hello@tecplus.co.uk
Contact

Gambling Data & Marketing: what could come from a review by the ICO and GC

Date

May 6th, 2025

Category

Article, Data Protection

No comments
Firefly Show data being extracted from a mobile phone and being stored to create a virtual person in 2

Against the backdrop of updated licence conditions and recent negative press in the UK about marketing practices, a review of how gambling companies use customer data for marketing purposes will likely result in changes and operators need to be getting ready for what comes next.

The Chief Executive of the Gambling Commission in the UK stated in a speech to the BGC AGM earlier this year that:

There will be joint work with the Information Commissioner’s Office (ICO) and the Commission on data use for marketing.

It is hard to conclude from this statement what the work will actually be, but the speech went on to say that the review will be robust and references previous work done by the ICO on cookies.

A good outcome for the industry will be a Code of Conduct for using data for marketing purposes – I think that this is the right outcome – but the gambling industry is a target and I suspect regulators will flex some of their enforcement muscles if they find non-compliance with ePrivacy or licence requirements. Not necessarily fines, maybe reprimands.

Advertising gambling products is not new, and gambling companies use many of the same tools and techniques that other businesses use. What has changed over the years is the amount of data available to target advertisements to people and the perception of gambling company’s data practices.

If a company knows you like their products, they will target you through available channels and personalise your experience. Again, this is not new. Companies in different sectors use the same practices. The difference with gambling companies is that they are marketing a product which could potentially be harmful in acute circumstances. Gambling companies rely on their internal safer gambling controls to identify vulnerable customers and prevent them from experiencing harm.

Traditional broadcast advertisements (think billboards, radio, and old-school TV ads) do not use much personal data. You might try to understand what programmes your customers watch and listen to, the location they are most likely to consume this media, and place advertisements in these spaces – but this is a bit of a spray-and-pray approach.

Consumer-tech has advanced so much that when social media, cookies, and tracker data is combined with data that gambling companies hold about customer’s betting behaviour, you begin to create rich profiles about what content your customers will be most receptive to seeing and where they might see them the most.

Most companies will profile customers based on interests. If you place a bet on the outcome of a football match it is reasonable that you might like to see football-related marketing. You may also be able to infer from that bet the team that the customer supports and adding other data points such as their stake amount, their address, the time they placed the bet, their journey through the web to get to that bet you start building a better picture of who that customer is.

Augmenting this data with cookies and trackers (like pixels) and other data points that are available from digital advertisers, you can then begin to work out how you can reach the customer with relevant messages when they are not on your website or app.

Customers might be subscribed to receive emails, phone and SMS communications – traditional direct electronic communications. They may have even consented to setting cookies and trackers but there are many other ways to reach customers. Personalised on-site advertising, social media, and targeted TV ads are up there as newer forms of online direct marketing.

Back to the ICO & GC review I expect that that they will ask the basics:

  1. Do you understand your data practices for direct marketing?
  2. Have you got compliant consent for cookies, trackers, and SDKs?
  3. Are your legitimate interests for profiling balanced?
  4. Are you being transparent about how you are using data for marketing purposes?
  5. Are you upholding people’s right to object to their data being used for marketing purposes?
  6. How are you identifying customers who are at risk of harm?

For data protection and regulatory compliance folk this is will not be new, and they will know that when you go down the rabbit-hole of marketing via cookies there is a murky world of Demand Side Platforms (DSPs) and other parties in the supply chain making sure your adverts hit the right people.

If I were an operator preparing for this type of review I would concentrate on:

  1. Understanding my marketing data landscape, get a grip on the who/what/where/when/how/why questions about data moving through my systems that result in direct marketing in any form.
  2. Being as transparent as possible. Profiling and digital direct marketing is hard to understand, translating this into an easy to read privacy notice is a difficult but necessary task.
  3. Get assurances around consent and balance those legitimate interests! The right to object will be important and pushing that through your marketing technology stack will be tricky to navigate.
  4. Validate customer protection tools work. The final backstop for preventing customers experiencing harm. There will be blindspots which are unavoidable but you should be able to get good assurances that you can detect vulnerable customers and prevent them from experiencing harm. Suppression lists are a good example to prevent these people from receiving marketing.
  5. Manage your affiliates. I don’t think it will be the focus of the review but marketing by influencers is more popular. Your agreements with affiliates and your expectations of them should be water-tight.

After you have done this then it is a question of bracing to see what the regulators do. My eyes were immediately drawn to the ‘robust’ wording of the GC speech so I expect that any review of using customer data for direct marketing will be thorough. If gambling companies have mature compliance programmes then they should be able to weather the storm but the unknown variable factor is whether regulators will want to demonstrate they are being tough on gambling.

 

Link to CEO of GC speech: https://www.gamblingcommission.gov.uk/news/article/bgc-agm-andrew-rhodes-speech-2025

Link to recent press about marketing by gambling companies: https://www.theguardian.com/society/2025/feb/08/gambling-firms-secretly-shared-users-data-with-facebook-without-permission

Cracked Labs report on digital profiling in gambling: https://crackedlabs.org/en/gambling-data