Gaming Eminence tackles regulation and technology with Jo Joyce Senior Counsel of Taylor Wessing. In this interview we touch upon customer data points, processing and storing data in different regions, leveraging tech to analyse customer data, habit forming apps and cyber security.
*please note the below are opinions of Jo Joyce and do not represent legal advise from Taylor Wessing.
GE) As an iGaming Operator, growing a business goes hand in hand with an increase in customers through data gathering. When it comes to customer data points firms should consider to capture, what would be your recommendation on what information is a requirement vs something that would be seen as going against the data minimisation principle? What would be the risks of not taking this into consideration?
JJ) Data minimisation is a crucial GDPR principle but it needn't be a barrier to acquiring more customers or more effectively engaging with an existing customer base. What data points are appropriate to collect will depend upon many factors but it is perfectly acceptable to collect significant amounts of personal data, provided that the collection and use of each data point can be properly justified.
An essential step is to be as transparent as possible with customers when collecting their data so that they understand what the data will be used for and what they can do about that (e.g. their rights to object or request changes). Data minimisation is about ensuring that the minimum amount of personal data is used to achieve any legitimate purpose, rather than preventing the use of data at all. If there is a way to achieve the same results by using anonymised data then that should be the approach taken but what is appropriate will depend upon the desired outcome.
For general data analysis, for site or game improvement, personal identifiers can often be excluded from a data set (or ideally not collected at all) without significant impact on the quality of the analysis but customer personalisation will inevitably require the use of personal data specific to the customer. Provided that any proposed use of personal data is properly risk assessed and explained to customers in a clear privacy notice, data minimisation will not be a barrier to proper customer data analysis.
It is also important to remember that sometimes the use of personal data is essential to fulfil other regulatory obligations and, in scenarios where there is a duty of care, effective age verification techniques and customer safeguarding practices are essential for the iGaming industry for regulatory purposes but also to maintain good ethical credentials. These sorts of checks and safeguarding activities will require the processing of ID documents, credit card references, or in some cases the use of facial analysis software to identify underage individuals. The amount of data required and the frequency with which it is updated will vary depending upon the countries in which the business is operating and the type of gaming offered. In every case though, clear risk assessments, restriction of employee access to data and user-friendly privacy notices will help to balance the tension between customer care and data minimisation.
GE) The iGaming/Gambling industry is one that is growing rapidly post pandemic, with firms building data hubs to store and manage the overwhelming amounts of customer data received. As laws vary from region to region in the processing of all this personal data, what are the top three areas the majority of operators tend to overlook that could open themselves up to issues down the road?
JJ) 1 - Consent isn't the only thing that matters
There is a common misconception in the industry (and across many other sectors) that obtaining consent for all data processing activities is a) necessary and b) sufficient. It is essential to have a legal basis for any use of personal data but the individual's consent is only one possible legal basis and in many cases (such as where data is used for regulatory compliance purposes) it will not be the most appropriate basis, because under the GDPR, consent can always be withdrawn.
2 - Sensitive data - you may have more than you realise
Special category data is sensitive personal information that is subject to extra protections and safeguards. The data falling into special categories includes health data, data about political or philosophical views, and biometric data. Many iGaming organisations may think that they don't collect any special category data but it is important to be aware of the risks of inadvertently collecting such information or other data from which special category data can be inferred (proxy data) for example, information about a customer's mental health may be processed as part of a safeguarding exercise or assessment of risky behaviours. Beyond the EU other data, such as financial data, may be treated as sensitive so it is important to have an understanding of which categories of information are subject to extra restrictions before entering a new market or expanding services in an existing one.
3 - Age and ID verification challenges
Robust age and identity checks are increasingly important to mitigate underage gambling and fraud complaints. However, the process for checking identity and age has to be compliant with privacy requirements and these will not be consistent in every market. The use of facial scanning is likely to mean the collection of biometric data so the use of such technology should only be considered following careful risk assessment. Similarly, the retention of copy ID documents is likely to be problematic, as well as risky from a cyber security perspective. Regulatory and security checks should be carefully planned to ensure they reduce overall risk and don't simply displace it.
GE) With the innovation we are seeing in technology, specifically with the ability to leverage customer data for visualisation, reporting analytics and Machine Learning to name a few. What are typical areas you see operators fall short in the balance of utilising tech vs the regulatory obligation they must adhere to?
