Thank you. Good morning. It's a convening of the Massachusetts Gaming Commission, and we hold this meeting virtually, so we will do our roll call to my fellow colleagues. Good morning, Commissioner Bryan. Good morning. I am here. Commissioner Hill. Good morning. Good morning. I'm here. Commissioner Skinner. Good morning. Good morning. And Commissioner Maynard. Good morning. Good morning. All right. So today is September 19th, it's a Tuesday starting right at 10 a.m. is our public meeting number 479. And we are having a special meeting today on one topic and it is a convening of a roundtable of a number of stakeholders who have expressed an interest, or have an interest in our regulation 205CMR. 27 that addresses data privacy. We have used this convention of a virtual roundtable to learn more from our stakeholders when questions arise. We work hard to become informed. We are at a stage in this regulation that's a little bit different. We have had a number of public comments about this regulation. But again, because there were outstanding questions, the commissioners all decided that we wanted to hear more. So with that, I'm going to turn to our legal team to help set the stage both substantively and procedurally with respect to the regulation. And then as our agenda points out, we have some prompts. To get started on the discussion. I will have a round of introductions. And it is a large group. And we want to express our gratitude to all of you for making the time today to have this conversation and help us understand things better. But I think we'll start with our legal team and I think Caitlin Monahan of our gaming commission will start off and then we have folks from Anderson Krieger who will also help set the stage. Good morning, Caitlin. Good morning. Yes, thank you. Thank you, Madam Chair and good morning to everyone on this call.
I am going to quickly turn this over to Mina Macarius who's a partner at Anderson and Krieger and has been our outside counsel working with us on this data privacy reg. So Mina is going to walk through the structure of the reg just so that we're all on the same page for this conversation and then of course we are here for any questions that crop up over the course of this discussion. So we're looking forward to hearing what everyone has to say today. Thanks Mina. Thank you, Caitlin and good morning everyone. I'll try to be brief because as the chair said we are all eager to learn from the group and hear about your perspectives on the regulation. So first, this is a matter of process where we are with this regulation. This regulation was passed in the normal rather than emergency course. I believe 60 day comment period, if I'm not mistaken, Caitlin that and both a presentation of the draft regs, followed by a discussion of the comments received. There were many pages of comments received from both operators, other attorneys in the Attorney General's Office as well. The regulation was developed initially based on a set of comments that came from the Attorney General's Office on prior versions of other regulations. This actually started way back in January with comments received from the AG's office on items in 138238 247248 and predominantly the advertising reg. The commission made the decision early on in the advertising process that issues of data privacy and data protection, while it was important and didn't really fit in with the advertising regulations. They were separate. There were some overlap, of course, but they were separate and tasked the legal team and staff to work on a draft regulation. So this is that the product of that work that input from both internal and external stakeholders and the comment period.
And it is in force, however, subject to the requested waiver and the last commission meeting and discussion that the round table will be useful to end up more particular feedback. I'm going to give a very brief overview of the regulation and sort of its overall structure without getting too far into the weeds. The regulation starts at six sections that starts with a definition section. There's two key definitions here. Really, there's three definitions totals might as well cover more. One is the data what a data breach is, which is defined to be identical to what's in section 93. So that's chapter 93. Excuse me. So data breach is defined exactly the same way as take a lot. Then there are two other definitions, confidential information and personally identifiable information. And the key distinction between the terms is that personally identifiable information is sort of traditional core privacy information, including under state law that includes that allows someone to identify a person. Confidential information goes beyond that and includes, among other things, sports information related to sports wager account, the placement of wagers, really what the way I've been thinking about is what a patron does on a particular platform or at a sports book. It is not just the personally identifiable information name, birth, etc. The substantive sections of the regulation then start into data use and retention section two, which includes a couple of broad statements about what data can and cannot be used for. The can largely consists of anything that has to do with operating a sports book or including, thanks to some helpful comments from operators through the process, the ability to respond to subpoenas to anticipate and have alerts for red flags or problem behavior on a platform fraudulent behavior, etc., to debug and identify errors, really a broad swath.
The prohibited activities start in section three, 2507023, and the key phrase here is that a sports wager reads a sports wagering operator may not use a patron's personally identifiable information or confidential information or any information derived from it to promote or encourage specific wagers or promotional offers based on and it has a set of criteria and these are the sort of prohibitions based on behavior on the due to dormancy, the use of responsible gaming cannot be used to then promote wagers. That's how that's phrased, etc. There's also within this section provisions regarding how retention is of data should be carried out there. We received comments sort of on both ends regarding the proposal to have an opt in proposal. So something where someone has to allow the use of data. This is, in large part, we know this is something that European markets have followed, although we acknowledge there is some of this may be new to some of you. So this is one of the things we're, I think, eager to hear about as Madam Chair's prompts will show. 250703 and I am flying through these so of course if there are questions as we go that are helpful for us to address we can do that has to do with data sharing where data can be shared with third parties and effectively at a very high level, a lot of the this is intended to mirror 250702 to say, we understand businesses require sharing data with vendors and others. When you do that, it's holding them to the same standards that you're going to hold for yourselves with what you do with your data. And including understanding what their policies and security policies are internal. 250704 relates to patron access. This is a covers and methods of transparency to understand for patrons to understand what is happening with their data.
Importantly, we have, again, thanks to both helpful input from folks at the Attorney General's office and at the operators during the comment period, made some tweaks from the original draft comments that a lot of you probably have seen saw before the final to make sure that there are ways for operators to say that when they cannot meet a patron request for security reasons or otherwise or to not even have to say that you don't necessarily have to, for instance, dispose of data that a patron might say I no longer want you to hold my data, because there may be reasons to hold the data for other legitimate purposes of the enterprise. 250705 requires a program, a data program, sort of to capture all of this and make sure it's happening. It's akin to a lot of the internal controls processes that the regulations are only as good as what you're able to implement internally. For your processes. And then finally 250706 is intended to cover data breaches. An important note about this is there is some immediate notification to the commission required to allow coordination and investigations. However, there is no intent and there's actually tries, we tried to make this very clear to supersede or create any conflict with other data breach notification protocols you might have under applicable state or federal laws. And that's today for current laws as well as something we're keeping an eye on, of course, is to the extent the Commonwealth or the federal government develops other federal laws. Those will either supersede this or the good news is done by regulation. We would certainly recommend revisiting all of this in that instance to make sure we're staying consistent with state law. So Madam Chair, that's a very quick sprint through the regulation, but if there's questions, I'm happy to take them now or otherwise I will be listening intently like everyone else. Thank you, Mina. Thank you, Caitlin. Thank you to the entire legal team.
I don't stress an instrumental role as we stand up this new industry here in Massachusetts. I know you thought that watching this team at hard work so good time for us to express our appreciation. So, at this point in time I think it's important for us to do our introductions I decided to go on a little bit off agenda so that we would move right into our conversation with our name tags on. So, I think what I'll do is I'll start with the operator representatives and again we very much appreciate the interest and the willingness to appear today. She's does things in public, and we are always appreciative of the cooperation we received from all of you. So, I'll say the names and lean in and if you want to say a couple of words about your role and we'd love that so everybody gets to know each other attack. Okay, Alexis Coco. Hi. Thank you. My name is Alexis Coco. I am the associate general counsel handling privacy and product at BetMGM. Nice to meet you and thank you for having. Thank you. Jackie Crumb. Good morning, Jackie. Good morning, Madam Chair and commissioners. I'm Jackie Crumb. I'm the senior vice president and general counsel for Encore Boston Harbor. Thank you. Good morning, Corey Fox. Good morning, Madam Chair and commissioners, Corey Fox vice president for product and new market compliance at FanDuel. I've been at FanDuel for eight years and I've been involved in every step of the way of launching sports wagering for FanDuel in Massachusetts. We thank you very much for taking the time to explore this issue more deeply this morning. Thank you. Good morning, Madam Chair and commissioners. Thank you for having us. I'm head of gaming at Betr, where I oversee product engineering and operations. Nice to see you. David Prestwood. Good morning. Good morning. My name is David Prestwood. I am the government affairs manager at DraftKings. I have with me a colleague who can fill in the gaps that I can't fill in Dan. Can you introduce yourself.
Yeah, sure. Good morning, everyone. Dan Keysack VP of engineering at DraftKings. And I'm here to share any technical details that might be relevant to the conversation. Excellent. Thank you. And David, just so you know, your audio is a little off, but we can understand you. It's just a tad. I don't know if that can be corrected. Next we have one. Hi, Leo one VP legal intellectual property and privacy at Penn Entertainment. So, Leo, do you want to have your video off? Technical issues. I'm having a little bit of an issue with my camera this morning. Okay, I don't know if we have a trick for him, but I'll leave that to folks if you want to wait on our team to weigh in as we do these introductions. Good morning, Leo. And Dan Miller, it is nice to see you today. Good morning. Thank you, lady chair and fellow commissioners. Good to see you too. And you are. I apologize. We do this so frequently. Daniel Miller, MGM, Springfield compliance director. Thank you. And Jennifer Roberts. Good morning. Good morning, Madam Chair, members of the commission, Jennifer Roberts, vice president and general counsel of WynnBET. I'm also joined by my colleague who will introduce herself. Sarah Partita. She's the chief technology and privacy counsel for Wynn Resorts. Good morning. There you are. Hi, Sarah Partita as Jennifer mentioned with Wynn Resorts I'm chief privacy and technology counsel. Good morning, Sarah. Okay, and then we have Chris Miller. Good morning, Madam Chair and commissioners. I am also having some technical difficulty with my webcam, but I did put on a suit today. So I definitely want to be on camera. I am Chris Willard VP and chief corporate counsel for marketing and privacy. Okay, and we're going to turn to those tips and just a second because I don't want a good suit wasted. And Chris Charbel. Good morning. That's right. Good morning, Madam Chair and commissioners. My name is Chris Charbel. I am associate general counsel here at Fanatics.
And I support Fanatics Betting and Gaming. The sports book as well as the rest of the Fanatics enterprise. Okay. Any tips for Leo and Chris Grace or Dave or Mills. How they could maybe get their cameras going. Any thoughts. Down in the left hand corner of your screen where the mute and stop and start video button is. There's a little arrow in the video. In the video icon that would open your video settings. That would be the place to fix any issues if there were any to select the appropriate camera. Okay. I don't know if I would like to fix it would be in there. Otherwise, sometimes a good old fashioned exit and rejoin tends to work. Yeah, but I'm going to try the exit and rejoin. We'll see you in a bit. Okay. All right, then we're going to move on to our other guests. Those are all the representatives from our operators. And again, thank you. Good morning, general's office representative. Good morning, Jared. Good morning, chair. Good morning commissioners. My name is Jared Reinhimer. I'm the chief of the data privacy and security vision division, excuse me at the AG's office. I do, I'm a lawyer, we do civil law enforcement work around data breaches and also just around privacy generally. Yeah, that's me. Thanks. And thank you to you and your colleagues for your good contributions. I'm on the way both with respect to the advertising regulation and in particular this one. And then we're turning to our technical experts who kind of served us so well as we went through standing up the sports wagering industry, the GLI folks. Good morning, Joe. It's been a while. Do I see him? I don't hear him. Can you hear me now? I can hear you. I am vice president, Joseph Bonham, vice president of government regulatory affairs for GLI. I oversee the regulatory advisory and relationship team. I have with me, Mark Robertson. Do you want to do yourself, Mark? Oh, yeah, Mark Robertson, senior gaming technical advisor. Happy to be of assistance. Good morning, Mark. Thank you.
And thank you, Joe. These gentlemen are very much aware of the technical requirements and there are questions about implementation. So we really appreciate your sharing your expertise today. And then finally, we have a responsible gaming expert. And that's Dr. Michael Wall, who has been advising us along the way and works on research projects with us. Dr. Wall there, please. Good morning, Madam Chair and commissioners. Michael Wall, a professor of psychology. I'm joining you from Carleton University in Ottawa, Canada. I've been doing research on the students and consequences of gambling with a specific focus on responsible gambling for the past 25 years. Thank you for allowing me to join you today. Thank you. And this is why virtual works really well. You didn't have to jump on a plane to get to us as well as many of you. So thank you. So commissioners, you know, this is going to be a conversation, but again, we should really feel comfortable following up at any point in time with a question that you might have. It just makes sense to ask that right then and lean in. And I'm just going to ask also the four of you can help me navigate the conversation because I'm looking at a lot of squares and they'll be leaning in and folks might decide to use the icons. So that's okay to you don't have to be you are Leo. That work and then now we just got to find out if it works for us. It did. I am here. There you are and that rebooting always works. Yeah. And we see the suit. So it feels good. All right. Great. So it's definitely more of a navigation now. So we're going to turn to are definitely a more of a conversation in conference room. So now I'm going to navigate by starting with a prompt. And I want to thank Commissioner Maynard. He worked with me and the certain members of the team, as we thought about these prompts and we'll help with the conversation. So I'm going to start really at the high level.
