Don’t gamble with data protection – betting industry comes under ICO spotlight
The UK Information Commissioner's Office (ICO) has announced an investigation of more than 400 companies suspected of using people's personal details to promote online gambling websites. This is part of a wider inquiry into the use of personal data by the gambling sector as a whole.
The move has been triggered by a string of complaints to the ICO from private citizens who have received unsolicited text messages from gambling service providers.
The regulator has required the companies concerned to produce information relating to how they obtain and use people's personal details, as well as how they send marketing texts. This includes where they got people's personal information from and how many texts they sent.
The ICO has indicated that it expects strict compliance, whether data processing is carried out internally or has been delegated to an external supplier. Indeed, the ICO considers that the complaints could have originated from practices around "affiliate marketing", which occurs where firms offer to pay organisations that bring them new customers, sometimes leading to a situation where neither party is taking any responsibility for complying with the rules.
The regulator has further suggested that the inquiry could culminate in its taking enforcement action. That could include criminal prosecution, non-criminal enforcement and audit, and financial penalties of up to £500,000. If businesses do not respond to the request for information, the ICO can use its powers to force this to be produced.
This is not the first time the gambling industry has come under the spotlight for data compliance issues. In 2012, Privacy International (an activist group) made allegations that online gaming companies were setting up in offshore tax havens such as Gibraltar, Malta, Jersey, the Isle of Man, Antigua and Barbuda, and Guernsey and exploiting the weaker privacy protections within those jurisdictions.
Privacy International also called upon the ICO to do more to monitor the activities of gambling companies after the regulator failed to act on a complaint it filed in 2012 (closing its file after just three months). This stands in stark contrast to the serious inroads which the ICO is now making into policing the industry.
The investigation is a wake-up call not only to the gambling industry but to businesses as a whole. Businesses in any sector are frequently under pressure to find new customers and maintain margins, which may lead to a temptation to cut corners with legal compliance or to pass the buck to a supplier and turn a blind eye to potential problems. The clear message from the ICO is that this is a high-risk strategy. Companies must seek advice on practices such as affiliate marketing and conduct careful due diligence on suppliers who will carry out data processing activities on their behalf.
Failure to do so could be a false economy that is ultimately outweighed by a heavy fine.
This article was written by Paul Henty. For more information, please contact Paul on +44 (0)20 7427 6506 or at email@example.com