Online casinos and your data
ExplainerOnline casinos collect, store and use huge volumes of player data. In this explainer, we look at exactly what information they hold on you and how you can access it
Online casinos gather and hold huge volumes of data and information on every single player that has signed up to, deposited and played at their site.
There are many reasons why online casinos gather and hold this data, from ID verification to payment processing to providing you with a personalised experience.
But not all players are aware of the information that online casinos collect, how that data is gathered and stored and the ways in which it is used.
Below, we clearly explain the different types of data online casinos gather on players and how that information is collected, stored and used.
We explain how you can access the data that online casinos hold on you and how to have that data erased if you no longer want the casino to have access to your personal information.
We also speak with a data privacy expert to learn more about your data rights and what you can do to better protect your personal information.
Online casinos gather and hold two types of player data:
There are two different types of data that online casinos collect and hold:
- Personal information
- Non-personal information
Let’s look at each in a little more detail below.
This information is used to identify each player. Remember, the UK Gambling Commission requires online casinos to verify a player’s identity before allowing them to deposit and play.
In most cases, personal information is provided directly by the player when they sign up to a casino and create an account. Information provided includes:
- Full name
- Email address
- Telephone number
- Homes address
- Data of birth
Players are also required to provide financial information, such as the method they wish to use to deposit and withdraw. This includes data such as credit card numbers.
Online casinos will also gather personal information that you do not input, and this is usually obtained from the device you are accessing the casino from.
Data collected includes your location and IP address as well as your activity at the casino including pages viewed, clicks, actions and even the website you visited before arriving at the casino.
This information is not provided by players and is considered “un-identified” and “non-identifiable”. This simply means that the casino is not aware of the individual person the data belongs to.
This data is gathered when you use the casino and includes information such as aggregated usage information (data from several sources) and technical information transmitted by your device.
This includes the browser and operating system you are using, language preference, the time of day you are accessing the online casino and the website domain you came from.
How do online casinos gather player data?
There are several ways in which online casinos gather player data. As mentioned above, some of this you provide yourself when registering for or funding an online casino wagering account.
Popular online casino, Cozino, told Find My UK Casino that it also collects information when players place a bet or talk with customer support agents via email, live chat or telephone.
This includes recording telephone conversations with its customer support agents, so long as the player has given their consent for Cozino to do this.
Most online casinos will also gather information when you access, view, share, contribute to and communicate with their brands on social media.
More on cookies below.
What are Cookies and how do they work?
Cookies are text files that usually contain two bits of information. A website name and a unique user ID. You can read these files on your computer using Notebook or Word.
When you visit an online casino, or any website for that matter, for the first time a Cookie is downloaded onto your computer or mobile device.
The next time you visit that online casino, your computer or mobile device checks to see if it has a Cookie from that site and then sends the information in that Cookie back to the online casino.
The online casino then knows you have visited the site before and can then tailor the information, content and offers it provides to you knowing you are a returning visitor.
Cookies can also be used to gather information on the length of time you spend on each page at an online casino, the links you click and even what features you do and don’t engage with.
Why online casinos gather data on their players:
There are several reasons why online casinos gather and store your personal and non-personal information, from allowing you to open an account to being required to do so by the government.
Let’s look at the key reasons in a little more detail below.
Open an account and process payments:
Online casinos need personal information such as your name, age, address and contact details to verify your ID and allow you to create an account, deposit and start playing.
Online casino operators also need this information to process deposits and withdrawals, especially when working with third-party payment providers and banks.
Send marketing collateral to players:
Online casinos like to send their players updates about new offers, promotions, tournaments and even games launching, and this is usually done via email, SMS and occasionally letter.
Without gathering and storing your personal information, online casinos would not be able to send these updates to you. Of course, they do this to encourage you to keep playing with them.
But this is something you can control, and all online casinos recommended by Find My UK Casino allow you to choose how – if at all – the casino can contact you.
To improve your experience at the casino:
A player’s personal information and data is also used to improve the experience they receive at the casino, allowing the operator to provide a more personal and tailored offering.
For example, online casinos segment players into hundreds of different groups and then send each group a different promotion or offer based on their playing preferences and habits.
Some online casinos will also track the games you play and then recommended other titles based on the slots and table games you play the most.
