GGB is committed to providing updated news and analysis on our weekly news site, GGBNews.com.

Privacy Matters

When harvesting biometric or artificial intelligence data, what is the responsibility of the casino

Privacy Matters

As new biometric and artificial intelligence technologies migrate into the casino environment, regulators or lawmakers may have to address the privacy rights of patrons. The public increasingly believes their privacy is under attack. A Pew Research study revealed that 79 percent of Americans are concerned about the way that companies and the government (64 percent) are using their data. Further, three-quarters of Americans believe that the data being collected is less secure than it was just five years ago. These fears accrue as technology improves ways in which businesses collect customers’ personal data, including their locations, who they associate with, and their purchasing and other proclivities.

Personal data collection has been a staple of casino operations for many years. The value of casino hosts largely depended on the quality of their customer lists. Moreover, casinos have collected personally identifiable information, including name, date of birth, home address, email address, gender, and driver’s license for the casino’s loyalty programs since the 1990s. These efforts, however, are on an opt-in basis where the patron agrees to share the information in exchange for comps or loyalty program benefits.

Biometrics and artificial intelligence, however, are rapidly developing technologies that change how business markets to consumers. Biometrics, including facial recognition, allow the casino to identify and collect data from anyone who enters the casino. Artificial intelligence permits the casino to analyze the data for a myriad of purposes, including safety, security, responsible gaming, anti-money laundering, and marketing. Unlike loyalty programs, businesses, which are not subject to existing privacy laws or regulations, can collect, use and store this data without the customer’s permission or knowledge.

The collection and use of data derived from biometrics and the use of AI may have regulatory implications. All regulation is a balance between risk, cost and reward. The government permits casino gaming to achieve public goals such as revenue generation, creating jobs and promoting economic development. Most governments, however, balance these goals against player protection objectives such as assuring the honesty of games, promoting responsible gaming, and preventing underage gambling.

Regulators historically have emphasized protecting patron data from exposure to criminals and other third parties that may want to exploit that information for crimes or other unintended purposes. As early as 2010, the Nevada regulators warned casino licensees that failing to secure patron data is a regulatory violation. But, as biometrics and AI become ubiquitous, the public reaction to privacy concerns is more pronounced. The public, including casino patrons, looks at privacy as a fundamental right. While their privacy expectations change in different settings, the overuse of biometrics and AI in the casino setting could have a significant backlash that impacts government goals such as public trust in the integrity of gaming, gaming revenues, job creation and economic development.

The use of biometrics and AI in casinos is, however, nuanced. Biometrics and AI fit into the casino industry in five separate categories. A blanket rule covering all five categories would leave to unintended consequences that would frustrate public policy goals. These categories are reviewed below.

The first is security, where facial recognition and other tools can identify security threats such as known terrorists or criminals and, when coupled with AI, reveal persons with firearms and other known risks at casino entry points. This protects patron safety, which serves the interest of the players, casinos and the government. When we look at security, the risk is obvious. The

October 1, 2017 mass shooting in Las Vegas showed that things could go wrong, and the consequences are terrible regarding human life and suffering as well as financial impact. In this case, the patrons probably have minimal privacy concerns when the casino is using facial recognition and AI to detect others who may be a threat to their safety. They likely understand that the casinos will surveil them and use all appropriate tools to keep them safe. Virtually any controls on the casinos’ ability to leverage biometrics and AI to secure the lives and safety of guests and employees should be scrutinized.

The second is surveillance, which is asset protection, that promotes revenue generation. The argument for the use of biometrics and AI in surveillance also has support. Patrons likely understand that casinos have used personal observation since the earliest casinos and CCTV for decades to protect the games from thieves and cheats. While estimates of casino and tax losses based on theft are scarce, the Association of Certified Fraud Examiners thinks the thievery from an average business is about 5 percent of gross revenue. Whatever the exact number in the casino industry, theft is common, and the consequences are loss of income, employment and capital investment that impact government goals.

The third is promoting responsible gaming and attenuating the impacts of problem gaming that supports player protection goals. Two uses should have little controversy, using facial recognition to identify underage players. Facial recognition technology is in place in Europe to assist grocery stores in identifying minors attempting to make alcohol and tobacco purchases at self-serve kiosks by review. Likewise, using facial recognition to identify persons on self-exclusion lists should not be contentious where the patron asks to be self-excluded and provides a verified photograph. Biometrics to enforce persons placed on exclusion lists by family members raises other issues unrelated to the technology. Japan plans to require casinos and other gaming venues to use facial recognition to prevent problem gamblers from wagering.

Another, perhaps more controversial, use of biometrics would be to enforce time or play restrictions. Here, facial recognition available on every game in conjunction with player tracking systems could track and record all player interactions. If the player exceeds a maximum number of hours or amounts wagered or lost, no new play would be permitted for that period. Governments and casinos also could use biometrics, player tracking systems and artificial intelligence to disclose problem gambling patterns. This could require the casino to intervene and either provide problem gambling information to the player or terminate play.

The fourth is for anti-money laundering and other uses promoted for government goals implemented across all businesses. For example, a casino could identify each cash player by facial recognition and track every cash transaction. This would increase the reliability of cash transaction reporting, and introducing AI would increase the ability to detect suspicious activities for reporting purposes.

The fifth is to use biometrics and AI to increase gaming revenue through more efficient marketing. AI would use biometric and other player data to analyze behavior and target the patron with individual incentives designed to increase or prolong play. Here the opt-in customer relinquishes expectations of privacy because they agreed to be part of the marketing program. But what about patrons whose data is collected and used in marketing promotions? Persons using popular search engines are already inundated with targeted marketing based on their internet habits.

Is this now an accepted fact of living in the digital age or could it bring a public backlash? Should regulators limit the casinos’ use of anonymous data? For example, should a casino be allowed to track a person using biometrics only long enough to determine if they are a good customer and if they want to opt into a player’s club? Moreover, can the casino use third-party services that compare images of otherwise anonymous players captured at the casino to databases of photos often scrapped from social media to identify the patron by name? Should the casinos be able to use biometric and other data to push offers to targeted patrons at gaming devices that stimulate more gaming?

Two other areas worthy of regulatory considerations are protection and ownership of the patron data. Protection requires consideration of how the data should be securely stored, who can access the data either internally or by unlicensed third parties, when data must be erased, and mandating use of encryption. Ownership issues include what happens to the data on transfers of the casino ownership and whether the casino can sell or license the data to third parties.

Finally, a question arises as to whether privacy concerns are even within the purview of gaming regulators. The issue of companies collecting and using personal data extends across all businesses, media and communications and needs to be addressed globally. California, as an example, has a robust privacy law passed in 2018 that allows customers to learn what data companies have collected about them, who they share the data with, and to delete or cease sharing it. This question shifts to whether the casino industry has peculiar characteristics that call out for specialized treatment.

Avatar
Anthony Cabot is one of the premier legal experts in land-based and online gaming, and is a partner in Lewis & Roca in Las Vegas. He is also a partner in the iGaming North America Conference.