alerts & publications
Data Privacy in a Post-Murphy LandscapeJanuary 7, 2019
This alert is the sixth in a series of alerts discussing updates and potential developments in light of the Supreme Court’s decision in Murphy v. National Collegiate Athletic Association. The first installment outlined the Murphy decision itself, and the second installment focused on potential state and federal legislation following Murphy. The third installment identified potential revenue opportunities that may emerge following Murphy. The fourth installment outlined risks related to money laundering and key aspects of an anti-money laundering compliance program as they apply to established businesses that may now expand into sports betting as well as to those that may be new entrants into the market post-Murphy. The fifth installment focused on the right to publicity in a post-Murphy landscape, where sportsbooks and sports betting platforms may seek to use athletes’ likenesses in connection with their enterprises, in light of the Indiana Supreme Court’s guidance in Daniels v. FanDuel, Inc. This installment focuses on the unique consumer data privacy issues that may arise in connection with legalized sports gambling post-Murphy.
The Supreme Court’s decision in Murphy v. National Collegiate Athletic Association (Murphy), which removed the barrier to legalized sports betting, has not only opened the door to traditional sports betting in casinos but, in certain states, has allowed for the expansion of sports betting to online and mobile platforms. Central to sports betting, regardless of platform, is the use of data, including personal data of bettors. As potential bettors flood the market, sportsbooks and casinos must be cognizant of the sorts of data being collected, as well as their obligations under both federal and state law in order to protect users’ data. This alert analyzes the existing regulatory framework and unique privacy issues that may arise in the context of sports betting.
Sports Gambling – Consumer Data Background1
The first step to data protection compliance is identifying the types of personal data that are collected in the sports-betting environment. Sports betting typically involves the collection and processing of a variety of personal information belonging to prospective bettors, including information relating to the bettor’s identity and certain banking and financial information, that is necessary to process betting transactions and comply with applicable legal requirements. Additionally, some states, such as New Jersey, have authorized online and mobile sports gambling such that consumer data will be entered and secured on mobile sports betting apps and online platforms. For example, the DraftKings app, operating in New Jersey, requires a user to confirm their age and location within the state.2 Additionally, bettors using the DraftKings app seeking to withdraw earnings can only withdraw via a physical check or by getting cash at the cashiers’ cage at Resorts Atlantic City.3 The FanDuel app requires users to provide their name, date of birth, physical address, email address, phone number, and Social Security number.4 Bettors are also required to create a username and password, as well as create two security questions in order to protect their account.5 Bettors can fund accounts via bank transfer, e-check, FanDuel pre-paid card, check, PayPal, or cash.6 Bettors can withdraw funds via e-check or direct checks.
In addition to data that a bettor may provide directly, online and mobile applications may collect additional data about bettors automatically through various tracking technologies. As online and mobile applications develop, operators may want to collect data regarding the behavior, habits, and preferences of their customers. Operators may also need to track their bettors’ geographical location to ensure that they are not offering sports betting in jurisdictions where it is prohibited. Both federal and state regulators have issued guidance on the types of disclosures and consents that should be obtained for such tracking.
The scope and extent of data that is or could be collected by sports-betting operators can create significant compliance requirements and risks. Operators must be careful to meet the notice, transparency, and consent requirements of state, federal, and international laws, as applicable. In addition, there are significant security risks because the data is potentially quite valuable; a security breach that leads to the theft of user accounts and passwords could result in the diversion of funds, unauthorized betting, or even alteration of odds. Operators must be sure they have security measures in place to protect against such incidents and plans for dealing with and reporting such incidents should they occur.
