EGBA launches consultation on GDPR code of conduct

28 January 2020

The European Gaming and Betting Association (EGBA) has launched a consultation on a code of conduct for the igaming industry’s compliance with the European Union’s General Data Protection Regulation (GDPR).

The association aims to gather feedback from EU-based online gambling operators, regulators and other interested parties as it looks to ensure the code is widely adopted, securing a high level of compliance with the GDPR across the industry.

The GDPR 2016/679 was adopted by the European Union in April 2016, with all member states, including the UK, required to implement new regulations to protect personal data across the bloc.

EGBA noted that it poses several challenges for a number of different sectors that process and manage customer data, including the gaming sector. This prompted it to develop the code of conduct, to set out best practice for the industry to follow.

The code states that data must only be processed when there is a lawful need for it to be collected and when it will be used fairly, with operators having been transparent about the need to collect the data.

The reasons why the data must be collected must be made clear to consumers, while operators must also ensure only necessary information is gathered. Operators must also ensure the data is accurate and up-to-date, that it is stored in an anonymised way or deleted when no longer required, and that security measures are taken to keep it secure.

Data collection can only be carried out when the consumer's consent is clearly and unambiguously given, through an active motion (such as ticking a box) or declaration (such as clicking ok in a text box). Players must also be granted an easy-to-follow way of withdrawing consent, with operators required to periodically check whether their players are still happy for their data to be collected or stored.

Gaming companies must not use mechanisms such as pre-ticked opt-in boxes, and should provide different options for differing levels of data collection, the code goes on to state. The opt-ins should also be separated from operators’ terms and conditions.

Consumers should also be able to access their data in a way that allows them to use it across multiple providers. There will be exceptions, such as a player’s account history or algorithmic analyses of their gambling behaviour.

The code goes on to cover the sharing of data, either systematically (such as for specific projects including research) or in exceptional circumstances (including police requests). It states that operators must have established processes or partnerships to facilitate each eventuality. The customer must be informed that their data could be used in this way as part of the original opt-in process.

In case of breaches, where data is lost, stolen or unlawfully amended, operators must create response teams to deal with the issue. As stated by GDPR 2016/679, operators must also notify customers of any such breach within 72 hours.

The public consultation runs until 25 February, during which time all stakeholders may submit comments or recommendations by email. These will be taken into account in the following weeks, with a view to publishing the final code on the EGBA website in spring this year.

At this point interested parties will be able to sign up, to state that they will comply with its terms.