Online gambling industry 'ignores' data protection and privacy laws

Privacy International founder blasts gambling companies over privacy and data protection - and the ICO for failing to take action

Simon Davies, founder of Privacy International, has blasted the online gaming industry for inadequately protecting gamblers' privacy and failing to adhere to basic principles of data protection.

In many cases, the companies hide behind the weaker laws offered by offshore tax havens, including Gibraltar, Malta, Jersey, the Isle of Man, Antigua and Barbuda, and Guernsey, rather than adhering to higher European Union standards, he claims.

"This flourishing economic sector swims in an ocean of institutional illegality that places tens of millions of its customers at risk," wrote Davies in a post on his new blog.

After examining the industry for more than two years, Davies described the "malpractice" that is rife in the sector as the worst he has seen in any licensed industry.

"There is a handful of online operators who, to some extent, make an effort at fairness and compliance. There are also examples of regulators who have attempted to do their job. By and large, though, the online gambling industry operates its personal information practices in lawless territory," wrote Davies.

He added: "The rights and protections that we should enjoy are being flouted by an industry that uses its unique economic positioning to confound regulators and induce small jurisdictions into submission."

Globally, the online gambling industry enjoys an estimated revenue of $135bn (£85bn). Some four per cent of adults in the UK are estimated to bet online every year.

The problem, from a data protection point of view, says Davies, is that sites collect huge amounts of sensitive data about their users. "It is routine for sites to demand passport and credit card scans, drivers' licences, utility bills and other personal documents. All the available evidence indicates that this information is stored permanently," wrote Davies.

As a rule, however, companies do not delete this data when it is no longer required - contrary to the third and fifth principles of the Data Protection Act - preferring to keep it stored in case the gambler returns. "It is extremely difficult to close an online gambling account and, in my experience, impossible to have your data deleted."

However, when Davies filed a complaint with the Information Commissioner's Office (ICO) in the UK, the file was closed after three months. The ICO claimed that the matter was not important and that the complaint did not warrant further action.

Bonus chips
Having opened accounts with around 12 online gambling sites to test their privacy and data protection policies, Davies also tried to close those accounts, requesting full deletion of all his data.

Platinum Play locked his account and refused to action his request until he told them why he wanted to close the account: "In order to close it, we will need to know the reason you chose to close your account," it demanded.

32Red's response, though, was a saga in itself. In response to his request, the company offered him "a bonus of 100 chips" and, should that not be a suitable enticement to stay, demanded further private information before his request could be passed on to the "casino manager".

However, it then demanded that he fill in, sign and return a "self-exclusion agreement" - a voluntary account suspension for "problem gamblers". And even after this hurdle had been overcome, 32Red refused to delete all his details "for data protection legalities".

After another complaint, 32Red responded: "... we can retain your personal information in our files to resolve disputes, to enforce our user agreement, and to comply with any and all technical and legal requirements, and constraints related to the security, integrity and operation of the site."

Davies concluded: "At the heart of the compliance problem identified here is the game of 'pass the parcel' between data protection regulators and gambling authorities. You could drive a starship through the security and privacy vagueness in the licence conditions, yet the mere existence of those vague conditions is enough to allow data protection authorities off the hook."

The attitude of online gambling sites to the deletion of personal data stands in contrast to the approach taken by online auction giant eBay when Privacy International challenged online retailers over privacy and data protection.

While the ICO refused to take action, eBay ordered its engineers to come up with a solution, and implemented a full account deletion procedure within six months.

Computing has asked the ICO, and a number of online gambling operators, to respond to the points raised by Davies, as well as a number of our own questions.

Their responses will be published on this site when they are received.