This please detail the specific requirements of the Commission's regulation, not currently imposed in other jurisdictions that present challenges. Those of you who work in other jurisdictions, why don't you help us understand those outliers? Who wants to go first? So. Madam Chair, again, I'm David Prestwood. I'm here in my role as government affairs manager at DraftKings. When as we were looking at these prompts last Friday and after some pre meeting consultation with director band and staff. Several of the operators gathered together and thought that it would probably be helpful if we could do a brief presentation on some of these issues in the form of a deck just to kind of set what the current landscape is. Talk a little bit about our compliance processes and then what some of the timelines and implementation challenges here would be because these are such highly technical issues. And we'd like to start by responding to this prompt. If that's okay, I can share my screen. My colleagues Alexis Coco from BetMGM, Corey Fox from FanDuel can take part in this presentation and then, you know, you can feel free to interrupt with questions. But I think that framing it in a kind of here's where we are. Here's what we're going here's an overview of the challenges would probably be helpful. Okay, let's see how it goes. All right, let's see if I can share my screen first of all. Of course, just so you know, I won't be able to see faces now so those of you who want to weigh in. I guess David, it sounds like you're going to lead but if other folks want to chime in. I really do encourage other voices. So thank you. Yeah, and absolutely I'm not trying to make this a one person or one operator show. So, yeah. These are the five areas I mentioned we kind of want to talk about I'll respond to your first prompt with a first slide which is what the existing landscape is. So as you may know the California Consumer Privacy Act was the first comprehensive data privacy law in the US.
It was passed in 2018 and became effective in 2020. And that spawned many additional comprehensive state laws and CCPA and those laws have a number of key things in common. They permit the processing of personally identifiable information based on consumers consenting to a privacy policy. They afford consumers the right to opt out of having their data sold or shared to third parties for non required purposes. And what that means is when the third party has some independent commercial purpose for that data. They also afford consumers rights to access or delete their data or generally to correct errors in that data. They also require businesses to employ reasonable security measures without generally setting a particular standard. And they obligate businesses to then conduct privacy assessments of their data processing practices. And finally these apply to all industries only exempting say businesses under a certain size or those where for which data is already covered by another regime. So for example HIPAA for certain medical data would supersede those laws. And so to talk about your prompt a little bit let's talk about some of the unique requirements of 257. The first is it flips the way consent operates potentially requiring patrons to opt into each individual use of data that is not required to operate the wagering platform or comply with the law. During the original meeting in which these were adopted Commissioner Skinner asked a question about what other jurisdictions are opt out as opposed to opt in. And the basic answer is that every jurisdiction in the U.S. that has dealt with these issues has an opt out regime. So this is something that is entirely new for domestic U.S. operators. The regulations impose blanket prohibitions on using certain personal information for promotional and analytics purposes including things like period of dormancy which you see across business lines across all businesses.
Critically it doesn't allow critical data sharing with third party vendors even when consent is obtained by an operator. So at present anything that is not required to operate the platform or comply with the law may require this opt in consent specific to each business purpose under the regs. What the regs don't appear to do is permit sharing of that data with third party service providers even when we get consent to process information for those purposes. If it is not a required purpose or comply required to comply with the law. And the result of that is it makes it practically infeasible to conduct a lot of legitimate business practices like marketing analytics and consumer outreach because vendors are needed to conduct all of those services. This requires consumers to opt in to myriad individual uses of data one by one. And it also provides that all of those are revocable and no other privacy law does this with respect to so many legitimate internal business uses. So the potential result is every individual customer could have its own menu of acceptable uses for their data and that would be extraordinarily difficult to implement. 257 also requires operators to encrypt or thanks to amendment hash and protect all PII including by multi-factor authentication. No existing law does this and really for good reason is that many types of PII just do not present the kind of heightened risk to the rights and freedoms of individuals even if they were improperly accessed or disclosed. I'm talking about things like IP address or device ID or mobile advertising ID. There's nothing anybody could really do with that information even if they accessed it. And so this is why state breach notification laws including the 93H in Massachusetts focus only on sensitive PII like government issued identifiers or payment card from financial information might be count numbers. Beyond that encryption in many cases is impossible. 
For example, how do you encrypt something like a public username? And this is why other privacy regimes have exceptions for things like publicly available information, which is a present here. So that's a unique challenge. You know, as you know, this applies to a single industry and requires that that industry go it alone. When CCPA was passed to apply to all industries and one of the benefits of that was that there was incentive for third parties to develop tools that were designed to streamline compliance and assist businesses in managing data in a compliant manner. Because this applies to, you know, eight to 10 companies, no such tools exist. And so as we build processes, we're kind of all of our on our own process, which can lengthen the compliance timeline. And finally, there's no clear timeline for compliance here. I think one of the reasons that CCPA was relatively manageable for companies and that's probably an exaggeration. It was actually very difficult to get off the ground. But one reason is that it was relatively so is that it built in a multi-year approach with clear timelines for implementation. And so before we move on from this and get into questions, I mean, this seems pretty daunting and I want to highlight where I think to date there's been a disconnect between operators and the commission. It's not that we disagree on the importance of data privacy or certainly of RG. It just has felt like we aren't speaking the same language. When we talk about these things and we talk about how 257 is unique or unprecedented, I think the commission has taken that to mean that the strength of consumer protections are unprecedented. And what we're intending to communicate is that that's not the case. 257 is data machines that doesn't necessarily make it stronger. So all concerns are that it is in many cases more invasive and it's challenging to implement in part because it has all of these unique components.
It's not an extension of any existing legal framework in the US. And so we want to talk about those implementation challenges today. At the same time, I think a lot of these things could be managed if the commission was open to revisiting parts of the regulations. And I'm not talking about striking the whole section. I mean, I think the commission has been clear that you don't want to go that route. But revisions here really are much needed. And operators are broadly in agreement that the process to date has not, I think, represented the seriousness of some of these concerns and how challenging this actually is practically to implement. I mean, I think after watching the meeting where 257 was adopted. There was a consensus among operators that our written comments were not really deeply evaluated. I think a lot of them were highly technical and drafted by teams that included experts on data privacy regimes, including many of the folks on this call. And there was not a significant amount of discussion on a lot of those comments. I think several comments were disregarded entirely and they weren't even mentioned in the meeting. And so without that detailed analysis of these concerns, I think that showed up in that meeting. You know, commissioners said, well, there's only really one operator that's concerned about this. And that wasn't true. I mean, there were comments from many operators or acknowledged that the commission wasn't quite sure how long compliance would take. Despite comments that, you know, operators kind of formally said this is probably multi-year process. And then the regulations were adopted despite that uncertain landscape. And so in addition to talking about the implementation challenges, we want to highlight that we think there are ways to accomplish your goals that are cleaner and clearer and easier to implement. For the concerns that are specifically data privacy, if that's a concern, that's great.
I mean, we are very good at protecting consumer data and we would love to share that expertise in really focusing on how to protect consumer data. I think a lot of the concern represented here is responsible gaming and that's also great. You know, we've worked with the commission on adopting all kinds of regulations on advertising and marketing and R&P. And so there may be ways to focus these on responsible gaming that still allows for these regular business functions. I think we've got plenty of time to make some changes to the regulations, tweaks here and there to provide clarity and support for operators while meeting the commission's goals. And again, I'm not talking about starting over, but talking about making clarifications. I think, you know, the turnout here indicates that we have a lot of questions we want answered, but we're really ready to work with you. And we hope that we can work together to make these kind of make sense for everyone. I don't know if there are questions about this and other operators can jump in. But I'd like to turn it over to Alexis from BetMGM to talk about how product change actually works as we look to implement. I'm going to ask this question, David, do you intend to show another slide or is this your only slide? We have a few more slides just to outline Alexis for presentation. So commissioners, why don't we pause here? Could you just take this PowerPoint down for a second? And I'm happy to share this as well. Yeah, we'll go back if you're going to go to page two. So David has given a presentation that shows the outliers and then I think that we're going to move next to that MGM. I'd like to hear from others in terms of what's been presented and then I do want to hear from the other stakeholders as to what has been presented thus far. And that includes I suspect our legal team. You know, there was some, you know, we do pride ourselves on having rigorous discussions.
And perhaps, as David pointed out, there were times when we should have asked more questions. So maybe, you know, this is a good time for us to pause and think about that as well. Commissioners that particular questions you have, and then turn to our participants for any input. Okay. Yes. Go ahead, Alex. Thank you for the opportunity. While I haven't contributed to the presentation, I totally agree with it. I had the opportunity to work with, for example, with Corey and launching so many jurisdictions at my time at FanDuel. And then what I would say a couple of layers that we've seen through the process and I watched all the sessions on YouTube. So I kind of enjoyed it. So I, as it was said, I think a lot of the comments were not presented and I think missed the substance. Sometimes it was like, some of the comments were like, well, some operators expressed concerns about this without giving the details on the concern. But we still think it should remain as is presented in the regulation. So it was, I would say, maybe it's unfair for me to say but a bit impartial from not like providing the full picture of the operator. And the second thing is, I think the speed as we're moving with the new regulations. Again, I think GLI is here and can attest because I think they are overseeing regulations and testing and I would say almost all jurisdictions except a couple. The moment you go from discussing to actually promulgating and being in effect, it takes like some between months and years depending on the complexity. In this situation, we've been put into a process where regulations were presented and adopted through the emergency process. And even if, let's say, there were some comments accepted, it was really hard to comply in such a short time. I think there are other jurisdictions where changes to the regulations happen and it's perfectly normal as things evolve, but takes, I'd say, months until they are put into effect.
And I think that's one of the biggest challenges we're facing, as was presented here. I just want to turn to Attorney Reinhimer, or do you want to weigh in at this point. Sure. Thank you. I think I am certain that there are going to be technical challenges and implementing some parts of this regulation. And I think that's totally understandable. I think with respect to the. There are a few points that were brought up that I want to just present some perspective on. So, first is the consent mechanism. I think opt in consent is something that is being used broadly in Europe currently under the GDPR. And it's my understanding that a lot of those consent mechanisms were intended to be adopted in this particular regulation. The principle I think behind that is sort of a pretty what I would say is common sense one if you want to use someone's information, you ask them first, and that seems like a reasonable approach. I'm sure that there are technical challenges to some of those particular types of consent, but I don't know if changing the consent mechanism is the appropriate way to address that issue. I think the other thing that I think is worth distinguishing here is there's a concept of data privacy versus data security. Data security. Very important. It is, you know, the methods that companies take to prevent themselves essentially from suffering from security breaches, right? So chapter 93H in Massachusetts, and there's plenty of other analogs in other states require notifications in the instance of a security breach, right? The primary harm that those statutes were intended to protect against are things like identity theft, people losing money, people having difficulty obtaining access to credit because somebody else may have opened a credit account in their name. And so those laws are really directed at financial account information, social security numbers, and that sort of personal information.
So Chapter 93H, which is a law that our office enforces regularly, along with data security regulations that are in place from the Office of Consumer Affairs, those are largely directed towards those financial type harms. Data privacy, on the other hand, is sort of a different focus, I think. Data privacy is really about respecting the consumer's right to control how their information is used. I see this regulation tackling both of those issues, but I noticed that there is a lot in here that is very important with respect to data privacy. And we think it is important, especially in the context of this industry, which is new, and it's very data dependent. So with respect to the timeline for getting things done, I think a lot of the operators have pointed out that there are laws already in place. And so I don't think it will require as much of a head start as the, say, when the CCPA was implemented, because that has already been put in place. And so there are systems designed to deal with that, but also the, I mentioned the GDPR before, and I think at least some of the operators already operate in Europe, and so are familiar with that. And I think we'll be able to adjust based on that. Of course, I don't see within the operator systems. I don't know exactly all the technical challenges that are going on, but I really would be interested in hearing more about what the specific challenges are here. I think the one that jumped out at me in particular was David had mentioned that they can't share with third party service providers, even with consent of the patron. And I was just curious what specific sharing that encompassed because it seemed to me that the permission to use information to operate the sports betting platform would cover things that are needed there. So those are my initial thoughts, but I'm sure I'll have more in a little bit. Thanks. And we'll be building into implementation challenges and more detail. 
