Wil Schuehler, Associate Member 2025-2026
Intellectual Property and Computer Law Journal
I. Introduction
Nearly half of men aged 18-49 and more than one in five Americans have an active online sports betting account.[1] With the legalization of sports betting in many states across the United States, gambling apps have become embedded in mainstream culture.[2] Yet, behind the widespread use of the apps lies an evolving concern over how these platforms collect and utilize user data. This blog explores how gambling apps raise consumer privacy concerns. Part II examines the rise of betting apps, common practices within the industry, and recent enforcement action. Part III discusses a comprehensive federal data privacy model, possible reform in the United States, and current challenges to reform. Finally, Part IV concludes by recognizing the need for reform and uniformity within this industry and suggests a solution.
II. Background: Gambling Apps and Data Protection
Rise of Betting Apps and Their Practices
Currently, 38 states permit sports betting, and 30 of those states allow bets to be placed directly from a mobile phone.[3] Two sportsbooks, FanDuel and DraftKings, are at the forefront of sports betting in the United States.[4] The two betting apps had a combined download total of 20.7 million in 2024, and $50.8 billion was wagered on FanDuel alone.[5] With the rise of sports betting and its propensity to lead to gambling addiction, it is important to highlight the practices and features of these sportsbooks.[6]
These apps are designed to maximize engagement and can be extremely addictive for users. Notably addictive features include: social groups where users can join like-minded individuals and share bets, promotions and bonuses that incentivize users to gamble, an illusion of skill, the ease of download and signup, the encouragement to chase losses through increasing wager size or creating less likely parlays to back money, and instant gratification with live betting or quick bets.[7] As a result, the United States has seen a 23% increase in internet searches seeking help for gambling addiction.[8]
Perhaps the most concerning aspect of these betting apps is the amount of data they collect from users. For example, DraftKings collects 22 data points from each user, including precise location, photos, videos, contacts, files, documents, other installed apps, messages, health and fitness data, personal information, and financial information.[9] Every gambling app does not collect the same data, but on average, DraftKings, Caesars, Sky Bet, William Hill, and FanDuel collect 16 data points in total.[10] These data points do not stay in some protective vault away from intrusive third-parties. Rather, according to sources like Incogni research, DraftKings shares eight points of data for advertising and FanDuel shares eleven data points.[11] This practice highlights the issue of data privacy within the betting app realm.
Current Legal & Regulatory Framework
Currently, there is no comprehensive federal protection of data collected by betting apps, despite the collection of information such as social security numbers, date of birth, physical address, email address, etc.[12] There are several federal laws that address data security such as the Computer Fraud and Abuse Act (CFAA), Consumer Financial Protection Act (CFPA), Federal Trade Commission Act (FTC Act), Health Insurance Portability and Accountability Act (HIPAA), Electronic Communications Privacy Act (ECPA), and more.[13] However, these laws are designed to address specific areas and do not encompass data privacy as a whole.[14] For example, HIPAA is designed to address protected health information (PHI) within the healthcare industry and only applies to “covered entities” and “business associates” of covered entities such as health plans, health care providers, and companies that handle PHI for covered entities.[15] As a result, industries that do not fall under the purview of these statutory frameworks, like sports betting platforms, operate with less direct federal data privacy oversight. This lack of a comprehensive federal standard stands in contrast to broader and more cohesive regulatory oversight seen in nations such as the European Union under its General Data Protection Regulation (GDPR).
Individual states, on the other hand, have attempted to address data privacy concerns in recent years.[16] Over 25 states have data privacy laws addressing security practices in the private sector.[17] Most of these states have also enacted data disposal laws that govern how companies should destroy or protect personal information collected from customers.[18] The California Consumer Privacy Act (CCPA) has been highlighted for its comprehensive approach because it applies to most for-profit businesses and regulates all personal information.[19] Ohio does not currently have a comprehensive privacy law.[20] However, the Ohio Data Protection Act (Senate Bill 220) does incentivize a higher level of cybersecurity in exchange for a legal safe harbor to tort claims related to data breaches and failing to maintain industry best practices.[21] These state-level efforts, while useful, have led to the fragmented system of protection that consumers and companies are left with today.
