By Michael J.A. Wohl
MGM Casino privacy policy decoded for Ontario players
When you create an account at the MGM-branded platform, you’re entering a data relationship with two of the world’s largest gambling and hospitality companies simultaneously. MGM Resorts International brings decades of land-based casino data infrastructure, including the MGM Rewards loyalty ecosystem that connects online play to physical property visits. Entain brings the operational backbone – the technical systems, compliance infrastructure, and group-wide player protection monitoring that power the platform behind the scenes. Understanding what this dual-corporate structure means for your personal data is the focus of this guide, framed within the AGCO’s Ontario licensing requirements and Canada’s federal PIPEDA.
The regulatory framework governing data at MGM Casino
Two regulatory layers shape how the MGM-branded platform handles Ontario player data. The AGCO’s iGaming Ontario licensing requirements incorporate Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) alongside Canada’s federal PIPEDA – both apply as conditions of the operating agreement, with provincial oversight backing federal protections. PIPEDA applies to all Canadian players regardless of provincial licensing, providing a baseline of consent requirements, access rights, and complaint pathways through the Office of the Privacy Commissioner of Canada.
The Entain Group dimension adds an international layer. Entain holds UK and EU licences requiring GDPR-aligned data practices for its UK-facing operations. While GDPR doesn’t apply directly to Ontario players, the group’s shared technical infrastructure and compliance culture is shaped by these higher international standards – which can mean Ontario players benefit indirectly from data handling practices built to satisfy more demanding requirements elsewhere in the group.
The MGM Resorts dimension adds a third layer entirely. MGM operates under Nevada Gaming Commission regulation and US privacy frameworks. The corporate joint venture’s data infrastructure spans all three regulatory environments simultaneously – a complexity that’s worth understanding rather than glossing over.
| Privacy framework | Applies to MGM Casino’s Ontario players? |
|---|---|
| PIPEDA (Canadian federal law) | Yes – baseline consent and access rights |
| Ontario FIPPA via AGCO licensing | Yes – provincial oversight layer |
| GDPR (Entain’s UK/EU operations) | Indirect – shapes group infrastructure standards |
| Nevada/US frameworks (MGM Resorts) | Indirect – shapes parent company practices |
What data MGM Casino collects from Ontario players
Data provided directly:
| Category | Specific data points |
|---|---|
| Identity data | Full legal name, date of birth, gender |
| Contact data | Ontario address, email, phone number |
| Verification data | Government-issued photo ID, proof of address |
| Financial data | Card details, PayPal credentials, Interac information, MGM Gift Card data, CA$ transaction history |
| Account preferences | Responsible gambling settings, marketing consent, sportsbook preferences |
Data collected automatically:
| Category | Specific data points |
|---|---|
| Technical data | IP address, device, browser, operating system |
| Behavioural data | Casino games played, sportsbook bets, session duration, win/loss records |
| Location data | Ontario presence verification at every login |
| MGM Rewards data | Cross-property activity linking online play to physical MGM venue visits |
| Communication data | Live chat, email support records |
| Cookie data | Session authentication, analytics, marketing tracking |
The MGM Rewards data category is the one element genuinely distinctive to this platform versus a standalone online casino. Because MGM Rewards connects your online activity at the MGM-branded Ontario platform to the same loyalty infrastructure used at physical MGM properties, your data profile potentially extends across borders – your online play in Ontario becomes part of a rewards record that’s relevant if you ever visit an MGM property in Las Vegas or elsewhere. This is a genuinely unusual data relationship for an online-only Ontario player to have, and it’s worth being aware that this connection exists even if you never plan to use it.
The Ontario geolocation data collected at every login is a non-negotiable AGCO licensing requirement – it confirms physical presence within the province for every real-money session and cannot be disabled.
How your data is used
The platform processes Ontario player data for:
- Account creation, authentication, and management
- Processing CA$ transactions across casino and sportsbook
- AGCO and iGaming Ontario regulatory compliance
- Identity verification and AML monitoring
- Responsible gambling monitoring through Entain’s group-wide player protection programme
- MGM Rewards loyalty administration, including cross-property activity where applicable
- Customer support
- Platform development across casino and sportsbook products
- Marketing communications – with explicit consent only
The Entain player protection programme deserves specific mention from my research perspective. It uses behavioural data – the same kind of session and betting pattern data my work examines – to proactively identify accounts showing potential harm signals, independent of whether a player has set any limits themselves. This is one of the more genuinely protective uses of gambling behavioural data, operating in the player’s interest rather than purely commercial interest.
Third parties and the dual-parent structure
| Third party category | Purpose | Notes |
|---|---|---|
| MGM Resorts International | MGM Rewards administration, jackpot network | Joint venture parent – cross-property data link |
| Entain Group entities | Compliance, shared player protection systems | Joint venture parent – group infrastructure |
| Payment processors | CA$ transaction processing | Interac, Visa, Mastercard, PayPal |
| Identity verification providers | KYC and age verification | Third-party document checks |
| AGCO and iGaming Ontario | Regulatory oversight | Provincial regulator |
| Analytics providers | Platform performance | Usage tracking |
The data sharing between MGM Resorts and Entain is the structural reality of a 50/50 joint venture – both parent companies have legitimate operational reasons to access certain data flows, disclosed in the privacy policy as a function of the corporate structure rather than a commercial data sale. The platform states personal data is not sold to third-party advertisers, and marketing requires explicit consent.
Your rights under PIPEDA and Ontario’s framework
- Right of access – request all data held about you
- Right to correction – update inaccurate information
- Right to withdraw consent – opt out of marketing anytime
- Right to complain – to the Privacy Commissioner of Canada or iGaming Ontario
- Right to account closure – subject to retention obligations (typically 5 years for KYC and financial records under AGCO/AML requirements)