Data Privacy Regulatory Framework – Federal and State
Sportsbooks and other sports-betting platforms should be cognizant of the federal framework7 in place designed to protect consumer data. All sportsbooks that are operating pursuant to state casino licenses and that have gross annual gaming revenues greater than $1 million are “financial institutions” subject to the requirements of the Bank Secrecy Act (BSA), 31 U.S.C. § 5311, et seq.8 The BSA, as amended by the USA PATRIOT Act, Pub. L. No. 107-56, 115 Stat. 272 (2001), is designed to help law enforcement identify the source, volume, and movement of funds within the United States and/or transmitted across its borders in order to prevent money laundering and the financing of terrorism. In order to do this, the Financial Crimes Enforcement Network, or “FinCEN,” an agency of the Department of Treasury, requires a financial institution to undertake customer due diligence, including:
- Identify and verify the identity of customers;
- Identify and verify the identity of the beneficial owners of companies opening accounts;
- Understand the nature and purpose of customer relationships to develop customer risk profiles; and
- Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.9
In order to formulate a customer risk profile, financial institutions should gather sufficient information about the customer to understand the nature and purpose of the customer relationship.10 This understanding can be based on assessments of individual customers or on categories of customers.11 The level and type of customer information collected should be commensurate with the customer’s risk profile; for customers with greater risk, financial institutions should obtain more customer information.12 Financial institutions should document how customer information may be used with respect to any other regulatory requirements, such as identifying suspicious activity.13 Once the customer relationship is established, financial institutions must also implement risk-based procedures to monitor the relationship, including updating any customer information.14
Sportsbooks and casinos may also fall within the regulatory ambit of other federal privacy requirements. The FTC has been a primary source of guidance and enforcement relating to privacy in the United States under its enforcement powers in Section 5 of the FTC Act. The FTC has identified certain efforts it considers critical in protecting consumer data, including the following key elements:
- Companies should understand the personal information they are collecting and where that data resides. Moreover, companies should be cognizant of how personal information travels within the business, including the transmitters and recipients of sensitive personal information.
- Businesses should only keep personal information for as long as there is a business purpose for doing so. Once the customer’s personal information is no longer needed, companies should properly dispose of this information. If a company develops a mobile app, the app should only access the consumer data and functionality as necessary. If a company must keep personal information for business reasons, the FTC advises that the company develop a written records retention policy to identify what information must be kept, how to secure it, how long to keep it, and how to properly dispose of it.
- Businesses should develop effective data security plans comprised of physical security, electronic security, employee training, and security practices of contractors and service providers.
- Companies should devise appropriate plans to properly dispose of consumer personal information after it is no longer needed.
- Businesses should develop a plan for responding to any security breaches in order to protect consumers.15
Sportsbooks and casinos may also be subject to the Gramm-Leach-Bliley Act to the extent they operate as businesses with customers to whom they extend or arrange lines of credit.16 Pursuant to the Gramm-Leach-Bliley Act, financial institutions must notify their customers about information-sharing practices and provide customers with the opportunity to opt-out if they do not want their information shared with third parties.17
At the state level, there are a number of states that have issued generally applicable privacy-related laws. First, a number of states, including California18, Nevada19, and Delaware20, require companies to post privacy policies describing their data collection practices. Second, several states require companies to institute “reasonable security measures” to protect personal data, although such laws are not very specific as to what that actually requires.21 Finally, all 50 states have security breach disclosure requirements that would need to be met in the event of a security breach involving personal data. All of these laws need to be considered in developing policies for sports betting to the extent data is collected from residents of those states.
The scope of these protections is likely to increase and become stringent in the coming years. Just this year, California passed the California Consumer Privacy Act (CaCPA), imposing significant new obligations on certain businesses doing business in California and affording new rights to California consumers.22 This new law, which could take effect as early as January 2020, has been likened to the EU’s General Data Protection Regulation in terms of the rights given to the data subjects. First, CaCPA expands the definition of personal information to include information about a person’s protected status, biometric data, transaction history, and browsing history.23 Second, pursuant to CaCPA, consumers will be able to request that a business disclose the personal information the business has collected, the sources from which the information was collected, with whom the information has been shared or sold, and the business purpose for collecting or selling the information.24 Moreover, businesses must inform consumers as to the categories of information being collected and the purposes for which personal information shall be used.25 Under CaCPA, businesses may not sell a consumer’s personal information unless they give notice to the consumer and provide the opportunity to opt-out.26 Third, consumers have the right to request that a business delete any personal information that has previously been collected.27 Fourth, CaCPA prohibits a business from charging a consumer a different price or rate, or providing a different level of service to the consumer, if the difference is reasonably related to the value provided by the consumer’s data.28 However, CaCPA permits businesses to offer financial incentives for the collection, sale, or deletion of personal information.29 Finally, CaCPA provides a new private right of action in connection with data security breaches.30 CaCPA reflects a growing trend in strengthening consumer data protections, which may be replicated across other jurisdictions.