I'm going to turn to Alex for response and then go back to David and unless somebody else times and I just looking at people leaning in Alex. GDPR is brought up a lot and I'm not sure how many folks on this call had the opportunity to work on that. I actually had the opportunity to work. Before joining FanDuel I worked at Betfair for Flutter many years and I was actually part of the team that implemented the GDPR changes across multiple brands. For context, there were 25 months between promulgation and going into effect for GDPR. And it went like the amount of work that went there was thousands of people across entire organization because you have to do a first of all an audit of all data and how it's managed, data governance, and then how we implement that, so it's been like about 12 months of just understanding planning before actually real work has been done. And again, some things already done for the US platforms, but I'm not sure how many operators are using the European platforms in the US. I think that's a big nuance that we need to look at. It's easy to compare with GDPR, but again there were 25 months from promulgation to implementation in Europe. That was one thing that I wanted to point out. Alex, I'm just going to piggyback to say GDPR was also a document that was worked on over the course of several years. I think it was like a four year development process as opposed to several months that we've had here so there was a lot of notice even ahead of that 25 month implementation timeline. Okay, anybody else want to weigh in at this point. Okay, Mina. Madam Chair, if it's appropriate. I don't want to go too far back and forth but a couple of things were said during the presentation. I just want to make sure clear so that when you do talk about implementation, we're not, you know, and if the, we're not talking about requirements that aren't there in the reg itself, and I'll leave aside the comment about the comments. I think, well actually I won't. 
Let me address that real quick. There are about 30 pages of comments that were included in the commission's packet. We did go through them. We did go through each one of them. I will note that the very first comment, this isn't for several operators, I hate to pick on it, but it was the first one on here, requested that this reg be struck altogether. Several operators had asked for that. There were some more detailed comments. We did make some changes based on some of those detailed comments, but I respectfully disagree with the implication that the team at the commission didn't go through them. That being said, I think it's important that the operators identify which particular language they are dealing with because we want to understand what is hard. But we also want to make sure that folks are not creating challenges for themselves that the commission's not asking them to create in these regs. For instance, on the data sharing. In very broad terms says that a sports wagering operator shall not share patrons' confidential information or personal identity information with a third party except as necessary to operate a sports wagering area, sports wagering facility or platform. That goes beyond what's legally required. That is what you need to do to run your business. And that was, and thanks to helpful comments from WynnBET, we broadened it to include some additional legal requirements so that there would not be a question if an entity found itself in litigation or subject to a subpoena that they needed that. It's far from saying you cannot share with third parties. And so I would just ask that we try to focus on the language that's there, not the language that we're worried could be there. And if the language isn't clear enough, I think it would be helpful for the legal team's perspective to hear what edits would be suggested for them. 
I hope we get a little latitude today, Mina, to, you know, I think everybody's going to focus on the language that's there, but this is something that you're pointing to as a fair question. And I think it was one I was going to ask, what third parties are we talking about, right? Are they outside of their own sports wagering? And I think then that begs the question that we're going to get to, which is, why is that important in the industry? But Mina, go back ahead. And if I can just take one other point so I don't have to keep interjecting. The other question, and I guess just one thing I didn't bring up in the, maybe as clearly as I wanted to in the introduction, and I just want to make sure we're understanding in terms of the question of the timeline piece. Because we understand the timeline, you know, we're asking for something to be done, as the commission's asking for something to be done. The commission is also asking for policies to be put in place to make sure things aren't done. And I just, I wasn't sure if that was clear in the presentation that some of these things are not a matter of setting up new measures. And Attorney Reinhimer kind of got at this. They are also asking what is in place to make sure data breaches are prevented and data is not misused or used in ways that aren't allowed. And that's, I think that's just a different category. Thank you. Okay, I'll turn to Alexis. Good morning again. Good morning. Thank you again. I just wanted to build a little bit on what's been said and clarify. We are here today to have this conversation to understand what the commission believes to be necessary. So one of the suggestions that we had made was something that was reasonably necessary. Many of us are lawyers, we're used to parsing regulations, and may get a little, who is it necessary to do a promotion? Is it necessary to do marketing? I was happy to hear that Mina said, well, what's necessary to run your business? 
Because I think a lot of things are necessary to run our business. But it's very difficult when the language is necessary for food. It's necessary that you have vitamins and some nutrients. Is it necessary to have coffee? I agree it's necessary to have coffee every morning. If I don't have coffee, it's not going to be a great day. But is it really necessary for a human to function? It's trying to understand what you want so that we can provide guidance to our product teams so that we can run the regulations. And because we haven't had a ton of back and forth on this with you, that's why we always ask for this round table and why we all appreciate the time that you're giving to us here. Okay, very helpful. I think I'll turn back to David who needs to speak in order to pop up on my screen. There you are. So, and I don't know, I think you might have planned on going to Alexis Max if I remember correctly, but you have a second slide. I want to be clear when I talk about what happened at the initial meeting. It's not a dig at outside counsel or MGC staff or anyone, you know, I'm not saying that the regulations weren't reviewed. I think in watching the meeting, it seems like in the meeting, the commission wasn't maybe presented with the analysis that those folks went through. And that I know is a function of Massachusetts and that you are required to do open meetings. And I think that because of that, a process in which maybe it took several meetings to kind of get into more granular detail is something that the operators would have preferred. You know, I'm not saying people didn't do their jobs. I'm just saying, I think it's hard when you're talking about such highly technical issues to present all of that information that the commission may need. And so that's one of the things that we want to do now and do going forward. But the reality is because the regulations are already in effect, you know, there's a waiver process to do that. 
David, and I appreciate your clarification. I did hear you say it that way that it was more on the commission's engagement and asking a question versus the team's. The team did its work. So thank you. Well, and all that we as operators are able to see is what happens to the public meeting and I watch every single one. So, you know, that I definitely, you know, that's what we can take. I want to talk about briefly when I talk about, for example, the third party issue in 250702, it has this language about you can only use confidential information as necessary to operate or to comply with law. And then 250702 says if an operator wants to go outside of that, then they have to get opt-in consent. And that first one is mirrored in 250703 about data sharing. It says you cannot share except for as necessary to operate or, you know, to comply with applicable law. But there's no mirror of that second point that says if you choose to use it for something else and someone has opted in, then you're allowed to share. And so that's what we're talking about where, you know, I think that's a simple clarification. My assumption is what the commission intends is for, if an individual opts in to an operator using their data in a different way, that that operator can then share with third parties specifically for the purpose of using the data in that particular way. It's just not present in the regulations. And so those are the kind of clarifications that we're talking about because right now there's just a hard stop on even information that patrons have opted into allowing you some. And again, I don't think that's an intentional thing, but it's something that based on the way our businesses work where we do use third party vendors for a lot of these things that patrons would opt into. You know, and they keep that data tight and, you know, we follow the requirements here, you know, that they would have to follow the same data security concerns. It's just on the privacy front. 
It would in order to follow up on the opted in use that the patron has chosen, you would have to share that data with third parties and under the regulations as written couldn't do that. So that's an example of one of these kind of technical things that we're talking about where. Again, I don't think it's intentional, but we need to change to actually operate. That makes sense. Here, I have a question. Thank you. David, when you say opted into. Don't you mean haven't opted out of, because there is no opt-in in any other jurisdiction, I think we've confirmed that or you've confirmed that earlier. Yeah, I mean under these regulations specifically where if we set up a process in which a patron needs to opt in for a particular service, whatever that may be. In order to actually use that service, we may have to share their data with a third party provider. So one of our vendors, for example. But the regulations here don't give us the opportunity to do that, because those things aren't necessary to operate a sportsbook or aren't necessary to comply with the law. Even if they've opted in, we would need language in the data sharing is as hey, if they've opted into this, you can effect the thing that the patron has asked for by using your third party. So I think my next question has been alluded to a couple of times. What vendors. Would you be sharing this data with what vendors that aren't necessary to your business operation. Would you be sharing this data with. If you could give us give examples, right? I'm looking for examples. Yeah, practicality. Thank you, Commissioner Skinner. And I also add to that question, which is, you know, you can put them in buckets, right, which is what are ones you would see easily fitting into this regulation. And one of the ones you're thinking wouldn't. Well, I'm happy to take thoughts from other operators on this. 
I don't want to, you know, monopolize this, but let me say, for example, let's say hypothetically a patron opts in to receiving physical mail. From a sportsbook. Unless the regulations would not permit us to share that personally identifiable information, for example, name and address with a third party vendor that prints address labels under the regulations. If we wanted to do it, we would have to print everything in house. Yeah, there are also, I think, rewards programs that exist where patrons would like to use the rewards points that they may have gotten through us to with other partners to cash in for hotel rooms or to cash in for sort of other physical rewards where we would typically provide them with, you know, they would know that they are going to a Marriott using their rewards for a Marriott, but then we would have to communicate with Marriott that they have these rewards. So what we typically try to do is provide them with that information before they connect accounts or before we send the information to the third party. But without, I would say it's really necessary to our business model. But is it necessary to operating a sports wagering platform? It's, this is the type of thing that I want to make sure we are doing correctly. And as long as we get clear and conspicuous consent, which I think you've built in to the regulation into the first part of the regulation. If that would be mirrored in the sharing part of the regulation that clear consent would be permitted for those types of third parties where they become they do have a little more control over the data that we share. I think that's what we are potentially hoping for as a group is both the making sure that necessary means includes vendor includes printing vendors and software providers. That we use to run our business sort of on a general, you would think, oh, of course you have a printing provider. 
We're not printing things, printing postcards and handwriting them in-house, right? We're not doing all of those things. We use the third party for printing. We can share in those ways as long as there's a contract that protects the sharing. But then there's also some sharing that we would make sure is specifically opted in when it's not a necessary type of sharing. So that's in my, that's how I see the distinctions that maybe we would want to make sure we cover and that we're not running afoul of what your hopes are for this regulation. Thank you. Commissioner Skinner, do you want a few more examples? Commissioner Maynard, another bucket? I'm good, Chair. That was very helpful. Thank you. Thank you. Commissioner Maynard. Oh, just ask the legal team. It was contemplated, right, that if a patron opted in to direct mail, what's the example? That they could actually share that with a third party vendor. That was a necessary operation to then get the mail out, correct? Yeah, so if I may, Madam Chair, to Commissioner Maynard's question, yes, I think that was contemplated. I can see a potential tweak to make that clearer. So it was helpful to get that kind of particular example. I think what is a policy question for the commission that we don't need to weigh in on right now is the reason that there wasn't a mirrored language that consent for sharing with third parties in the sense of other advertising partners, which is common in some industries, we know, right, that if you share with an airline, they will sell it to a credit card company or somebody else. That is a different policy question than necessary to get the job done that was opted into, which I think is already contemplated, but certainly could be clarified. Those would be the other examples that might be a further stretch, right? And so I think that would be helpful. 
The couple that showed, I think, tweaking is easy, but if we really do need to press further, I think I need some more examples that might be harder for you to share with us, Corey. One other example I just wanted to point out was much of our marketing apparatus, which includes our customer relations management. In other words, the emails and messages that we use to communicate promotions to our customers is driven from third party software as a service vendors. So we are in a sense sharing information with those vendors. I think I hear Mina's comments to mean, so long as the underlying activities are permissible, that it is necessary to operate the business and we would be able to do that sharing, but that that is the kind of vendor that was particularly alarming for us that we would potentially not be able to share information. Alexis. I agree with my colleagues here. I think I might be presenting the next slide. So I'm not sure if it's me, but it's certainly want to make sure everyone has. This is going to shed light on it. This is, I think I hear Mina as saying it's a policy discussion but I think all of us might benefit from, you know, that spectrum. Because, and the impact as we move along a different third party vendor that you know we're not hearing about so this is the opportunity, but we can go to that slide of commissioners unless you want to help me play in on that particular issue right now. Madam Chair, before we move on, could I just ask Mina to remind me the timeline on this reg? When was it proposed? When was the open comment period? Where do we stand now with the waiver? And I'll ask Caitlin to back me up in case I have the dates wrong. I believe proposed the draft was discussed in June. I want to say it was voted on the public comment period thereafter through July. The comments were received towards the second half of July. The public meeting was on the eighth. 
