DEV Community

Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR for Charity Lotteries and Raffles: Ticket Buyer Data, Prize Claims, and Gambling Commission Overlap

Charity lotteries sit at an unusual crossroads: you are running a fundraising activity, a gambling operation, and a marketing programme all at once. Each of those functions generates personal data, each is governed by different rules, and the GDPR obligations that arise from all three interact in ways that many charities have not fully thought through.

This guide covers the key data protection issues for charity lottery operators in the UK — from ticket buyer data and age verification to prize winner publicity and direct marketing follow-up.


Why Charity Lotteries Are a Unique GDPR Risk

Most charities understand they need a privacy policy. Fewer have thought carefully about the specific data flows created by a lottery or raffle.

Running a lottery means you collect more data than a standard donation or event registration. You collect payment and address data for ticket fulfilment. You collect date of birth or age verification data because gambling regulation requires you to. You may photograph or publicly name prize winners. And you have a strong commercial incentive to market to ticket buyers again — because lottery participants are a proven source of recurring income.

Each of those activities has a distinct lawful basis, distinct retention requirements, and distinct risks if handled carelessly. Getting one wrong does not just create a GDPR problem — it may also trigger a Gambling Commission concern about how participant data is being used.


Gambling Commission Registration and Data Obligations

Before considering GDPR, charity lotteries in Great Britain that are not small (i.e. not small society lotteries run under a local authority licence or a simple registered lottery) must be registered with or licensed by the Gambling Commission.

For small society lotteries — those where proceeds do not exceed £20,000 per lottery and total proceeds in a year do not exceed £250,000 — registration is with the local authority rather than the Gambling Commission directly. But the Gambling Commission's Licence Conditions and Codes of Practice still apply to the underlying activity.

The Gambling Commission requires licensed operators to maintain records that overlap significantly with GDPR documentation requirements:

  • Records of participants (ticket buyers)
  • Age verification records
  • Prize payment records
  • Operator and promoter details

These records must be kept for a minimum period under gambling regulation — typically five years for financial records — which creates a tension with GDPR's storage limitation principle. The answer is not to delete records early to satisfy GDPR, but to document the regulatory retention requirement as the justification for keeping them.


Lawful Bases for Ticket Buyer Data

Charity lottery operators often assume that because ticket buyers have chosen to participate, consent covers everything. It does not.

Contract is the appropriate lawful basis for processing ticket buyer data that is necessary to run the lottery itself: name, address, payment details, and ticket allocation. The person has entered a contract (they paid for a ticket and expect to be entered in the draw). Processing their data to fulfil that contract does not require separate consent.

Legal obligation applies to age verification records and financial records that gambling regulation requires you to keep. This basis is narrow — it applies only to the specific processing that the legal obligation requires.

Legitimate interest can cover operational purposes such as fraud prevention, security, and record-keeping for internal audit. It should be assessed using a three-part test: purpose, necessity, and balancing against data subject interests. Document the legitimate interest assessment.

Consent is required for any marketing communications beyond what is strictly necessary to run the lottery. This is a critical distinction. Consent is not required to send a winner notification or a receipt. It is required to send a fundraising newsletter, a future lottery promotion, or a membership recruitment email.


What Data You Collect in Lottery Ticket Sales

A typical online charity lottery collects:

  • Name and postal address — for ticket delivery (physical) or winner contact (digital)
  • Email address — for ticket confirmation, draw notifications, winner contact
  • Payment card details — processed via a payment gateway (not stored by you)
  • Transaction reference — for reconciliation and refund handling
  • Date of birth or age confirmation — for age verification (over 16 in Great Britain, over 18 for some lottery types)
  • IP address and device data — collected automatically by your website and third-party platforms
  • Ticket number allocation — for draw administration

Each category should be documented in your Record of Processing Activities, with the lawful basis, retention period, and any third parties the data is shared with.


Using Lottery Buyer Data for Future Fundraising: The Consent Trap

This is where most charity lottery operators get into difficulty.

A supporter buys lottery tickets. You have their name and email address. You want to invite them to donate, sponsor a fundraising event, or buy tickets in the next lottery. Can you email them?

Under GDPR and the Privacy and Electronic Communications Regulations (PECR), the answer depends on the type of communication and how you collected the data:

For the next lottery draw: If you are running a regular lottery and the participant bought into it, you may be able to contact them about future draws under the soft opt-in rule in PECR Regulation 22 — but only if:

  1. You collected their contact details in the course of a sale (ticket purchase)
  2. You are marketing similar products or services (more lottery tickets)
  3. They have not opted out
  4. You gave them a clear opportunity to opt out when you collected their data

The soft opt-in applies to commercial electronic marketing by commercial senders. Charities have sometimes assumed it does not apply to them or that they are exempt. They are not exempt from PECR. The soft opt-in can apply to charities marketing their own similar activities, but the similar-products requirement is strict.

