
How the online gambling industry turns data protection into a joke

By Simon Davies

If parliaments ever needed hard evidence to justify meaningful privacy and data protection law, they need look no further than the systemic bad practice of the online gambling industry.

This flourishing economic sector swims in an ocean of institutional illegality that places tens of millions of its customers at risk. The outcome of my scrutiny of this industry over two years is a picture of malpractice at a level I have not witnessed in any other licensed industry.

Of even greater concern, perhaps, is the ambivalence of the data protection authorities that should have been keeping a vigilant eye on these companies.

Yes, I accept that there are exceptions to the rule. There is a handful of online operators who to some extent make an effort at fairness and compliance. There are also examples of regulators who have attempted to do their job. By and large though, the online gambling industry operates its personal information practices in lawless territory.


I should warn in advance that this blog contains references to data protection. Please don’t let this put you off. Soldier on. The message I want to offer is that the rights and protections that we should enjoy are being flouted by an industry that uses its unique economic positioning to confound regulators and induce small jurisdictions into submission. It’s a sad but interesting tale.

Online gambling in the form of Internet casinos and online betting shops (also known in the trade as “iGambling” or “Remote gambling”) has been around since 1994 and now sucks down global revenue of around $135 billion a year.

Put into perspective, that’s about nine times the revenue of the entire global music recording industry, or the annual income of Microsoft and the US Postal Service combined. PwC estimates compound annual growth of 9 percent for the industry over the next few years.

It’s difficult to determine how many people gamble online, but most estimates put the figure in the tens of millions. In the UK, between 2009 and 2010, 4% of adults (about two million people) had bet online. Extrapolated, this could put the global online gambling population at between 35 and 70 million people.


The conundrum on my mind is that despite the existence of various licensing bodies, who exactly is it that protects the privacy and data protection interests of these millions of users? Most of the sites are located in small territories and economically opportunistic jurisdictions such as Jersey, the Isle of Man, Antigua and Barbuda, Malta and Guernsey. The gambling sites provide substantial revenue for these territories and historically the companies have been able to exercise policy arbitrage in which they can easily transfer to jurisdictions that offer the best tax advantage and minimum regulatory interference. Data protection appears to have been lost in the process.

There are two important factors to keep in mind. First, in the course of their day-to-day operations online gaming companies collect vast amounts of sensitive personal information relating to behavioural patterns and finances. Second, the industry has a collective archive of personal identification records that would eclipse all but the largest government agencies. It is routine for sites to demand the transmission of passport and credit card scans, driving licences, utility bills and other personal documents. All the available evidence indicates that this information is stored permanently.

It goes without saying that with such a vast and rich reserve of sensitive data, gambling companies should be meticulous in observing data protection rights – particularly the requirement to delete personal information when it is no longer required. As a rule, they don’t. It is extremely difficult to close an online gambling account, and in my experience impossible to have your data deleted.

What I will do in this blog is focus on one aspect of the industry’s unlawful behaviour: the legal requirement to eliminate data that is excessive or unnecessary. For those unfamiliar with data protection, this is what is often described as the third and the fifth principles:

“Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.”

And

“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”

Investigating the sites

About two years ago, in an attempt to discover how customer data protection operates in practice, I registered accounts on around a dozen sites. In most cases I failed to observe any respect for privacy or data protection rights, or for data protection law, at any level whatsoever.


Consequently, on 1st October 2010, in my then capacity as director of Privacy International, I wrote to the UK Information Commissioner signalling my concerns and warning: “most large gaming sites do not provide a facility for account deletion, and that in rare cases where account closure is possible personal data are not deleted from the sites.”

Citing specific sources, I went on to explain that the evidence revealed “privacy policies that are incomplete, deceptive or non-existent [and] fail to notify customers that personal data will be retained permanently even after an arduous process of account closure.”

The situation was, in my view, an open and shut case of wholesale violation of data protection law. And yet, three months later, the investigations section of the ICO responded by advising the matter was not regarded as important and that the complaint did not warrant further action.

This lack of interest came as no surprise. The ICO has traditionally tended to side with industry on complex or sensitive complaints and has sought pragmatic solutions. In this instance it did not even bother to justify its decision to dismiss the complaint.


I then decided to take the matter directly to authorities within the jurisdictions in which these companies operate, and so on 23rd August 2011 I wrote to Peter Harris, who at the time was data protection commissioner of Guernsey:

“Whether mandated or not by law, many online casinos are requiring a significant amount of sensitive identity data from their customers. In the past it seems this data was only required once a play or winnings threshold had been reached. It appears now that customers are required to disclose full identity following registration.”