JJ) Lack of transparency is the key issue
The GDPR led the way in enshrining the concepts of privacy by design and default in EU law. Many other jurisdictions are picking up these concepts in their own privacy regimes and now transparency and clarity in legal notices is perhaps more important than the content of them. If terms are overly complex or unclear, they are unlikely to be enforceable. If consent to use data is based on an unclear privacy notice, that consent will likely be invalid. Ensuring that privacy notices are clear and sufficiently detailed, without being so long that they overwhelm the reader is a major challenge and legal design approaches - focusing on the user experience - are rapidly becoming essential for service providers, such as iGaming platforms, which need to communicate a significant amount of relatively complex information in such a way as to ensure it can be relied upon as legally binding.
Lack of regulatory engagement
One major error made by iGaming operators is a desire to avoid regulatory scrutiny and to attempt to go under the radar of data regulators as a result. In the UK in particular the Information Commissioner strongly welcomes positive engagement, particularly from higher risk or regulated sectors and active engagement with regulators can help to build a relationship that will be valuable in the event of a security incident. There may also be the possibility to shape sector specific guidance and enforcement procedures.
GE) Success can be measured by many iGaming Operators on their ability to establish and maintain voluntary user engagement via web and mobile applications, though with this comes the potential for a rise in habit forming apps that can lead to problem gambling. Firstly, what regulatory risk might operators open themselves up to by not being aware of the impact of engagement habits? Secondly, what data or process can be used to mitigate that risk?
JJ) Gambling regulation is not harmonised across the EU and varies significantly in other jurisdictions so a failure to manage user habits and put safeguards in place is likely to lead to different consequences in different regimes. For example, failure to safeguard UK-based players is likely to lead to enforcement action from the Gambling Commission which could lead to the revocation of the business' Operating Licence.
In some countries failure to meet licencing or regulatory requirements could carry criminal penalties. There is the possibility of civil claims being brought by individuals or their families if it is found that you are in breach of a duty of care to users. This may create significant reputational as well as legal liabilities.
Monitoring risky or problematic behaviour of course comes with its own risks and any processes put in place must be assessed for data protection compliance. However, some level of account monitoring - identifying very frequent users, significant or regular losses or erratic hours of use - is likely to be essential.
Offering self-monitoring tools and making it easy for users to limit, access restrict, or delete their own accounts (and prevent reactivation) is highly encouraged but it is important to ensure user terms allow you the option to block users without their consent if risky patterns of behaviour are evident on their accounts. It is also recommended that you track payment methods to identify users creating multiple user accounts.
All of these safeguards require the processing of personal data and it is essential that clear privacy notices are made available. It is also important to make sure that the right basis for data processing is identified - consent is unlikely to be appropriate as users should not be able to opt out of safeguarding processes.
GE) The gambling industry has always been a target for cyber criminals due to its nature and as technology develops, so do the tools used by these individuals. Where do you often see those working in the iGaming/Gambling industry fall short with cyber security data that most are actually unaware of?
JJ) Although iGaming/gambling platforms are at high risk of cyber crime, the biggest risk points may not be within the organisation but on the user side. Ease of use is crucial for any App or platform and there will often be a strong inclination towards making the sign-in process easier and allowing users to stay logged in for longer. However, the lack of robust sign-in protocols and the use of shared devices is highly likely to lead to security breaches and fraud at user level.
The use of user focused design to make secure use of the platform/App the path of least resistance is crucial. User focused design can be deployed to plan the login process and create occasional security checks to make strong security easier to maintain (and the use of two factor authentication can massively reduce user-error induced risks.)
A related issue that the sector needs to be aware of is the risk of over-engineering security protocols. Just as users need to find it easy to use the platform or App securely, employees also need to find security compliance easy. Training is important and cutting corners should be a disciplinary matter but unless compliance activities and security protocols are straightforward and logical, they will still not be adhered too. Businesses need to design their privacy and cyber security programmes to work with the workforce they have, not the one they might wish to have.
About our contributor
Jo is a Senior Counsel and an information rights specialist in the Commercial Technology and Data team. She has over ten years of experience advising on contentious and non-contentious data and IP matters. Jo works with clients of all sorts to develop data privacy strategies. Jo has extensive experience of managing cybersecurity breaches and data and confidential information-focused litigation.
Much of Jo's work involves explaining complex privacy issues to groups of all ability levels; and in addition to running popular privacy training courses she is a leading proponent of Taylor Wessing's innovative legal design programme, tackling legal problems of all sorts with user focused design-thinking. She was listed as a Rising Star by Managing Intellectual Property in 2017, 2018 and 2019 and as one of Global Data Review's Top 40 Under 40 in 2018.