The intersection of gambling regulation and data protection law presents unique challenges for the sector.
Operators must balance the prescriptive requirements of the Gambling Act 2005 (GA 2005) against the rules and principles of the UK GDPR, in particular data minimization and consent.
This article explores how to comply with both gambling regulations and data protection law, and includes two recent examples of enforcement in the gambling sector.
The regulatory framework: Gambling Act 2005
The GA 2005 established the Gambling Commission (GC) as the regulator responsible for issuing operating licenses. Compliance with the License Conditions and Codes of Practice (LCCP) is mandatory for UK operators.
Key elements of the LCCP relevant to data processing include:
- Social responsibility: Licensees must interact with customers who may be at risk of experiencing harms associated with gambling.
- Customer identification: Operators must verify the age and identity of customers (Know Your Customer/KYC) to prevent underage gambling and money laundering.
- Self-exclusion: Operators must participate in multi-operator self-exclusion schemes (e.g., GAMSTOP) and effectively process data to block registered individuals.
Privacy nuances in the gambling sector
The processing of personal data in this sector is often categorized as high-risk due to the vulnerability of the data subjects and the financial implications of the processing.
- Special category data: While transactional data (bets placed) is not inherently special category data, the inference of a “gambling addiction” or “disorder” may constitute health data under Article 9 UK GDPR.
- Single Customer View (SCV): The industry is moving toward data sharing mechanisms to prevent customers from gambling unaffordable amounts across different operators. This requires a lawful basis for sharing data between competitors for safeguarding purposes, often relying on “legal obligation” or “legitimate interests” rather than consent.
- Profiling and segmentation: Operators use sophisticated profiling to identify “high value” customers (for VIP marketing) and “at risk” customers (for intervention). The same raw data often feeds both models.
- Direct marketing: The standard for consent in the gambling sector is elevated due to the potential power imbalance between the operator and a vulnerable user.
Case study: RTM v Bonne Terre Limited (2025)
In January 2025, the High Court of England and Wales delivered a significant judgment concerning the validity of consent for direct marketing in the context of gambling addiction.
The claimant, a recovering problem gambler known as ‘RTM’, brought a claim against Bonne Terre Limited (trading as Sky Betting & Gaming).
Key findings from the judgment include:
- Invalid consent: The court found that while the claimant had technically clicked “accept” on cookie banners and marketing preferences, this did not constitute “operative consent”.
- Impaired autonomy: The claimant’s decision-making was deemed to be impaired by his compulsion to gamble. The court noted that consent must be “freely given”.
- Ineffective mechanisms: The defendant’s tickboxes were insufficient for a user whose primary motivation was to remove barriers to gambling access immediately.
- Knowledge imbalance: The claimant was unaware that his transactional data was being used to model his behavior and target him with personalized incentives to gamble more.
- Lawful basis failure: Without valid consent, the operator had no lawful basis for the processing of data for direct marketing purposes. The court rejected “legitimate interests” for profiling problem gamblers for marketing.
This judgment establishes that the “quality” of consent is context-specific.
In the gambling sector, reliance on standard consent mechanisms may be unsafe where the data subject is vulnerable, as their consent may not be considered “free” or “informed”.
Case study: ICO Reprimand of Bonne Terre Limited (2024)
In September 2024, the Information Commissioner’s Office (ICO) issued a reprimand to Bonne Terre Limited following an investigation into its use of tracking technologies.
The investigation highlighted alleged technical and legal failings, including:
- Premature firing of pixels: Third-party tracking technologies (specifically a MediaMath pixel) were deployed on users’ browsers immediately upon accessing the site, before they interacted with the Consent Management Platform (CMP).
- Lack of prior consent: Approximately 40 marketing cookies were set before users had the opportunity to accept or reject them.
- Processing operations: This occurred between January and March 2023. The ICO found infringements of Articles 5(1)(a) (lawfulness, fairness and transparency), 6(1)(a) (lawfulness of processing), and 7(1) (conditions for consent) of the UK GDPR.
- Remedial action: The operator fixed the issue in March 2023 after being alerted by the ICO.
The ICO emphasized that the processing of personal data for marketing purposes via tracking technologies requires prior consent.
The reprimand suggests that technical configurations must strictly align with legal consent requirements, particularly in sectors involving vulnerable data subjects.
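The failure described in the reprimand, tags and cookies arriving before the user has made a choice in the CMP, can be checked from a recorded page load. The following is an added example, not code from the ICO or the operator: the hostnames, cookie names, allowlist and capture are all constructed, and a flagged third-party request is a candidate for review rather than proof of an infringement.

```javascript
// Added example: audit a page-load capture for tracking that precedes consent.
// Everything named here is hypothetical and constructed for illustration.
const FIRST_PARTY = "operator.example"; // assumption: the site under test
const NECESSARY_COOKIES = new Set(["session_id", "cmp_choice"]); // assumption: strictly necessary allowlist

// Constructed capture: t = ms since navigation start, URL requested, cookie names set.
const capture = [
  { t: 0,    url: "https://www.operator.example/",           setCookies: ["session_id"] },
  { t: 120,  url: "https://cmp.operator.example/banner.js",  setCookies: [] },
  { t: 180,  url: "https://pixel.adtech.example/p?id=1",     setCookies: ["uid"] },
  { t: 200,  url: "https://www.operator.example/api/track",  setCookies: ["mkt_seg"] },
  { t: 5400, url: "https://pixel.adtech.example/p?id=2",     setCookies: ["uid"] },
];

function isFirstParty(url) {
  const host = new URL(url).hostname;
  return host === FIRST_PARTY || host.endsWith("." + FIRST_PARTY);
}

// consentAt: ms at which the user accepted in the CMP, or null if they never did
// (rejected or ignored the banner), in which case the whole capture is pre-consent.
function auditPreConsent(entries, consentAt) {
  const findings = [];
  for (const e of entries) {
    const preConsent = consentAt === null || e.t < consentAt;
    if (!preConsent) continue;
    if (!isFirstParty(e.url)) {
      findings.push({ t: e.t, kind: "third-party-request", detail: new URL(e.url).hostname });
    }
    for (const name of e.setCookies) {
      // First-party cookies are checked too: a marketing cookie is not
      // exempt because the operator's own domain set it.
      if (!NECESSARY_COOKIES.has(name)) {
        findings.push({ t: e.t, kind: "non-essential-cookie", detail: name });
      }
    }
  }
  return findings;
}

// User accepted at 5000 ms: the pixel at 180 ms and both cookies are flagged.
for (const f of auditPreConsent(capture, 5000)) {
  console.log(`${f.t}ms ${f.kind}: ${f.detail}`);
}
```

Running the same audit with `consentAt` set to `null` covers the case where the user rejects or never answers the banner, which is where a tag that ignores the CMP state continues to fire.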
A high bar for compliance
The law sets a high bar for gambling operators, which handle large quantities of sensitive personal data about potentially vulnerable individuals.
Recent enforcement in this sector shows that regulators and courts expect gambling operators to use personal data about their customers with due diligence.
Operators should consider whether their consent mechanisms, profiling activities, and compliance practices in general meet both the letter and the spirit of data protection and gambling regulations.