What obligations are imposed by the GDPR on gambling and video gaming operators in profiling their players? And what is meant by profiling?
The GDPR is now in place with its massive potential fines, but at the same time, gaming operators need to know their players better, both to offer games that are more in line with their preferences and to better protect them as part of their responsible gaming activities.
I already covered in this blog post the top 5 issues for gaming operators under the GDPR and I discussed gaming affiliates in this other article “Gaming affiliates: how the EU privacy regulation might impact them?”, but I will now focus on a widespread scenario on which we are assisting our gaming clients.
Players’ profiling vs. segmentation, what is the difference for gambling operators under the GDPR?
The marketing teams of companies frequently raise this question, insisting that segmentation is not profiling and that they must necessarily be able to do it.
Unfortunately, the position of data protection authorities on the scope of profiling is quite broad. Even the division of gambling players into broad categories might fall among the profiling activities under the GDPR. But, depending on how detailed the profiling is and the type of service provided to players, the data protection law requirements change.
Privacy consent not always required!
The possibility to rely on profiling is an important innovation under the GDPR and would also be applicable in the gaming sector to the types of segmentation that are not meant to provide a more “aggressive” marketing offering, but to offer games that are more in line with the category of games preferred by players.
For instance, legitimate interest might be considered (depending on the peculiarities of the case) the legal basis to display to a player only content relating to the operator’s sports betting offering, if this is a sports betting player.
At the same time, if a VIP program requires the profiling of the activity of gambling or betting players and such players expressly needed to join that program, it might be argued that no additional privacy consent is required under the GDPR since the profiling is part of the service that the player decided to purchase from the operator.
Finally, no consent under the GDPR will be necessary to perform the profiling activities that are required by law, such as those required to comply with anti-money laundering and responsible gambling obligations.
Once consent is required, you need to get it right!
If your scenario does not fall under any of the categories above, it is likely that you will need a privacy consent under the GDPR. The applicable requirements of consent under the General Data Protection Regulation are outlined in the blog post “Legitimate interest, the performance of a contract and privacy consent under the GDPR”, but can be summarized as follows:
1. Players’ privacy consent has to be “free”
Privacy consent cannot be a condition to register to a gaming platform, linked to the acceptance of the terms and conditions of the website or included as part of consent to other services.
2. Players’ consent cannot be “pre-ticked”
This scenario is frequent. But the GDPR expressly bans such practice. The default setting should be for the denial of the consent. And such a situation opens an additional question as to the validity of privacy consents obtained in the past before the coming into force of the GDPR.
3. Players’ consent might not be “incentivized”
On such an issue, the position of data protection authorities across the EU is inconsistent. Can operators offer a bonus only to players that grant their privacy consent? Is this a limitation to the players’ freedom to choose their privacy preferences? Different regulators took different views on the matter, and therefore, the issue has to be sorted under local laws.
4. Players’ privacy consent has to be “granular”
This is another aspect on which different data protection authorities have different positions. Is it necessary, for instance, to have a separate consent per channel of communication (e.g., SMS, email, postal mail)? The scenario changes depending on the relevant jurisdiction. But the approach from regulators is consistent on the impossibility of having the same consent whereby players accept both the delivery of marketing communications and their profiling.
5. Players’ privacy consent has to be informed
You can read in this blog post “Privacy information notice – more complicated with the GDPR” some insights on how to draft a privacy information notice. But it happens quite frequently that privacy information notices are incredibly complex and long. Most of their provisions do not apply to a specific country or service, and the information, for instance, on the legal basis of processing and on the types of data processing activities that can be performed is contradictory and very confusing. This kind of privacy information notice is likely to be challenged and deemed not compliant with the GDPR.
You can read on the same topic the following article “Top 5 privacy issues for gaming operators under the GDPR”.