DraftKings can take your personal information, convert it into anonymized or aggregate data, and then use or sell that data for any purpose with no restrictions.
This analysis describes what DraftKings's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The right to use de-identified data derived from personal information 'for any purpose' and share it with third parties 'for any reason' is broad, and the practical privacy protections depend on the robustness of the de-identification process, which is not described in detail.
Data derived from your personal information, once de-identified or aggregated, can be used and disclosed by DraftKings for any commercial purpose including sale to third parties. The protections associated with de-identified data depend on the technical standards applied during de-identification, which the notice does not specify.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
DraftKings has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We may create aggregated, anonymized, or de-identified data (i.e., data that is not reasonably capable of being associated with or linked to you) from personal information we collect from or about you. We use such data to analyze request and usage patterns so that we may develop, improve, optimize, and/or enhance our Services and improve our consumers' experience with and ability to navigate our Website and Applications. We reserve the right to use aggregated, anonymized or de-identified data for any purpose and to disclose it to third parties for any reason.— Excerpt from DraftKings's DraftKings Privacy Policy
REGULATORY LANDSCAPE: CCPA/CPRA and other state privacy laws include definitions of 'deidentified data' that, if satisfied, remove the data from the scope of consumer rights obligations. However, these frameworks also require that companies maintain technical and organizational safeguards to prevent re-identification and bind recipients by contract to the same restrictions. The FTC has issued guidance on the risks of re-identification from purportedly anonymized datasets. CPRA specifically requires that recipients of de-identified data be contractually prohibited from re-identifying it. GOVERNANCE EXPOSURE: Medium. The provision asserts broad rights over de-identified data but does not describe the de-identification methodology, technical safeguards, or contractual obligations imposed on third-party recipients. The absence of these details creates uncertainty about whether the de-identification meets the standards required by CCPA/CPRA and other applicable laws. JURISDICTION FLAGS: California CPRA requires specific de-identification standards and contractual protections for recipients of de-identified data. Colorado CPA, Virginia CDPA, and Connecticut CTDPA have similar requirements. The EU/EEA GDPR applies a higher standard for what constitutes truly anonymized data, and data that does not meet that standard remains subject to GDPR protections regardless of how it is characterized. CONTRACT AND VENDOR IMPLICATIONS: Third-party recipients of de-identified data should be assessed to confirm contractual prohibitions on re-identification are in place as required by applicable state privacy laws. If de-identified data is sold or licensed commercially, this activity should be assessed against the scope of any data sale restrictions or opt-out mechanisms offered to users. COMPLIANCE CONSIDERATIONS: Compliance teams should document the technical de-identification methodology used to ensure it meets applicable state and federal standards. Contracts with third-party recipients of de-identified data should be audited for re-identification prohibitions. The notice should be reviewed to assess whether additional disclosure about de-identification practices is required under applicable laws.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The right to use de-identified data derived from personal information 'for any purpose' and share it with third parties 'for any reason' is broad, and the practical privacy protections depend on the robustness of the de-identification process, which is not described in detail.
Data derived from your personal information, once de-identified or aggregated, can be used and disclosed by DraftKings for any commercial purpose including sale to third parties. The protections associated with de-identified data depend on the technical standards applied during de-identification, which the notice does not specify.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by DraftKings.