The casino will also use your information when investigating any complaints or issues you may have submitted to customer support, such as a game freezing mid spin or a payout being declined.
They are legally required to do so:
Another reason why online casinos gather and hold player data is because they are required to do so by the country they are based in, or by the regulator that has issued their licence.
For example, the UK Gambling Commission requires the online casino operators it licenses to verify a player’s age before allowing them to deposit and play. To do this, they need to gather ID data.
Player data may be used to investigate violations of an online casino’s T&Cs and usage policies. They may also have to provide data to governments, regulators and law enforcement.
How and where is player data stored:
Player data and information is stored on secure severs, usually in a data centre. Data centres can be located all over the world, but popular locations include the UK, Malta and Gibraltar.
The transfer of your personal information, and financial transactions, are also kept secure through a variety of security protocols and firewalls.
Cozino, for example, uses a Secure Socket Layer (SSL) Encryption to ensure that all data and financial transactions are 100% safe and secure.
It is broken down as follows:
Protocol: TLS 1.2
Key exchange: ECDHE_RSA with X25519
In short, this means there is no chance your personal information can be intercepted by anyone other than Cozino while it is being transferred from you to its systems and servers.
How to access the information an online casino holds on you:
Under the General Data Protection Regulation (GDPR) you have the right to access the information and data that an online casino has gathered and stored on you.
Gaining access to the information a casino holds on you is really simple, you just need to ask for it. The best way of doing this is to contact customer support, either via live chat or email.
In some cases, customer support may refer you to the online casino’s data protection department or they may be able to liaise with the data protection department on your behalf.
You will then be sent a document containing all of the data and information the online casino holds on you.
How to request for an online casino to delete your data:
Under GDPR, you also have the right of erasure. This means you can request that an online casino deletes all of the personal information and data that it holds on you.
To do this, simply contact customer support and request that the online casino deletes all of your personal information. Customer support may refer you to the casino’s data protection department.
The online casino will then erase your information, so long as there is no good reason for them to continue processing it.
Such reasons might include an ongoing dispute you have with that casino or any pending transactions that have yet to be cleared. Once they have done this, they will notify you by email.
What happens if you ask for your data to be deleted:
There is nothing wrong with asking an online casino to erase the information and data it holds on you, but if you do decide to do this then you will no longer be able to play at that casino.
This is because the online casino needs information and data from you in order to be able to process payments and provide its services to you.
If you no longer wish to play at that particular casino then this will not be a problem. But if you do then you will have to provide the data and information the casino requires to continue playing.
Ask the expert: A Q&A with data protection specialist Scott Nicholson
While UK-licensed online casinos are transparent about the data they gather on players, we wanted to speak with a data expert to better understand whether they really do need this information.
Find My UK Casino (FMUC): Is this the sort of data/information you would expect an online casino to gather and hold on players?
Scott Nicholson (SN): Casinos need data on the individual’s name, date of birth, address and contact details such as a telephone number or email address. This is so that the person can play and the casino can meet its legal obligations in regard to crime, money laundering and other such legislation.
The casino will need financial details if the player wishes to play for money so that payments can be made and taken. And for credit card processing there are restrictions under PCI DSS to ensure certain aspects of card data remain encrypted.
In February 2019 the Gambling Commission announced that online gambling companies must verify customer age. Therefore, identification documents will also be processed but they shouldn’t really retain all of this data, only enough to verify the checks were completed accordingly.
All these categories of personal data will be necessary to carry out the individual’s request to play and the casino’s legal obligations. The type of information which is unlikely to be necessary from a data protection point of view is an individual’s gender or occupation.
If special categories of personal data such as religion, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs are asked for, this is likely to be unnecessary and, unless the casino can show otherwise, will be unlawful.
FMUC: Is it really necessary for online casinos to gather and hold this data? Are there any legal requirements in the UK for them to gather and hold player data?
SN: The Data Protection Act 2018 stipulates that the processing of personal data must have a lawful basis. There are six lawful bases and the casino must record using at least one of these.
An example of one such basis is to implement a contract with the individual, such as an online account (which players need to open to play) or service.
Processing personal data without one of these bases is unlawful and is punishable by a fine of up to 4% of the company’s global annual turnover, €20million, whichever is higher. The casino must, therefore, have a lawful basis to process personal data.
