A recovering gambling addict has won his case against Sky Betting & Gaming (SBG) in the UK High Court, which ruled the online gambling provider acted unlawfully in its use of his personal data for profiling and targeted advertising.
On 23 January 2023, the Court found that Sky Betting – operated by Bonne Terre Limited and Hestview Limited – did not have a lawful basis to collect the anonymised claimant's personal data through cookies or to then profile him for the purposes of serving direct marketing online.
The judgment – which described the profiling practices in this case as “parasitic” – recognized that online gambling is a particularly risky environment in which users' discernment and autonomy can be undermined, and that data controllers therefore have heightened obligations to ensure they obtain valid consent.
It noted the UK General Data Protection Regulation (GDPR) is clear that consent for data processing must be “freely given”, “specific”, “informed” and “unambiguous”, a standard that Sky Betting failed to meet given the degree to which the claimant's decision-making was “impaired to a real degree” by his gambling addiction.
The judgment added that “there is an obviously enhanced risk of defective consent in such a cohort”, and that “it is not necessary for online gambling providers to market to their customers in order to allow them to gamble. It is something they choose to do for their own commercial reasons”.
It further noted that consent cannot be freely given where, in cases like this, there is a “clear imbalance” between data controller and data subject.
According to legal firm AWO, which represented the claimant, the ruling marks a legal first for the UK's multibillion-pound online gambling sector, and could have major implications for all gambling companies that may have also been illegally profiling thousands – if not tens of thousands. – of their vulnerable customers for years.
Shocked and disgusted
AWO legal director Ravi Naik said: “My client is pleased to be vindicated. The High Court judgment is an unalloyed victory, recognizing what our client has always maintained: he did not and could not have consented to being relentlessly tracked and intimately profiled by SBG in order to encourage him to gamble sums which he could not afford. He was – and remains – shocked and disgusted at the extent of SBG's data collection and profiling.
“As part of his recovery, one of my client's aims has been to draw attention to these unlawful practices and reduce their impact on others. It took great courage for him to stand up for that cause and seek to improve the lot of those impacted by such practices. Hopefully this judgment will reduce harm to vulnerable people by serving as a warning to online gambling companies – and others involved in the online advertising system – that they must comply with the law in their marketing practices.”
The case was brought after the claimant submitted a number of Data Subject Access Requests (DSARs) to Sky Betting, which revealed it had collected a vast amount of very detailed and intimate data about him.
However, AWO noted this represented only a small portion of the data ultimately disclosed to him through legal proceedings, which made it clear to the claimant he had been extensively tracked and profiled as a prolific gambler of potentially very high business value to Sky Betting.
The evidence in the case showed that at any one time, each individual being tracked by Sky Betting is assigned around 500 behavioral data points that are continuously updated by real-time data. This is in addition to data received from third parties like Signal (83 different data points) or Iovation (19,000 data points), as reported by the BBC in March 2021,
The judgment said the firm's marketing team “uses customer behavior data, and analytical and propensity modeling to monitor the effects of their marketing campaigns”, meaning there “is something of a continuous feedback loop using customers' responses” to the adverts they are served.
It added that Sky Betting's “witnesses accepted that some of the marketing team's most attractive 'high-value' customers might, looked at through the safer gambling lens and with a complete set of information, also be its customers most at risk of harm or actually harmful”.
However, the court found that while the modeling in place had identified the claimant as a “high-value” customer and marketed to him as such, “it never identified him as at high enough risk for [its] marketing suppression” measures.
“The financial triggers for suppression were set at levels beyond the realistically possible reach of a man of the claimant's modest means, even when he was spending all the money he could get his hands on and more,” said the judgment.
While Sky Betting argued that the claimant cannot have failed to notice the highly tailored nature of the marketing being directed at him, the judge disagreed: “I accept the claimant's evidence that he was genuinely astonished by the revelation of the scale and sophistication – and even the fact – of the operation to play his own behavior back to him as targeted marketing.”
The ruling added that “in the claimant's case, the raw data comprised the cumulative fine detail of behavior he had himself recognized at the time as harmful and out of control. And it was being used to enable and encourage him to do more.”
Sky Betting was previously reprimanded by the Information Commissioner's Office in September 2024 for unlawfully sharing customers' information with advertising companies.
The data regulator found that while there was no evidence that Sky Betting had deliberately targeted vulnerable gamblers, it did find that the company had processed people's data through the use of advertising cookies without consent over a seven-week period between January and March 2023.
Computer Weekly approached Sky Betting for comment but received no response by time of publication.