Over/Under: Online Sports Betting Will Prompt the Next Big Wave of Data Privacy Litigation

By: Danielle Gershen

The surge in sports betting began in 2018 after the U.S. Supreme Court overturned the Professional and Amateur Sports Protection Act (PASPA) in Murphy v. NCAA.[1] The Court held that PASPA was unconstitutional and a violation of the Tenth Amendment.[2] Contrary to popular belief, Murphy did not directly legalize sports betting, but rather removed the federal barrier that prohibited states (other than a few states grandfathered in, including Nevada) from legalizing sports betting.[3] Currently, thirty-five states and the District of Columbia have laws in effect, and another three states have legalized sports betting, but the laws are not yet in effect.[4] In 2022, revenue from sports betting increased by almost seventy-three percent from the previous year, bringing in $7.5 billion.[5] Additionally, there is a projection of over thirty-one million online sports betting users for 2023.[6]

Simultaneously, new trends have developed within the data privacy litigation landscape. Casinos, like MGM and Caesars, are parties to several cybersecurity class action lawsuits stemming from hacks that resulted in stolen personal data and lost revenue.[7] Based on the nature and growth of online sports betting, it is likely these newer platforms will become one of the next targets for cybercriminals.

Data privacy concerns in the sports betting context often arise out of a company’s failure to properly protect a consumer’s personally identifiable information (“PII”).[8] PII is defined as any “information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.”[9] However, only certain types of PII, known as sensitive PII, can lead to significant harm if stolen or leaked.[10] This is because sensitive PII, like a social security number or financial information, can be used to distinguish and trace an individual’s identity.[11] Government agencies and financial institutions mainly utilize sensitive PII to protect a person’s record and accounts.[12] By contrast, disclosure of non-sensitive PII, like full name, phone number, date of birth, and address, is less likely to lead to significant harm because the data is typically more readily available to the public.[13]

Generally, data privacy litigation has been centered around data breach class action lawsuits under federal and state wiretap statutes.[14] However, emerging technologies, like pixels and cookies, have created additional avenues as consumers attempt to pursue claims through the Electronic Communications Privacy Act (ECPA) and the Federal Video Privacy Protection Act (VPPA).[15] The exploration of these claims has triggered a national increase in data privacy lawsuits and highlights the United States’ lack of comprehensive data privacy laws.[16] To compensate, states are slowly passing their own data privacy legislation. For example, the California Privacy Rights Act (CPRA) elevated a business’s obligations when collecting PII and formed new consumer rights.[17] More recently, the Massachusetts Gaming Commission approved new regulations, the Sports Wagering Data Privacy Rules, which target sports betting operators by requiring them to create policies that ensure protection of consumer PII and other confidential information.[18] These regulations include provisions that focus on the operator’s ability to use, retain, and share consumer data, the rights of consumers to request information on the use of PII, and requirements for data privacy policies and breach reporting.[19] As of September 2023, only eleven states have enacted consumer data privacy laws and even fewer have imposed comprehensive regulations on sports betting data, creating significant legal risks for users and platforms.[20]

Looking into the data collected by popular sports betting applications like DraftKings, a new user is not only required to create a username and password, but must also provide their name, date of birth, phone number, email address, physical address, and sometimes a Social Security number and financial account.[21] DraftKings makes it clear to users consenting to its privacy policy that the PII is stored, tracked, and collected for internal and third-party analysis to “improve, personalize, and optimize” the service.[22] However, even if DraftKings is investing in cybersecurity safeguards for its users’ PII, as the majority of platforms do, past scenarios demonstrate that no company is immune from hackers. When considering the vast amount of PII that is accumulated and distributed, coupled with known risks and lack of regulations, there is still a high probability that online sports betting platforms will be the subject of the next data privacy class action lawsuit.

[1] Murphy v. NCAA, 138 S. Ct. 1461, 1485 (2018).

[2] Id. at 1481.

[3] Dan Preciado, States Where Sports Betting Is Legal, Forbes (Feb. 28, 2023), https://www.forbes.com/betting/guide/legal-states/.

[4] Interactive U.S. Map: Sports Betting, American Gaming Association (Sept. 28, 2023), https://www.americangaming.org/research/state-gaming-map/.

[5] Doug Greenberg, Expanded Legal Betting Access Leads to Record Year, Front Office Sports (Feb. 16, 2023), https://frontofficesports.com/sports-betting-industry-record-7-5b-2022-revenue/.

[6] Online Sports Betting – United States, Statista (Aug. 2023), https://www.statista.com/outlook/dmo/eservices/online-gambling/online-sports-betting/united-states#users.

[7] Zeba Siddiqui, Hackers say they stole 6 terabytes of data from casino giants MGM, Caesars, Reuters (Sept. 14, 2023), https://www.reuters.com/business/casino-giant-caesars-confirms-data-breach-2023-09-14/.

[8] See id.

[9] Guidance on the Protection of Personal Identifiable Information, U.S. Dep’t of Labor https://www.dol.gov/general/ppii#:~:text=Personal%20Identifiable%20Information%20(PII)%20is,either%20direct%20or%20indirect%20means/ (last visited Oct. 19, 2023).

[10] What is personally identifiable information (PII)?, IBM https://www.ibm.com/topics/pii (last visited Oct. 19, 2023).

[11] Id.

[12] Id.

[13] Id.

[14] Kevin Hylton, Data Privacy Class Actions on the Rise, Lexis Nexis (June 8, 2023), https://www.lexisnexis.com/community/insights/legal/b/practical-guidance/posts/data-privacy-class-actions-on-the-rise.

[15] The ECPA aims to protect wire, oral, and electronic communications. Both the Wiretap Act, which prohibits the actual or attempted interception of a covered communication, and the Stored Communications Act, which focuses on the privacy of stored data by service providers are codified within the ECPA. Id.; The VPPA traditionally prohibits video tape service providers from knowingly disclosing PII obtained from video materials, but newer litigation attempts to apply the VPPA to any website with embedded videos that shares data with third parties for marketing purposes. Id.

[16] Fredric D. Bellamy, U.S. data privacy laws to enter new era in 2023, Reuters (Jan. 12, 2023), https://www.reuters.com/legal/legalindustry/us-data-privacy-laws-enter-new-era-2023-2023-01-12/ (comparing the United States’ “harms-prevention-based” protections to the European Union’s “rights-based” approach for the General Data Protection Regulation).

[17] Id.

[18] 205 Mass. Code Regs. 257.00-06 (2023).

[19] Id.

[20] Which States Have Consumer Data Privacy Laws?, Bloomberg Law (Sept. 7, 2023), https://pro.bloomberglaw.com/brief/state-privacy-legislation-tracker/.

[21] DRAFTKINGS – OUR COMMITMENT TO PRIVACY, DraftKings (Dec. 30, 2022), https://myaccount.draftkings.com/documents/privacy-notice#THEPERSONALINFORMATIONWECOLLECT.

[22] Id.