Skip to content

Rewards Program

Reward Programs for Credit Cards, Travel, Hotels and More

Menu
  • Reward Programs
  • Credit Card Rewards
  • Travel Rewards
  • Hotel Rewards
  • Other Rewards
Menu

Gaming & Hospitality Legal News: Volume 11, Number 4 – Media, Telecoms, IT, Entertainment

Posted on April 24, 2018 by Rewards


HOW THE NINTH CIRCUIT BIG FISH CASINO DECISION COULD IMPACT
ONLINE FREE CASINO OFFERINGS ACROSS THE U.S.

by Jennifer Gaynor, Greg Gemignani, Jeff Silver, and Kate
Lowenhar-Fisher

Virtually every significant gaming operator in the United States
has some form of “free to play” online casino offering.
Because no purchase is necessary to play (no consideration) and no
valuable prizes are offered (i.e., you cannot trade your free play
credits for a comped hotel stay), these offerings have generally
met with green lights from state gaming regulators.

Enter the Big Fish Casino decision: On March 28, 2018, the 9th
Circuit Court of Appeals released an opinion that found the Big
Fish site to be an illegal gambling game under Washington law.

If the Big Fish casino offers free play, how did this
happen?

The Big Fish Opinion

Similar to most online “free-play” casinos, the Big
Fish site uses virtual coins as the basis for game play. The
virtual coins, which are issued for free at signup and replenished
for free at periodic intervals, cannot be converted to money or
valuable prizes through the Big Fish site. If a player runs out of
virtual coins, the player cannot play games on the Big Fish site
until the virtual coins are again replenished. As mentioned,
replenishment occurs at various times for players with a zero
balance, but players may also purchase virtual coins as a
convenience rather than waiting.

The state of Washington, however, has a very liberal definition
of “thing of value” for the purposes of consideration
in gaming. Its state law defines a “thing of value”
as:

[A]ny money or property, any token, object or article
exchangeable for money or property, or any form of credit or
promise, directly or indirectly, contemplating transfer of money or
property or of any interest therein, or involving extension of a
service, entertainment or a privilege of playing at a game
or scheme without charge.

Therefore, the Court held that the virtual coins were a form of
credit involving the extension of a service, entertainment, or a
privilege of playing at a game or scheme. The Court supported its
opinion by stating that when a player ran out of virtual coins the
privilege of playing was withheld; thus, the virtual coins had
“value” because they allowed continued play and games
could not be played when a player ran out of virtual coins.

Additionally, the Big Fish site allows transfers of virtual
coins between players, with a transfer fee being collected by the
site operator. This creates a risk of third-party markets where
virtual coins can be sold for money. Such a third-party market was
an indicator that the virtual coins had value, and the transfer fee
collected by Big Fish supported such an argument.

Big Fish Aftermath

Following the Big Fish decision, many online free-play casino
operators have blocked Washington State residents from their sites
or changed the way their free-to-play sites operate. But with more
Big Fish-style lawsuits pending – two more Washington State
residents have filed lawsuits against free-play casino sites,
including Double Down Interactive, Playtika, High 5 Games, and
Huuuge Games – is that enough?

The Big Fish decision is not the first time that the legality of
the free-play casino offerings has been tested. Over the years,
there have been a number of regulatory and court opinions on the
topic, with most courts and regulators finding that the games lack
the elements of either consideration and/or prize.

As many gaming law scholars may know, there were opinions from
the early days of coin-operated video games that held games like
Pong, Asteroids, and Space Invaders to be gambling machines,
because players paid to play and could win extra lives. Ultimately,
courts moved away from viewing free lives or extended play as a
valuable prize; however, such older court opinions remained
apparently good law. Big Fish, however, is the first case in recent
history where a court has found this to apply to an online
free-play site.

Because gaming is largely governed by state laws, the Big Fish
decision is, on its face, limited to the state of Washington. This
means that blocking play by Washington residents is a good first
step. Any companies that participate in the free-play casino space
should also update their state-by-state legal research to
reevaluate where the risks are highest (for example, which states
have similar definitions of “thing of value” to
Washington and/or case law where their courts have found free play
to be a “thing of value”) and review their online game
rules of play to help determine the best strategy to minimize
risk.