For general fundraising appeals: The soft opt-in does not cover a general fundraising email to lottery participants. You need explicit consent. Many charities conflate lottery participation with donation supporter status. They are different relationships.

For membership recruitment: Inviting a lottery ticket buyer to become a charity member or regular donor requires consent unless you can construct a legitimate interest case — which is difficult when the person has never expressed interest in becoming a member.

The practical consequence: your lottery ticket purchase flow should include a clearly worded marketing consent checkbox that is unchecked by default.


Prize Winner Data: Publicity, Photos, and Privacy Rights

When someone wins a prize, a new set of data protection questions arises.

Announcing a winner is a legitimate and expected part of running a lottery. The Gambling Commission expects winners to be contactable and identifiable for audit purposes. But public announcement of a winner's full name, town, photograph, and prize value goes beyond operational necessity.

Publication of winner names: Many charities publish "Jane Smith from Manchester wins £500!" on their website or social media. This is processing personal data for promotional purposes. The lawful basis is typically legitimate interest — the charity has a legitimate interest in demonstrating that prizes are genuinely awarded. But the balancing test requires you to consider whether full name and location are necessary, or whether "Jane from Manchester" would serve the same transparency purpose with less privacy impact.

Winner photographs: Using a winner's photograph in promotional materials requires explicit consent. You cannot rely on legitimate interest for identifiable photographs used for marketing. Obtain written consent, specify how the image will be used and for how long, and give the winner the right to withdraw consent.

Winner address data: Full postal address should not be published. It is required for cheque dispatch or prize delivery, but that is an operational purpose — not a publicity purpose.

Right to remain anonymous: Data subjects have the right to object to processing for direct marketing under GDPR Article 21. A winner who does not want their name published should be able to decline. Your lottery terms and conditions should state whether winner names may be published and give participants the ability to opt out of publicity at the point of entry.


Third-Party Lottery Platforms as Processors

Many charities run their lottery through third-party platforms: Enthuse, JustGiving Lottery, Lottery Hero, Easyfundraising, or similar services.

When a third party processes personal data on your behalf — collecting ticket buyer details, running the draw, processing payments — they are acting as a data processor under GDPR Article 28. You, the charity, remain the data controller.

This means:

  1. You must have a Data Processing Agreement (DPA) in place with the platform
  2. The DPA must specify the scope of processing, security requirements, data subject rights obligations, and sub-processor arrangements
  3. You must carry out due diligence on the processor's security practices
  4. You remain responsible if the processor mishandles data

Most established lottery platforms have standard DPAs available. Request one, review it, and retain a copy. If a platform cannot provide a DPA, do not use it for processing personal data.

Also check where the platform stores data. Post-Brexit, transfers from the UK to countries outside the UK adequacy framework require additional safeguards.


Data Retention: Gambling Commission vs GDPR

The Gambling Commission requires operators to retain certain records — including participant records and financial transactions — for defined periods, typically five years for financial records and longer for some compliance documentation.

GDPR's storage limitation principle says you should not keep personal data longer than necessary. These two obligations can appear to conflict.

They do not actually conflict: regulatory retention requirements constitute a legal obligation under GDPR Article 6(1)(c), which provides a lawful basis for retention. But the obligation to retain for regulatory purposes does not extend to all data. You must:

  • Identify specifically which data must be retained under gambling regulation and for how long
  • Anonymise or delete data that is not required by regulation once the operational purpose has ended
  • Document the retention schedule in your ROPA

In practice: ticket buyer name, contact details, transaction amount, and ticket allocation may need to be retained for five years. Marketing preferences, website analytics, and IP address logs do not.


Age Verification Data and Its Special Handling

All UK gambling activities require participants to be 16 or 18 (depending on lottery type). Collecting and verifying age creates a specific data handling obligation.

Do not store more than you need. For most charity lotteries, collecting a date of birth and checking it is sufficient. You do not need to retain a copy of a driving licence or passport unless the Gambling Commission's licensing conditions specifically require documentary evidence for your lottery type.

Retain what regulation requires, delete the rest. If your platform performs a date-of-birth check and records a pass/fail, the date of birth itself can often be pseudonymised or deleted once the verification is complete, with only the verification record retained.

Age verification data is sensitive. It links to a specific individual and their legal right to participate. Apply appropriate security controls and limit staff access.


Direct Marketing to Past Ticket Buyers: PECR and Soft Opt-In

The soft opt-in rule under PECR Regulation 22 allows organisations that have obtained contact details in the course of a sale to market similar products and services without fresh consent — provided the recipient was given a clear opportunity to opt out at the time.