Furthermore, the casino can only legally collect the minimum amount of personal information required to carry out the request. For example, asking for details of one’s children to open an online account will be deemed excessive.
However, the Gambling Commission also expects online operators to spot any gambling-related harm. This is where having behavioural and usage data on the account holder may be justified but, on first glance, appears excessive.
FMUC: How should online casinos store player data to ensure that it is safe and secure? How can players learn how their data is being stored?
SN: Casinos must undertake an annual security audit by a suitably qualified, independent organisation which aligns to ISO27001:2013. The audit reports, and actions to address any findings, must be sent to the Gambling Commission.
These independent assessments should seek to ensure that vulnerabilities and risks are managed within the casino. This can only be achieved by undertaking many security activities such as regular penetration tests and vulnerability scanning. This needs to be done multiple times a year on all areas of the business.
Casinos must take measures to ensure they have the correct level of security relative to the risk. It’s the casino’s responsibility to protect the personal data they process and provide clear and transparent information to their customers.
FMUC: Should players be concerned about the data online casinos hold on them? Or is it just something they need to accept if playing at an online casino?
If the information does not appear to be necessary for the purpose it is being collected, players should ask why. It is very concerning when personal information is taken and processed without the player’s knowledge or consent. This is often through Cookies.
FMUC: Is there anything players can do to limit the amount of data they provide online casinos?
SN: The casino needs to show that any personal data it collects and processes is necessary and done lawfully. In addition, it needs to be limited to only the personal data needed to carry out the purpose. Any more will go against the principles of data protection legislation and can be punished by monetary fines.
If players think that they are being asked for information unnecessarily, then they should ask why. The casino may have a valid explanation but if not, they can complain to the Information Commissioner’s Office.
Players should check their browser setting to ensure they have content blocking and they could consider ad-blocking software. They should NOT track signals and Cookie storage. However, some of this may restrict their experience at online casino sites.
FMUC: Any recommendations for how players can protect their data when playing at an online casino?
SN: The security of the website and any interactions within it are the responsibility of the casino. However, the steps prior to accessing the casino website are often down to the player. Therefore, standard cyber hygiene practices should be taken, such as:
- Think before you click on links or attachments
- Look for spelling errors or email addresses which don’t seem right
- Verify the website BEFORE providing any details; check the URL begins with https
- If a site has obvious typographical errors, or no evidence of security information, or recognised symbols, avoid it
- Use unique passwords with a minimum of 10 characters made up of upper and lower case letters, numbers and symbols
- Don’t share passwords and change them often
- Use multi factor authentication if available
- Install up to date anti malware security software on all devices
FMUC: What should players do if they believe that an online casino is not gathering and storing data appropriately?
SN: If a player is suspicious about how a casino is processing personal data, they can make a Subject Access Request (SAR). This request is made verbally or in writing and the casino will have 30 calendar days to provide the information (an extension may be applied in certain circumstances).
The casino must provide the following information:
- If the casino is processing their personal data
- The reason personal data is being used
- What types of personal data, i.e. name, email address
- Who has/will the personal data been/be shared with
- How long the personal data will be stored, or the criteria used to decide how long it is stored
- That the player has a right to ask the casino to correct, restrict, delete their personal data or object to their personal data being used
- That the player can make a complaint to the supervisory authority (the ICO for the UK)
- If the player’s personal data was not collected directly from them, the casino must provide information as to how it was obtained
- If the casino is using automated decision making and profiling and the consequences of this for the player
- If the personal data is sent to a country outside the European Economic Area, what safeguarding measures to protect said information have been put in place by the casino
FMUC: Do you expect online casinos to require more data from players in the future?
SN: As individuals become aware of their privacy rights, and SARs and challenges are made, I would hope that casinos will become more transparent about personal data collection.
Recent enforcement actions by regulators have shown the high levels of fines being issued for infringements of legislation.
Casinos may be required to collect more information if dictated to by legislation under gambling laws, but that will be a legal obligation. The collection of further personal data will need a lawful basis and any player can request information as to what that is.
If you have any questions about the information and data online casinos hold on you, contact a member of the Find My UK Casino team here.