205 Mass. Reg. 257.02

Current through Register 1523, June 7, 2024
Section 257.02 - Data Use and Retention
(1) A Sports Wagering Operator shall only use Confidential Information and Personally Identifiable Information as necessary to operate a Sports Wagering Area, Sports Wagering Facility or Sports Wagering Platform, or to comply with M.G.L. c. 23N, 205 CMR, or any other applicable law, regulation, court order, subpoena or civil investigative demand of a governmental entity, to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity, debug to identify and repair errors, to investigate, respond to and defend against filed legal claims, and for other reasonable safety and security purposes.
(2) If a Sports Wagering Operator seeks to use a patron's Confidential Information or Personally Identifiable Information for purposes beyond those specified in 205 CMR 257.02(1), a Sports Wagering Operator shall obtain the patron's consent, which may be withdrawn at any time.
(a) Such consent must be clear, conspicuous, and received apart from any other agreement or approval of the patron. Acceptance of general or broad terms of use or similar documents that purport to permit the sharing of Confidential Information or Personally Identifiable Information in the same document shall not constitute adequate consent, nor shall hovering over, muting, pausing, pre-selecting, or closing a given piece of content without affirmative indication of consent.
(b) Consent shall not be deemed to be a waiver of any of the patron's other rights.
(c) The option to withdraw such consent must be clearly and conspicuously available to the patron on the Sports Wagering Operator's Sports Wagering Platform. A patron shall not be required to confirm withdrawal of consent more than once, and no intervening pages (other than those needed to confirm withdrawal of consent) or offers will be presented to the patron before such confirmation is presented to the patron.
(3) A Sports Wagering Operator may not use a patron's Personally Identifiable Information or Confidential Information, or any information derived from it, to promote or encourage specific wagers or promotional offers based on:
(a) a period of dormancy or non-use of a Sports Wagering Platform;
(b) the wagers made or promotional offers accepted by other patrons with a known or predicted social connection to the patron;
(c) the communications of the patron with any third party other than the Operator;
(d) the patron's actual or predicted:
1. income, debt, net worth, credit history, or status as beneficiary of governmental programs;
2. medical status or conditions; or
3. occupation.
(e) Any computerized algorithm, automated decision-making, machine learning, artificial intelligence, or similar system that is known or reasonably expected to make the gaming or sports wagering platform more addictive.
(f) Engagement or utilization of play management options, including type of limit, frequency of engagement or utilization of play management options, and frequency of changing limits;
(g) Engagement or utilization of cooling-off options, including duration of cooling-off period, frequency of engagement or utilization of cooling-off options, and frequency of changing cooling-off periods;
(h) Engagement or utilization of any measure in addition to those described in 205 CMR 257.02(3)(f) and (g) intended to promote responsible gaming.
(4) A Sports Wagering Operator shall only retain a patron's Confidential Information and Personally Identifiable Information as necessary to operate a Sports Wagering Area, Sports Wagering Facility or Sports Wagering Platform or to comply with M.G.L. c. 23N, 205 CMR, or any other applicable law, regulation, court order, subpoena or civil investigative demand of a governmental entity, to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity, debug to identify and repair errors, to investigate, respond to and defend against filed legal claims, and for other reasonable safety and security purposes.
(5) A Sports Wagering Operator shall collect and aggregate patrons' Confidential Information and Personally Identifiable Information to analyze patron behavior for the purposes of identifying and developing programs and interventions to promote responsible gaming and support problem gamblers, and to monitor and deter Sports Wagering in violation of M.G.L. c. 23N and 205 CMR. The Sports Wagering Operator shall provide a report to the Commission at least every six months on the Sports Wagering Operator's compliance with 205 CMR 257.02(5), including the trends observed in this data and the Sports Wagering Operator's efforts to mitigate potential addictive behavior.

205 CMR 257.02

Adopted by Mass Register Issue 1503, eff. 9/1/2023.