GDPR for Gambling and Sports Betting Companies: Player Data, Responsible Gambling, and Regulatory Compliance
Gambling companies hold some of the most sensitive personal data of any industry. Financial transactions, behavioural patterns, addiction signals, identity documents, bank statements, and responsible gambling flags — all collected and processed in a sector that is already under intense regulatory scrutiny.
The combination of the UK Gambling Commission's licence conditions, GDPR's requirements under UK and EU law, and the FCA's anti-money laundering regime creates a compliance matrix that many operators struggle to navigate. This guide covers the key GDPR obligations for gambling and sports betting companies — practical, specific, and structured around how the industry actually operates.
Why Gambling Companies Face Heightened GDPR Scrutiny
Most industries process personal data for marketing and service delivery. Gambling companies do that — and then process data that can indicate financial vulnerability, gambling disorder, and psychological harm. That changes the risk calculus significantly.
The ICO has consistently identified gambling as a sector of concern, not because operators are uniquely negligent, but because:
- Financial harm data: Transaction histories reveal spending patterns that can indicate problem gambling. Processing this data creates obligations that go beyond standard financial services.
- Addiction signals: Responsible gambling systems track session length, deposit frequency, loss patterns, and self-imposed limits. This data is behavioural health data in all but name.
- Vulnerable population exposure: Unlike most consumer services, gambling operators know they are regularly interacting with people experiencing harm. GDPR's accountability principle requires that you act on that knowledge.
- Regulatory overlap: Gambling Commission licence conditions, ICO guidance, and FCA AML requirements each impose data-related obligations that don't always point in the same direction.
The ICO and Gambling Commission have joint enforcement capacity. An operator that fails on player data protection can find itself facing investigation from both regulators simultaneously.
Gambling Commission Licence Conditions and GDPR Overlap
The Gambling Commission's Licence Conditions and Codes of Practice (LCCP) create data-related obligations that interact directly with GDPR.
LCCP Social Responsibility Code 3.4 requires operators to implement effective responsible gambling tools, including self-exclusion. Processing the data required to operate these tools — tracking player behaviour, linking self-exclusion records, monitoring for breaches — requires a lawful basis under GDPR.
LCCP Ordinary Code 2.1 covers player protection, including identifying customers who may be at risk. To comply, operators must process behavioural data. That processing must be documented in your Records of Processing Activities (ROPA).
LCCP AML requirements mandate KYC checks, source of funds verification, and transaction monitoring. This data is collected under legal obligation (Article 6(1)(c) of GDPR) — but the retention periods, access controls, and data minimisation requirements still apply.
The practical implication: your GDPR documentation must reflect your Gambling Commission obligations. The lawful bases you rely on, the retention periods you set, and the third parties you share data with should all be traceable back to specific regulatory requirements.
Self-Exclusion Databases and GAMSTOP
GAMSTOP is the UK's national self-exclusion scheme. Operators licensed by the Gambling Commission are required to check GAMSTOP before allowing customers to gamble and to refer customers to GAMSTOP when they self-exclude.
From a GDPR perspective, this creates several obligations:
Data sharing with GAMSTOP: When a customer self-excludes, you share their personal data (name, email, date of birth, postcode) with GAMSTOP. This data sharing must be disclosed in your privacy notice. GAMSTOP is a data controller in its own right; your privacy notice should identify this sharing and its purpose.
Receiving GAMSTOP data: When you check a new customer against GAMSTOP, you process their data for the purpose of protecting a vulnerable individual. The lawful basis is legitimate interest (protecting the player) or legal obligation (licence condition), depending on how you document it.
Retention of self-exclusion records: Self-exclusion records must be retained for the duration of the exclusion plus a reasonable period after. Deleting them prematurely creates regulatory risk. GDPR's storage limitation principle requires you to justify that retention — which you can, by reference to the regulatory requirement.
Re-registration attempts: If a self-excluded player tries to re-register, you need to retain enough data to identify them. This creates a tension with the right to erasure. You cannot fully erase a self-exclusion record while the exclusion is still in force — and the ICO has confirmed that regulatory compliance can override erasure requests in this context.
KYC Data: Passports, Bank Statements, and Source of Funds
Know Your Customer checks collect some of the most sensitive personal data that exists: government-issued identity documents, bank statements showing full financial history, payslips, tax returns, and beneficial ownership information.
Lawful basis: KYC is conducted under legal obligation (the Proceeds of Crime Act, Money Laundering Regulations, and Gambling Commission requirements). Article 6(1)(c) of GDPR provides the lawful basis. For identity documents specifically, Article 9 does not typically apply — but the sensitivity of the data requires appropriate technical and organisational security measures.
Data minimisation: The temptation is to retain all KYC documents indefinitely. GDPR requires you to retain only what is necessary. For AML purposes, the Money Laundering Regulations require five years from the end of the business relationship. After that, documents should be deleted unless there is a specific, documented reason to retain them.
Access controls: KYC documents should be accessible only to compliance and customer verification teams. Broad internal access — allowing customer support agents to view passport scans, for example — is difficult to justify under the data minimisation and security principles.
Third-party verification: Most operators use third-party identity verification services (Jumio, Onfido, Yoti, etc.). These are data processors. You need a Data Processing Agreement (DPA) with each one, and your privacy notice must disclose that identity verification is conducted by a third party.
Responsible Gambling Flags as Special Category Data
This is the most legally complex area of gambling GDPR compliance, and the one where operators most often get it wrong.
Responsible gambling systems track and flag players who may be experiencing harm. These flags — "player showing signs of problem gambling," "deposit velocity exceeds threshold," "player has set cooling-off period" — constitute health-related data in substance even if not in label.
The ICO's guidance on special category data covers information that reveals physical or mental health. Problem gambling is recognised as a behavioural health condition (ICD-11, DSM-5). A flag indicating that a player may be experiencing gambling disorder is health data.
If responsible gambling flags constitute special category data, you need an Article 9 condition to process them. The most applicable grounds are:
- Article 9(2)(b): Processing necessary for obligations in the field of employment, social security, and social protection law — applicable where Gambling Commission licence conditions require you to identify at-risk players.
- Article 9(2)(g): Processing necessary for reasons of substantial public interest — applicable to the public health dimension of responsible gambling.
In practice, most operators don't document responsible gambling processing as special category data. This is a compliance gap. Review how your RG system is documented in your ROPA.
Player Profiling and Personalised Marketing
Gambling companies have sophisticated player profiling capabilities: game preferences, betting patterns, session timing, RTP sensitivity, bonus responsiveness. This data is used for personalised marketing, product recommendations, and retention campaigns.
Under GDPR, profiling for marketing purposes requires:
- A valid lawful basis: Usually consent (for direct marketing) or legitimate interest (for product personalisation within an existing customer relationship).
- A legitimate interests assessment: If you rely on legitimate interest for personalisation, you need a documented LIA that balances your commercial interest against the player's right to privacy — and in gambling, the player's interest in not being manipulated into gambling more.
- Profiling transparency: Your privacy notice must explain that you profile players, what data you use, and what decisions or content the profiling influences.
- Article 22 consideration: If personalisation crosses into automated decision-making with significant effect (e.g., automated account restriction, automated bonus withdrawal), Article 22 applies and you must provide human review mechanisms.
The line between legitimate service personalisation and surveillance-style profiling that exploits vulnerable players is not just an ethical question — it is a regulatory one. The Gambling Commission's 2023 guidance on customer interaction explicitly calls out using player data to maximise spending as a practice that may breach social responsibility licence conditions.
Bonus and Promotional Marketing: Consent vs Legitimate Interest
Email and SMS promotions are a significant revenue driver for gambling operators. They are also a frequent source of GDPR and PECR enforcement action.
The PECR position: Under PECR, electronic marketing to individuals (not businesses) requires prior consent. This means opt-in consent obtained at registration or subsequently. Existing customer exemptions under PECR apply only where you are marketing "similar products or services" to customers who have not opted out — and in gambling, the ICO has taken a narrow view of what "similar" means.
Consent quality: Many gambling operators obtained marketing consent through bundled terms and conditions at registration. This does not meet the GDPR standard for valid consent — freely given, specific, informed, unambiguous, and unbundled from terms acceptance. If your marketing list was built this way, it needs to be cleansed.
Opt-out processing: When a player opts out of marketing, you must process that opt-out promptly (within days, not the 28-day period some operators apply). Continued marketing after opt-out is a PECR breach.
Promotional terms and consent: Creating a promotional offer and making it conditional on receiving marketing communications is a consent validity problem — consent must be freely given, and conditioning a benefit on consent makes it coerced.
Age Verification Data Retention
Gambling operators must verify that customers are 18 or over before permitting gambling. This typically involves collecting date of birth at registration and, for higher-value or higher-risk customers, documentary evidence of age.
Retention principle: Once age has been verified, the primary purpose of the age verification data has been fulfilled. Retaining documentary age verification evidence indefinitely is difficult to justify. You should have a policy of deleting documentary age evidence after the verification process is complete, unless there is a specific ongoing regulatory reason to retain it.
The conflict: AML requirements may require retention of identity documents for five years from end of relationship. Age verification documents and AML identity documents may be the same document — a passport, for example. In that case, the AML retention period governs.
Children's data: If your age verification fails and a minor accesses gambling services, you have processed a child's data. The ICO's Children's Code applies additional requirements to platforms accessible to children. For gambling operators, preventing child access is a Gambling Commission licence condition, and breaches carry significant regulatory consequences beyond GDPR.
Transaction Records and AML Obligations vs GDPR Storage Limitation
One of the most practically significant GDPR tensions in gambling is between AML retention requirements and GDPR's storage limitation principle.
AML retention: The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 require retention of customer due diligence records and transaction records for five years from the end of the business relationship. This is a legal obligation that overrides GDPR storage limitation.
GDPR storage limitation: Article 5(1)(e) requires that personal data be retained no longer than necessary. For transaction records, the AML obligation defines what is necessary.
Beyond AML retention: After the five-year AML period expires, transaction records should be reviewed for deletion. Retaining them indefinitely because they might be useful for customer service queries or dispute resolution is not a sufficient justification.
Practical framework: Create a clear data retention schedule that maps each category of player data to its retention period and the regulatory basis for that period. For transaction records: five years post-relationship end. For marketing data: duration of consent. For game session logs: typically 12 months unless there is a specific dispute resolution basis.
Third-Party Data Sharing: Affiliates, Payment Processors, and Fraud Prevention
Gambling operators share player data with a network of third parties. Each sharing arrangement requires legal grounding and documentation.
Affiliates: Affiliate marketing networks receive tracking data that can be used to attribute player sign-ups. Under GDPR, affiliates who receive personal data about players are data processors or joint controllers. Most affiliate agreements do not adequately address this. Review your affiliate contracts for DPA provisions.
Payment processors: Payment processors are data processors. You need DPAs with each processor. Payment data sharing for refund processing or chargeback resolution has a clear legal basis; sharing payment data with processors for purposes beyond payment processing requires specific justification.
Fraud prevention services: CIFAS and similar fraud prevention services operate as credit reference agency equivalents for fraud data. Sharing player data with CIFAS is permitted under legitimate interest (preventing fraud), but must be disclosed in your privacy notice and documented in your ROPA.
Self-exclusion sharing: Beyond GAMSTOP, operators may share self-exclusion data with affiliated brands under a group structure. This sharing requires either a joint controller agreement or a DPA, and players must be informed of it.
Data Subject Rights in Gambling: The Right to Erasure vs Regulatory Retention
Data subject rights are frequently exercised in gambling — often by players who have experienced significant losses and want their data deleted or their account history removed.
Right to erasure limitations: GDPR's right to erasure (Article 17) is not absolute. It does not apply where processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims. In gambling, this means:
- AML transaction records cannot be erased during the retention period
- Self-exclusion records cannot be erased while the exclusion is active
- Records relevant to ongoing regulatory investigations or player complaints cannot be erased
Right of access: Data subject access requests (DSARs) in gambling can be complex — game session logs, transaction histories, responsible gambling flags, internal notes on player behaviour. You have one month to respond. Build a DSAR process that can locate and compile all player data across your systems within that timeframe.
Right to restriction: Players can request restriction of processing (for example, while disputing a transaction). During restriction, you cannot use that data for marketing or profiling, though you can retain it.
Practical approach: When you receive an erasure request, map it against your retention schedule. Identify which data can be erased immediately (expired marketing consents, superseded verification documents), which must be retained (AML records, active self-exclusion data), and provide a clear written response explaining what has been deleted and what has been retained and why.
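The retention schedule from the "Practical framework" above and the erasure-request triage described here, as an added Python example that is not part of the original article and not Custodia's code. The data categories, retention periods, anchor dates, the six-month buffer after a self-exclusion ends and the sample request are all assumptions chosen to mirror the article's framework; an operator's real schedule comes from its own regulatory mapping. It goes slightly beyond the text by also handling the age-verification document that doubles as the AML identity document, where the AML clock governs.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention schedule: category -> (period after anchor date, basis for the ROPA).
# A period of 0 days means "erase as soon as the anchor event has happened".
@dataclass(frozen=True)
class Rule:
    days: int
    basis: str

SCHEDULE = {
    "aml_transaction_record":    Rule(5 * 365, "MLR 2017: five years from end of business relationship"),
    "kyc_document":              Rule(5 * 365, "MLR 2017: five years from end of business relationship"),
    "age_verification_document": Rule(0,       "LCCP: delete once age verified, unless also relied on for AML"),
    "self_exclusion_record":     Rule(180,     "LCCP/GAMSTOP: exclusion period plus assumed six-month buffer"),
    "game_session_log":          Rule(365,     "Operator policy: 12 months unless a dispute is open"),
    "marketing_consent":         Rule(0,       "GDPR consent: erase once withdrawn"),
}

@dataclass
class PlayerRecord:
    category: str
    anchor: str                    # ISO date the retention clock starts from
                                   # (relationship end, exclusion end, consent withdrawal, ...)
    dispute_open: bool = False     # relevant to a complaint or regulatory investigation
    aml_relied_upon: bool = False  # age document that is also the AML identity document

@dataclass
class Decision:
    category: str
    erase: bool
    reason: str

def triage_erasure(records: list, today: str) -> list:
    """Map each record against the schedule and decide erase/retain with a reason
    that can be quoted in the written response to the data subject."""
    today_d = date.fromisoformat(today)
    decisions = []
    for rec in records:
        rule = SCHEDULE.get(rec.category)
        if rule is None:
            # Unmapped data is a schedule gap, not a reason to delete or keep silently.
            decisions.append(Decision(rec.category, False, "no schedule entry; escalate before acting"))
            continue
        if rec.dispute_open:
            # Article 17 does not apply where data is needed for legal claims or an investigation.
            decisions.append(Decision(rec.category, False, "retained: needed for legal claims or open investigation"))
            continue
        if rec.category == "age_verification_document" and rec.aml_relied_upon:
            rule = SCHEDULE["kyc_document"]   # the AML retention period governs (anchor = relationship end)
        expiry = date.fromisoformat(rec.anchor) + timedelta(days=rule.days)
        if today_d >= expiry:
            decisions.append(Decision(rec.category, True, f"erased: retention period expired ({rule.basis})"))
        else:
            decisions.append(Decision(rec.category, False, f"retained until {expiry.isoformat()} ({rule.basis})"))
    return decisions

def write_response(decisions: list) -> str:
    """Plain-text summary for the player: what was deleted, what was kept, and why."""
    return "\n".join(
        f"{'DELETED ' if d.erase else 'RETAINED'} {d.category}: {d.reason}" for d in decisions
    )

if __name__ == "__main__":
    # Constructed sample erasure request, received on 1 March 2026.
    request = [
        PlayerRecord("aml_transaction_record", "2024-06-30"),                 # relationship ended mid-2024
        PlayerRecord("self_exclusion_record", "2026-09-01"),                  # exclusion still running
        PlayerRecord("marketing_consent", "2026-02-20"),                      # consent withdrawn last month
        PlayerRecord("game_session_log", "2024-12-01"),                       # old session
        PlayerRecord("game_session_log", "2026-01-15", dispute_open=True),    # session under dispute
        PlayerRecord("age_verification_document", "2025-11-01"),             # verified, no AML reliance
        PlayerRecord("age_verification_document", "2024-06-30", aml_relied_upon=True),
    ]
    print(write_response(triage_erasure(request, "2026-03-01")))
```

The point of keeping the regulatory basis on every rule is that the same object drives both the ROPA entry and the wording of the response letter, so the two cannot drift apart.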
ICO and Gambling Commission Joint Enforcement
The ICO and Gambling Commission have a formal information-sharing arrangement. A player complaint to one regulator can trigger scrutiny from the other.
Notable enforcement patterns:
- Spam marketing complaints: Players who opt out of gambling marketing and continue to receive it frequently complain to the ICO. PECR enforcement in gambling has resulted in fines in the hundreds of thousands of pounds.
- Data breach investigations: A gambling operator data breach is likely to trigger both ICO investigation (under GDPR) and Gambling Commission review (under LCCP requirements for player data security).
- Vulnerable player data misuse: Using responsible gambling data to target lapsed players with win-back campaigns is a practice that has attracted attention from both regulators.
The practical implication: your GDPR compliance programme should be designed with both regulators in mind. ICO-facing documentation (privacy notices, ROPA, DPIAs) and Gambling Commission-facing documentation (social responsibility policies, AML procedures) should be consistent.
PECR and SMS/Email Marketing for Promotions
The Privacy and Electronic Communications Regulations 2003 apply to all electronic marketing — email, SMS, and automated calls. For gambling operators, the key requirements are:
- Prior consent for individual customers: Any marketing to individuals requires explicit opt-in consent. The soft opt-in (existing customer exemption) requires that you are marketing similar products to customers who have not opted out, and that you gave them an opt-out opportunity when you collected their data.
- Suppression lists: You must maintain suppression lists of people who have opted out. These lists must be checked before every send.
- Third-party consent: If you acquire marketing lists from third parties (lead generation, affiliate partners), you must verify that valid consent was obtained specifically for gambling marketing from your brand. Generic financial services marketing consent does not cover gambling.
- Identification requirements: Every marketing message must clearly identify the sender. Using trading names that obscure the licensed operator identity is a PECR breach.
10 Common GDPR Mistakes Gambling Companies Make
1. Treating self-exclusion data as ordinary customer data. Self-exclusion records have specific retention obligations and cannot be deleted on request during an active exclusion.
2. Documenting responsible gambling flags without considering Article 9. If your RG system flags potential problem gambling, that data may be special category health data requiring Article 9 grounds.
3. Vague privacy notices that don't disclose regulatory sharing. Players must be informed that you share their data with GAMSTOP, fraud prevention services, and the Gambling Commission where required.
4. Using bundled consent for marketing. Consent obtained through terms acceptance at registration is not valid GDPR consent for marketing. You need a separate, specific opt-in.
5. Retaining KYC documents beyond AML retention periods. Five years from end of relationship. After that, delete unless there is a specific documented reason.
6. No Data Processing Agreements with affiliate partners. Affiliates who receive player attribution data are data processors or joint controllers. Contracts must reflect this.
7. Ignoring DSAR complexity. A gambling DSAR involves game logs, transactions, responsible gambling flags, internal notes, and marketing records. Without a structured process, you will miss the one-month deadline.
8. Continuing marketing after opt-out. Immediate opt-out processing is required. Continued marketing after opt-out is a PECR breach and an ICO enforcement trigger.
9. No DPIA for high-risk processing. Player profiling, automated responsible gambling decisions, and large-scale processing of financial data all likely require a Data Protection Impact Assessment.
10. No consistent data retention schedule. Different retention rules apply to different data types. Without a documented schedule mapped to regulatory requirements, you will either delete too early (regulatory risk) or too late (GDPR risk).
Scan Your Website Now
Custodia's automated privacy scanner identifies the trackers, cookies, and data collection happening on your gambling or betting website — and flags the compliance gaps you need to address.
Scan your website free at app.custodia-privacy.com/scan
Last updated: March 2026