Section 248.06 - Terms and Conditions and Privacy Policies(1) All terms and conditions and privacy policies for Sports Wagering Accounts shall be readily accessible to the patron before and after registration. Sports Wagering Operators shall inform patrons of any material changes or updates to said terms and conditions or privacy policies.(2) All terms and conditions for Sports Wagering Accounts must address all aspects of the Sports Wagering operation including, but not limited to, all of the following: (a) A statement that only individuals over the age of 21 and located in the authorized geographic boundaries within the Commonwealth may participate in Sports Wagering;(b) Advice to the patron to keep their authentication credentials secure;(c) All processes for dealing with lost authentication credentials, forced password changes, password strength and other related items as required by the Commission;(d) Full explanation of all rules applicable to dormant Sports Wagering Accounts, including the conditions under which an account may be declared dormant and what actions will be undertaken on the account once this declaration is made;(e) Actions that will be taken on the patron's pending wagers placed prior to any exclusion or suspension, including the return of all wagers, or settling all wagers, as appropriate;(f) Information about timeframes and limits regarding deposits to, or withdrawals from, the Sports Wagering Account, including a clear and concise explanation of all fees, if applicable; and(g) Statements indicating that the Sports Wagering Operator has the right to: 1. Refuse to establish a Sports Wagering Account for what it deems good and sufficient reason;2. Refuse deposits to, or withdrawals from, Sports Wagering Accounts for what it deems good and sufficient reason; and3. Unless there is a pending investigation or patron dispute, suspend or close any Sports Wagering Account at any time, provided such suspension or closure is in accordance with the terms and conditions between the Sports Wagering Operator and the patron, M.G.L. c. 23N, and 205 CMR.(3) All privacy policies for Sports Wagering Accounts must address all aspects of Confidential Information and Personally Identifiable Information protection, including, at a minimum any measures required by 205 CMR, M.G.L. c. 93H, M.G.L. c. 93I, 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, and any other applicable law, regulation or order of a governmental body. (a) The Confidential Information and Personally Identifiable Information required to be collected;(b) The purpose and legal basis for Confidential Information and Personally Identifiable Information collection and of every processing activity for which consent is being sought;(c) The period in which the Confidential Information and Personally Identifiable Information is stored, or, if no period can be possibly set, the criteria used to set this. It is not sufficient for the Sports Wagering Operator to state that the Confidential Information and Personally Identifiable Information will be kept for as long as necessary for the legitimate purposes of the processing;(d) The conditions under which the Confidential Information and Personally Identifiable Information may be disclosed;(e) An affirmation that measures are in place to prevent the unauthorized or unnecessary disclosure of the Confidential Information and Personally Identifiable Information; and(f) The identity and contact details on the Sports Wagering Operator who is seeking the consent, including any Sports Wagering Vendor(s) which may access and or use this Confidential Information and Personally Identifiable Information;(g) That the patron has certain rights with respect to their Confidential Information and Personally Identifiable Information pursuant to 205 CMR, M.G.L. chs. 93H and 93I and 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth.(h) The rights of a patron to file a complaint concerning the use or storage of the patron's Confidential Information and Personally Identifiable Information to the Commission, the Office of Consumer Affairs and Business Regulation, the Office of the Attorney General, or any other law enforcement entity regarding the use of the patron's Confidential Information and Personally Identifiable Information;(i) For Confidential Information and Personally Identifiable Information collected directly from the patron, whether there is a legal or contractual obligation to provide the Confidential Information and Personally Identifiable Information and the consequences of not providing that information;(j) Where applicable, information on the Sports Wagering Operator's use of automated decision-making, including profiling, and at least in those cases, without hindering compliance with other legal obligations: 1. Sufficient insight into the logic of the automated decision-making;2. The significance and the envisaged consequences of such processing for the patron; and3. Safeguards in place around solely automated decision-making, including information for a patron on how to contest the decision and to require direct human review or intervention.Adopted by Mass Register Issue 1486, eff. 12/22/2022 (EMERGENCY).Amended by Mass Register Issue 1492, eff. 3/9/2023 (EMERGENCY).Amended by Mass Register Issue 1494, eff. 3/9/2023 (COMPLIANCE).Amended by Mass Register Issue 1498, eff. 6/7/2023 (EMERGENCY).Amended by Mass Register Issue 1503, eff. 9/1/2023.