When they were approved with contemplation of this roundtable being part of that. And then there was a waiver voted in, they wouldn't have taken effect until end of August early September. There was a waiver right before when that would have happened that gave about a 60 day window which is what we're in. I can add a couple. Apologies chair. I was just going to add a couple of dates. So the commission first saw this reg on June 1 as Mina said. And then there was basically a two month comment period before it came back for a second review and vote on August 8. And then it was in effect September one and then it was in effect September one. Yes, with a waiver, with a waiver. Waiver now extends to, I believe, November 17. Commissioner Bryan, is that helpful? Yeah. Yeah. Thank you. Okay. Do you have anything you want to ask about the third party vendor question now? Are you all set? No, I mean, it to be honest strikes me that it's not the sky is falling so much as clarity that needs to be sought in terms of the language. I thought it was more in line with what Mina said, which is it was necessary to, you know, to run the process of making sure that that's finessed so that everyone's on the same page about what an opt in allows the operator to do. I want to make sure that we understand from today's discussions on the operators, what you do is as so core to your business that we might not understand if so, you know, so far the examples I'm hearing are very understandable as probably what we imagined. But I'm wondering if there's some example that's out there that you really want to be able to work with. I haven't given it to us. It's a little bit more of a stretch. I mean, is it to, you know, for credit, or is it something that raises the issue around data sharing that is pushing the envelope. A lot of discussions that are going around, you know, United States and the globe. So this is just an opportunity for that clarity as well. Okay. 
Yeah, so I, since the Commission's cognitive abilities come up on what we understood and didn't understand, I want to be clear, I'll just make a statement and then it can be responded. I am glad that Mina clarified that we can get a little more language in there to talk about mailings, for example. And I did think that that was a permissible activity to share that information. But let me give another example. I didn't think a car manufacturer. I thought if an operator was going to sell data to a car manufacturer, right, that that patron should know that and have to agree to that before it was sold. Right. I'll just give an example or a watch maker or a clothing company or what have you, right? Airline as Mina said earlier. I think that the patron should know and I was very cognitive of that when I took my votes and was reading the regulation. So I'll throw that out there as an example of two extremes. I thought that the company that mails it, mails the mailer should be able to do their job. But I thought that, you know, if Lexus wanted to hold up this information, the consumer should know that Lexus wanted this information. I think some laws talk about reasonably anticipated uses. So that would cover that's different than necessarily sort of that's our I think that may be the issue is what's reasonably anticipated for a sports wagering platform operation to run. People understand that they're going to expect mail, they understand, you know, certain usage, you would understand certain uses, Commissioner Maynard, versus, you know, we're not general data brokers, we're not trying to, we're not selling on data for Lexus so they can sell new cars, we really want to operate our platforms to the most efficient way. So these I think we're essentially on this is just the law reflects the regulation reflects all of these things that we're discussing which is really helpful for me. Good. I think David and then Alex. 
I just want to second that, I agree that that's right. When I was talking about what one of the things that the CCPA does for example, where it allows consumers to opt out. It's opting out of data that is sold or shared to third parties for non required purposes specifically if that third party has their own independent commercial purpose for the data. For example, if one of us that we're going to sell your information to Lexus. That's the kind of thing that's contemplated by these opt out regimes where it says, you know, they have their own independent purpose that's not performing a function of DraftKings or FanDuel, that's Lexus wants to send you a mailer to sell your car. And so that's a little different than the language that's here where it's talking about not selling data, but sharing data for operating the actual platform. Okay, Alex. Thank you. Yeah, thank you again and thanks Mina for the clarification I think that helps. I would say a lot. I think I have a few examples in mind that we could maybe just discuss and will help us maybe set a broader understanding or where we are. And then for example, a lot of the operators here will share specific information, relevant information with third party providers that provide them responsible gaming services to understand the behavior. We just assumed then we don't need an opt in for that because that is actually allowing us to operate the business, that's an assumption I made after the clarification you presented. Is that assumption correct or wrong? Commissioners I think we would all agree right. That's great. 
And then another example maybe on the other side, from an advertising perspective we have our market marketing colleagues who are building up audiences and while they're not sharing the data they are, sorry, not selling the data, they could share the platforms like Meta or Snapchat or TikTok basically to build audiences to advertise to other potential consumers. Basically does that include operating your sportsbook business because you just advertise potential consumers based on your existing audiences without actually selling the data. I think we're getting into a realm where, for me, that would require a broader discussion. I mean because I'm going to start expressing opinions that I think are probably better left for the five of us having written wording and written examples and some of us because to me, you're crossing into a sphere of not necessary for the business potentially so I think that's a very different question than executing a mandated RG functions. I totally agree that but I appreciate your feedback and but I wanted to kind of give a few considerations so you can think about it so it there's like the two extremes maybe I call that's why I call them like the RG. Angle of it and then the I would say the marketing angle and like that's where I think a lot of everyone is looking for clarity because if it's not like more clear. It's easy for us to, you know, basically be in a breach of compliance maybe without actually wanting to do that so definitely that's not something anyone is looking. Commissioner Bryan if you allow me because I actually did was really helpful for me because we that really does show kind of the two ends of the spectrum. I wouldn't have a policy discussion I do believe it would be reserved for the five of us right outside of this roundtable. I'd love to have the follow up question. If Alex's example that he just gave is one that's really a top of mind. This is the. 
Where is it my in terms of an impediment for you to be successful in running a business. I mean I think I wanted, I need to understand that better. So I have a follow up to that follow up to know that doesn't mean Commissioner Bryan's don't read into my. No, not at all I just know it's like I need something right springboard off of that so okay great thank you. And I know this can be uncomfortable because we're in public and I also am very mindful of the fact that there, you know, there could be business implications so if I'm asking a question not couple asking that's okay chip will just move on answering. I can talk about my broad general experience because we're in a public forum I don't want to. Specifically about an MGM counsel to a number of companies and worked at another company in house. I think our marketing teams every marketing team I've ever talked to has talked about targeted advertising as being necessary to run a business I think other industries targeted advertising and that's really what we're talking about here. Other industries targeted advertising and in order to be efficient. I think it would be. Unlikely that I think it's likely that all of our marketing teams or to product teams would say that that type of. Activity is necessary to run the business or those types of uses for those types of sharing unlike sending a list of all your customers to Lexus the selling cars. But I think there's probably a space for opt-ins and opt-outs there. It's just is it, it shouldn't be a blanket prohibition. I think that would be a very difficult way it would be very difficult for us to run our businesses effectively without that type of marketing opportunities. If there's no immediate response. I'd love to turn to Dr. Wall because I think there's RG applications here. We have a lot of time thinking about our advertising and the benefit of targeting targeted advertising versus that push that just goes Jen. 
So Dr. Wall and then also I'll turn back to the AG's office so and we are going to get into implementation issues and timing so but this is very helpful. Thank you Dr. Wall. Thank you Madam Chair and I do have a lot to say on the matter but I want to make sure that the operators felt they had sufficient voice. And so thank you for making the time for me, because I have a different angle on this issue that I think deserves attention, one that directly focuses on patron health, and the issues with data amalgamation. The aggregating patron data from sports wagering accounts such that confidential information so I'm seeing this as individual level gambling behavior. So where that kind of data cannot be analyzed can have both advantages and disadvantages when it comes to patron protection. And I think that it's essential that we weigh the pros and cons to understand why it may be detrimental for patron health in the long run. I'll start off with the advantages first and foremost, there's privacy protection. So amalgamating data can help protect the privacy of individual patrons. It prevents the creation of detailed player profiles, which can potentially be misused or breached. But there's an array of unintended negative consequences that can arise from the demands to aggregate data. And if you'll give me a few minutes, I'm going to kind of detail some of my thoughts on the matter. And if I can remember what point I'm on, I'll say them in points. Number one is that it prevents effective responsible gambling monitoring. So responsible gambling programs rely on the ability to monitor individual gambling behavior to detect early signs of problem gambling. Aggregating data can make it challenging to identify at risk players and provide them with appropriate interventions. Number two is that it prevents customized interventions. 
So individual level data allows for personalized prevention and intervention initiatives, such as play my way or risk identification programs. Without the, this data, without these data, gambling programs might have limited impact. Point number three is the loss of insights. So aggregating data can lead to a loss of valuable insights into gambling patterns, which could help develop more effective harm reduction strategies and programming like game sense. I would be remiss if I didn't mention research and problem gambling research. Researchers studying the prevention of problematic gambling and the impacts of problematic gambling rely on access to detailed individual level data to enhance our understanding of disordered gambling. Aggregating data could hinder scientific progress in this area. And I will say that Massachusetts right now is seen as the crown jewel for gambling research. I'll be mentioning later on where soon section 97 researchers around the world see what's happening at access to data from land based casinos due to section 97. As a model for other jurisdictions. In fact, I have two detailed sketches of a paper that I'd love to read on what I'm calling the Massachusetts model. And the current privacy legislation that I'm reading will not allow the Massachusetts model, what I'm calling the Massachusetts model, to be extended online to sports wagering. To put a dark line under the matter when considering the concept of consumer protections, it's essential to distinguish between protecting personal information and protecting the well being of the individual. Although aggregating data can enhance personal privacy. It may come at the cost of compromising the protection of individuals from the harms associated with the potential harms associated with sports wagering in specific and gambling more generally. 
I have a couple more points, if you allow me. The absence of player-level data from online venues and sports wagering can create a significant blind spot for regulatory agencies, for MGC, in terms of responsible gambling programs. Section 97 of the expanded gambling act provides a wealth of important information for player protection from land-based casinos. However, without a similar section for sports wagering and the provision of access to player-level data, MGC may struggle to create and test the efficacy of online responsible gambling programming and compare gambling-related harms and protection stemming from online gaming compared to land-based gaming. So in conclusion, although privacy considerations are important, I think we need to be balancing them also with responsible gambling and responsible gambling initiatives, which can be complex, and the absence of player-level data from sports wagering can hinder the effectiveness of responsible gambling efforts and limit the ability to make meaningful comparisons between online and land-based gaming in terms of player protection. So I'll stop there. And thank you for the time to speak. And thank you, Dr. Wall. Commissioners, I don't, we've not heard from Dr. Wall before, so this is an opportunity to follow up with him. I guess I'd love to know specifically what is troubling you most. Is that the opt-in? Is there, you know, the specifics really matter at this stage. So, commissioners, I asked that question, but I want to turn to yours first, Commissioner O'Brien. No, I had the same question, which is the same that I would ask of the licensees, which is, you know, what's the particular language? I mean, there's also the reality of the statutes are different. I mean, we have to acknowledge that, that 23K and 23N are different. But what is the particular language that you feel is either lacking or troublesome in what's currently been enacted? 
Yeah, so when I read this, what really popped out to me is the word aggregated data. And what is meant by aggregated data? Aggregation could just simply mean the collation of data, but my reading of this means that you will not have access to player-level data. And that is really important to have for responsible gambling initiatives, initiatives like PlayMyWay. When you aggregate data, you're collapsing across all data points. And when we know that the vast majority of players do play positively, you're going to eliminate the variance, you're going to eliminate the ability to detect who is perhaps playing more intensely, and look at that level of analysis of what is contributing to this high-intensity play. You won't be able to examine that level, you won't be able to look at that when data is aggregated. I have to pause right now on that. Jared and Mina want to weigh in. I don't know who made the hit first, but I will go to Jared first, Mina. I think Mina and I might be mentioning the same thing, but I think, Dr. Wall, the concern you, I mean, the only time aggregate appears in the regulation from my presentation is 257.025, where it says a sports wagering operator shall collect and aggregate patrons' confidential information. And I totally understand your concerns. I think they're valid. I think you're right that a lot more can be told about someone when the information can be linked together to a specific person. I think, you know, a lot of the software that's out there right now that identifies problematic gaming behavior in particular relies on the fact that it can be tracked back to a specific person. And so, I just wanted to jump in to say I think, you know, totally understand all of those concerns. It seems to me as though the problem is just the "and aggregate" in that particular regulation, but I don't want to speak for you, you know, if you had a response to that. That's, you're right. 