“What is demanded could be considered more rigorous than the identity requirements for most national ID cards. It is not uncommon for passport, driving licence, bank statements, current utility bills and scans of credit cards to be required. Given that there are tens of millions of online gaming customers it is feasible that collectively the gaming industry manages and maintains one of the biggest reserves of identity data in Europe. Customers are requested to either post the information or send scans via email. Little or nothing is disclosed about security provisions or oversight. The Gaming Commissions of most jurisdictions are silent on the issue.”

That day, Peter Harris provided an “interim” response citing the local licensing guidelines and pledged to provide a more detailed response. I received no further correspondence from him on the issue.

Perhaps predictably, the companies are able to continue their policy of data protection avoidance.

Company practices in detail: the three stages of obfuscation

Stage one: Stall as much as possible

On 13th June 2012, to test whether there was a standard set of tactics to deny customers their right to close an account and have personal data deleted, I requested casino operator 32Red to close my account. They responded saying:

“Whilst we would carry out the wishes of our customers I would like to offer you a bonus of 100 chips to reconsider your decision. If you wish to take advantage of this offer then please either come onto live chat or reply to this e-mail and the chips will be added.

“If you still wish to close your account then can you please reply with the following security information: Date of Birth, Postcode

“Account closures are carried out by the casino manager and if you do decide to go ahead with the closure I will pass your details to him and you should receive a further reply by e-mail within 72 hours.”

This response is interesting. It introduces three elements of complexity: a last straw for the desperate, a new level of required data, and a previously unknown layer of bureaucracy.

The response was however not quite as astonishing as the one I received on July 16th from Platinum Play, which advised:

“I have taken the liberty to lock your account for the time being, but in order to close it, we will need to know the reason you choose to close your account.”

No confirmation of account closure was ever received, the last communication stating that the account had been merely “locked”.

I replied three weeks later to 32Red, providing the requested personal data, reiterating my request for the account closure and adding:

“In accordance with my rights under the European Data Protection Directive and relevant legislation would you also please delete all my personal information from your systems. Could you please confirm that this request will be honoured.”

Stage two: ignore the deletion request and refer to self-exclusion

The self-exclusion facility – which is almost impossible to locate on around half of online gambling sites – is a mechanism to enable voluntary suspension of an account. It is used in almost all cases as the only data control option available to consumers. 32Red responded by insisting that I must submit this form:

“This Self Exclusion agreement must be completed and submitted in order for 32Red Online Casino to initiate your request. The period of Self Exclusion will commence once 32Red have sent you email confirmation, usually within 48 hours of your request being received.”

My immediate response was: “I asked that my account be closed and my personal information deleted. I do not want a self-exclusion facility. Can you please confirm that you understand.”

Why was I so opposed to 32Red’s demand? Partially because it was not what I had asked, and partially because the company defines self-exclusion agreements as: “specifically for those customers for whom gambling has become a serious problem”.

Stage three: refuse to delete and then blame the Data Protection Act

32Red finally accepted the reality that I was not going to self-exclude, and then changed its reasoning:

“If you do not wish to self exclude I will request your account closure with our casino manager, he will close your account and email you confirmation. You have been removed from our mailing list and your financial method has been disabled on your casino account, however for data protection legalities your details will remain on our system we are not able to remove them unfortunately. If in the future you wanted to reopen your account we would action this unless you choose to self exclude.”


Note the wording: “your financial method has been disabled on your casino account”. The reference to re-opening the account relates to any period other than the period of self-exclusion. In both cases the casino was advising that none of the data would be deleted, despite my request for “permanent” closure.

I again complained, reiterating my demand and asking for an explanation of why my data could not be deleted. 32Red’s response was entertaining in its breadth:

“As advised within our privacy policy on our site we can retain your personal information in our files to resolve disputes, to enforce our user agreement, and to comply with any and all technical and legal requirements and constraints related to the security, integrity and operation of the Site.”

The essential issues

At the heart of the compliance problem identified here is the game of “pass the parcel” between data protection regulators and gambling authorities. You could drive a starship through the security and privacy vagueness in the license conditions, yet the mere existence of those vague conditions is enough to allow data protection authorities off the hook on investigations.


This isn’t a difficult issue to address, nor would it be a precedent. In 2006 Privacy International wrote to the ICO to complain about the account deletion practices of a number of online sites including Amazon, eBay and Friends Reunited. This complaint followed a Privacy International study that identified the difficulty (or, in some cases, impossibility) facing customers who wished to have their accounts and their personal information deleted permanently.

While the ICO refused to take action on the complaint, eBay, under the leadership of global privacy counsel Scott Shipman, immediately tasked engineers to resolve the issue. Within six months eBay had identified all aspects of the challenge and implemented a full account deletion procedure.

The question here is whether data protection authorities are likewise prepared to take stock of the violation and seek a constructive solution.