GDPR Rules for Betting Companies

When most of us sign up to a betting site we are mainly concerned with depositing and betting, but changes to the rules around verification and know-your-customer (KYC) checks over the last few years mean that betting companies now hold a lot of sensitive customer data, and some people are understandably concerned by that.

It isn't just the ID or proof-of-address documents you send in, or your banking details. Betting companies keep track of a huge amount of data on customers, including pretty much every click you make. The rise of online betting means that customers who bet online are sharing a wealth of information with these companies, and with gambling being an incredibly competitive market those companies will use that information to glean whatever they can. Even people who bet offline some of the time are encouraged to join card schemes that offer added rewards but at the same time give companies a way to track their betting both online and in shops.

Fortunately the General Data Protection Regulation (GDPR) exists to ensure that companies in general do not misuse the information you submit to them, and how the rules bite in practice depends on the type of company and what it does with the data. So what are the rules for betting companies where GDPR is concerned? The regulation came into effect on 25 May 2018 and sets out the obligations a betting company must follow. Let's find out exactly how casinos, sportsbooks, poker rooms and so on should be operating with regard to data protection.

What is GDPR Exactly?

When talking about GDPR, we're talking about an evolution in personal data protection, and one that demands more from organisations. This is especially true when it comes to being held accountable for their use of personal data, and it adds to the rights that individuals already had.

GDPR creates a responsibility for companies to understand the risks that they create for people using their services, and also to ensure that they are reducing those risks as much as possible.

Data protection laws have been in operation for a few decades, and GDPR essentially builds on these laws even further. Many of the fundamentals remain the same with this, including providing transparency, fairness, accuracy, security and respect for the rights of the individual whose data a business is processing. Those points are all things that businesses should be doing already with such data, with GDPR building on top of that.

In the UK it is the Information Commissioner's Office (ICO) that regulates data protection legislation and issues guidance on it. The Gambling Commission, as the gambling regulator, works alongside the ICO to make licensed betting businesses aware of GDPR and what it requires of them.

The ICO and the Commission together recognise that effective use of personal data is important for tackling issues like problem gambling and gambling-related crime. GDPR is not there to prevent operators from taking necessary steps in the public interest. It does, however, remain the responsibility of the business to ensure that it stays compliant with the GDPR rules. The Commission and the ICO offer assistance and support to help businesses comply with the rules and regulations in place.

The word 'consent' is thrown around in many circumstances. In relation to GDPR, though, consent is one lawful basis for the processing of people's personal data. Genuine consent should put the individual in control, whilst also building up their trust in the site they're using, which in turn enhances the reputation of the gambling company. Conversely, if a site relies on consent that is not valid, that can damage the brand's reputation and leaves the processing without a lawful basis.

An indication of consent should not be open to more than one interpretation. It requires a clear affirmative action (an opt-in, in most cases), so pre-ticked opt-in boxes do not count as valid consent. Consent under GDPR should be kept separate from the betting site's other terms and conditions, and it should not be made a precondition of registering for the service.

GDPR also gives the individual a specific right to withdraw their consent. If a business relies on consent, it must tell users of their right to withdraw and offer them an easy way to do so at any time. Consent is, however, only one of the six lawful bases for processing set out in Article 6 of the GDPR, and for much of what a betting company does one of the other five will be more appropriate than asking for consent, because consent can be withdrawn at any time whereas, for example, a legal obligation cannot be.

The other lawful bases for processing are:

  • It is necessary for compliance with a legal obligation to which the data controller is subject.
  • It is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
  • It is necessary to protect the vital interests of the data subject or of another person.
  • It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
  • It is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or rights of the data subject.

Main Reason for Collecting Data

In the world of gambling, money laundering is a big problem, and collecting data is one tool for combatting it properly. Providing facilities for gambling otherwise than in accordance with the terms and conditions of a licence is a criminal offence, and is likely to result in the revocation of an operator's licence.

As part of holding a gambling licence, operators must not only allow players to self-exclude but also work to prevent money laundering and combat gambling addiction. Because of this, operators necessarily have to obtain and process the personal data of their players in order to comply with the licence conditions. That data should also be retained by the operators for a reasonable period of time, so that they can show the Gambling Commission evidence of their compliance should an investigation arise.

What data is considered personal for use in these situations? Well, personal data is usually deemed as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, or a computer’s IP address”.

