Few single pieces of legislation have had a bigger impact on online presence in general than GDPR. Everyone has to comply with the new rules, and noncompliance can put organisations in serious legal jeopardy. When it comes to online betting, this is even truer than most types of online presence.
Online betting involves large money transactions, and all the personal data that is needed to facilitate that. Naturally, then, online betting sites have very strict policies when it comes to GDPR, so we’re going to take a look at the ins and outs of how online betting companies implement GDPR.
Firstly, though, what exactly is GDPR?
What is GDPR?
GDPR stands for General Data Protection Regulation, and in its current form was implemented into EU law in 2016. Data protection laws in some form have been in place for decades, but a number of particular events catalysed a rapid transition into much stricter regulations.
Essentially, data protection laws require any company that uses a customer’s personal information to safeguard that data. Companies must ask the user’s consent for that data to be processed in any way. They must also provide guarantees that the customer’s data is secure in their systems and not vulnerable to breaches.
The Gambling Commission regulate GDPR for the betting industry, and it is their responsibility to make businesses aware of their obligations. Principles of transparency, security, accountability, and understanding the risk that is created for customers who use their data online.
Why collect data?
This is another important point that we should consider for a moment. Why is it that companies wish to collect data on their users? Well, first of all, we typically only refer to the data that the customer needs to supply to actually use the service. So, in that sense, they aren’t ‘collecting’ data so much as making provisions to safely store the necessary data.
Beyond that, though, in the world of online betting, there is good reason to be clear about what data is being collected. Money laundering is a big problem in online betting, and the overall market, globally, is expected to be worth almost £93 billion by 2023. This makes the problem of money laundering a huge one to tackle, and processing user’s data in a strict way that complies with GDPR is essential to combatting this.
So, how exactly do betting companies implement GDPR?
Consent
The most basic and universal element of data processing online is consent. A user’s express consent needs to be requested before any data can be processed in any way, and it has to be an opt-in system. You can’t default to consent. It needs to be a clear, affirmative action.
When it comes to gambling sites, this is no different. A customer’s first sense should be that they are in control of what happens with the data they use on the site. What’s been clear in the past few years has been the reputation that can be destroyed by lack of compliance with GDPR. One of the biggest stories that brought this issue to people’s attention was the revelation that Facebook had been selling the data of millions of users to third parties without their consent. Activity on the site after the story broke dropped by as much as 20% in April 2018.
So, in other words, companies now know that they have to do a lot more to build trust with customers. The first step is always being absolutely clear about the consent you’re getting. There should be no ambiguity, none of the consent policy should be up for interpretation. Furthermore, this particular type of consent should be separate from the rest of the site’s terms of use.
The right to withdraw that consent at any time, too, should be made equally clear. Betting sites have to rely on your consent as the means to process the data you submit to them. There are some other cases in which companies have a legal right to process your data without your consent, but these very rarely apply to betting sites.
Erasure requests
Withdrawing your consent for your data to be used or processed anymore is one important part of how betting sites implement GDPR, but the other point is that they also need to make clear that you can request for your data to be completely wiped or erased at any time.
Many sites, including betting sites, will hold on to your data for years after you’ve stopped using their service. Usually, your consent still applies even if you don’t use the service anymore. So, betting sites have to make clear that you can request the data be erased at any time.
One of the things that worries many people is the fact that so much of their data has been processed by so many sites over the years. When you look at the statistics about internet usage, it becomes clearer than ever that we need strict regulation on these platforms. Estimates suggest that around $1 million dollars’ worth of goods are sold every minute on the internet. By 2030, it’s estimated that as many as 9/10 people will be habitual internet users. We all need to be completely clear on how we are managing this ocean of personal data.
Of course, there are still a few requirements for having your data erased. First and foremost, the data can’t still be necessary to using the service. If the site is still using the data, it will only erase it if you are not going to use it anymore.
So, if you withdraw your consent for the processing of your data, then this will mean you meet the requirements for having your data erased from the site. There are certain other requirements that the platform must meet, too, like avoiding undue delay, and they must always complete the erasure in one month from the time it is requested.