This is where it's that point five, I have highlighted the word aggregate. And what does that mean? Will that preclude the ability to look at individual-level play? We need to be able to look at how play, track an individual over time and see how their play changes and what they're playing. What games are they playing? Are they engaging in in-play sports betting? How frequently? And how does that relate to other behaviors? That's necessary when you're looking at trying to implement limit setting. You'll need individual-level data to be able to suggest limits, suggest to a player that they may need to set a limit. And the word aggregate here does concern me. That's an important piece. Dr. Wall, on my question. Forgive me, I might just be missing something fundamentally. Is the idea that we would be requiring opt-out? No. Opt-in. So that's the secondary concern because. Okay. Thank you. Right. Because my guess is that you'll have a low level of opt-in. And so then any data that you get is going to be highly biased. Or we won't get the data for people who need it. Correct. My guess is that most players who play problematically understand that they're playing problematically. And they won't want to provide their data. And that's the most important data to have available. So my preference would be to have an opt-out as opposed to an opt-in. Very, you know, very helpful insight. And Jared. Yeah, sorry, I just wanted to jump in again to say, I think, you know, the way that the regulation is currently drafted, I would view the requirements of, you know, 250702 talks about consent and asking for consent in certain circumstances, and then a later portion allows information to be used for responsible gambling purposes, and I don't view consent as required for that provision. But I am not the Gaming Commission, so Mina or anyone else, please feel free to mention how you do that. Thank you. 
That's, sorry for jumping in, but that's exactly where I was going, is can MGC carve out research and RG, that individual-level data can be collected and used for research and RG purposes, and eliminate the word aggregate from point five. Is there opt-in, opt-out concern? If it's still opt-in. So if you can carve out a section for research and RG and apply Section 97 to sports wagering, perhaps we don't even need to discuss opt-in, opt-out, because that's a separate point, that individual-level data can be used for research and RG purposes. See Section 97. I'm having a little practical problem with that because if you haven't done. Your data would be available. So walk me through that. Sorry. Yeah, I mean what I'm saying is that I would like to see that the language around opt-in, if opt-in is for operating purposes, sure, but for RG and research purposes that the individual data can be used. And so the exception for point five would be that Section 97 applies to sports wagering. Madam Chair, this may help just at least conceptually clarify how the commission could think about Dr. Wall's suggestion. Keep in mind we keep talking about opt-in or opt-out, but the opt-in isn't about the data existing in the first place. It's sort of by necessity. Operators have to have data that includes individual, at the individual level, right, just to be able to do the basics of confirming who you are and what you're betting on and what your account is and what your accounts link to, all of those. All of this regulation is about what you do with the data. So I think Dr. Wall's suggestion, it's another sort of reason why these roundtables are very useful, is to make sure that everyone's reading things the right way. I certainly think the intent was to allow, what was never to, just as Assistant Attorney General right armors said, was never to disallow using this for, all the commissioners nodded when I was asked earlier. 
So the carve-out, to the extent that's a clarifier, that could easily be done on the purpose of the aggregating. Same thing, the word aggregating here was, again, you know, we were thinking of a different issue, being curious, with your indulgence, for Dr. Wall's reaction to this. It was to aggregate behaviors in order to develop new techniques and new methods to detect problem gaming. But again, it's not in lieu of being able to get an individual who needs help. So maybe the word aggregate is just in an unfortunate place and we can address that, but that's sort of the difference between opt-in for use versus the data will be there. It's how you use it. It was necessary to business anyway, so got it. Thank you. I'm not a lawyer. So I'm reading this as a lay person. But I would ask two things: either aggregate be explained, or that it be removed, and whether there is a way to refer to Section 97, that Section 97 applies to sports wagering. Okay. Mina, and I think we'll move on. I'd like to defer just thinking about that, as you know we're always very careful when we take something from the gaming act and apply to sports wagering to make sure that's an appropriate thing to do, based on the legislature's intent, but the point taken from Dr. Wall's comments. Thank you for your time. I appreciate it. Okay, I'm going to go back to David. You had the seconds. I know we're looking at the clock too, but I also think we can, if everybody can take a breath, we might be able to go a little bit past noon, but I'm also happy to have a hard stop. Let's just do a time check. Folks, can we go a little bit longer than noon, commissioners? Okay, everybody sort of nodding. All right. Okay. Back to David. 
Yes, I wanted to turn this over to Alexis to talk a little bit about resources and project management, how we actually conduct product change, and then just to lay out what it actually looks like to comply with a regulation like this, because I think that, you know, from those initial conversations about how long does this actually take, this is kind of a necessary background to provide color on what we actually do to apply. Thank you, David, you want to share the slides again? Absolutely. As he's putting the slides up, I also want to recognize that we're in a public forum. And I hope the commission will understand that I'm speaking generally and broadly on behalf of all of the operators and not solely based on my experience at BetMGM. The operators are all aligned on these points. And as the process continues, each of us may be able to offer more specifics in a private setting without it putting a lot of our system information online, which could create both cybersecurity issues and also some of that is trade secrets. So forgive me for being a little bit broad here as we move forward. I wanted to address your questions about resources and timelines because this isn't a privacy on or privacy off button. If it was, I think we'd all be happy to comply very quickly, but there are a lot of systems involved. We have product roadmaps where we have a number of cybersecurity upgrades, we have regulatory requirements both in Massachusetts that we're working on and with other regulators, we are always trying to improve customer journeys, and then occasionally we have a response troubleshooting if there are bugs they need to be fixed. So we have technical resources assigned in a long-term position to make sure that all of these things are within specific timelines. I think we talked about this was really only presented in June and then there were changes. I haven't been able to put it on our product roadmap because we needed these clarifications. 
That's why, again, so grateful to have this time spent with you, so that I can go back to my team and get specifics about how long it will take to implement X or implement Y. But we have product changes always ongoing, they're planned far in advance, any deviations from our current plan require removing resources and then could leave customers vulnerable, because we do need our information security personnel to be working on, we have cybersecurity upgrades that we've already got planned in different types of projects. As they're clarified, we'll be able to say this may take three months, this may take six months, but I did want to say we don't have just a bunch of developers that are waiting to follow my instructions. As much as I would love to have that, we need to work with large teams of resources that may already be dedicated to other things. I did also want to say, and I think we've talked about this a little bit, this is not a blanket request for this data privacy regulation to go away. A lot of us are already meeting these requirements. Maybe all, I think, either are or have the ability to turn on, most, the DSAR, data subject access request, for Massachusetts. I know BetMGM did that over the summer, so Massachusetts residents can submit opt-out request, deletion request, although there's limited deletion right for all the reasons we need to keep it, right to correct and right to access, so that's been available to our patrons since this summer. You have some things in the regulations that require provisions in contracts with vendors. We've been using data protection agreements or DPAs or data privacy addendums on our template contracts that include a lot of the themes but maybe not the exact language that you've requested. So we are already protecting all of our patrons, not just those in the states that already have these laws. We use them for blanket, for all of our patrons. 
We also already offer advertising opt-out and we don't market based on RG designations, and that's really important, that we're not trying to use this in order to continue to, you know, to market people based on them getting off of an RG distinction. We do need clarity, and we've talked about this a little bit, from MGC so that we can provide the guidance to our teams as to what does need to be built, what is necessary, what specific options are you looking for before we can operate. So I think we will have more clarity after this meeting and maybe after another meeting or after you've been able to sort of discuss where your distinctions live or what is opt-in versus what is opt-out versus what is impermissible sharing. And as we get these clarifications we can put it into a project roadmap and then assign resources, but this isn't just an on or off button that I have the ability to put in. I talked to my teams about building the registration journey and putting in different options. How many opt-ins do we need? What opt-ins are required? What opt-ins should we do? It can be very complicated and is not just necessarily an out-of-the-box easy change. David, could you go to the next slide, please? And this is an aggregation, we'll say, of all the implementation challenges that the operators set forth in our exception requests. They're not specific to any operator. There may be more, depending on the discussions that we have. I don't want to go into it because I know time is very, we're sort of going up on time. The one that I can easily talk about because I'm a lawyer is... Alexis, I think it's okay for you to take some time on this because we do want to understand this and we also want GLI to weigh in on detail. So, commissioners, are you looking forward to hearing a little bit more of the details? Or Alexis, should you feel comfortable going through as many as she wishes? Yes. Thanks, Makita. Thank you. Thank you. 
Okay, so relax on time. Thanks. Thank you. So, I can speak to certainly some of these. The one that I was going to give an example because I'm a lawyer is sort of changing our contracts. If language is needed in all of our DPAs, that might require going to many different vendors, presenting them with an amendment and then getting both our legal resources involved and their legal resources involved. Typically, when these laws have been passed, there's been an implementation period of maybe 18 to 24 months. So, when a law is passed, what I do is I go to our template contract and make sure that if the regulation or the law requires specific language that it's in our template contract so that two years from now when the law goes into effect, we don't have to renegotiate every contract or contact every vendor. The themes are already covered, but the language that you've added may not exist in every single contract. And as you can imagine, every single contract may be a little bit different. We might end up engaging with third-party software developers or vendors or support teams to expand technical capabilities. When the CCPA was passed, and I think David went into this a little bit, there were vendors coming out of the woodwork saying, this is what we can do. This is our technical capabilities because there was a market for very specific for this. California is like the fourth or fifth biggest economy in the world. So, everyone operating in California, there's a lot of opportunity. When you're looking at eight or 10 vendors in Massachusetts, we may not have the third-party tools that we would be able to typically rely on in order to get some of this done. Some of our systems or our products may not have the ability to segregate data in a way that we would need to to implement this. 
Now, I don't have specifics again because we're in a public forum, but also because I was waiting, I think all of us were waiting for the instruction that we're getting today or that we're starting to get today as to how to clarify these things and how to classify potentially necessary sharing that maybe doesn't require any opt-ins at all with non-necessary that requires opt-ins versus impermissible. All of the data flows that we have, we need to reassess. We've assessed them obviously for CCPA compliance and things like that. I hope everyone has done at least overall data maps, but looking at it under a new lens, under a new classification requires input from lots of areas of the business. We've had this engaging discussion about where marketing is, what's necessary. I think if I ask five people at different operators or in the industry what's necessary, I may get five different answers. So trying to classify lots of different information flows or information data points, it just requires a lot more clarification and then decision making and often outside counsel guidance so that we're covered, so that we understand what you want and that we're compliant, because the goal obviously is compliance everywhere. Building where registration flows. We're constantly upgrading our registration flow to make it friendlier to the patron and also more efficient. I know we've got full up registration flows that are approved by probably this commission but also in other jurisdictions. So we may need to rebuild the flow completely, or an operator may need to rebuild the flow completely for Massachusetts with different options or different requirements, and I think making sure that that does not interfere with other products that are going on and other announcements that are being done. 
It's just going to be a lot of technical discussions with teams that aren't going to be fully dedicated to this because as I said they're working on cybersecurity improvements, they're working on other product improvements, they're working to make sure that we're meeting your regulatory requirements and then regulatory requirements in other states where we operate. Not all of these pieces were mine. One of the things that I think is very, is we've talked about opt-in and opt-out, letting people opt out to individual uses of their data. I don't think there's a tool out there that lets us do that right now. You know, I use OneTrust, it's public. If you go to our privacy policy, you can click on the link and it'll take you to OneTrust and I have an opt-out option for opting people out of all marketing. I'm honestly not sure how I would be able to opt people out, give them the option to opt out of individual uses. I'm trying to figure it out on the fly and I think you will be helpful. But that would also maybe require us to list vendors that we would otherwise keep confidential because they're part of our systems or they're part of our architecture that we wouldn't be public. We wouldn't be sort of making public. So trying to figure all of these things out is just a process and it's not that we don't want to comply. It's just that it is going to take a while to figure out exactly how to do it in the most efficient way that does provide Massachusetts patrons with the types of protections that you're looking for. So that's, I think, my slide and trying to go into the right amount of clarification while also keeping in mind it's a public forum. That's all right. Thank you, Alexis. If we could take down the slide so we can see each other again. I want to ask the operators, did you want to add any further clarification around those implementation challenges before I turn to GLI and ask about their thoughts? 
