Data. It is the most valuable commodity for digital businesses across a wide range of sectors which is why organisations gather, segment, analyse and act upon huge volumes of information each day.
There are many reasons why companies gather data. In some cases, it is to better understand customers while in others it is to target them with highly personalised marketing collateral.
Then, of course, there are businesses in tightly regulated industries such as finance and online gambling that are required to gather data as part of the licences they must obtain and hold.
This puts data into two clear categories – information that organisations are required to collect and information organisations want to collect.
There is nothing wrong with businesses gathering both types of data, but questions are being raised over whether the current level of data gathering is approaching excessive.
To decide whether this is the case, let’s first look at the different types of data that digital businesses collect, segment, analyse and store. In this case, let’s look at an online casino site.
Online casinos use personal information to identify the player before allowing them to deposit and start playing at the online casino.
This includes first name, middle name, surname, email address, telephone number and date of birth. Financial information such as debit card number is also taken.
Online casinos are not the only digital businesses to gather this sort of personal information – if you open an account with PayPal or Revolut you will have to provide the same data.
Online gambling in the UK is highly regulated by the Gambling Commission and operators must obtain a licence in order to accept players.
As part of this, they are required to gather personal information in order to ensure that players are over the age of 18 years and to help combat money-laundering and fraud.
The other type of data digital organisations gather and process is non-personal information.
Non-personal information includes things like aggregated usage data and technical information sent from the device the user is accessing the website from.
This includes browser/operating system, language, time of access and previous sites visited.
In the online gambling space, operators are not required to gather this information by the UK Gambling Commission. They do so because they want to.
Why? Because when combined with the personal information they hold it can be used to improve marketing activity, the product offered to users and more.
The Rule Of Consent:
Gathering non-personal information is legally fine so long as organisations can prove under the Data Protection Act 2018 that they are doing so lawfully.
Under the act, there are six lawful bases for any company to gather data and information. The six lawful bases are:
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
For online gambling organisations, the usual basis for gathering personal data is contractual – players enter a contract in order to play at a particular site.
But the UK Gambling Commission also likes to see operators do all they can to monitor player behaviour and habits to prevent problem gambling.
To do this, they need behavioural and usage data and to gather this data they usually claim consent – consent will be given by the player when they accept the operator’s terms and conditions.
Data protection specialist Scott Dixon recently spoke to Find My UK Casino, an information portal about new online casinos, about his thoughts on how information is being gathered and used.
Dixon says that many companies – in and out of the online gambling sector – are using consent as the lawful basis to collect and process information.
In some cases, however, Dixon believes that consent does not meet the requirements of data protection legislation and could therefore be unlawful.
Another area of concern is Cookies. This is what Dixon had to say about data and cookies:
“Cookie use is currently a challenging area, but one that the regulators have a close eye on.
Data is of huge value to all digital organisations and the need to gather, analyse and process it is obvious for all to see.
In most cases, organisations are gathering personal and non-personal information within the boundaries of the law and the Data Protection Act, but only just.
Regulators are slowly tightening their requirements and expectations, and businesses should also consider whether the current approach they are taking to data is responsible.
They should also look at whether they are providing customers with clear information about the data they are gathering, why and under what basis.
Ultimately, businesses will be required to do this by law but those that wish to be honest and transparent with their customers/clients should make these changes now.