Data Privacy Regulatory Framework – State Sports-Betting Regulations
Recognizing the specific and unique data privacy issues associated with sports gambling, states that have legalized sports gambling have also imposed regulations seeking to verify consumer information and secure consumer data. For example, Nevada has devised specific requirements for “data collectors,” including casinos that collect and store personal information.31 Data collectors that maintain records that contain the personal information of a Nevada resident are required to implement and maintain reasonable security measures to protect such personal information.32 Additionally, if Nevada data collectors disclose personal information to others, any contract governing such disclosure must include a provision requiring the person to whom the data is disclosed to implement and maintain reasonable security measures.33 Nevada also mandates certain requirements for encrypting personal information once data collectors obtain personal information.34 Consistent with the FTC’s guidance, Nevada law also imposes certain requirements in case of a security breach.35 Data collectors in Nevada must disclose any breach of the security of system data following discovery or notification of the breach to any Nevada resident whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.36 Regulations geared specifically to legalized sports betting also mirror federal guidance on data security. For example, Pennsylvania requires licensed sportsbooks to implement internal controls, in part designed to address data security concerns.37 Specifically, Pennsylvania requires sports-betting licensees to establish procedures for the security and sharing of personal identifiable information of a registered player, including the means by which a licensee is to provide notice to a registered player related to the sharing of personal identifiable information.38
States that have authorized mobile and online sports betting have similarly imposed regulations designed to protect consumer personal information. Before a bettor can even place a bet with an online sportsbook or sports-betting app, the bettor generally must register in person at a licensed casino in order to verify his or her identity. In Nevada, part of the registration process requires providing the sportsbook with a government-issued ID and a Social Security or Tax ID Number.39 Verification of a bettor’s identity is particularly important, as the states to have legalized sports betting require that bettors must be located within state lines in order to place a bet. Once registered, a number of states require sports-betting licensees to create an electronic patron file. In West Virginia, for example, the electronic patron file must include a variety of personal information identifying the bettor, including address, telephone number, identity verification method, and financial information.40 Similarly, New Jersey regulations require that, before establishing an Internet or mobile gaming account, the licensee must also create an electronic patron file.41 Additionally, New Jersey requires that licensees encrypt personal information contained in the electronic patron file, including Social Security numbers, passwords, and personal financial information.42
In order to ensure that bettors are located within a given state before placing a wager on an online or mobile sports-betting app, licensees may implement geolocation methods, which in turn require collection of information pertaining to a bettor’s physical location. In fact, Nevada has a statewide geofence consisting of a set of coordinates that define the “shape” of the state.43 The user’s geolocation is compared to the geofence to determine if they are inside the border or not. This geofence facilitates mobile sports betting.44 Similarly, in Pennsylvania, bettors’ locations will be verified via IP address and/or mobile geolocation to ensure they are located within the state’s borders when placing bets.45
Key Privacy Principles
Given the volume of personal information casinos may be required to collect pursuant to federal and state law, it will be critical for sportsbooks and other market participants to be cognizant of core privacy principles and regulatory requirements, balanced against the need to collect consumer data:
- Notice: Sportsbooks and sports-gambling enterprises should ensure they inform bettors as to what personal information is being collected and how bettors’ personal information will be used and potentially shared.
- Consent: Bettors should have the opportunity to consent to the collection, use, or disclosure of their information provided to sportsbooks and sports-betting platforms described in a specific notice. Mobile sports-betting platforms should also implement privacy policies pertaining to the collection of consumer information over their mobile apps, such as geolocation information. Such policies are consistent with state and federal guidance.46 Any use or disclosure of personal information outside of the notice requires explicit consent from the bettor, except in certain instances as required by law enforcement. In addition, certain kinds of tracking, such as geolocation, require a special notice and affirmative opt-in before they are implemented.
- Data Retention: Sportsbooks and sports-betting platforms should strike an appropriate balance between data collection requirements and the destruction and deletion of users’ personal information. To the extent bettor data is no longer necessary for business or regulatory purposes, a sportsbook should consider deleting such personal information to protect it from potential hacking.
- Data Security: Sportsbooks and sports-betting platforms should be cognizant of federal and state regulations governing the oversight and maintenance of consumer data generally, in addition to the state regulations authorizing sports gambling. In particular, sportsbooks and sports-betting platforms should implement measures designed to secure consumer data and prevent the loss of such data or unauthorized access to such data.
