< Back

Share |

The risk of gambling with data protection requirements

For gambling operators, data protection is not only an obligation but critical to retaining customer trust and protecting investor value, whether this is in securing data integrity or acting responsibly when using cookies and similar tools that track customers.

March 2013

Data security

The protection of users' data is probably one of the key areas of data protection risk that a gambling operator will need to address. The fact that personal data collected by gambling operators is particularly sensitive means that the consequences of a security breach could lead not only to the regulators taking swift enforcement action, but also the loss of valuable customers and even an impact on share price.

convicted - in handcuffs

One only has to recall the security breaches suffered by companies such as AOL, where 20 million search keywords of over 650,000 users from a three-month period were accidently made public, and, more recently, the hack of Sony's PlayStation network where 77 million records were taken. Specific to the gambling industry, in November 2011 a man was convicted of selling unlawfully obtained details of more than 65,000 players on the Foxy Bingo website.

There is clearly a huge reputational issue for the gambling operators and it is inevitable that the corporate name and brand will be impacted when any data breaches become public. Sony, for example, recently estimated the cost of the data breaches it suffered at $170 million.

In addition to the reputational risks, the powers of the regulators can be severe. The UK’s Information Commissioner's Office ("ICO") can levy fines for breaches of data protection legislation of up to £500,000, and these are similar or significantly higher elsewhere in Europe. The European Union is now looking to update EU data protection legislation through a revised Data Protection Regulation (COM(2012) 11 final) which, amongst other things, proposes that data protection regulators across Europe can levy fines of up to 2% of global turnover for the most serious breaches of data protection. This means that global gambling operators could face unprecedented fines for lapses in compliance with data protection legislation which, given the pressures on margins, could seriously impact profits.

clockUK Gambling operators have a greater burden than businesses in most other sectors. This is because the Gambling Commission's conditions and codes of practice require licensed operators in Great Britain to notify it, as soon as reasonably practical, of any major breach in information security where the confidentiality of customer data is adversely affected or prevents customers from accessing their accounts for a substantial period of time. This differs from the position under the current UK data protection law which does not oblige businesses to notify the ICO of a breach (although he expects that serious breaches be notified). This will change with the revised Data Protection Regulation which proposes a requirement to notify breaches. Gambling operators could therefore face hefty sanctions from both the Gambling Commission and the ICO for lapses in information security.


EU law implemented in the UK as the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 ('PECAR') came into force on 26 May 2011 (and has been enforced by the ICO since 26 May 2012). In summary, PECAR requires that tools like cookies (or equivalent technology) can only store or access information on the machines of users who have been notified of this use and given their consent.

Although there is no express requirement under PECAR for prior consent, the ICO has made it clear that browser settings cannot be relied upon to show user consent at present. In other words, users must be given clear information before a cookie is set, from which their agreement to receiving the cookie can be demonstrated by their subsequent actions. Consent is needed for all cookies that are served, including session, persistent, first or third party, unless these are ‘strictly necessary’ for a service requested by the user. The exemption is narrow but would include cookies that remember services a user selects and then wishes to pay for, those that provide security or enable the content of pages to load smoothly. It would not extend to uses of analytics or advertising cookies. Even where the exemption applies, the use of all cookies must be explained (such as through an expanded cookies section of a privacy policy).

777 gambling operatorAlmost all gambling operators now have websites that are likely to rely heavily on cookies to support a wide range of their online services and functions. This can include personalising user content and preferences, recalling registered account holders and managing their transactions, delivering and tracking the effectiveness of advertising in addition to offering embedded social networking content and conducting website analytics. Where users must first register with a gambling service, then one approach may be to provide clear information and a consent option at the point of sign-up, although existing users will also need to be alerted and specifically agree to these changed terms.

Where gambling operator has a UK website or one actively targeting UK users (and placing cookies on their machines) it will need to comply with PECAR. Steps should be taken now as the enforcement action includes fines of up to £500,000 for serious breaches.

Taking action

Gambling operators who are concerned about the status of their data protection compliance program would be advised to consider the following steps:

  • carry out a data protection audit to evaluate gaps in compliance;
  • put into place a remediation plan and implement the controls and training of staff to ensure that a compliance environment pervades throughout the organisation;
  • ensure that the data protection governance environment is sufficiently robust so that there is effective reporting to a senior position within the company; and
  • keep a watching brief on changes to the law  (see our Global Data Hub microsite for insight and guidance on data protection issues) and ensure that new technologies and routes to market are subject to a robust privacy impact assessment so that data protection risks are addressed by both default and by design into the product itself.

cookiesIn respect of cookies, practical advice would be that gambling operators take action to:

  • identify the different cookies that are placed on the machines of users who visit their website;
  • assess how intrusive those cookies are; and
  • implement appropriate mechanisms to provide clear and accessible information on the use of cookies through the site and collect user consent to those cookies.

If you have any questions on this article please contact us.

padlocked computer disc
Graham Hann

Graham focusses on two important reasons why gambling operators need to pay attention to data protection.

"There is clearly a huge reputational issue for the gambling operators and it is inevitable that the corporate name and brand will be impacted when any data breaches become public. Sony, for example, recently estimated the cost of the data breaches it suffered at $170 million."