And then commissioners, do you want to weigh in with questions or comments? I just wanted to add one piece. I think Alexis was framing it in a very generous way when discussing sort of the individual vendor-by-vendor opt-out, saying it would take a while to figure out how to comply. But honestly, from my vantage point, the notion of each user being able to design their own individualized privacy regime for themselves, I don't know that that's at all possible. I think the only way we would be able to comply would be to implement a much broader opt-out than the player was asking for. I don't think we would be able to do it on a vendor-by-vendor or information-piece-by-information-piece basis. I don't know what the language intended. Maybe there's a different interpretation, but when we read it, we had some serious concerns that that was impossible. Commissioners, before we turn to Joe and Mark, any questions for Alexis or Corey? And I think while we're talking about the implementation challenges, we've heard also some discussion around timeline. So impossible doesn't fit on any timeline. So that's really helpful feedback, Corey. But otherwise, I'm hearing also timeline. Joe, what do you think? Before you go to GLI, Madam Chair, my question in general is we've heard that the opt-in is being widely used in Europe. So I'm curious, some of the licensees operate internationally, some do not. So I understand what you said in terms of the difficulty vendor by vendor, information by information, as opposed to maybe categories of types of opting in or out. But can anyone speak to the experiences with the opt-in in Europe? I see, Chris, you have your hand up. Thank you. Well, actually, I just wanted to point out that, and I'm only speaking on behalf of Caesars here, but Caesars is primarily a U.S. operator, does not have any EU operations. And so developing a new opt-in mechanism would be the equivalent of having to comply with a brand new CCPA or GDPR. 
And so I do want to distinguish between, as we discussed before, there are a number of privacy, new privacy rights in this regulation that we can comply with, that we are already offering to Massachusetts residents, but the opt-in mechanism, given that it's brand new for the U.S. and our systems are designed for the U.S. with the expectation that sort of CCPA requirements would be kind of the outer band there. To have to redesign things would be challenging for all the reasons that Alexis discussed. Another challenge I wanted to point out is just the fact that Massachusetts will have its own unique version of opt-in rights. There will be a number of edge cases, things that we're going to have to figure out in terms of, we have a national loyalty program. We have operations in different states that have different rules. People have accounts in different states. People may sign up for a loyalty program in Las Vegas when they visit a property and then at a later time sign up for the Massachusetts gaming service, but perhaps not opt in to certain uses, and we need to figure out what does that now mean for their participation in the Caesars Rewards program. There are a number of things that we need to think through and understand what the rules are, and then it's going to be the hard work of developing the technical changes to make sure that all of these requirements are implemented. Commissioner O'Brien, that's Caesars' perspective. Is there anyone you're hoping to hear from, someone who has the European experience? I don't mean to put anyone on the spot. I would just submit from my perspective, we are a subsidiary of a European operator. I don't know the answer to Commissioner O'Brien's question directly, but I'm certainly happy to reach out to my colleagues in Ireland and England and get some more clarity on how they implement those provisions. I would just say though that our US account and wallet and data systems are built for the US. 
We do leverage certain information from Europe, but not those systems. We'll get more information, but we're not ready to implement it just because they do there. No, I wouldn't think you'd be able to just update and go running, but I'd be curious if you can provide an update in terms of how it functions for your UK and Ireland operations, I would like that. Absolutely. Commissioner O'Brien, did I not go back to you on another question? My apologies. You basically did. You just didn't come back to me. You cycled into hearing from Professor Wall because that was my follow-up question to where you had gone. You just went there on your own, so I didn't speak up. Okay, my apologies. Thank you. No problem. I meant to circle back. Okay. All right. So I guess now it makes some sense to really drill down on the implementation challenges and we'll turn to GLI. Joe, are you prepared? Yes, I'm here. Thank you. Everything presented so far seems reasonable, very reasonable. And while Alex did mention that we consulted, we have been contracted to consult with Mass Gaming, our awareness of this regulation came at the same pace as everybody else. That some of the implementation challenges for this regulation, especially considering a comprehensive consent management system, certainly isn't anything that I would expect the industry to have ready. To manage those consents, it's not just a simple add-a-checkbox UI change. There's a lot of re-architecture of the data and how it's tracked accurately to manage the consent and withdrawals to make sure they comply with this particular regulation. So I think that's one of the main concerns, and how the rest of the United States has no such demands, plus how their player account management, their PAM systems, are mostly universal from different U.S. market to different U.S. market. Mark, would you agree? Yeah, the segregating between the different markets on the consent would be a technical challenge. 
I would expect a, you know, two months is no time to do anything like that. I can speak to that from firsthand experience. So, meaning the two months, because we have that November 17th data compliance, as we were thinking of that, I don't know what the word came out. Yeah, it's, I mean, it's a massive demand, technically. Okay, massive. Commissioner Maynard, and then I'll turn to somebody else, because Alexis. Thank you, Madam Chair. How long would this take in this form, and understanding that it sounds like everyone would be able to take some small changes, how long would it take to implement this? I mean, I'm just asking purely technical, how long would it take? I think in the operator perspective, we've all been talking about a year, maybe two, to meet all of the requirements. We haven't had specific conversations with our technical team, because we're trying to figure out what would be considered necessary, what would be considered opt-in. So I've had conversations with them, but they can't tell me it'll take months, it'll take nine months, it'll take a year, because we don't have the specifics yet. But I think, Commissioner Maynard, when we've discussed it as a group of operators, we've really said to fully comply would be, you know, a year or two. But we would hope, you know, I presented a little bit, we're already meeting some, we intend to meet others. Some of them may be easy fixes, and some of them may be product builds with third parties involved or legal or infosec approvals. So it would be, I think, a rolling product implementation, but I wouldn't, I think GLI Joe said it's a massive demand, a massive technical demand, and I'm certainly not going to contradict that. So I intend to go back to my product team and sort of talk to them a little bit more based on this conversation. But then I think we also need to see where the commission ends up on the clarifications so that we can see what we can do. 
And I want to also circle back to Corey's point that some things at the end of the day may not be technically feasible. But without the clarification, I don't want to sit here and say we can't do it versus we can do it. We really want this to be an iterative process so that we meet the themes, the privacy themes that you've presented and the cybersecurity themes we've presented, and we all care about privacy and cybersecurity. It's just a matter of how we get it done in a technically feasible way with the right resources. I just wanted to add on to Alexis's point again that I know that two years does seem like a long time, but if you look at other privacy regimes from CCPA to GDPR to in fact Massachusetts' own data security regulations that went into effect in 2007, I'm told, two to three years is actually not entirely uncommon for implementation of these types of data privacy regimes. So it is a long time, but these are really hard and it's re-architecting a bunch of power back-end systems work. That's there, and I actually appreciate Alexis's pointing out that some of this could be done quicker than other pieces, and that's something that I will definitely want to see. I'm going to throw a provocative question out there that I don't expect there to be an answer to, but I want to prove the way that I'm thinking about. I really want to nail down how long technically would it take? I don't know, Alexis, but what if, you know, if I were to take a vote to suspend all the temporary licenses, how long would it take to get this implemented? And again, I don't expect an answer to that, but my point being, you know, I'm really trying to find out what could the resource and manpower be put behind this to get this done. That's what I'm trying to figure out and trying to understand. And I just can't give you a specific answer without talking to my little teams. 
I'm a privacy attorney, so if you want to talk about specifics of privacy laws, I'm happy to do it, but I'm not an expert on every technical piece of our product. So I don't know for those teams and put them in a position where... I'm going to turn to David because I think he's responding to Commissioner Maynard's question, then I'll get to Jared, and I know we also have Director Dan, who's probably going to weigh in on GLI's role, but if you want to set up a fun spot. So David, thank you. Yeah, I think there are a couple of things. The first is, you know, we're just a couple of weeks into these initial waiver requests. And one of the reasons we asked these initial waiver requests were for scoping purposes. And so, you know, our teams are doing that, we're all working on that and trying to figure out what the technical demands are, and certainly these clarifications are part of that. I think, secondly, it's not as simple as, even if we had unlimited resources, of just hiring a bunch of developers to work on this specifically. So, you know, there's no way to even give you what a lower bound of that would be, because that would require, you know, interviewing, hiring, training on the way our specific products work, in addition to all of that background scoping work. And I think that's why you see that even when other states have adopted privacy laws over the last few years that were all modeled on the existing CCPA framework, the average is like 21 to 22 months before implementation. And that's with all the tools and with companies already complying in California. So this is, because it is a totally different animal, I don't think any of us can at this point give you a reasonable estimate. And all of our systems are honestly, they're built differently, you know, every platform is different. So what may take some operators, you know, 15 months may take others 18 to 24, that's just, you know, we're all trying to figure that out at the same time. Jared? Thank you. 
I wanted to, well, I guess what I'll say is I don't doubt that implementation of some of these restrictions is going to take some time. I think that seems reasonable to me. The one concern I have is that sports betting has just become legalized in the Commonwealth within the last year. And so a lot of operators are currently in the state of acquisition of trying to acquire new users, trying to get people to use their platforms. And so in the interim, while say there may be a waiver granted, I think there's some concerns about what's being done with the information that's being used right now and how that's being used and what's being done with that. So I think to that end, I would just encourage the commission to think about what, what sort of restrictions, rather than like waiving the entire compliance with the regulation, I would think it would make some sense to think about what Mina was mentioning earlier in that there are some, there are some requirements that exist at the moment that may be implemented or implementable in the near future. And there may be some that may take longer. And I think it would be beneficial to spell out timelines for those particular requirements. But also I do, I still have a concern that a lot of the information that operators may be gathering is happening at the moment, you know, say with the start of the new NFL season. So that's all I wanted to bring up. And can you be more precise, Jared? I want to go to GLI and ask, these are comparts businesses, technology, want to be realistic about what we'd expect. So I'm going to ask Joe and Mark, this is my question, commissioners and reissuers, you know, is that kind of an approach, you know, feasible? Could we pick and choose? But what would you want us to, what, what is it right now with respect to the acquisition issue that we can turn to in this reg to say to them, this is our concern, this is the AG's concern. 
Because we are really listening to the attorney general's office and yeah, a lot of input. So what would be the precise piece of the tackle? I guess what I would say is to, you know, to the extent that the different use restrictions and consent requirements are really important to the commission, which it seems as though they very much are at the moment, those are not being used right now. And so there is data that is being acquired at the moment that may not be subject to the restrictions of this particular regulation. And so I wonder what happens to that data in the long run, right? Where does it go? Who uses it? You know, currently, you know, business partners may be using that information and it may be out there, right? And so I don't have like a specific proposal at the moment, but I think it's worth thinking about, you know, in the interim before this thing becomes fully effective, that's what it's ultimately decided. What do we do with the information that is being collected about players at the moment? Yeah, I don't know if that helps anymore or not. I think I think I'm hearing the consent framework that we've put in place is a real challenge. Yes, yes. So in the meantime, this information being collected, can the industry here in Massachusetts abide by usage and sharing details? And those precisely in layman's language, what does the AG's office not want to see us have them do with that information? Yeah, I think the specific concerns that Commissioner Maynard expressed earlier, right? We don't want the information being sold to, say, a car manufacturer, right, or being used in ways that the regulation currently prohibits, right? So like the regulation goes through a number of uses for advertising, say like periods of dormancy or advertising to social connections, things like that. They may take a shorter period of time to implement than, say, the consent mechanism, right? 
And so I think, you know, I don't have a specific list in front of me at the moment, but I'm happy to work and think about what could be implemented over time. That was very helpful during Caitlyn. Thank you, Madam Chair. I just wanted to sort of add on to what Attorney Reinheimer said by way of timelines and the different pieces of the regs. So as he noted, you know, there are pieces that require implementation, for instance, switching to, you know, an opt-out process. And then there are also ways in which the algorithm is used. So you can't use your algorithms to advertise to someone based on the fact that they haven't played in a few days, right? So different things to think about. And so with the commission, just to say it while we're all in the same room again, what the commission asked for when it granted the waiver until November 17th was that each operator come back to it with a plan for implementation, including as detailed a timeline as possible for what can be put in place and when. So it may be that there are things you're already doing. In fact, you've told us there are already things you're doing great. We'll check them off the list. There are things you can do next month, the month after. And then maybe there are certain pieces, hopefully not too many, that'll take a bit longer. And so I just wanted to put back out there that the commission did ask for those materials in advance of the 1117 end of the waiver. And then that will help the commission based on this conversation and future conversations to sort of figure out the next steps for, you know, presumably additional waivers will be needed based on this conversation. So I just wanted to put that back out there while we're all together. Thank you, Cory. 
