GDPR and the iGaming industry: what will change as from this May?
We've all heard about it in one way or another: the General Data Protection Regulation (GDPR) is due to come into force on the 25th of May 2018, at which point all EU companies and non-EU companies that deal with EU citizens' personal data will need to comply with this law. Inevitably, being an industry that’s heavily reliant on consumer data when it comes to developing and marketing its products, the GDPR will significantly affect the iGaming sector. We’ve done a bit of research in order to figure out exactly what’s likely to change for both operators and players in the next weeks.
What changes can we expect under the new GDPR?
Regulation (EU) 2016/679 (known as "GDPR") is primarily about granting more rights to consumers with regard to how their personal data is collected, processed, stored and transferred both within and outside the EU. This law will replace the1995 Data Protection Directive (Directive 95/46/EC). The UK government has also confirmed that despite Brexit, it will also fully adhere to the principles of this new law. Below, we've taken a quick look at the main amendments of the GDPR and how these will affect players and operators.
Heftier fines will ensure more compliance
From May 25th onwards, companies will be regulated by a so-called ‘supervisory authority’ in each EU Member State, and fines for breaching the regulation will go up to 4% of the annual global turnover or 20 million euros (whichever of these two is greater). This will force companies to be extremely cautions with the way they collect and process data. In the iGaming sector, just like in all other sectors, customers will be able to file direct claims against both operators and affiliates if they believe that their privacy rights are being breached, which will then be investigated by the authority.
A clearer, more transparent way of obtaining consent
Under the new regulation, consent will become a necessary requirement for companies to be able to process clients’ data. This means that operators may no longer obtain consent via opt-outs or assume that it has been given just because the customer has remained silent. Instead, customers need to actively give consent, for instance by ticking a box.
In the case of online casinos, players who are already registered with a casino can expect to be notified of such a process and will need to give their consent in order to continue receiving marketing communications. Of course, information on how data will be collected and used, what kind of marketing communications will be sent and via which channels needs to be specific, clear and easily understood by the average person, and companies must do away with any legal jargon. If consent is not given, all types of marketing communications sent directly to players should stop as from the 25th of May.
This aspect can bring with it several advantages for players; they can now opt to receive communications that are more relevant to their preferences. This will encourage operators to target marketing material and promotions more effectively to prevent too many players from unsubscribing, and with some effort, casinos may even establish a stronger relationship with their players in this way.
The Data Portability Right
Once the GDPR comes into effect, customers will also have the right to receive a copy of all personal data relating to them that is held by a company. This is known as data portability right, and may apply where data has been collected following consent:
“the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: (a) the processing is based on consent [—] or on a contract [—]; and (b) the processing is carried out by automated means." (Article 20 of the GDPR).
The data concerned includes players’ gambling history and their financial situation. However, this right shall not apply in cases where data has been processed on grounds of ‘legitimate interest’, which refers to any type of processing for a reasonable purpose and could apply to a wide spectrum of cases.
In the iGaming industry, this right may lead to an advantage for new entrants in the market. New casinos can obtain customers' data more easily by convincing players to exercise this right and transfer their personal data to them in return for an attractive casino bonus. On the other hand, well-established operators will be challenged to develop attractive loyalty schemes to retain players – which is not bad news for players overall!
The right to be forgotten
Another fundamental right under the new GDPR, the right to be forgotten, means that players who have given their personal data in the past can request the casino to get rid of it. As stated in Article 17 of the GDPR, this right will only apply when:
(a) "the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based [...], and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1)".
However, in the case of online casinos, the right to be forgotten brings with it several implications, and it does not mean that players can exercise it in all cases. In fact, the UK Gambling Commission is currently demanding that gambling companies should retain customers’ data for five years after the relationship ends (i.e. after a player has stopped all activity with the operator), “where the data in any way relates to regulatory compliance.” This is necessary with regard to potential cases of money laundering, since the right to be forgotten, if exercised in all circumstances, can encourage launderers to take advantage of it following a withdrawal so that their history will not become known. For this reason, we believe that the right to be forgotten under the GDPR will be subject to several limitations.
Our conclusion on these impending changes
It looks like the GDPR might bring with it several advantages for players in the long run, as online operators will be forced to make an effort to retain players, which could mean more attractive offers and loyalty schemes! And of course, the increased efforts to ensure compliance will also translate into clearer terms and conditions, as well as more transparent information about how player data will be used.
On the other hand, casino and sportsbook operators will have to be extra cautious to ensure compliance and might face challenges when it comes to preventing too many customers from exercising the right to be forgotten and the data portability right. That said, many operators are well-prepared for this change, and many have already implemented changes to ensure compliance and gain players' trust. It seems like increased transparency and more control over one's personal data are the way forward under the GDPR, and we're sure that the best online casinos are ready to take up any challenges this will bring with it and establish an even stronger relationship with their customers!