ICO’s reprimand of Sky Bet places spotlight on data protection

IOC’s reprimand of Sky Bet places spotlight on data protection
Credit: Kanr2425 / Shutterstock

Data is one of the most valuable assets available to companies active in the digital sphere, but it is also becoming an increasingly regulated commodity, often with good reason. A regulatory enforcement action in the UK has highlighted the significance of this.

Sky Betting and Gaming (Sky Bet), one of the country’s leading online betting companies and part of the gambling monolith Flutter Entertainment, has been reprimanded by the Information Commissioner’s Office (ICO), the UK’s national data protection authority.

The ICO has targeted Sky Bet for unlawfully processing people’s data through advertising cookies without their consent. The agency accuses Sky Bet of processing personal information between 10 January and 3 March 2023 which was then shared with advertising technology companies before customers had an option to accept or reject advertising cookies.

In March 2023, Sky Bet made changes to its platform so that users could reject cookies before information was shared, as a result of the ICO investigation. Whilst the data in question does not concern payments, it highlights the delicate nature of handling customer data in the modern digital economy – something of vital significance to the payments sector.

“We’ve all seen adverts online that seem designed specifically for us, such as an ad for trainers after signing up to a gym online,” said Stephen Bonner, Deputy Commissioner at the ICO.

“Some people may be happy to consent to receive these, but others may not be comfortable receiving similar adverts, especially when it comes to sensitive aspects of our digital activity. 

“For example, if you are visiting a gambling website or looking up concerning health symptoms, you may want to prevent this personal information being shared with advertisers.”

Data’s role of course transcends marketing and advertising and is of crucial significance to both payments and gaming, and in particular the point at which these do space coverage during the depositing, withdrawal and KYC process.

Gaming operators have access to vast tracts of customers data via payments processes – bank account details, card numbers, names and addresses. Ensuring this data is protected is vital, operators would find themselves facing a significant public relations and regulatory nightmare if Ticketmaster or Santander-esque data breaches were to occur.

Bonner remarked: “Our enforcement action against Sky Betting and Gaming is a warning that there will be consequences if organisations breach the law, and people are denied the choice over targeted advertising. 

“We are preparing to scrutinise the next 100 most frequented websites, so I urge all organisations to assess their cookie banners now to make sure consent can be freely given before a letter arrives from the regulator.” 

Data protection has also been catching the attention of legislative and political authorities. The Conservative government had been taking its own approach to data protection with the Data Protection and Digital Innovation (DPDI) Bill, but this was shelved during the July general election.

The now-governing Labour Party – some of whose MPs were very critical of the Conservative’s DPDI Bill’s banking surveillance powers – has now launched its own legislation in this area, the Smart Data Bill.

One of the Bill’s three main provisions is the creation of Smart Data Schemes, which PM Keir Starmer’s administration hopes will allow secure sharing of customer data with authorised third party-providers.

This could have great significance for the development of the UK’s Open Banking network, with data sharing a central aspect of Open Banking but also a source of some consumer concern around it. Open Banking in turn is taking on more importance in the gaming sector, particularly as a touted solution to customer affordability issues.

Against this changing political backdrop, The ICO has been undertaking efforts to protect data. This has included the auditing of several data management platforms to understand how the wider data industry handles personal information, something which has led to investigations into some companies for potential failure to comply with data protection laws.