The expected increase in the volume of sports bettors, combined with the variety of sports-betting platforms, requires significant attention to securing bettors’ personal information. Such data will be increasingly valuable to advertisers and other market participants seeking to capitalize on the sports-betting marketplace. New market participants should ensure they are compliant with federal and state data security regulations as well as best practices in order to ensure that bettor data is protected. Failure to do so may subject sportsbooks and sports-betting platforms not only to fines or enforcement actions by federal and state authorities but, to the extent states institute private rights of action, as California has, these companies may face litigation exposure for failure to protect consumer data.
1 In addition to consumer data, sportsbooks and sports betting platforms will also host a significant amount of data and personal information pertaining to athletes. Moreover, there may be a growing incentive to obtain and release athletes’ personal information, such as injury reports, as legal sports betting flourishes. Sportsbooks should be cognizant of these pressures and seek to protect athletes’ personal information as well as consumer data.
2 DraftKings Sportsbook Promo Code & Review, LEGAL SPORTS REPORT.
4 FanDuel Sportsbook Promo Code & Review, LEGAL SPORTS REPORT.
7 Currently, states that have legalized sports gambling do not permit cross-border betting, including from international bettors. However, sportsbooks and sports-betting platforms should be cognizant of the EU’s General Data Protection Regulation (GDPR), to the extent they extend operations internationally.
8 31 U.S.C. § 5312(a)(2)(X).
9 Press Release, FinCEN, FinCEN Reminds Financial Institutions that the CDD Rule Becomes Effective Today (May 11, 2018).
10 FFIEC BSA/AML Examination Manual: Customer Due Diligence, (May 5, 2018).
15 Protecting Personal Information: A Guide for Businesses, FTC (Oct. 2016).
16 Privacy Act Issues Under Gramm-Leach-Bliley, FTC (Jan. 29, 2009).
18 California Consumer Privacy Act of 2018 (“CaCPA”), CAL. CIV. CODE §§ 1798.100, 1798.110 (2018).
19 NEV. REV. STAT. ANN. § 601A.340 (2017).
20 DEL. CODE ANN. tit. 6 § 1201C et seq.
21 See, e.g., CAL. CIV. CODE § 1798.81.5 (2018); MD. CODE COM. LAW § 10-1304 (2016).
22 CaCPA, CAL. CIV. CODE § 1798.198(a) (2018).
23 Id./em> § 1798.140(o)(1).
24 Id. § 1798.100(b), 1798.110(c).
26 Id. § 1798.120(a).
27 Id. § 1798.105.
28 Id. § 1798.125(a)(1).
29 Id. § 1798.125(b).
30 Id./em> § 1798.150(b)(1).
31 NEV. REV. STAT. ANN. § 603A.330 (2017).
32 Id. § 603A.210 (2006).
34 Id. § 603A.215 (2011).
35 Id. § 603A.220 (2006).
37 PA. CODE § 1408.
38 Id. § 1408.3(b)(13).
39 NEV. GAMING COMMISSION REG. 5.220.
40 W. VA. CODE § 179-9-13.
41 N.J.A.C. § 13.69O-1.3(b).
43 Nevada, LEGAL SPORTS REPORT.
45 See PA. CODE CH. § 1402.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Irwin Raij, an O’Melveny partner licensed to practice law in the District of Columbia, Florida, and New York, Scott W. Pink, an O’Melveny special counsel licensed to practice law in Illinois and California, and Marjorie B. Truwit, an O’Melveny associate licensed to practice law in the New York, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
© 2019 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.
Thank you for your interest. Before you communicate with one of our attorneys, please note: Any comments our attorneys share with you are general information and not legal advice. No attorney-client relationship will exist between you or your business and O’Melveny or any of its attorneys unless conflicts have been cleared, our management has given its approval, and an engagement letter has been signed. Meanwhile, you agree: we have no duty to advise you or provide you with legal assistance; you will not divulge any confidences or send any confidential or sensitive information to our attorneys (we are not in a position to keep it confidential and might be required to convey it to our clients); and, you may not use this contact to attempt to disqualify O’Melveny from representing other clients adverse to you or your business. By clicking "accept" you acknowledge receipt and agree to all of the terms of this paragraph and our Disclaimer.