minutia of exactly how online casinos and their vendors might have to adjust their practices, it seems obvious that the new standards would apply to at least the operators of those online gambling platforms.

American Privacy Rights Act codifies several policies

While the bill has not been formally filed in either chamber of Congress, a draft of the legislation1 has been worked up for members of Congress to scrutinize. Additionally, the bill’s sponsors have been publicizing their intent widely.

A summary from the US Senate’s Committee on Commerce, Science, and Transportation2 breaks the various tenets of the proposal down. US Sen. Maria Cantwell (D-WA) is the sponsor in the Senate and the chair of that committee. From the summary:

“This measure would establish national consumer data privacy rights and set standards for data security. The bill also would require covered entities to be transparent about how they use consumer data and give consumers the right to access, correct, delete, and export their data, as well as opt out of targeted advertising and data transfers. The measure would set standards for data minimization that would allow companies to collect and use data only for necessary and limited purposes and prohibit the transfer of sensitive covered data to third parties without the consumer’s affirmative express consent. The Act would prohibit the use of covered data to discriminate against consumers and provide consumers with the right to opt out of the use of algorithms for consequential decisions.”

With about five months left before voters determine the framework of the next Congress, there is some urgency. There is also some skepticism. At the same time, the bill’s sponsors tout support as well.

Voices spring forth on both sides of the issue

Those members of Congress who have reviewed the draft are hesitant to support it as it currently reads. For example, Rep. Anna Eshoo (D-CA) stated in a memo to Cantwell that she does not want a federal law to pre-empt stricter privacy standards in her state, according to Scott Wong of NBC News3.

KREM reports4 that some small business owners in Cantwell’s state also have expressed concerns about the proposal restricting their trade. Meanwhile, a separate release from the Senate Commerce committee5 lists examples of praise for the draft from entities like Microsoft and the Lawyers’ Committee for Civil Rights Under Law.

Wong also shared optimism from Sen. Ben Ray Lujan (D-NM) about getting the bill passed before 2024 ends. If Lujan is correct, the operators of online casinos will need their in-house counsel and other staff to look carefully over the new law’s tenets and their practices.

Bill would probably apply to most US online casino operators

The American Privacy Rights Act defines which entities would be subject to its standards. The bill specifies that a designation of a “large data holder” would subject businesses like online casino operators to potential prosecution if they do not comply. Currently, to qualify as a large data holder, an entity has to fit one of the following descriptions:

  • An entity that collects, processes, retains, or transfers the covered data of more than 5 million individuals, 15 million portable devices, or 35 million connected devices that are linked to an individual; or the sensitive data of at least 200,000 individuals or 300,000 portable devices or 700,000 connected devices
  • Have $250 million or more in annual revenue

The act defines covered data as “information that identifies or is linked or reasonably linked to an individual or device” while sensitive data is “a subset of covered data that includes government identifiers.” The term “government identifiers” generally applies to anything a governmental entity uses to identify or locate a person.

On both counts, companies like BetMGM, Caesars, DraftKings and FanDuel would qualify as large data holders. While they won’t have to seriously dig into what policies they would need to alter until the American Privacy Rights Act actually becomes law and takes effect, there are some likely scenarios.

Where US online casino privacy policies might need to adjust

Currently, online casino players can view the individual policies for the apps they play on whenever they wish. These policies tend to be quite uniform from one operator to the next. A review of the policies turned up that they make quite clear that the casino operators may share your information with their partners.

The American Privacy Rights Act would not necessarily outlaw such sharing. It would require companies like BetMGM and Caesars to show that they got your consent to share specific data points with partners.

That could result in a more detailed consent process when registering or using an online casino. Currently, using those gaming platforms is tantamount to consent to their privacy policies in most states.

Players’ options for controlling what information the casinos can share about them might also increase. However, some of these apps already provide such options to an extent. For instance, BetMGM’s privacy policy lists an email address that players can use to express their wishes to “opt out of receiving marketing communications” and to restrict BetMGM from sharing “your personal information for marketing purposes with our business partners.”

Perhaps the biggest change that might be forthcoming is that instead of the user restricting the usage of their data, that responsibility could shift to the entity that would use that information in many ways. The American Privacy Rights Act draft could still see revisions, though, perhaps significantly so.

This is just one area in which the US government could enact a rare national standard that would apply to online gambling companies.,targeted%20advertising%20and%20data%20transfers.

© Public Gaming Research Institute. All rights reserved.