For charity lotteries, this creates a narrow but real permission to contact past ticket buyers about future lottery draws. The requirements:

  • The contact details must have been collected in the course of a commercial transaction (ticket purchase)
  • The marketing must relate to similar products or services — future lottery tickets, not general charity fundraising
  • The individual must have been given a clear opportunity to opt out at the point of purchase
  • The individual must not subsequently have opted out

If you operate a regular monthly lottery and a buyer purchased tickets last month, you can email them about this month's draw provided the above conditions are met. You cannot email them about your annual gala dinner, your Christmas appeal, or your membership campaign without separate consent.

Document your soft opt-in reliance in your marketing records. If challenged by the ICO, you need to demonstrate that each of the four conditions was met.


DSARs from Lottery Participants

Lottery participants have the same data subject rights as any other individual whose data you process. That includes the right to:

  • Request a copy of all personal data you hold about them (Subject Access Request)
  • Request correction of inaccurate data
  • Request deletion, subject to retention requirements (lottery records you are required to keep cannot be deleted on demand)
  • Object to processing for direct marketing (this must be honoured immediately)

DSARs from lottery participants can be complex because data may be spread across multiple systems: your lottery platform, your CRM, your email marketing tool, your payment processor, and your finance system.

Establish a data map that covers all the places lottery participant data is stored. When a DSAR arrives, you need to be able to query each system within the one-month response deadline.

If your lottery platform holds data as a data processor, you as the controller are responsible for the SAR response. The processor is obliged to assist you.


Cross-Selling Charity Membership to Lottery Entrants

A common charity strategy is to use the lottery as an entry point to a deeper supporter relationship — converting ticket buyers into regular donors or members.

This is legitimate, but requires clean data practices:

  1. Keep marketing consent separate from lottery participation. Ticket purchase does not imply consent to join the charity's mailing list.
  2. Use a double opt-in or clear affirmative action for membership recruitment communications.
  3. Do not pre-tick marketing checkboxes. GDPR requires freely given, specific, informed, and unambiguous consent. Pre-ticked boxes do not meet this standard.
  4. Record consent granularly. If a participant consents to lottery draw notifications but not general fundraising, honour that distinction.


Online Lottery Platforms: Cookie Consent and Analytics

If your lottery is run through a dedicated microsite or embedded widget, cookie consent applies as it does to any website.

Common issues:

  • Analytics cookies firing before consent — Google Analytics, Matomo, and similar tools must not set cookies until consent is obtained
  • Marketing pixels on the lottery page — Facebook Pixel or Google Ads conversion tracking requires consent for analytics and marketing categories
  • Third-party embeds — If you embed a lottery widget from a third-party platform, that embed may set its own cookies. You need to know what those are and include them in your cookie notice
  • Session and payment cookies — Strictly necessary cookies for the transaction itself do not require consent, but must be disclosed

Run a cookie audit on your lottery page specifically. Third-party widgets often introduce cookies that your general website audit may miss.


10 Common GDPR Mistakes Charity Lottery Operators Make

  1. Treating lottery participation as implicit consent to all marketing. It is not. Marketing consent must be separate and explicit.

  2. No Data Processing Agreement with the lottery platform. The platform is a data processor. A DPA is mandatory under GDPR Article 28.

  3. Publishing winner names and photos without consent. Photographs require explicit consent. Full name publication requires a legitimate interest assessment.

  4. Retaining ticket buyer data indefinitely. Set a retention schedule. Most operational data can be deleted or anonymised after the lottery cycle ends. Regulatory data should be retained for the required period only.

  5. No opt-out mechanism on the ticket purchase form. Even if relying on soft opt-in, participants must be given a clear opportunity to opt out of future marketing at the point of purchase.

  6. Age verification data stored unnecessarily. Retain the verification result, not the underlying document or date of birth, unless regulatory requirements specify otherwise.

  7. No DSAR process covering lottery systems. If you cannot respond to a data subject access request from a ticket buyer within one month, you are non-compliant.

  8. Using lottery data for unrelated fundraising campaigns. Sending lottery participants a general fundraising appeal without consent breaches PECR and GDPR.

  9. Cookie consent not covering the lottery page. Third-party lottery widgets frequently introduce additional cookies. Audit the lottery page specifically.

  10. No privacy notice specific to lottery participants. Your general website privacy policy may not adequately describe the lottery-specific data flows. Add a lottery-specific section or supplement.


Take Action

If you run a charity lottery and are not certain your data practices are compliant, start with your website. A free scan from Custodia will show you every cookie, tracker, and third-party connection active on your lottery pages — including any that are firing without consent.


Last updated: March 2026