Enforcement Action
An ongoing case that highlights the misuse of bettor’s data is City of Baltimore v. DraftKings and FanDuel Inc. In this case, the city is suing DraftKings for allegedly violating the City of Baltimore’s Consumer Protection Ordinance, Baltimore City Code Art. 2, § 4 (“CPO”).[22] In its complaint, the City alleges that DraftKings and FanDuel “sought to guarantee their profitability by cheating, hoping to hook, and then ultimately exploit, as many users as possible.”[23] The betting platforms are being accused of using “creative, algorithmically-crafted, inducements [in the form of bonus bets, VIP programs, and others] to keep people in the game, even when it is clear the game is causing those users serious harm.”[24] One portion of the complaint claims FanDuel’s parent company, Flutter, has collected at least 186 attributes for each bettor, including their propensity to gamble and susceptibility to marketing.[25] The complaint in this case, while speculative at this point, demonstrates many concerns such as the abundance of data collected by betting apps, the potential to abuse that data, the privacy risks, and the need for comprehensive reform.
III. Discussion
Exemplary Data Privacy
Before discussing proposed reform for the betting industry, it is worthwhile to explore an exemplary model of data privacy law. The General Data Protection Regulation (GDPR) from the European Union is widely cited as one of the most comprehensive data privacy laws in the world.[26] Under the GDPR, companies processing an individual’s data must adhere to seven principles: (1) lawfulness, fairness, and transparency; (2) purpose limitation; (3) data minimization; (4) accuracy; (5) storage limitation; (6) integrity and confidentiality; and (7) accountability.[27] Further, individuals have the right to object to companies using their data for marketing, research, or historical purposes, and they also have the right to request erasure.[28] Connecting this to the usage of personal data, the GDPR also recognizes a prohibition on entities using automated profiling to make decisions that have a legal or similarly significant effect.[29] A decision has a similarly significant effect if it has the potential to significantly influence the circumstances or choices of an individual.[30] Online gambling advertisements to individuals in financial difficulty would be included in this definition.[31] These seven principles, taken together, demonstrate how the GDPR sets the gold standard by prioritizing personal privacy, fairness, and honesty.
Possible Reform
Since the United States does not have an established comprehensive data privacy law, a possible solution to growing concerns would be to adopt the American Privacy Rights Act (APRA). The Act was proposed in 2024 and would be a significant step towards combatting personal data misuse and ensuring individual privacy protection.[32] The APRA proposes to eliminate the patchwork of state laws by setting one national standard.[33] It would apply to businesses subject to the authority of the Federal Trade Commission (FTC), common carriers, and nonprofits (together, “Covered Entities”).[34] Among the proposed obligations of covered entities are the following: heightened transparency, regulated automated decision-making, data minimization, data security and incident response requirements, and consumer rights to access, delete, correct, and export covered data.[35]
One of the standout obligations the Act proposes is the regulation of automated decision-making. This section of the APRA regulates “covered algorithms,” which are defined as computational processes that make decisions or facilitate human decision-making using covered data. This includes systems that determine the promotion, recommendation, amplification or display of information to an individual.[36] Under this requirement, it is possible that betting apps utilizing behavioral analysis to hook users with incentives and bonus bets would be required to undergo design evaluation to reduce the risk of potential harm.[37] This could not only highlight potential misuse of data by companies but also deter companies from engaging in exploitative practices. With both the ability to protect users from addiction-reinforcing algorithms and the ability to increase overall data privacy protections, the APRA provides a comprehensive and forward-looking solution.[38]