DON’T GAMBLE WITH THE GDPR

by Sara H. Jodka

The European Union’s (EU) General Data Protection
Regulation (GDPR) goes into effect on May 25, and so do the
significant fines against businesses that are not in compliance.
Failure to comply carries penalties of up to 4 percent of global
annual revenue per violation or $20 million Euros – whichever
is higher.

This regulatory rollout is notable for U.S.-based hospitality
businesses because the GDPR is not just limited to the EU. Rather,
the GDPR applies to any organization, no matter where it has
operations, if it offers goods or services to, or monitors the
behavior of, EU individuals. It also applies to organizations that
process or hold the personal data of EU individuals regardless of
the company’s location. In other words, if a hotel markets
its goods or services to EU individuals, beyond merely having a
website, the GDPR applies.

The personal data at issue includes an individual’s name,
address, date of birth, identification number, billing information,
and any information that can be used alone or with other data to
identify a person.

The risks are particularly high for the U.S. hospitality
industry, including casino-resorts, because their businesses
trigger GDPR-compliance obligations on numerous fronts. Hotels
collect personal data from their guests to reserve rooms,
coordinate event tickets, and offer loyalty/reward programs and
other targeted incentives. Hotels with onsite casinos also collect
and use financial information to set up gaming accounts, to track
player win/loss activity, and to comply with federal anti-money
laundering “know your customer” regulations.

Privacy Law Lags in the U.S.

Before getting into the details of GDPR, it is important to
understand that the concept of privacy in the United States is
vastly differently from the concept of privacy in the rest of the
world. For example, while the United States does not even have a
federal law standardizing data breach notification across the
country, the EU has had a significant privacy directive, the Data
Protection Directive, since 1995. The GDPR is replacing the
Directive in an attempt to standardize and improve data protection
across the EU member states.

Where’s the Data?

Probably the most difficult part of the GDPR is understanding
what data a company has, where it got it, how it is getting it,
where it is stored, and with whom it is sharing that data.
Depending on the size and geographical sprawl of the company, the
data identification and audit process can be quite
mind-boggling.

A proper data mapping process will take a micro-approach in
determining what information the company has, where the information
is located, who has access to the information, how the information
is used, and how the information is transferred to any third
parties. Once a company fully understands what information it has,
why it has it, and what it is doing with it, it can start preparing
for the GDPR.

What Does the Compliance Requirement Look Like in
Application?

One of the key issues for GDPR-compliance is data subject
consent. The concept is easy enough to understand: if a company
takes a person’s personal information, it has to fully inform
the individual why it is taking the information; what it may do
with that information; and, unless a legitimate basis exists,
obtain express consent from the individual to collect and use the
information.

In terms of what a company has to do to get express consent
under the GDPR, it means that a company will have to review and
revise (and possibly implement) its internal policies, privacy
notices, and vendor contracts to do the following:

  • Inform individuals what data you are
    collecting and why;
  • Inform individuals how you may use
    their data;
  • Inform individuals how you may share
    their data and, in turn, what the entities you shared the data with
    may do with it; and
  • Provide the individual a clear and
    concise mechanism to provide express consent for allowing the
    collection, each use, and transfer of information.

    At a functional level, this process entails modifying some
    internal processes regarding data collection that will allow for
    express consent. In other words, rather than language such as,
    “by continuing to stay at this hotel, you consent to the
    terms of our Privacy Policy,” or “by continuing to use
    this website, you consent to the terms of our Privacy
    Policy,” individuals must be given an opportunity not to
    consent to the collection of their information, e.g., a click-box
    consent versus an automatically checked box.

    The more difficult part regarding consent is that there is no
    grandfather clause for personal information collected pre-GDPR.
    This means that companies with personal data subject to the GDPR
    will no longer be allowed to have or use that information unless
    the personal information was obtained in line with the consent
    requirements of the GDPR or the company obtains proper consent for
    use of the data prior to the GDPR’s effective date of May 25,
    2018.

What Are the Other “Lawful Basis” to Collect Data
Other Than Consent?

Although consent will provide hotels the largest green light to
collect, process, and use personal data, there are other lawful
basis that may exist that will allow a hotel the right to collect
data. This may include when it is necessary to perform a contract,
to comply with legal obligations (such as AML compliance), or when
necessary to serve the hotel’s legitimate interests without
overriding the interests of the individual. This means that during
the internal audit process of a hotel’s personal information
collection methods (e.g., online forms, guest check-in forms,
loyalty/rewards programs registration form, etc.), each guest
question asked should be reviewed to ensure the information
requested is either not personal information or that there is a
lawful reason for asking for the information. For example, a
guest’s arrival and departure date is relevant data for
purposes of scheduling; however, a guest’s birthday, other
than ensuring the person is of the legal age to consent, is more
difficult to justify.