I just wanted to make one suggestion, which is that the car manufacturer example really makes me think of the California Consumer Protection Act because it has very clear language about the sale of information sales defined extremely broadly any sort of commercial arrangement. Many of the operators may already be complying with CCPA. There are also vendors out there in the world who will help you comply with CCPA because it is such a broad regulation affecting much of the online world. So if the language here were to mirror CCPA, it would address some of these concerns and I think allow for a much faster compliance timeline. I'll stop there. Patricia's responses to that or to Caitlyn or to Jared? I just had one other question which is framing what we've talked about a slightly different way, which is would the opting in make you non-compliant in any other U.S. jurisdiction? I'm taking it from the conversation. That's not the case. It's more the implementation itself and the issues with that, but I wanted to ask that question specifically. To my privacy expert colleagues on the call, I don't think it would make us non-compliant in other jurisdictions. I think it's an implementation challenge, but I'll let others speak. Anybody else? I'll turn to the Attorney General's Office. When I hear Cory say mirroring the California privacy, what do you think about that, Jared? I think there are some valuable parts of the California law that are already implemented here. I think it seems like the big stumbling block right now is the consent mechanism and that does differ from California's current implementation scheme. I think that this presents a real opportunity for the commission to take a leading role in regulating how this information is used. I think that's very important. I don't think, although, yes, this might be unique to the United States, this type of model has been implemented elsewhere. I think that it may be a challenge to implement, but I think it's worth doing. 
California doesn't have online sports betting yet. The statute that you're talking about is not quite laser-focused on this industry, which might also speak to part of the reason we might be in the forefront of this. Yes. Thank you, Commissioner O'Brien. I think that's another valid point worth making is that this is a different industry. The California law is a very general broad-based privacy law that affects all industries that operate in California. I think that mobile sports betting is different. The way that data can be used, I think, is of a big concern to our office, particularly because there are real concerns about the addictive use of the platforms and the public health considerations. I think it's appropriate here to implement this type of consent mechanism in particular. I was also thinking about Jared's point about where does the data go while these timelines are being implemented and so forth. The more I think about it, maybe the data and the raw data should just be given to the IED and to research on responsible gaming until conditioned by any favor that we would get for people implementing this. We can just get all the raw data. I'm just trying to think about a way that we make sure the consumers are protected while we're waiting for something like this to be put up. We do have all public-facing privacy policies that our consumers do or do at least acknowledge at the time of sign-on and when they're adjusted. At least at BetMGM, they're presented with the changed privacy policy. I understand that Massachusetts wants to go further than opting into a broad privacy policy, which is a fine approach to take, but it is not all cloak and dagger behind the scenes selling the data. We are all making presentations every day about how we use the data so that our consumers that are interested in privacy can see that can happen as fast as they can out-of-marketing or other usages in certain ways. 
There may be retroactive anonymization or things like that as we move forward or we ask for specific consent. I know that we've got the ability to push someone and put a banner up and say, do you agree to all of these things? We could probably do that in a way later when we're all aligned on what those consents are, but we are trying to be open and honest with our patrons about how we use the data. I know many jurisdictions require review of our privacy policies before they're posted. I'm not sure specifically about Massachusetts, but we are, I think, as an organization or as a group, we do try to be open and honest with what we're doing with our data now, the data we collect from customers. I spend a lot of time with our privacy policy. I don't know how many people read them, but they are very thoughtfully done. Other questions for David? Yes. I just want to add, I think some of this discussion is what I was talking about up top, which is to the extent that a lot of these concerns are about uses of data that the commission finds to threaten responsible gaming practices, that's a separate issue than a Consent Management regime. I think there's an opportunity to take some of those things separately and say, let's look at really targeting some of these things towards those uses, and then the Consent Management regime is kind of, that's the long-term, the secondary thing we need to deal with, but that's some of the things, I think you mentioned some egregious examples. You don't want people to use PII to market to people who are coming off an exclusion list or who are registered for RG's services. Sure, absolutely, but that doesn't necessarily implicate Consent Management, that's just an RG practice where you say, hey, you shouldn't use this information to market to those people, and something that is just much more technically feasible than kind of flipping the Consent Management regime entirely, if that makes sense. 
I think what we're saying is, we want to work with you to accomplish what the goals are, just with an understanding that some of these things really are super highly technically challenging for us, and some are not. So figuring out what those things are and what the immediate priorities of the commission are I think are helpful. We do have one more slide about some of the clarifications that we're requesting, I think we actually, two more slides, I'm not sure if both are necessary. But I think it would be worth it to at least show. I think we've discussed some of these today, you know, I think some of them have not yet been answered by the commission and that there's an opportunity to continue the conversation, but broadly, the greater the ambiguity, the longer the compliance timeline for any of these things. And so, you know, the more we can answer these, the more it will help us in scoping. You know, the first one here is about, we already talked a little bit about sharing with third party vendors and how even if there's an opt-in, that's not necessarily clear under 257.03. You know, secondly is a clarification where the regulations allow use of confidential information or personally identifiable information to investigate, respond, and defend against filed legal claims, but not necessarily for threatened or anticipated legal action, which would leave us unable to, for example, preemptively demonstrate to a plaintiff that their claim is without merit. You know, for example, you know, they say they never agreed to terms and conditions and we could show them that they did that. Similarly, to, you know, defend to unfiled actions by government agencies. You know, M&A transactions, for example, are, and we transfer PII if there's a merger or an acquisition, you know, and that's that, there's no exception here for that. We already talked a little bit about encrypting publicly available PII like, like usernames. 
The next question about, you know, using social platform data is primarily based around RG. And I think we've all agreed that we need some clarification that RG purposes are used. So for example, operators may currently use some kind of social platform data for RG purposes to determine if someone has an issue. It's not clear if that would be allowed by the current language. The third party forensic examination here is a data breach question. You know, the commission is allowed under a breach to request a third party forensic examination if there's a security incident. You know, we need to understand if those would be public or not, because it'd be a pretty significant cybersecurity risk, because those would contain pretty sensitive corporate security information. And so looking for guardrails on subsections. The three questions about necessary sharing and reasonably expected to make a wagering platform more addictive are the kind of things we're talking about that these necessary sharing are legal terms of art, and they're not defined very clearly here. It's also not clear what is reasonably expected to make a wagering platform more addictive. I mean, that could be, it depends on what reasonably means, and I hate to parse it, but you know, I'm a lawyer, you know, as Alexis said a couple times, this is kind of, these are the questions that we need to understand. And then finally, one of the things that was not, is not present here, but is present in other privacy laws is anonymization or aggregation of records in lieu of full deletion. If someone requests that we delete their data, if we basically de-identify it, so we can still use it for analytics purposes or generic RG or things like that, is that acceptable? 
So, these are the kinds of questions I think every operator will have a bunch of these that would be helpful for us in scoping what compliance requires, and then also raise some issues that we may want to consider revisiting because we want to understand what the commission's intent are. Like, I'm confident these aren't the only questions, but they're a start. That's a lot. And I know you have another slide, but I've got Mina with a hand raised. And so, maybe it makes sense to take the slide down so we can see each other. Please. Sorry, Madam Chair, I was actually going to offer, since I know, based on Commissioner Maynard's questions and Taylor's comment that there may be a desire to sort of, and the timing, there may be a desire to see some additional implementation. I'm happy to try to answer some of those questions based on the language of the reg, if you want. But I also defer that to a later meeting if you prefer. So, that's entirely up to you. You mean in terms of offering language that would involve some of the issues raised? Completely candid offering where the language in the existing reg answers a question and to suggest that maybe if we need to tweak, we can. But some of these, I know we answered some of them. I'll take an example of one. The WynnBET, again, gets a credit for this. They had suggested language that we used, I believe, verbatim to allow responses to legal claims. And we didn't use lawsuits. We didn't use legal action. We used claims for exactly this purpose. Of course, it is necessary to run a business. One needs to be able to respond to legal claims. Again, I just want to be, you know, I think we've all talked a lot and we've gotten really helpful feedback on specifics of implementation. So, we just want, you know, to the extent that we can get folks off to the races on what they need to tell their IT folks, then I, you know, if it's helpful to answer questions, but I don't want to overstep. So, if that's for a later time, we can say that. 
The second slide, the next slide, and then we know you can come back with your trip on this. Okay. Thanks. And I think I'm going to lose Dr. Wall. So, if we have questions for Dr. Wall, if we haven't already lost. Why don't we go to the next slide, Alexis, whoever had, or David, thank you. That's really all we had. We had another slide about during implementation timelines, but we kind of covered that. Okay. Okay. Commissioners, do you want to hear Mina's list? You know, because I, my instinct is to have Mina go over his feedback to make sure we're all listening and hearing the same thing. Because, you know, some of the things when I'm hearing Mina, you say it's clear, it's clear, it's in the reg, but maybe it's just not as clear because we're not implementing it. You know, this, I'm not the one writing the code and doing the marketing now. Okay. So, Mina, why don't you go over some of your thoughts. The one you just raised, is there a response to that? Yeah. If I could ask for the slide back, there are a bunch of things on there. Okay. Thanks, David. And then let's just have to shout out. Okay. Yeah. Sorry. And to be clear, it is not, this is not intended to be, you know, oral argument. The regs already say this. They don't. What I'm suggesting is if the commission already believes or agrees, you know, with the interpretation I'm suggesting of what was intended, then the legal team has a pathway to go back and suggest additional clarification to make sure we're on the same page. If there's a policy question that needs to be addressed, that's a different process, right? And so that's the kind of guidance I was hoping to get, Madam Chair. I don't know how the commission would feel, Mina, but for me, policy implications include business, you know, implementation challenges. Of course. You know, risk assessment. Okay. Exactly. Of course. Yeah. Of course. That's what I mean by policy. Yeah. Yeah. Number one, I think we talked about a lot. 
So I don't think we, there's much more to say. So, you know, shared with third party vendors, I think there's this question of, well, kind of third party vendors, is it sort of implied from the consent given or not? So I'll leave that one alone. On the second one, as I, that's the one I was responding to, reasonably anticipated litigation. I can see, you know, a lawyer reading to defend against respond to and defend against legal claims, worrying how soon can I use that information? Or do I have to wait until someone has sent me a formal demand or a lawsuit? So that perhaps warrants some clarification, but the intent was certainly to allow folks to be able to because, because that's the nature of the comment that came to us from WynnBET initially was that, you know, was this precise concern. So if we didn't address it fully, I think that's one that may be worth a tweak. So I'm just looking for any objections to that. The commission's intention on non-transferable and M&A transactions, I'm not sure I can answer that one today. Again, if it's sort of in the normal course of business, that may be a little different, but that's, I think gets at the heart. I don't want to speak for him about what Jared was speaking about, that, you know, if the data is acquired now, what's done with it, if it's protected the same way, maybe there's a way to specifically carve that out. I guess I was looking for a little clarification on encryption of publicly available PII. When we were referring to encryption, I'm using as an example, most law firms in the world don't do their work except behind encrypted, you know, cloud systems or that's, that's what almost all data is in. I think Gmail is encrypted. 
So when we're talking about encryption in the reg, what I was a little bit confused about is, and maybe this is not to put anyone on the spot today, but one clarification would be helpful, I think, to our team would be what kinds of things aren't encrypted today or being possible to encrypt as opposed to when they're used by the operators or behind some encrypted system. It doesn't mean that they can never be seen, but they would require some specialized access. I couldn't go into the operator system and just look at them myself. The social platform data, I think we talked about, the reports available to third parties as I think has been covered many times for better or for worse, a legislator did not give the commission full protection of all data under the Sports Wagering Act. However, most times an investigation is subject to the investigative exemption under the Public Records Act. So be it case by case basis, but I think, you know, there'd be ways to handle that before a record came in in the first place. And then I think the last three, sorry, the second to last two, the necessary and sharing we've talked about reasonably expected to make the platform more addictive. I think the reasonably there was intended to be a bit of thrown, you know, to give some work to the operators to try to make sure that they understood what they were doing with the data. I don't know that the commission could possibly figure that out in all instances, but there it does require a bit of an intent element. And if I'm not mistaken, and I would have to go back, so the reasonably may have been added at the request of somebody there. So it was one of the few places we use the word reasonably because we've been asked to use it many times. The last question I think we'd have to think about. 
