At the beginning of June J4P asked people to start using GDPR to see if they could get their data erased by gambling companies and to find out what data gambling companies held about them, who they shared it with and how it was processed to make decisions like restricting accounts.
First of all J4P must thank everyone who has contributed and hopefully many will continue to do so, because gambling customers should have the same rights as everybody else.
J4P now has a tripartite meeting promised with the Information Commissioner’s Office (ICO) and the Gambling Commission (GC) where we will present and discuss the evidence we have regarding data abuse by gambling companies and how they are interpreting GDPR for their own ends.
Without boring readers too much the advice for gambling companies about GDPR and how it specifically applies to their industry is sparse (see: Gambling Commission & Remote Gambling Association). The ICO in their usual quirky way obviously didn’t see any need to pay particular attention to an industry they should have known would face dramatic commercial challenges due to GDPR, so they provided no advice. It goes without saying that no organisation linked to any form of officialdom within the EU thought to provide any advice for gambling customers.
The next two sections outline some of what people have found out, but interestingly this has also been published: https://caanberry.com/bet365-account-limited/
Examples of evidence: What gambling companies may hold about customers?
Requests for data reveal all sorts of things, but most of it is mundane and what you would expect, nevertheless it is really useful to prove what many people have always suspected that gambling companies do share data, including collusion that has one sole aim, which is to protect their profits. J4P is yet to see this clearly stated in any terms and conditions, privacy policies or anywhere on a gambling website, which is a breach of privacy law and clear unfair trading under consumer law. For the sake of balance we must admit we’ve haven’t read every detail on every website.
The following are some of the more interesting things you’ve found out:
- This is not the clearest of figures from one of the biggest operators. It is what’s known as an Iovation ‘ticket’. The figure explains how bookmakers may restrict and close accounts within hours of a person opening an account, perhaps before a person has even placed a bet. This breaks EU and UK privacy law under GDPR, but it did under the UK’s Data Protection Act, so it is a mystery why officialdom has never taken any significant action against bookmakers.
This next figure was sent to us awhile ago. Officialdom has had possession of it for nearly two years now. To our knowledge they’ve never investigated it properly despite J4P being able to replicate it on the website it came from. This is nothing short of scandalous.
It does require some explanation due to all the redactions and colour changes. The background is an advert for a new customer offer with a major bookmaker. The foreground is another major bookmaker warning the other bookmaker making the offer that the e-device being used to open the account is a ‘trading risk’ for them. In this case, we can categorically tell you the ‘trading risk’ is nothing to do with fraud; this concerns a winning, restricted customer with the bookmaker who has provided the warning. This is a blatant breach of privacy law, because the e-device data can be linked back to and combined with personal data. Obviously the customer doesn’t usually see this visual, it’s meant for internal bookmaker staff viewing only.
J4P is aware that the gambling industry lobbied government and regulators before GDPR came in to protect their interests. One aspect of this lobbying was the use of Iovation and other similar trackers like Threatmetrix to help with problem gambling. J4P doesn’t have any evidence at all that this has ever been done. Of course it may have, but we are in possession of numerous subject access requests from people with gambling problems and there is no references to the use of any of these super-trackers: Make of that what you will.
What must not be forgotten is gambling companies omit details about Iovation usage and lie about it’s use when fulfilling subject access requests. This is another breach of privacy law.
Another interesting aspect of what people have sent to J4P is how difficult some companies are before they’ll provide a right of access to data:
“Before we are able to comply with your request, we require further information from you to satisfy ourselves as to your identity. Please therefore provide us with:
- a certified copy of your driver’s licence or passport; and
- a certified copy of a recent utility bill showing your current address,
so that we can confirm that you are entitled to receive the information requested.”
It’s really interesting that other companies don’t need this certification.
J4P has more evidence of unscrupulous data use by gambling companies licensed in the UK, but there’s enough here for now to prove a point. If you wish to quickly read about some others that are certainly true or ‘The Times’ newspaper would have been sued have a read of this.
Examples of evidence: Are gambling companies willing to erase data?
The simple and not unexpected answer is no; oh my goodness no, 100% no.
The much less simple part is what excuses do they use for not completing data erasure? It would appear that companies are governed by different legislation as they keep quoting different reasons dependent on the customer and the details on their account, e.g. if an account was restricted three years ago they’ll say they have to retain data for five years, if it’s six years it becomes a retention period of seven years, we’ve even had one company saying 10 years, because the account closure was eight years ago.
Some companies use GC guidelines as their excuse, some use anti-money laundering laws and some use advice from the ‘Remote Gambling Association’.
As was predictable, any reason that comes to the forefront of the mind is used to prevent data erase. It’s widely recognised that the first online casino was launched in 1994. Let’s imagine that Tim Berners-Lee the inventor of the internet opened an account with them in 1994 and started sports betting with them in 1996 and won using skill, which means his account would be restricted, the evidence coming into J4P suggests that Mr Berners-Lee would be refused data erasure as his data had to be kept for 25 years!
J4P is so grateful that people have bothered to collect evidence, please do continue.
It’s clear that officialdom needs to provide specific advice to gambling companies and their CUSTOMERS on what is legal under GDPR and what is not, because companies are certainly not applying the new law in the same way.
J4P looks forward to meeting with officialdom in a tripartite meeting or meetings to get everything sorted out.
GDPR combined with competition law, advertising rules and consumer law now means that gambling companies must be transparent about their trading and use of data. As an example if no winners are allowed when betting using skill this should be made abundantly clear in all advertising, on account registration and within terms and conditions.
J4P doesn’t want the following to happen, because it prefers fair trading to be introduced voluntarily, but if gambling companies and officialdom are unwilling to do this it is probably time for the legal profession to make it happen.