2010 Complaint to ICO regarding online gambling

 

Privacy International

265 Strand

London  WC2R 1BH

 

1st October 2010

 

Mr Christopher Graham,

Information Commissioner

The Office of the Information Commissioner,

Water Lane,

Wycliffe House,

Wilmslow, Cheshire SK9 5AF

UNITED KINGDOM

 

Dear Mr. Graham,

Complaint:  UK online gaming industry

I am writing on behalf of a  number of complainants to Privacy International with regard to the  practices of companies which constitute the UK online gaming industry.

The complainants have stated that most large gaming sites do not provide a facility for account deletion, and that in rare cases where account closure is possible, personal data are not deleted from the sites.

Furthermore, research conducted by Privacy International into a sample number of sites reveals privacy policies that are incomplete, deceptive or non-existent. All privacy policies that we read fail to notify customer that personal data will be retained permanently even after an arduous process of account closure. In the case of Bet Fred we were unable to find any privacy policy whatever.

We believe these widespread practices not only contravene the Data Protection Act but they also serve to exploit and deceive UK gaming customers.

We request that you conduct an investigation into this matter, and where necessary liaise with your international counterparts (particularly in Gibraltar) and the Article 29 Working Group.

We also request that you seek cooperation with the UK Gambling Commission to ensure that where possible guidance can be created to provide best practice for companies operating in the UK.

Background to the issue

In 2006 we wrote to your predecessor to complain about the account deletion practices of a number of (non gaming) online sites including Amazon, eBaY and Friends Reunited. This complaint followed a Privacy International study (attached) which identified the specific aspects relating to particular sites, and demonstrated the difficulty (or impossibility in some cases) facing customers who wished to have their accounts and their personal information deleted permanently.

We are pleased that in the time since that complaint some progress has been made with regard to account deletion. eBay in particular made a substantial effort to work with us to reform and clarify its account deletion process.

In conversations with Data Protection Commissioners at that time it was clear that customers have the right under Data Protection rules to expect that companies will provide a simple means to close accounts and delete personal information. Many online companies (including YouTube and MySpace) include the “delete account” function as a default part of the account management page. This is seen as being important both to Best Practice and to aid legal compliance. However no such facility has been enabled by most of the sites in the UK gaming industry.

As we pointed out in our 2006 study:

“We believe that these account deletion and disclosure arrangements – or their absence – breach key elements of the Data Protection Act. No customer could reasonably be expected to invest the considerable time and effort required to investigate these sites, nor in our view should any responsible company create such obstacles. In our view it is in these companies financial interest to hide the account deletion function, and thus they have acted in an entirely self-serving manner that denies millions of customers an important right.”

Overview of the gaming sites

Over the past two years Privacy International has received complaints relating to around a dozen gaming sites that are particularly popular in the UK. We chose to scrutinise four that we felt were representative of the industry: William Hill, Ladbrokes, Bet Fred and Bet 365.

These sites are defined as “Remote Gambling” operations and in many cases are required to be licenced through the UK Gambling Commission  even where they are based overseas http://www.gamblingcommission.gov.uk/gambling_sectors/remote/about_the_remote_gambling_indu/about_remote_gambling.aspx

Each site has a substantial number of UK customers, although each is licensed by the Gibraltar Licensing Authority and regulated by the Gibraltar Gambling Commissioner. With the exception of Ladbrokes (the head office of which is in the UK) all have their registered office in Gibraltar. Most support a physical office in the UK to which correspondence can be sent.

Account closure

None of the sites surveyed provided an immediate online means of account closure. The default position for all sites we observed was a “self exclusion” process that suspended activity on the account, though in each case this required the customer to telephone the company and be subjected to identification and other processes. We understand that this situation is not universal. Virgin Games for example does provide an online mechanism for self exclusion. However no site that we have seen provides a “close account” function nor do they describe how accounts may be closed.

However even if sites were to permit closure of accounts, this action would not remove personal data. Nearly all sites (usually under the responsible gambling sections) provide statements such as “Any account that is simply ‘closed’ can be re-opened at any time.” (see  https://members.bet365.com/home/mainpage.asp and

http://williamhill-lang.custhelp.com/cgi-bin/williamhill_lang.cfg/php/enduser/std_adp.php?p_faqid=2733 )

These notices indicate that companies do not have a deletion policy and that personal information will be retained for as long as possible in the event that customers wish to re-open their accounts. No privacy policy makes any mention of retention periods. This practice, in our view, constitutes reprehensible behaviour.

We would be grateful if you would investigate this matter with a view to prosecuting companies for instituting these widespread unlawful practices.

Yours sincerely,

Simon Davies

Director

Privacy International