Online gambling companies collect and store massive amounts of player data. Player and device IDs, geo and demographic information, playing history, payment transactions and tracking data are just a few examples of the data that companies collect, store and use for various purposes. The data collection is performed to enhance players’ user experiences, to profile in order to provide players with personalized entertainment, as well as to comply with regulatory requirements, such as KYC, anti-money laundering requirements, gaming legislation and gaming license conditions.
The way gambling companies deal with data will be fundamentally changed under the new law.
What is GDPR?
GDPR is the new EU regulation on data protection (Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data). It enters into force in May 2018, replaces all existing national data protection laws in Europe and has an extraterritorial effect.
The regulation establishes new rules on how the companies must work with data – new and more extensive players’ rights, a number of limitations on which (and how) player data can be collected and processed, a stricter consent regime, data minimization, limitations to marketing activities and many others. It has a great impact on how the gaming industry in Europe operates now.
Why is it important?
The practical implications of the GDPR for gaming operators and providers will be that they have to change existing operations, build and implement new tools and functionalities, create policies, processes and procedures, and employ a data protection officer to ensure compliance with the new obligations. This, in connection with increased data privacy requirements and reporting obligations, means higher operating costs and many limitations to business operations, all at the risk of paying fines of up to 4% of the total global annual turnover or 20 million EUR, whichever is higher, in case of non-compliance.
The personal data of players, although not treated as a special category of personal data (read: sensitive data) under the definition of the GDPR, is or can be highly sensitive and, in the event of a breach, can result in high fines and damages. Gambling and betting can be deemed as an immoral or unethical activity in certain countries and within certain social and religious groups; therefore leakage of such data, even when the disclosed information may at first sight seem very innocent (for instance, a simple piece of information that a person x plays with operator y), may in some circumstances destroy the person’s reputation in the event that the information is released to the media or even to work colleagues or family. This can easily result in high damages and, therefore, calls for much higher privacy and security standards for data processing than those of other online industries.
Large amounts of player data and its use in various systems, databases and reporting tools create a situation where even data which is not personal data may serve to identify a person when combined with other data collected by the same or other systems and, as such, can constitute personal data. For instance, a simple combination of date of birth, gender and postal code can, in certain countries, be enough to identify an individual, and the information must, therefore, in some circumstances be treated as personal data. This means that the systems and processes for dealing with player data must be reviewed, thoroughly assessed and adjusted in order to avoid the unintended disclosure or sharing of personal data.
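As an added example, not taken from the original article, the following Python script shows how a practitioner can test the point above before a data set leaves a reporting tool: it groups records by the quasi-identifier fields (date of birth, gender, postal code), counts how many records share each combination (a k-anonymity check), and lists the combinations that single out exactly one person. The records, the field names and the generalisation rules (year of birth only, postal area only) are constructed assumptions for the demonstration.

```python
"""
Quasi-identifier check: does a combination of apparently non-personal fields
single out an individual player? Added example; the data is constructed.
"""
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Record = Dict[str, object]

# Constructed sample export from a hypothetical reporting tool. It carries no
# names or player IDs, yet each row may still identify one person.
SAMPLE_RECORDS: List[Record] = [
    {"date_of_birth": "1984-03-12", "gender": "M", "postal_code": "SW1A 1AA", "stake_total": 1200},
    {"date_of_birth": "1984-03-12", "gender": "M", "postal_code": "SW1A 1AB", "stake_total": 300},
    {"date_of_birth": "1990-07-01", "gender": "F", "postal_code": "M1 1AE", "stake_total": 75},
    {"date_of_birth": "1990-11-23", "gender": "F", "postal_code": "M1 1AE", "stake_total": 90},
    {"date_of_birth": "1979-01-30", "gender": "M", "postal_code": "EH1 1YZ", "stake_total": 5000},
    {"date_of_birth": "1979-05-14", "gender": "M", "postal_code": "EH1 1YZ", "stake_total": 40},
]

# The fields named in the article as a combination that can identify a person.
QUASI_IDENTIFIERS: Tuple[str, ...] = ("date_of_birth", "gender", "postal_code")


def equivalence_class_sizes(
    records: Iterable[Record],
    fields: Tuple[str, ...],
    generalise: Optional[Callable[[Record], Record]] = None,
) -> Counter:
    """Count how many records share each combination of quasi-identifier values.

    An optional generalise() step is applied to every record first, so the
    same function can measure a raw export and a coarsened one.
    """
    sizes: Counter = Counter()
    for rec in records:
        view = generalise(rec) if generalise else rec
        sizes[tuple(view[f] for f in fields)] += 1
    return sizes


def min_k(records, fields, generalise=None) -> int:
    """Smallest group size: k == 1 means at least one person is singled out."""
    return min(equivalence_class_sizes(records, fields, generalise).values())


def singled_out(records, fields, generalise=None) -> List[Tuple]:
    """Quasi-identifier combinations that match exactly one record."""
    sizes = equivalence_class_sizes(records, fields, generalise)
    return sorted(key for key, n in sizes.items() if n == 1)


def generalise_record(rec: Record) -> Record:
    """Assumed coarsening rules: keep year of birth and postal area only."""
    out = dict(rec)
    out["date_of_birth"] = str(rec["date_of_birth"])[:4]      # "1984-03-12" -> "1984"
    out["postal_code"] = str(rec["postal_code"]).split()[0]    # "SW1A 1AA" -> "SW1A"
    return out


def safe_to_share(records, fields, k_required: int = 2, generalise=None) -> bool:
    """True only if every combination covers at least k_required people."""
    return min_k(records, fields, generalise) >= k_required


if __name__ == "__main__":
    print("raw export, min k:", min_k(SAMPLE_RECORDS, QUASI_IDENTIFIERS))
    for key in singled_out(SAMPLE_RECORDS, QUASI_IDENTIFIERS):
        print("  singles out one person:", key)
    print("generalised export, min k:",
          min_k(SAMPLE_RECORDS, QUASI_IDENTIFIERS, generalise_record))
    print("safe to share generalised:",
          safe_to_share(SAMPLE_RECORDS, QUASI_IDENTIFIERS, 2, generalise_record))
```

On the constructed data every raw row is unique on the three fields, so the export is personal data even though it contains no name or account ID; after generalisation each combination covers two people. In practice the threshold `k_required` and the coarsening rules are a policy decision for each data set, and the check belongs in the pipeline that feeds reporting tools and third parties, not only in a one-off review.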
A data protection officer (DPO) appointed to facilitate compliance with the provisions of the GDPR will not be personally responsible in the event of non-compliance. Therefore, the main responsibility for data protection compliance will rest with the top management of the companies and, as a result, we may observe key officials losing their jobs or resigning following substantial reputation damage due to media reporting, or significant fines for personal data breaches being imposed by authorities on the companies they represent.
Who will be affected?
The GDPR will mostly affect the industry actors operating B2C, which represent the interface with the players and are currently very much data-driven companies. As a result of this, they are most vulnerable to the risks of severe fines, player complaints, reputation damage and even the loss of gaming licences.
Most heavily affected will be the gaming operators, which are primarily responsible for player data, acting as data controllers. They normally manage and control player accounts, provide customer support, monitor games, playing history and new player acquisition, and are also responsible for player registration, KYC and reporting. These activities require significant amounts of data, which results in many obligations towards players, including obtaining and managing all data subject consents, notification obligations and responding to requests by customers concerning their data throughout the term of the relationship and even after it has ended.
Furthermore, affiliates and other marketing and online providers will also be highly impacted, as they can be considered data controllers, co-controllers or processors, depending on the actual set-up and relationship with the operators. Even more important will be the data processing agreements between the various actors, as it is these that will regulate the obligations relating to personal data, and allocate and set the levels of liability and indemnity in case of data breaches.
The amount of data collected and/or processed by games providers and gaming platform providers is usually also very high, but the amount of personal data is much more limited because they have much less direct interaction with players. Gaming providers use data mainly to enhance games, the performance of platforms and systems, and the user experience. As a rule, therefore, there is no need to use personally identifiable data instead of anonymised information or data in aggregated form, which is not considered personal data under the GDPR.
What are the industry challenges?
The GDPR represents three main challenges for the gaming industry.
Extensive Marketing. Online player acquisition, profiling, the use of cookies and tracking currently form a large part of gaming operators’ marketing strategies. Most of these activities will, under the GDPR, require transparency and, in principle, the explicit consent of players. This will make it more difficult for gaming operators and affiliates to conduct their marketing operations and it will be necessary to cease the usual practices relating to players who have refused to give consent or who have withdrawn their consent at a later stage. The withdrawal of consent to data processing is fully permitted at any time whereas the operators are not allowed to refuse to provide the service without such consent (unless the data is necessary for the operations or for compliance with legal and regulatory requirements). In order to continue with extensive marketing activities, the operators will have to find smart ways to “buy the consent” by offering players various incentives and better user experience, rather than automatically using players’ data based on implicit consent and without giving players precise information about which, where and how data will be used.
Conflicting Regulatory Requirements. Practical implementation of the requirements in the light of other regulatory obligations will be very complex and difficult. The gaming industry is a regulated sector, meaning that gaming operators are subject to the many obligations imposed on them by national gaming laws and license conditions. Gaming companies are also subject to anti-money laundering laws, rules for responsible gambling, codes of practice, and others. “Juggling” multiple conflicting obligations will not be easy. The regulations and the enforcing authorities require almost unlimited access to data and impose extensive reporting obligations on operators. In practice, this means that certain categories of data must be retained for a longer time than would otherwise be permitted by the GDPR, in order to meet the regulatory obligations. The diversification of data necessary to simultaneously meet and balance the requirements of various regulations (delete vs. retain data) under AML, gaming laws and other legal retention obligations which vary from country to country, makes it very difficult to make correct assessments and requires the establishment of different data strategies for different categories of data and different legislation. For international gaming companies with operations in many jurisdictions, this will create extra workload, including implementing changes to their current processes and systems to meet the requirements.
Abuse by Players. Finally, there is a risk that players may try to misuse the rights granted by the regulation, especially the data access right (the right to gain access to one’s own data held by the data controller) and the right to be forgotten (the right to have the data held by the data controller deleted from their systems). The gaming industry is not free from problem gambling. Pathological and compulsive gambling and other gambling problems exist and may lead operators to take the necessary actions to limit or prevent players from further playing, for instance by closing down player accounts. Moreover, some players tend to react emotionally to losing, especially losing big bets. Such and similar situations may cause players to make various impulsive requests, such as requests for the deletion of their data, to be forgotten, repeated data access requests or requests to transfer their data to other gaming operators (data portability).
What will the future bring?
The enforcement of the GDPR brings standardization in the area of data protection. This is due to the fact that the regulation introduces a single set of rules that applies to the entire EU, which also includes providers in other countries engaging in business in Europe. Furthermore, since implementation and interpretation of the provisions of the GDPR is complex, data controllers will most likely first look around to see how other (usually bigger) companies deal with the challenges of the GDPR and then try to adopt a similar approach.
In order to resolve the conflicting obligations imposed on gaming companies by different legislation, there must be dialogue between data protection authorities, gaming regulators and other authorities in order for their obligations to become aligned and to establish standard practice and unambiguous data retention rules.
The GDPR also allows, and actually encourages, associations and bodies representing data controllers and processors to establish codes of conduct to facilitate the effective application of the provisions of the GDPR. Various gaming associations and trade organisations have introduced codes of conduct and rules among their members and throughout the industry which take into account the specific needs and risks of the gaming industry. Such initiatives certainly represent a major step towards the standardized protection of players’ data.
Industry cooperation is encouraged and the trade associations and other industry stakeholders can work out common standards and formats to facilitate data portability between gaming operators and other industry providers. Data portability concerns a player’s right to move their data from one data controller to another by various means such as direct download or data transmission via API, which creates a great challenge for gaming operators, also with regard to compliance with other regulatory requirements – for instance, player verification for the purpose of AML or national gaming legislation.
The next big change going forward in this area will be the new ePrivacy Regulation (Regulation on Privacy and Electronic Communications), which has been submitted as a proposal by the European Commission. This regulation will be even more detailed in its scope and will bring stricter rules on direct marketing, cookies, profiling, the tracking of players on the internet and overall communication with players, including a higher standard for consent (explicit consent/opt-in) for direct marketing and tracking cookies.
There are, therefore, many challenges ahead for the online gaming industry, and only time will show the size of the impact the new regulations will have on the industry and how companies will adopt the changes and manage their business in order to retain current revenues, player base and growth rate in the new environment.