So I'm not sure, you know, I guess one question to the operators might be, what would that do in terms of changing implementation timelines and implementation protocols, if anonymization and aggregation in lieu of full deletion was acceptable? Because that doesn't sound like a front end thing. It's more of a back end thing. That's what I'm trying to understand. I could answer that. I think that anonymization, which we would believe is the same privacy protection because now data that is available in a system is associated with a number and not a person. So all of the goals of privacy are fulfilled when you fully anonymize the records, but still allow for additional uses, subject to whatever consents were obtained, additional uses for the data in an aggregate way or for RG purposes, as David mentioned. So it would be easier to do. In fact, we anonymize now for deletion in other jurisdictions. And so I do think it's an easier lift for sure if you are, usually the identifiable information is in a limited area. And then there's perhaps in other areas, there's just a number, an account number that no one would know that that's that person unless they had access to the personal identifiable information. So it does certainly make things easier to implement. If we had to do a full deletion, then I think there's there's now a larger scoping exercise just to figure out exactly where all of this data may exist and how difficult it would be to actually remove it, which sometimes turns out to be a lot more difficult technically than it would seem. Jared, if you want to respond to that, that might be helpful. You know, if the information is collected under a consent mechanism that's already in place, say like this system is already implemented, I'm not sure that the consumer's intent would be for the data to be anonymized instead. And so my concern there is just doing what the person actually intended to do. 
There are some concerns surrounding anonymization in the sense that often that information can be used to reidentify someone when aggregated with other pieces of information. So for example, there's a really well known study that, you know, I'm going to get the types of data wrong, but I think it's like gender, zip code, and age, or something you can use to identify someone pretty well, like 90-ish percent accuracy. And don't take my numbers as what the words are, but it's somewhere around there. So I think, you know, if that if that is the direction that this goes, there may need to be some guardrails around what types of anonymization and aggregation are done. For instance, in the CCPA, there is a requirement that the information not be reasonably connectable back to the individual. And so I think we just need to think about implementing something like that as well to make sure that there is a real guardrail there, because simply deleting someone's name may not be sufficient to not be able to identify them in the future. And I see Chris nodding. I absolutely understand the concern. And in our process, we don't stop with name, it's name, it's date of birth, it's email, it's address, it's gender. All of the things that we as we went through and looked at it, what is there enough still here that someone could figure out who this person was? And so the CCPA standard, I think, would certainly be appropriate. And something that I think the operators could, I guess I'll only speak on behalf of Caesars, but the operators could implement quicker than a full deletion process. Hi, that is sure-round triangulation, Jared. We deal with it in Massachusetts, you know, state agencies share data among, you know, each other that restrict agreements in order to really deliver evidence-based public policy. So I think there's so many ways to make sure that the anonymization doesn't result in any kind of re-identification. 
So that, so I understand Commissioner O'Brien's point, yes, California doesn't have sports wagering, but in terms of, this is in terms of, that's not unique to sports wagering. I guess I'm trying to to see where we can do proper tweaks without compromising what is really essential to the issues around sports wagering. I think that's a really helpful insight, you know, and I appreciate that. I think that given that it applies, you know, CCPA applies to every industry, there are certainly plenty of industries where you wouldn't want to do that. And, you know, Mr. Reinheimer's correct, the, you know, CCPA has really detailed guidelines on how to do that and re-linking, you know, it can't be available when you, when you anonymize or aggregate data. So that's the kind of tweak I think we're talking about in a lot of these areas where, you know, we, we think we understand what the intent is and maybe there's a way to accomplish the same goal that's technically a little more feasible. So I appreciate those comments. Commissioners, if we can keep this slide up where we can go back to a conversation, and I know you might be winding up, I want to make sure we take advantage of this, this group of people. And I see Sarah, if we could have, Sarah is weighing in. Hi. I just wanted to weigh in on one of the items on that last slide regarding the forensic examiner reports and what it is that the commission would be speaking. I do understand that there's some statutory rules around what can and cannot remain confidential. And this is important to us just because what this commission is asking for seems to go beyond what is typically considered a public report after a breach, namely, you know, asking for plans for remediation, mitigation, future prevention. And again, that examiner's report. 
We had similar rules coming before the SEC recently, and they also took up this issue and decided to narrow what could be collected and disclosed publicly, just understanding that some of that could actually put our security at greater risk by being made public, as opposed to giving real value to the public to see that. So again, I heard Mina say that there are some ways that maybe before a report is submitted, we could protect that under some, excuse me, some confidentiality, but I guess I would like to better understand that, given that that's not clear in the face of the regulation. Mina, can you direct us to me? Sure. So this is 257.063. So this, this was phrased as upon request by the commission, and Sarah, to your point, I think the reason this was upon request as opposed to an automatic was to allow for a give and take for exactly that kind of conversation. We don't want, we want to be careful about where this report ends up or who has a need to see it. The commission has its own, from what I understand and Todd or Caitlyn, I think you may be better positioned to explain this, but its own internal security protocols. So this would likely only be seen by folks at the IAB or others who need to understand it to help the operator protect patrons going forward and operations going forward. With respect to what I'm talking about on the public record side, a common concern under, with the Sports Wagering Act has been that it doesn't have some of the same protections for public information that the Gaming Act did. However, all the exemptions under the public records apply and, you know, public entity getting a security sensitive, and I'm using that in the small S-words, not in the defined S-words report would normally be protected under the Public Records Act from further disclosure. But Caitlyn or Todd, I don't know if you want to add anything to what I just said. Yeah, I think that's right. 
And you know, it is a challenge we face under the Sports Wagering Act as opposed to the Expanded Gaming Act. And we deal with it all the time for all kinds of things that are required to be submitted. But I think Mina is right that it's not mandatory in every instance when there's an issue the commission can decide and then have the back and forth about what can be given and how so that obviously we wouldn't want to have any security concerns with with the information. Appreciate that. Thank you. Do other operators want to weigh in? Fishers. Okay. Must be lunchtime. Chair, sorry to say one more thing, but this is just as a matter of fairness. I did look back, reasonably expected was our language, not the operator. So I just apologize because we had seen that comment before, but didn't want to be misquoted on that. Thank you, Mina, for that. I think for next steps, first off, I think the first next step is to thank everybody for your time and your willingness to be candid and to help us understand commissioners. I'm going to let you express your gratitude. And then we'll go, I think in terms of general next steps, we have an agenda-setting meeting next week, commissioners. And I think we can think about how we want to digest this information. I know we have a November 17 deadline and there's some process that Caitlin outlined that we are hoping that the operators can give us. It's more nuanced, but I also hear that they're looking for more guidance from us and to the extent that we can be helpful that way. On one of five, I would be inclined to be as helpful as we can, but we need to circle back as to next steps. Commissioners, feedback on that point and then we can express our gratitude. Commissioner Maynard, what are you thinking on process for next steps? Mr. O'Brien, are you okay? Oh, I'm sorry, Mr. O'Brien, I think so. Caitlin talked about, and I can't remember who else talked about it too, which is this is a work in progress. 
So I thank everyone for their time and their comments. I think we did put a lot of thought into this when we looked at it the first time and when we voted. And I do think we have the mechanisms in terms of we've given some information for clarification. We've asked for other information from the operators in terms of what's implemented now, what's possible, timelines, what's still TBD, because maybe they need more information from us. To me, that next document will then guide where we go prior to the 17th of November, because it may be a more tailored waiver, really speaking to what it is that needs longer times to figure out what timelines you're going to be. But this has been very helpful for me as one commissioner. Mr. O'Brien, what about the tweaks that Mina has mentioned and that we've addressed today that are possibilities? What would be the process for that? I know we already have a reg, but the beauty about regulations is we can always revisit them. What about those tweaks? So I think what they need to do is be memorialized so we're all clear on exactly what the tweaks are to make sure that that's not requiring further clarification, that the operators don't need something even more pointed than what's already been discussed, and then I think we can deal with it. It may be that this reg is going to have to come back up in front of us a series of times for minor tweaks, but ideally, if we get this information memorialized, we get the information we had asked for in terms of you now have some answers, give us what is done, what is doable on a certain timeline, what is still unanswerable potentially because you're looking for clarification, then I think we can get to the next stage in terms of any cleanups that might be easy to do and any waivers that might be necessary. So legal, commissioners, if you're in agreement with that, we need some guidance from legal as to the process for properly doing that in the regulatory promulgation process. Commissioner Hill? 
I would agree with what Commissioner O'Brien just stated, and I want to thank everybody who came today. It was very, very informative. Food for thought, for sure. And I think the processes have been set up where we can be helpful to you and you can be helpful to us. Excellent. Commissioner Skinner, what are you thinking? There's not much for me to add on process, although it's almost a question for me is what comes first, the chicken or the egg. We've had a lot of give and take here and I understand the operators need to have the commission provide some clarification. Hopefully you did get some good clarification on some of the points today. I am looking forward to the material that you that we have asked back on August 8th for you to submit for us to further consider in terms of any additional waivers or an extension of the current waiver. I want to add my voice to the chorus of thanks to each of you for participating in this roundtable today. And in particular, our partner from the Attorney General's Office, very, very informative in terms of your contribution to this discussion today. To our sports wagering operators, I think that you've expressed a real sincerity in working in your desire to work with the commission and in the team here to get this right. And so with the additional time that we have between now and November 17th, I'm hoping we can make some real headway on a regulation that does exactly what the commission intends for it to do, but then also respects your technical challenges and some of the other concerns that you raised before us today. So just I'll stop there. But just a thank you once again. Thank you, Commissioner Skinner. Commissioner Maynard. Thank you. Thank you, Madam Chair. I echo my fellow commissioners. I appreciate the operators for coming on in the candid conversation. 
I think that, you know, by trying to ask questions that were outlier questions, because I'm trying to figure out, you know, I'm trying to parse everything out, right, versus what's impossible, what's possible and what's inconvenient. And to that aim, it's always in the back of my head that I am speaking for myself as one commissioner put intense pressure on the MGC team to implement 23N and get it going. And I will put as much pressure on making sure that the citizens of the Commonwealth's privacy is protected. And that's just where I come from on this. I think Jared and Mina and GLI and our RG partners for putting more light into what's going on and where they're coming from. And I just want to get this right. I want to make sure that a citizen of Massachusetts knows how their data is being used, that they're treated fairly, that and we may be on the cusp, we may be ahead of the game nationally. That's okay with me. I'm fine with that. And so, you know, but I want to get it right and I want to be fair. I want to be fair to everyone. So, thank you. Excellent. To all of you, thank you for joining today. I echo all of my fellow commissioners' sentiments. This is a complicated topic. We appreciate that you asked for this opportunity. And I'm really pleased that we were able to extend it. But I appreciate that you're comfortable asking. And so, to that degree, we're cooperating. We will always agree with every element that I think we are operating always with open minds. And I too echo my fellow commissioners. We may not have been terribly vocal during that meeting, but we worked on it. And so, with that, you've given us a lot to think about. We've got some process questions to go forward. Again, thank you. Attorney General's office has been very important. There's our Commissioner Skinner's term partner in this effort because it is your area of expertise. Quite simply across the nation, the Attorney General's offices are meeting in on these conversations. 
And I really very much respect Attorney General Campbell's efforts here. And she's very well represented by Attorney Ryan. So, thank you for that. And then to our GLI partners, thank you. We may be meeting you again as we get the feedback on the timelines and implementation. I've learned a lot today. And always respect the fact that I am not in the operator's shoes. I don't understand all the complexities, although we, you know, I think you conveyed them to us today with a degree of precision that will be really helpful for us going forward. So, thank you. Anything else to, and of course to A&K and our legal team, thank you. I always feel like it just means more work. But as everybody said, you know, we're all working to get this right. So, thank you. Okay. Commissioners, I just want to turn to all the guests. Is there anything that you want to leave, you know, to say that you're going to just regret that you didn't say it's okay to say something? I just want to thank you for your time. And, you know, we really look forward to continue to work with you moving forward. I want to give a special shout out to Director Band and the staff who have been, you know, throughout this whole process, extremely helpful and available to us. So, thank you for that. Yeah. You know, and Bruce, thank you. I know that you've been reaching out and your team, we're all working hard to stand up this industry in a way that will work to make a sustained, strong industry here in Massachusetts. And we're pretty lucky to be able to have these kinds of conversations with the quality of operators that we now call licensees. So, thank you. And thank you, Bruce. And thanks, David, for that. That means a lot. All right. Then with that, I need a motion to adjourn. Move to adjourn. Second. Thank you. Any edits, questions? Michelle Bryan. Aye. Mr. Hill. Aye. Mr. Skinner. Aye. Mr. Maynard. Aye. And I vote yes.