205 Mass. Reg. 238.45

Current through Register 1523, June 7, 2024
Section 238.45 - Confidential Information and Personally Identifiable Information Security
(1) Any information obtained in respect to Sports Wagering or the Sports Wagering Account, including Confidential Information and Personally Identifiable Information and authentication credentials, shall be collected, maintained, stored and secured in compliance with the privacy policies and 205 CMR 138.73: Uniform Standards of Accounting Procedures and Internal Controls and any other policies in 205 CMR, M.G.L. c. 93H, M.G.L. c. 93I, 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, and any other applicable law, regulation or order of a governmental body. Confidential Information, Personally Identifiable Information and the Sports Wagering Account funds shall be considered as critical assets for the purposes of risk assessment.
(2) No employee or agent of the Sports Wagering Operator shall divulge any Confidential Information or Personally Identifiable Information related to a Sports Wagering Account, the placing of any Wager or any other sensitive information related to the operation of Sports Wagering except as required or permitted by 205 CMR 238.45 or elsewhere explicitly permitted in 205 CMR, the Commission or other authorized governmental agencies, including:
(a) The amount of money credited to, debited from, withdrawn from, or present in any particular Sports Wagering Account;
(b) The amount of money Wagered by a particular patron on any event or series of events;
(c) The unique patron ID or username and authentication credentials that identify the patron;
(d) The identities of particular Sporting Events on which the patron is Wagering or has Wagered; and
(e) Unless otherwise authorized by the patron, the name, address, and other Personally Identifiable Information or Confidential Information in the possession of the Sports Wagering Operator that would identify the patron to anyone other than the Commission or the Sports Wagering Operator, provided, however, that such authorization must be clear, conspicuous, and received apart from any other agreement or approval of the patron. Acceptance of general or broad terms of use or similar documents that purport to permit the sharing of Personally Identifiable Information or Confidential Information in the same document shall not constitute adequate authorization, nor shall hovering over, muting, pausing, pre-selecting, or closing a given piece of content without affirmatively granting consent; or purported agreement. Further, no authorization shall be deemed to be a waiver of any of the patron's other rights. The option to withdraw such consent must be clearly and conspicuously available to the patron online through any patron account page on the Sports Wagering Operator's website and within any Sports Wagering mobile application. A patron shall not be required to confirm withdrawal of consent more than once, and no intervening pages or offers will be presented to the patron before such confirmation is presented to the patron.

205 CMR 238.45

Adopted by Mass Register Issue 1486, eff. 12/21/2022 (EMERGENCY).
Amended by Mass Register Issue 1492, eff. 3/9/2023 (EMERGENCY).
Amended by Mass Register Issue 1494, eff. 3/9/2023 (COMPLIANCE).
Amended by Mass Register Issue 1498, eff. 6/7/2023 (EMERGENCY).
Amended by Mass Register Issue 1503, eff. 6/7/2023 (COMPLIANCE).