High Court Ruling on Sky Betting and Gaming: A Wake-Up Call for the Sector

In January this year, in a case which could have wide-ranging ramifications for the gambling and gaming industry, the High Court ruled that Sky Betting & Gaming (SBG) had violated UK data protection laws through non-compliant targeted marketing of a vulnerable customer, because of a lack of (operative) consent during the material time.

Context & background

The case examines the validity of consent in the context of targeted direct marketing to a vulnerable customer whose ability to provide informed consent was diminished as they became addicted to gambling over the course of a few years. The case also considered the obligations of an operator, and the imbalance of power between the parties, given the vast amount of information available to the operator.

This case concerned an addicted, vulnerable customer (the Claimant) who filed a case against SBG for targeting them and unlawfully using their personal data, obtained using cookies, without the required consent for profiling and direct marketing. The Claimant had been a customer of SBG for over 9 years, losing a significant amount of money in that period. After the Claimant filed a data subject access request (DSAR) with SBG, it transpired that SBG and a number of third parties were holding a significant amount of information, which was being used to profile and target the Claimant as a high value customer. This led to them being marketed to in ways that fuelled their existing gambling addiction.

The case further confirmed that the processing of the Claimant’s personal data (deemed to be ‘excessive’) was continuous in nature, without any safeguards built in by SBG. For example, there was no risk threshold built into the marketing lists to identify problem gamblers and/or worrying gambling behaviours and trigger a requirement to stop sending marketing. This just didn’t exist or, if it did, it was set at unrealistic levels.

This was particularly pertinent given the Claimant’s addiction to gambling, which meant that they were not able to operate cohesively and to object to the excessive direct marketing. The impact of this was that the Claimant was sold gambling where their autonomous ability to resist that selling was substantially diminished. The Claimant received around 1,389 emails offering free spins and bonus prizes, and engaged with 98% of them; the marketing took advantage of the Claimant’s current state of mind in respect of gambling.

Consent as a legal basis for processing – a closer look

It is important to return to the GDPR’s definition of the key attributes of when consent can be relied upon, i.e. that it is ‘freely given’, ‘specific’, ‘informed’ and ‘unambiguous’. It is clear from the case that when a gambling customer initially engages with the operator and consents to direct marketing, there is no question of a presumption, or even a starting point, of absent or defective consent. But there is a question of managing the risk of it, and of ensuring that consent remains valid over the course of the engagement, as the customer’s ability to consent may have been impaired due to the addiction.

Taking into account Recital 43 of the GDPR, it is also important to recognise that it is difficult to rely on consent being freely given when there is a clear imbalance of rights between the data controller and the data subject. Looking at this case, and the personal situation of the Claimant being recognised as an addicted gambler, it becomes apparent very quickly that this Recital is most likely relevant to the amount of targeted marketing that was being sent at the time.

Applying the logic of Recital 43 to the balancing of the rights of the individual against the interests of the operator also makes it difficult for any gambling operator to switch legal basis from consent to legitimate interests, and in fact the Court also suggested in its ruling that this would not be possible.

In addition, the point at which consent is obtained is also an important factor in ensuring consent remains valid. Recital 43 of the GDPR guides that consent is 'presumed' not to have been freely given where services an individual 'needs' cannot be obtained without privacy consents, despite such consents not being necessary for the performance of the service. And it is not necessary for online gambling providers to market to their customers to allow them to gamble. It is something they choose to do for their own commercial reasons. The clear imbalance is part of the relevant factual matrix for the consenting behaviour in this case.

The wider impact of this judgement

This judgement has a much wider implication than just affecting the Gaming and Gambling sector, and concerns any sector that may be taking advantage of targeted direct marketing to vulnerable customers. This specific judgement focuses the mind on how operators are using personal data in the background and whether any data processing activities are continuing to meet the definition of any consent collected from individuals.

As a result, it is vital that operators continue to stay close to the detail of all data processing activity linked to the output of any direct marketing initiatives to ensure that the attributes of an effective consent can continue to be demonstrated.

What should your organisation be doing?

If your organisation is involved with direct marketing activity, there are several considerations to think about to help mitigate any risks of data protection and consent non-compliance:

1. Fully understand the organisation’s exposure to data processing activities that relate to direct marketing – A fundamental requirement of any effective data protection compliance program is to understand and document all data processing activities. It is vital that your organisation understands all processing activities that feed into direct marketing activity so that all data protection compliance considerations can be applied. This will include the use of cookies on organisational websites, to ensure the relevant consents have been set up and collected from website users.

2. Review cookie policies and direct marketing processes – It is important that your organisation continually reviews existing policies and procedures to ensure they are up to date and still considered fit for purpose.

3. Ensure that your organisation has a fully embedded and effective consent management system in place – It is important that an effective, well-established system ensures that consents are collected, recorded and reviewed in a timely manner, and that the requirements of GDPR and the Gambling Commission’s Codes of Practice are adhered to. This ensures gambling is conducted in a fair and open way, protecting children and other vulnerable persons from being harmed or exploited by gambling, and making assistance available to individuals who are or may be affected by problems related to gambling.

4. Ensure safeguards are built into direct marketing-based processing activities to ensure consent attributes are maintained – It is important that, when your organisation understands all data processing activity related to direct marketing, risk identifiers are built into the overall process, i.e. the identification and setting of flags and/or trigger points to identify abnormal behaviours and/or vulnerable customers because of direct marketing activity.

5. Ensure a balancing test is regularly completed – It is important (so as not to fall foul of GDPR Recital 43) that an organisation ensures that the rights of any individual are not imbalanced against the interests of the organisation, which would render any consent being relied upon ineffective. To achieve this, it is important to continually review the balancing test, considering the specific activities being completed as part of the direct marketing initiatives, and ensure these are fully documented.

If you have any questions or concerns, or would like further information, we have a dedicated Privacy and Data Protection team that can support your organisation with data protection compliance both in the UK and globally.