By Tom Chadwick
How safe is your data with betting companies?
DATA protection laws received an overhaul back in May 2018 with the introduction of General Data Protection Regulation (GDPR) and the gambling industry did not escape these reforms.
Some of the aims of the new regulation were to ensure that customers had better access to their data and a right to have their data erased. But some suspect that the gambling industry is already trying to get around some of it’s obligations in relation to the new data laws.
In fact, the Gambling Commission offered specific guidance to firms at the time to ensure that they remained compliant. In their advice note to betting firms, the Gambling Commission pointed out “We take the view that GDPR is not intended to prevent operators from taking steps which are necessary in the public interest, or are necessary to comply with regulatory requirements under a gambling licence.
GDPR should not be improperly used as an excuse to avoid taking steps which enable compliance with licence conditions, promote socially responsible gambling, and promote the licensing objectives.
Sounds responsible so far, although Gambling Compliance, a UK advisory website referred to the note as a “warning shot” to the gambling industry that they could not use the new data laws to shirk their responsibilities in relation to money laundering and player protection.
But a year on some say that GDPR is already becoming a farce in the gambling industry, with its interpretation seeming to differ between many gambling companies.
Erasure of data – are gambling companies willing to erase data?
If we take a look at any number of online UK betting sites, we can see that customers have the right to erasure “subject to legal obligations”. Surprisingly there is no further information on what their legal obligations are and the term itself is fraught with ambiguity.
The following is taken from the privacy policy on the Website of William Hill in 2019, one of the UK’s largest bookies, “To comply with regulatory requirements, we need to retain your information for at least 7 years after your account has been closed in line with our Privacy Policy”. That’s “at least” 7 years!
Fraud and money laundering are problems which are particularly problematic within the gambling industry and these give an easy out for companies to retain data. It can be as simple as opening 2 accounts with the same company to get 2 free bets. Under these circumstances, betting companies can retain your data because they need to ensure that you don’t attempt to open any more accounts. This is enough to retain data for “fraud prevention purposes”.
Advice provided by the Remote Gambling Association, again post GDPR, states “Customers have the right to have their data ‘erased’ in certain specified situations”. Again, what these specified situations consist of remain unexplained.
Taking further into account the fact that those who have gambled online almost always have their details checked through a third party fraud prevention agency such as Iovation, can mean it’s almost impossible to know that your data has ever been fully erased. If the original betting company won’t delete your data for 7 years after you ask them, then can we really believe they’ll show enough diligence to contact a third party company to erase data?
While it is still worth writing to gambling companies and asking them to delete your data, it’s best to remain pessimistic that all of your data will be erased.
Subject Access Request – can I obtain my own personal data?
Some gamblers have contacted betting companies to obtain a copy of all the data a company holds on them.
The procedure, known as a subject access request, allows any individual to access all (well, most) of the data that a company holds in relation to them. There is a fairly sizable exception to this however in that any data containing personal thoughts or opinions of employees does not have to be disclosed. Clearly this could apply to a number of situations and once again is open to the interpretation of the individual providing you with your data.
On top of this, some individuals have complained that once they have received their data, it is in effect nonsensical. This is because companies can use codes or words to describe situations which have no meaning to the individual receiving their own data. For example, one man who had a betting account closed without explanation sent a Subject Access Request to the betting company. He duly received a copy of his data, but to his disappointment, there was only one entry in relation to the closure of the account which simply read “exchange/high”. There is no obligation on a company to clarify what any of this actually means.
Business emails which may give data some context or help understand behind the scenes conversations do not have to be disclosed as part of the disclosure of data. So really, even a full disclosure of data within the provisions of the law fall short of giving the individual a full picture of their data and how these sites have potentially used this data.
How secure is your data?
Now we have seen that gambling companies can keep data on an individual regardless of a request for erasure, we have to ask how that data is stored and how secure it ultimately is in the hands of the gambling companies.
Firstly, it is worth pointing out that the gambling industry has long been a target for criminals. It is even reflected in popular film and fiction like ‘The Sting’ or ‘Lock, Stock and Two Smoking Barrels’. There is a certain romanticism about the idea of criminals taking large sums of money in what can almost be seen as a victimless crime.
But the reality is there are victims and that the crimes committed against betting companies tend to be a lot more mundane. However, the effects on the user of these sites can be devastating with consequences such as ID theft, fraud and financial theft.
Cyber attacks come in many forms, but the ones users of gambling sites should be concerned with are hacks to obtain a customer’s personal data. These details can then be sold on the dark web, used for identity fraud or even ransomware attacks.
There are numerous stories of customer’s accounts being hacked in online betting. Most times, the purpose is to steal funds, but these accounts contain potentially more personal data than any other type of account except bank accounts. The individual’s name, address, date of birth, financial habits and so on are all contained within an online betting account.
With gambling companies still seemingly reluctant to delete customer’s data, even with the advent of GDPR, it is important that if you have formerly gambled that you contact these companies and ask them to delete your data. It is also advisable to fully close your accounts in order to minimise the risk of any ID theft.
It seems that gambling companies can still keep a former customer’s data for at least 7 years to comply with their own privacy policies, but you can still make some steps to minimise the risk of your data being misused.
Firstly, contact the company and tell them you want your data removed. Even if they won’t fully erase, this at least means they should no longer use your data for marketing purposes, meaning they should not contact ex problem gamblers with alluring offers to entice them back.
Secondly, closing your account and asking for your data to be removed at least removes the risk of your account being compromised by a hacker. Your details will still be stored by the company for a number of years, but to access them, the hacker would need to get past more than just your username and password.
With these measures in place, the risks are minimized, but it seems that gambling companies are not keen to erase data of former customers. In order to keep personal data secure, listen for any potential data breaches involving betting companies or sites you may have used in the past.