iGBA
To infinity & beyond: Protecting player data in the digital age

03 DEC 2025
Helen Stewart

Helen Stewart returns to iGBA to cover GDPR in iGaming and how the whole industry needs to adapt to a fast-moving landscape in player data protection.

It is no secret that GDPR has been a hot topic over the last 10 years, with the collection of player data becoming essential to how companies conduct research and tailor content on a more bespoke basis. Alongside that, research shows there have been many instances where data has been stolen, left unprotected or misused. Consumers have become more savvy about their privacy rights, but in an age where most of us interact digitally for long periods every day, we continue to spread our personal data far and wide, and that includes making it available to recipients who will have no scruples about its use or misuse.

As a result, the Information Commissioner’s Office (“ICO”) in the UK has imposed stricter regimes on all businesses to ensure data is protected, stored and processed correctly. There are over a million data controllers registered with the ICO. In the UK, data protection is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (the UK opted to adopt European Commission standards post-Brexit). Since then, we have seen a large shift in data privacy and related consumer protection, and in particular in the obligations companies face in the gambling sector.

The statutory protection of customer data also goes hand in hand with the UK Gambling Commission's RTS standards, which set out key obligations on how companies should store data securely and on how that data is transmitted.

Storing data legally

Companies, however, will face some challenges in the ever-maturing digital age. With vast numbers of registrations being made on a daily basis throughout the UK, from multiple platform streams, it can be difficult for operators and suppliers to monitor that all data, at all points, is being stored, transmitted and accessed lawfully. Data transfers from the UK to EU and non-EU markets can also cause larger issues for companies with multiple offshore locations, as the data is then shared across multiple jurisdictions, creating confusion for some companies as to which guidelines should prevail. Data leaks and cyber attacks are also a large and constant threat to all operators and suppliers. With most gambling companies operating in several jurisdictions, the obligation to hold data responsibly becomes almost infinitely onerous.

There have been some key examples in the gaming industry where operators have been reprimanded or fined for not storing player data correctly, and where those companies were, or are, of a size where one would expect a high degree of conformity. The stakes under GDPR are high: fines of £17.5m or 4% of annual global turnover can potentially be imposed.

In 2024, the ICO issued a public warning to Bonne Terre Ltd, trading as Sky Betting and Gaming, for unlawfully collecting and processing people’s data through advertising cookies without consent being granted first. It was later claimed that the company had experienced a technical failure.

Another material issue that impacted a lot of gambling operators was their use of Meta Pixel to access Facebook (Meta) data. Several gambling companies heavily relied upon the use of this tool and, therefore, in turn, misused player data. (Whilst Meta was fined, commercial entities using the tool were also held responsible/fined.)

Bwin, a previous sponsor of Real Madrid, shared data in connection with players who visited a promotional page for a £20 free bet. The data sharing happened without consent from the player. It was later claimed by the brand that there had been some internal technical issues.

With gambling operators relying upon multiple marketing partners and behavioural tools, in circumstances where the data is not being properly identified as personal data, how can a UK gambling operator ensure it is compliant? Most of the time, players will not even be aware of what personal data they are sharing, and board members (ultimately responsible for compliance) are also blissfully unaware of what technology has enabled.

Fundamental steps

Companies need to set out fundamental steps and a robust internal and external privacy policy to ensure that all parties are aware of what data is being harvested and why. It should be made clear which of the personal data being collected is needed for lawful purposes (as opposed to optional marketing purposes), e.g. proof of age, problem gambling identification, etc. Companies should also ensure that data is reviewed on a regular basis, with internal teams removing anything that is not deemed necessary from the system. Retention reviews are crucial to ensure data is not stored for longer than it should be. Companies should also create schedules to regularly assess what they keep and for how long, and what happens to that data if customers close their accounts. They should also have regular internal and external audits. With very few exceptions, gambling operators do not tend to employ or retain data protection specialists, and many rely on pro forma privacy policies that are not bespoke and/or fit for purpose.

In terms of technical protection, companies should ensure the correct steps are taken to encrypt the player data they have on file, both in transit and at rest. Access controls to this data should be limited, ensuring only authorised staff can access the correct levels of the database, and that this level of access is not abused at any stage.

Companies can also use firewalls, DDoS protection or third-party security systems to ensure that the network is protected and to create a barrier against anyone attempting a cyber attack.

Measures also need to be set out for the player logging into their account, to ensure that accounts cannot be hijacked and that information is not left vulnerable to misappropriation. Secure account access with two-factor or multi-factor (2FA/MFA) login, and locking accounts after multiple failed login attempts, should comprise the minimum security measures for player account management.
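The two minimum controls described above, a second factor on every login and an automatic lock after repeated failures, as an added example that is not from the article or any operator's code. It assumes a TOTP authenticator app as the second factor and uses illustrative threshold values; the password hashing, lock duration and in-memory account record are constructed for the example.

```python
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5   # assumed policy value, not taken from the article
LOCK_SECONDS = 15 * 60    # assumed lock-out duration

def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30-second steps)."""
    counter = int(unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    # Memory-hard KDF from the standard library; argon2id would be the usual choice.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)

class PlayerAccount:
    def __init__(self, username: str, password: str, totp_secret: bytes):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret   # shared with the player's authenticator app
        self.failed_attempts = 0
        self.locked_until = 0.0          # unix time; 0.0 means not locked

def login(acct: PlayerAccount, password: str, otp: str, now: float) -> str:
    """Return 'locked', 'bad_credentials' or 'ok'. Both factors are always
    evaluated, and a failure of either gives the same response and counts
    towards the lock, so the caller learns nothing about which factor failed."""
    if now < acct.locked_until:
        return "locked"
    if acct.locked_until:                # an earlier lock has expired: fresh counter
        acct.locked_until, acct.failed_attempts = 0.0, 0
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
    otp_ok = hmac.compare_digest(totp(acct.totp_secret, now).encode(), otp.encode())
    if not (pw_ok and otp_ok):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCK_SECONDS   # lock the account, not just the session
        return "bad_credentials"
    acct.failed_attempts = 0             # a successful login resets the counter
    return "ok"
```

Locking the account itself (rather than the session or source IP) is what stops a credential-stuffing run from simply rotating addresses.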

Companies should also ensure that there are clear and accepted guidelines on how player data is used, notifying players that they have the right to access and erase their data at any stage (save where regulatory obligations override this), and with which entities player data must be shared. In the UK, it is the gambling regulator that most often seeks player data, but in other jurisdictions where player winnings are taxable, it is likely that privacy rights will prevail over a revenue body’s request for disclosure.

Affiliates are not immune

Affiliates may think they are immune to the realm of GDPR; however, this is certainly not the case. Collecting and processing data makes the typical affiliate model a “data processor”, and therefore the rules still apply. Running campaigns, newsletters or any marketing to a wider audience is itself data processing. It is both vital and critical that all marketing emails have an active opt-in, proof of consent, an unsubscribe mechanism and a purpose limitation. Without these key features, affiliates could be at risk of breaching GDPR guidelines.

Some advanced tools operators can use to protect data further are products built on zero trust architecture, which verify each user and device end to end before granting access to any system. Another tool for data protection is ‘data anonymisation and tokenisation’, where companies use pseudonyms or tokens in analytics and reporting systems, creating another layer of security so that the data on those systems is protected.
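The tokenisation approach described above, as an added example rather than any vendor's product: direct identifiers are replaced by a keyed token before an event reaches the reporting estate, quasi-identifiers are generalised, and only a separate vault can map a token back to a player. The event fields, the vault key and the in-memory lookup are constructed for the example.

```python
import hashlib
import hmac
from datetime import date
from typing import Optional

# Fields that must never reach the analytics estate in any form.
DIRECT_IDENTIFIERS = {"player_id", "email", "full_name", "phone", "address"}

class TokenVault:
    """Holds the tokenisation key and the token-to-player lookup. Only this
    component can re-identify a token, so it sits outside the reporting
    systems behind its own access controls (constructed, in-memory here)."""

    def __init__(self, key: bytes):
        self._key = key
        self._lookup: dict = {}

    def tokenise(self, player_id: str) -> str:
        # Keyed HMAC: the same player always maps to the same token, so
        # reports can still count per player, but without the key the token
        # cannot be enumerated back to an id from the id space.
        token = hmac.new(self._key, player_id.encode(), hashlib.sha256).hexdigest()[:32]
        self._lookup[token] = player_id
        return token

    def reidentify(self, token: str) -> Optional[str]:
        return self._lookup.get(token)

def age_band(dob: date, today: date) -> str:
    """Generalise a date of birth to a ten-year band, still useful for
    reporting but no longer able to single a player out."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"

def pseudonymise_event(event: dict, vault: TokenVault, today: date) -> dict:
    """Return the analytics-safe copy of a player event."""
    out = {"player_token": vault.tokenise(event["player_id"])}
    for key, value in event.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                   # dropped entirely
        if key == "date_of_birth":
            out["age_band"] = age_band(date.fromisoformat(value), today)
        elif key == "postcode":
            out["postcode_area"] = value.split()[0]    # outward code only, e.g. "SW1A"
        else:
            out[key] = value                           # behavioural fields pass through
    return out
```

Because the token is deterministic per key, rotating the vault key breaks the link between old and new reports, which is the lever for honouring an erasure request without rewriting the analytics history.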

In a nutshell, it is imperative to ensure that operators in the UK and EU follow the correct guidelines in ensuring data is protected, stored, and transferred safely and securely. Without these practices in place, the consequences can be severe, and therefore, the storing of sensitive data should be taken extremely seriously, particularly where gambling companies are already seen in an extremely bad light and have failed to grasp the nettle with regard to the privacy obligations that sit in parallel with/overlap their gambling regulatory ones.