What Other Data Subject Rights Must Be Communicated?

Another significant requirement is the GDPR’s requirement
that guests be informed of various other rights they have and how
they can exercise them including:

  • The right of access to their personal
    information;
  • The right to rectify their personal
    information;
  • The right to erase their personal
    information (the right to be forgotten);
  • The right to restrict processing of
    their personal information;
  • The right to object;
  • The right of portability, i.e., to
    have their data transferred to another entity; and
  • The right not to be included in
    automated marketing initiatives or profiling.

Not only should these data subject rights be spelled out clearly
in all guest-facing privacy notices and consent forms, but those
notices/forms should include instructions and contact information
informing the individuals how to exercise their rights.

What Is Required with Vendor Contracts?

Third parties are given access to certain data for various
reasons, including to process credit card payments, implement
loyalty/rewards programs, etc. For a hotel to allow a third party
to access personal data, it must enter into a GDPR-compliance Data
Processing Agreement (DPA) or revise an existing one so that it is
GDPR compliant. This is because downstream processors of
information protected by the GDPR must also comply with the GDPR.
These processor requirements combined with the controller
requirements, i.e., those of the hotel that control the data,
require that a controller and processor entered into a written
agreement that expressly provides:

  • The subject matter and duration of
    processing;
  • The nature and purpose of the
    processing;
  • The type of personal data and
    categories of data subject;
  • The obligations and rights of the
    controller;
  • The processor will only act on the
    written instructions of the controller;
  • The processor will ensure that people
    processing the data are subject to duty of confidence;
  • That the processor will take
    appropriate measures to ensure the security of processing;
  • The processor will only engage
    sub-processors with the prior consent of the controller under a
    written contract;
  • The processor will assist the
    controller in providing subject access and allowing data subjects
    to exercise their rights under the GDPR;
  • The processor will assist the
    controller in meeting its GDPR obligations in relation to the
    security of processing, the notification of personal data breaches,
    and data protection impact assessments;
  • The processor will delete or return
    all personal data to the controller as required at the end of the
    contract; and that
  • The processor will submit to audits
    and inspections to provide the controller with whatever information
    it needs to ensure that they are both meeting the Article 28
    obligations and tell the controller immediately if it is asked to
    do something infringing the GDPR or other data protection law of
    the EU or a member state.

Other GDPR Concerns and Key Features

Consent and data portability are not the only thing that hotels
and gambling companies need to think about once GDPR becomes a
reality. They also need to think about the following
issues: 

  • Demonstrating compliance.
    All companies will need to be able to prove they are complying with
    the GDPR. This means keeping records of issues such as
    consent. 
  • Data protection officer.
    Most companies that deal with large-scale data processing will need
    to appoint a data protection officer.
  • Breach reporting. Breaches
    of data must be reported to authorities within 72 hours and to
    affected individuals “without undue delay. ”This means
    that hotels will need to have policies in procedures in place to
    comply with this requirement and, where applicable, ensure that any
    processors are contractually required to cooperate with the
    breach-notification process.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.



Source link

Ask Jeeves
Ask Jeeves

Rewards Programs

  • What Animal Crossing Character Are You Based On Your Zodiac?
  • My Husband And I Have ## Separate Travel Credit Cards Between Us, Here’s Why
  • This Is the Average Cost of a Wedding in 2022
  • More Americans Are Using Digital Wallets Than Ever. Which One Should You Choose Right Now?
  • Amazon Credit Card Offering $200 Gift Card as Welcome Bonus
  • NERD WALLET: Lessons I wish I’d learned sooner about travel
  • Wyndham Rewards To United Airlines MileagePlus Conversion Bonus July 1 – 31, 2022
  • Citi AAdvantage Executive World Elite Mastercard: Is It Worth the Annual Fee?
  • How To Get Amazon Prime Membership For Free
  • The 5 Best Credit Cards for Seniors and Retirees in 2022
  • Cembra launches Certo! – a new range of credit cards offering money back rewards and other innovative services
  • 5 On Your Side gets gas rewards app back online :: WRAL.com
© 2022 Rewards Program | Powered by Superbs Personal Blog theme