Being prepared for breaches
Security on sites is getting tighter and tighter with each year that passes, but that doesn’t mean breaches are impossible. In fact, being prepared for it to happen, however unlikely it might be, is one of the most important ways to implement GDPR.
Naturally, the first step in being prepared is putting everything in place to make sure it doesn’t happen. There are many means of doing this, but it’s ultimately about the quality and security of the app or site that they’ve built. Security measures must be constantly updated and strengthened to address new and emerging means of malicious hacking.
If a breach does happen, in a sense the site has failed in GDPR. But that doesn’t mean its data protection obligations end at that point. The platform will still need to inform their Data Protection Officer, assess the scope of the breach, and inform the relevant parties.
In 2013, over 3 billion accounts on Yahoo were compromised by a data breach. In 2019, 540 million Facebook accounts were exposed. There’s no understating just how serious these breaches can be, and how even the best sites with the strongest security can unfortunately be exposed. That said, again, security measures get stronger and stronger every day.
Penalisation
The biggest online betting sites might make huge profits, but GDPR is implemented, finally, in how sites are penalised for data breaches and noncompliance. Typically, the punishment will come in the form of a very large fine. As far as UK laws go, the maximum fine is set at either or £17.5 million or 4% of the site’s annual global turnover—whichever is the greater amount. This is a sizeable chunk of any organisation’s profits.
Betting sites in particular can however be penalised with bans and suspending data transfers. In other words, the site won’t be allowed to continue operating.
Of course, this isn’t implemented by the sites as such—but they will, doubtless, take all this into account when building their platforms.
Ultimately, its in everyone’s best interests for all the sites we use to be GDPR compliant. You only have to look at the figures I’ve mentioned to see just how important an issue this is in our current society. We all want to be able to safely use our data online, and while we as users have some obligations to be sensible with our personal information, ultimately the onus is on the platforms to make clear how they are managing this gargantuan issue.
You needn’t worry, though, because when it comes to betting sites you are in good hands with the well-established platforms. Armed with the knowledge I’ve provided here, you can equally know what to look for in a trustworthy site. If you’re considering a platform whose GDPR policy isn’t up to scratch with what we’ve looked at today, you should take your business elsewhere.
New customers & 18+ only. Min. deposit of £/€10. Qualifying real money bet of £/€10. Min odds greater than or equal to 1.5 required. E/W bets excluded. Offer credited within 48 hours. Additional T&Cs apply. Please gamble responsibly | T&C apply
18+ New customers only. Opt in, bet £10+ at odds 2.00+, in 7 days. No cash out. Get 3x £10 Free Bets on selected events. Plus a £10 Slot Bonus, selected games, wager 20x to withdraw max £250. 7 day bonuses expiry. Card payments only. T&Cs apply, see below. begambleaware.org | T&C apply
Min deposit requirement. Free Bets are paid as Bet Credits and are available for use upon settlement of bets to value of qualifying deposit. Min odds, bet and payment method exclusions apply. Returns exclude Bet Credits stake. Time limits and T&Cs apply. Registration required. | T&C apply
18+, New customers sign up with code "bet10get5". Deposit £10 or more and place a £10 bet at min odds 2.0. Get a £5 free bet and 10 Free Spins on Astro Newts Megaways. Free bets expire after 7 days. Full terms apply. 18+ BeGambleAware.org | T&C apply
New players only 18+, www.begambleaware.org Terms apply, please gamble responsibly #Ad New players only, min deposit £10, wagering 45x, max bet £5 with bonus funds, 100% up to £100 bonus on 1st deposit. No max cash out on deposit offers. Skrill or Neteller excluded. | T&C apply
Welcome bonus for new players only | Maximum bonus is 100% up to £100 | Min. deposit is £10 | No max cash out | Wagering is 40x bonus | Maximum bet with an active bonus is £5 Eligibility is restricted for suspected abuse | Skrill & Neteller deposits excluded for welcome bonus | Cashback when offered, applies to deposits where no bonus is included | Cashback is cash with no restrictions | | T&C apply
Carl Hughes is a leading expert on sports and casino betting. Carl began his career with a BSc in Sport, Exercise and Health Sciences from the University of Birmingham before working within the industry for some of the bigger names (GVC and Bet365) and has been praised as being "a leading sports betting commentator".
