ICO cracking down on spam marketing in the online gambling sector

This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.

The Information Commissioner's Office (ICO), the UK's data protection regulator, is cracking down on the online gambling sector's use of personal data to promote online gambling. It has contacted around 400 companies to threaten them with fines of up to £500,000 if they are found to be collecting and using personal data for marketing in a manner which does not comply with the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR).

In its press release, the ICO said it is writing to over 400 companies, all believed to be egaming marketing affiliates, demanding they set out how they use people’s personal details and send marketing texts, including where they got people’s personal information from and how many texts they sent.

What is the ICO worried about?

The ICO has expressed concern that the prolific use of affiliate marketing is resulting in a lack of accountability, with neither the affiliate nor the gambling operator whose services are being marketed taking responsibility for the data collection, or compliance with the marketing rules. The ICO is particularly focused on spam marketing via SMS as a result of the number of concerns and complaints raised by the public amount the number of spam texts they receive from the gambling sector.

What can the ICO do about it?

The ICO can fine organisations up to £500,000 for serious breaches of the DPA and PECR, including in relation to the sending of unwanted marketing emails and texts or live and automated marketing phone calls to individuals. PECR generally prohibits organisations from transmitting, or instigating the transmission of, unsolicited communications to consumers for the purposes of direct marketing by means of electronic mail (which includes SMS), unless the individual has given prior consent to the marketing.

The ICO has recently launched a new code of practice setting out how organisations should be making it clear to individuals what they are doing with their personal information, which Olswang’s data team wrote about in October.

Why is the ICO investigating the gambling industry?

This action by the ICO should not come as a surprise to the gambling industry. The ICO publishes regular updates on its action against spam marketing, particularly for SMS and calls, and the gambling industry frequently appears in the top three most complained about sectors for spam SMS marketing, alongside PPI marketing and accident claims.

In their update in March 2016, the ICO said: "The top most reported topic [for spam texts] was gambling, with 231 concerns; an increase of 49% on January 2016. This topic is often in the top three most reported and we are continuing to work closely with the Gambling Commission on this issue."

Is this investigation limited to the UK?

The approach of the ICO raises interesting jurisdictional questions as well since it is not clear whether the companies it has written to are located within the UK. Given the transnational nature of the online gambling industry, with the preponderance of operators and affiliates offshore, it seems likely that many - if not all - of them are overseas.

The extent to which the ICO has jurisdiction over entities outside the UK is somewhat uncertain, particularly if those entities have no representatives in the UK (which may well be the case with affiliates). The Gambling Commission has regulatory competence over gambling operators situated overseas but who provide services to UK customers, but it is not obvious that the regulatory obligations on operators extend to data protection matters (particular to data protection matters concerning affiliates).

Do the operators need to worry?

Any gambling operators breathing a sigh of relief that this current action is being targeted at affiliates rather than the operators themselves should note that the ICO generally considers that operators should take responsibility (and therefore liability) for the actions of their affiliates.

As mentioned above, PECR refers to the transmission of electronic mail and the instigation of such transmission. The ICO takes a fairly broad (and potentially questionable) interpretation of the word "instigate" in order to hold operators to account for the instigation of spam marketing carried out by an affiliate, even where the affiliate is clearly in breach of its contractual terms with the operator which require it to collect and process personal data for marketing purposes in accordance with applicable law.

The ICO, whilst speaking at the Gambling Commission's Raising Standards Conference in November 2016, is reported to have said that it expects operators to request a copy of their affiliates' databases in order to screen the affiliates' list for appropriate consents and any opt-outs and self-exclusions. If the ICO enforces this position it is likely to result in commercial difficulties for operators as affiliates are unlikely to be willing to share their databases. Such a transfer of data between entities may also give rise to data protection concerns in the relevant countries which in itself may provide a pretext for affiliates to refuse.

In addition, operators should bear in mind that the Gambling Commission holds its licensees responsible for any third parties with whom they contract for the provision of any aspect of the their business related to gambling activities (which would include marketing by an affiliate). As such, operators should be aware that enforcement action could potentially come from the Gambling Commission, as well as the ICO.

What should operators do next?

Operators are advised to review their marketing practices and terms with affiliates to ensure they are sufficiently robust in terms of ensuring compliance with the marketing rules. It is worth bearing in mind that the EU legislation which underpins the marketing rules in the PECR, the Privacy and Electronic Communications Directive, is currently under review (see our recent update here) although changes are unlikely to be imminent given the pace of the EU legislative process. Closer on the horizon however is the replacement of the DPA by the EU General Data Protection Regulation (GDPR) in May 2018, bringing into force (among other things) higher standards for consent and turnover-based fines. Operators should therefore keep an eye on the toughening of the legislation and expect more changes to be required in the next 18 months.

Olswang's data specialists will be taking a look at the impact of the GDPR on the gambling sector in the New Year as part of its GDPR readiness series. In the meantime if you have any questions about data compliance issues for the sector please contact Anna Soilleux-Mills.