Challenges to Reform
Although the APRA would provide notable improvements to U.S. data privacy law, it would not come without challenges. The most daunting challenge would be its passage through Congress. The APRA was proposed in April 2024 and has not advanced beyond the committee stage, leading to concerns over when, or if, it will be passed.[39] The bill has garnered bipartisan support, and several commentators have applauded the bill for its ability to account for contested issues.[40] At the committee hearing, all of the witnesses agreed the APRA was the “best chance of getting something done [on comprehensive data privacy].”[41]
However, there is opposition to the passage of the bill.[42] Those that oppose the bill are primarily concerned with the preemption of state law.[43] As discussed previously, states have tried to fill the void in federal data privacy law, and the APRA would preempt many well-crafted state laws.[44] The prominent view among opponents is that the APRA should set the floor for privacy rights rather than the ceiling.[45] For example, the California Privacy Protection Act, which has been praised for its comprehensiveness, may be weakened by the APRA, possibly inhibiting California’s ability to provide stricter safeguards within healthcare data, communications, and AI regulation.[46] Moreover, some argue that states are better equipped to respond to technological changes and data practices, arguing that the federal government may not be able to keep pace.[47] Alternatively, some claim establishing federal standards through the APRA would limit the states’ power of innovation.[48]
Nevertheless, as seen with the GDPR and its success, a comprehensive federal law is both viable and effective. The APRA mirrors much of the GDPR and could provide some much-needed uniformity, stronger data privacy protection, and clarity.[49] While passage of the bill may be difficult, the APRA could provide a meaningful opportunity to combat data misuse and privacy within the betting app industry.
IV. Conclusion
It is abundantly clear that the collection of personal data and its misuse is a problem, especially in the betting app industry. Without reform, companies will continue to leverage personal data for their own gain. By adopting the American Privacy Rights Act, the United States could protect consumers by promoting transparency, giving individuals more rights to their own data, and limiting exploitative data practices. Meaningful data privacy reform should bolster consumer autonomy and ensure informed consent. By establishing a right for consumers to control how their information is used, and by developing a method to uncover deceptive terms and practices, a new data privacy law could curb misuse and rebuild public trust.
[1] 22% of All Americans, Half of men 18-49, Have Active Online Sports Betting Account, Siena Research Inst. at Siena Univ. (Feb. 18, 2025), https://sri.siena.edu/2025/02/18/22-of-all-americans-half-of-men-18-49-have-active-online-sports-betting-account/ [https://perma.cc/PSR7-XYWC].
[2] Murphy v. NCAA, 584 U.S. 453 (2018).
[3] 7 Years of Sports Betting: Did States Get it Right?, Nat’l Conf. St. Legislatures (last updated March 21, 2025), https://www.ncsl.org/fiscal/seven-years-of-sports-betting-did-states-get-it-right#:~:text=Since%202018%2C%20when%20the%20Supreme,making%20it%20easier%20than%20ever.
[4] Chinmay Vaidya, FanDueal vs. DraftKings: Which is the bigger sports betting giant?, CBS Sports (Mar. 12, 2025), https://www.cbssports.com/betting/news/fanduel-vs-draftkings-which-is-the-bigger-sports-betting-giant/.
[5] Id.
[6] Brian Pempus, Sports Betting Addiction Statistics, GamblingHarm.org (Sept. 3, 2025), https://gamblingharm.org/sports-betting-addiction-statistics/ [https://perma.cc/V3LU-D3TW].
[7] Brian Pempus, Is FanDuel Addictive? How FanDuel Addiction Works, GamblingHarm.org (June 11, 2025), https://gamblingharm.org/is-fanduel-addictive/ [https://perma.cc/33HX-MLHL].
[8] Kiki Intarasuwan, Online searches for gambling addiction surge as sports betting expands, study finds, CBS News (Feb. 19, 2025), https://www.cbsnews.com/news/gambling-addiction-online-search-surge-sports-betting/.
[9] The reality of data practices in online sports betting, Icogni Research (2024), https://blog.incogni.com/online-sports-betting-data-research/ [https://perma.cc/6DCF-X2AA].
[10] Id.
[11]Id.