One issue that has come up for bettors is the indefinite retention of device data (device fingerprints collected by fraud-prevention tools). Historically this was not always treated as personal data. The GDPR itself, however, lists online identifiers such as IP addresses and device identifiers among the data that can identify a person, and the ICO's position is that once device data is combined with other data, such as your home or email address, it is personal data and the rules apply to it.

Other Data Usage at Betting Sites

Casinos and bookies should always explain what they collect your personal data for via their privacy policy. Betfair, for example, lists several reasons for collecting this data, including the following:

  • Account setup and management
  • Personalisation of content on the site
  • Personalisation of marketing materials sent to you
  • Analysis of the site so as to make improvements
  • To provide information to advertisers
  • To fulfil legal obligations
  • Fraud detection and prevention
  • To share information with trusted third-party brands

Generally speaking, this list applies to most other online gambling companies as well, give or take one or two points. But if you want to know precisely what your chosen betting site(s) are doing with your information, there is nothing to stop you from reading the privacy policy. All betting brands should have one that is easily accessible to players.

Can You Request for This Data to Be Erased?

Under Article 17 of the GDPR, individuals have the right to request that their personal data be erased. This is also known as the 'right to be forgotten'. That right is not absolute, though: it only applies in specific circumstances.

The main situations in which a person can request that their personal data be erased are:

  • If the personal data is no longer necessary for the purpose which it was originally collected or processed for by the business.
  • If the business is relying on consent as its lawful basis for holding on to the data, and the individual withdraws that consent.
  • If the business is relying on legitimate interests as its basis for processing the data and the individual objects to that processing. There must be no overriding legitimate interest to continue this processing, either.
  • If the business has processed the personal data of an individual unlawfully.

When it comes to gambling companies more specifically, the Remote Gambling Association (RGA) has published certain guidance on when a player has the ‘right to be forgotten’. This reads in the following way:

“55. Customers have the right to have their data ‘erased’ in certain specified situations. This is in essence where the processing fails to satisfy the requirements of the GDPR. Where customers seek to exercise these rights, data controllers must respond without undue delay (and in any event within one month). This period can be extended in difficult cases, but data controllers would need to demonstrate their justification for relying on the extension provision.”

With regard to the "certain specified situations" part of this guidance, for gambling operators the most likely grounds for refusing erasure are where a person has self-excluded (the operator must keep enough data to enforce the exclusion), where the person is suspected of criminal activity, or where the operator is under a legal obligation to retain the records, for example under anti-money-laundering record-keeping rules. Article 17(3) expressly allows a controller to refuse erasure where processing is needed to comply with a legal obligation. Beyond those grounds, there are few legitimate reasons for a gambling company to refuse the erasure of personal data.

The other section of guidance from the RGA is this passage:

“57. Where a controller is obliged to erase the data, but that data has already been put into the public domain or shared with other controllers, then the controller must also inform other controllers who are processing the data that the data subject has requested erasure of those data.”

Since device data is personal data, a gambling company that has used products like Iovation or ThreatMetrix will need to make sure the data they hold on the customer requesting erasure is erased too, including data in shared databases that other subscribers can access, again unless the person has self-excluded or is suspected of crime. Whether the vendor is acting as a processor on the operator's instructions or as a separate controller makes a difference here: a processor must be instructed to erase, whereas the RGA passage above covers other controllers, who must be informed of the request. When making an erasure request it is worth stating explicitly that any form of device 'fingerprinting' should be deleted, as different companies use different services for fraud purposes and the request may otherwise be read as covering only the account data.

In practice, then, the grounds on which gambling companies can refuse to erase the personal data they have collected are narrow, and the attention regulators pay to this area owes much to the historical failures that have occurred within it.

Gambling Companies Can Be Punished for GDPR Failures

Since the end of the Brexit transition period there are two versions of the GDPR that UK companies may need to comply with. These are the UK GDPR, which sits alongside the Data Protection Act 2018 and applies to the processing of UK residents' personal data, and the EU GDPR, which applies to the processing of data about EU residents.

Under the UK GDPR the maximum fine for the most serious infringements is £17.5 million or 4% of annual global turnover, whichever is greater. Under the EU GDPR the equivalent maximum is €20 million (roughly £18 million) or 4% of annual global turnover, whichever is greater.

Not all infringements lead to fines, though. Supervisory authorities like the ICO have a range of other enforcement powers they can use instead. These include issuing warnings and reprimands, imposing temporary or permanent bans on data processing, suspending data transfers to third countries, and ordering the rectification, restriction or erasure of data.