We don’t know, but it’s desperately needed.
At present the Information Commissioner’s Office (ICO) is fining charities for data breaches, but not gambling companies; why?
As you all know ‘Justice for Punters’ has been relentlessly pursuing an answer as to why gambling companies are allowed to spy on their customers without being open and clear about it, or even at all? This lack of clarity infringes the Data Protection Act (1998) in our view and crucially, based on two rulings by the Information Commissioner’s Office, they do too. But and it’s a big but, the ICO are doing nothing about it, except to ask gambling companies to update their privacy policies. ‘Justice for Punters’ apologises for being cynical and suggesting this will not solve the problem. What follows is a classic example of why we are not really cynical, but practical.
One our volunteers recently accessed their long defunct PaddyPower account (‘defunct’ is defined as; useless for sports betting due to stake factoring, e.g. offered 10p bets instead of £10 ones, but still open to lose their house and car in the casino). They had one unread email.
This is the link: https://support.paddypower.com/app/answers/detail/a_id/9 in the email.
Some extracts and some comments from PP/BF’s new privacy policy
“Other communication data (including IP address). Note that we do not extract any personal information (e.g. email address or name) that may be in a web browser’s user preference file.”
A case in the EU courts recently deemed an IP address as personal information. Oops!
“(c) Technical information relating to the device that you use to access our Services.”
We assume this relates to the use of Iovation (iesnare), so why not say it and how it is exactly used? This technical information is very, very extensive and attempts, when analysed, to identify your e-device as being unique to you, e.g. like a fingerprint, but called a footprint in the IT world.
“To allow quicker account registration should you open a betting account with another company within the Group (for example, if you were to open an account with Paddy Power, we could use the verification documents submitted to Betfair to comply with our legal and regulatory requirements)”
This is nothing new and quite legal, but a warning that PaddyPower now has access to all your betting history on the Betfair platforms and both companies will continue to share their collected data about you from differing websites and from any other service they run, e.g. telephone betting.
“Your information may be processed in the following ways:
(j) To carry out risk management;”
This is an admission that all data collected from you, be it personal or e-device data (which becomes personal when analysed and combined with personal data [ICO ruling]) is used to close or factor accounts of those who win or those who show signs that they may win. Basically sports betting with traditional bookmakers is ‘dead’ for customers unless they lose or promote the image of the gambling industry in the media and/or in parliament. No privacy policies or general terms and conditions can be clear, honest and fair until this point is apparent. Sports betting with traditional bookmakers is no longer ‘betting’ in the true sense. Skill of any sort is not tolerated and this should be made absolutely clear on account sign-up. New customers should be asked to read and tick a box that states that the said website,
“Does not tolerate and will ban all customers who attempt to win using skill.”
“Your Personal Information may, for the purposes described above, be transferred or disclosed to any company within the Group or, subject to appropriate agreement, to third parties, for the processing of that Personal Information on our behalf. The Group may, from time to time, retain trusted third parties to process your Personal Information for the purposes listed above and such processing will be governed by a contract in the form required by law.”
Difficult to comment on this one; it surely cannot be legal unless the phrase, “subject to appropriate agreement” is clarified?
“You can amend your browser settings to block some or all cookies. To do this, follow the instructions provided by your browser manufacturer.”
This one is easy; not true, this does not stop the downloading of Iovation (iesnare).
Analytics Cookies | These are used to collect information about how visitors use our Websites. We use the information to compile reports and to help us improve the Websites. | The cookies collect information in an anonymous form, including the number of visitors to the Websites, where visitors have come to the Websites from and the pages they visited. |
Once again, this one is easy; not true, Iovation (iesnare) is listed in the category ‘Site Analytics’ by Ghostery and it does a lot more than what is admitted to here.
“You also have a right to request a copy of any personal information that we hold about you. Should you wish to make such a request you should contact us in writing at:
Subject Access Requests c/o Legal Department, Paddy Power Betfair plc, Waterfront, Hammersmith Embankment, London W6 9HP with a cheque payment for £10 made payable to Paddy Power Betfair plc.
Or
Subject Access Requests c/o Customer Services, Paddy Power Betfair plc, Power Tower, Belfield Business Park, Clonskeagh, Dublin 4, with a cheque made payable for €6.35.”
Nothing new, but we would like to remind everyone that you can do this. We would suggest you do, because quite legally you can force any gambling company to reveal all data they hold about you and this includes information requests they have made to Iovation. This may include things like; “Do you suspect this account is being used for arbing?” Yes we do have conclusive proof that some companies regularly ask this, so what other questions are being asked without the customer’s knowledge?”
If you’ve ever had an account restricted or closed, for many companies it is highly likely they will have made a data request to Iovation without you knowing. You have a right to know what was asked about you and your account activity. Submit your Subject Access Request NOW! (See our letter template that makes it easy: https://justiceforpunters.org/other-punter-injustices/subject-access-request-sar-template/). We have also produced a guide entitled ‘Bookmakers on Oddschecker: Office addresses; registered, head & regional’: https://justiceforpunters.org/bookmakers-on-od…ed-head-regional/ Not all these companies use Iovation, but you may still want to find out what data they used to restrict or close your account?
As always with gambling companies when you ask questions they do not want to answer, it will not be hassle free. At present we have one member who is attempting to get his full data, including Iovation data, but predictably the major gambling company concerned are lying. Why is this type of culture endemic? The company reveals some data, and then when he tells them he knows they hold more, the company comes back with a little more, so the game continues.
Conclusion
There you have it. Is this progress? Yes, it is, but is it progress that is of any use to the customer at all; no. This will only happen when the present law is fully enforced alongside severe punishments. We do not need any legal or regulatory changes, the ICO can fine up to 500K for data breaches now, so all they need to do is get on with it. At present the ICO is fining charities for data breaches, but not gambling companies. Where is the logic in that? Surely if both sectors are committing data breaches they should be treated in a similar way?
As is quite evident all this data collection and analysis, be it overt or covert, is allowing gambling companies to cease trading with anyone who may win at sports betting and to frame their marketing to encourage losing customers (98%) to lose more. This is immoral and must be stopped. Incredibly through a combination of better data protection enforcement and the adoption of the minimum bet/liability laws that already exist in Australia, we can stop it now.
But, do our regulators and government have the will to make the correct moral decisions? We will see.