[12]Kathryn R. L. Rand & Steven Andrew Light, Sports Betting and Data Security: Cybersecurity, Data Protection, and Privacy Rights in Gaming Law Practice, American Bar Association (Feb. 10, 2021), https://www.americanbar.org/groups/business_law/resources/business-law-today/2021-february/sports-betting-and-data-security/.
[13] Id.
[14] Id.
[15] Steve Alder, Who Does HIPAA Apply To?, The HIPAA Journal (Apr. 10, 2025), https://www.hipaajournal.com/who-does-hipaa-apply-to/.
[16] Rand, supra note 12.
[17] Id.
[18] Id.
[19] Id.
[20] Anas Baid & Sadaf Ayub Choudary, Ohio: An Overview of Data Protection & Data Privacy Law, Securiti (last updated Sept. 23, 2025), https://securiti.ai/privacy-laws/us/ohio/ [https://perma.cc/SZ8D-QKU5].
[21] Nicholas Sollitto, What is the Ohio Data Protection Act (Senate Bill 220)?, UpGuard (last updated Jan. 16, 2025), https://www.upguard.com/blog/ohio-senate-bill-220 [https://perma.cc/4XBG-CJ3Y].
[22] Complaint at 3, City of Baltimore v. DraftKings Inc., No. C-24-CV-25-002683 (Md. Cir. Ct. Apr. 3, 2025), https://dicellolevitt.com/wp-content/uploads/2025/04/Sports-Gambling-Complaint-City-of-Baltimore-Stamped-Copy.pdf [https://perma.cc/DRC8-2KJJ] (discussing unfair, abusive, or deceptive trade practices).
[23] Id.
[24] Id. at 6.
[25] Id. at 4.
[26] Yanaisi Gordon, Betting on Privacy: Safeguarding Data in the Era of Online Gambling, 15 UNLV Gaming L. J. 212, 212-15 (2025).
[27] The EU’s General Data Protection Regulation (GDPR), Bloomberg Law (last visited Oct. 24, 2025), https://pro.bloomberglaw.com/insights/privacy/the-eus-general-data-protection-regulation-gdpr/#compliance [https://perma.cc/4DF2-DB6Q].
[28] Id.
[29] Philip N. Yannella & Odia Kagan, Analysis: Article 29 Working Party Guidelines on Automated Decision Making Under GDPR, Ballard Spahr LLP (Jan. 16, 2018), https://www.cyberadviserblog.com/2018/01/analysis-article-29-working-party-guidelines-on-automated-decision-making-under-gdpr/ [https://perma.cc/TBM3-J9XW].
[30] Id.
[31] Id.
[32] Hope Anderson et al., Proposed American Privacy Rights Act seeks to establish a comprehensive national framework for data privacy, White & Case LLP (Apr. 18, 2024), https://www.whitecase.com/insight-alert/proposed-american-privacy-rights-act-seeks-establish-comprehensive-national-framework [https://perma.cc/7UW4-VC7S].
[33] Id.
[34] Id.
[35] Anderson, supra note 32; Kathleen E. Scott et al., 10 Things to Know About the APRA – the Latest Federal Privacy Law Effort, Wiley Rein LLP (Apr. 10, 2024), https://www.wiley.law/alert-10-Things-to-Know-About-the-APRA-the-Latest-Federal-Privacy-Law-Effort [https://perma.cc/YH4J-24D3]; American Privacy Rights Act of 2024, H.R. 8818, 118th Cong. (2024) (latest action on APRA was on June 25, 2024 when it was referred to the House Committee on Energy and Commerce).
[36] Wiley, supra note 35.
[37] Anderson, supra note 32.
[38] Id.
[39] Peter J. Benson et al., The American Privacy Rights Act, Cong. Res. Serv., LSB11161(May 31, 2024), https://www.congress.gov/crs-product/LSB11161.
[40] Id.
[41] Id.
[42] Id.
[43] Id.
[44] Id.
[45] Id.
[46] Id.
[47] Gordon, supra note 26.
[48] Id.
[49] Anderson, supra note 32.
Leave a comment