ICO (UK) - Bonne Terre Ltd and Sky Betting and Gaming

Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law:
Article 5(1)(a) UK GDPR
Article 6(1)(a) UK GDPR
Article 7(1) UK GDPR
Article 58(2)(b) UK GDPR
Type: Investigation
Outcome: Violation Found
Started: 26.10.2022
Decided: 02.09.2024
Published: 17.09.2024
Fine: n/a
Parties: Sky Betting and Gaming
National Case Number/Name: Bonne Terre Ltd and Sky Betting and Gaming
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: ao

The DPA reprimanded an online betting provider for unlawfully placing cookies before users could interact with the website’s cookie banner and for sharing personal data with third parties.

English Summary

Facts

The controller, an online gaming and betting services provider, used third-party tracking technology including cookies to collect personal data for marketing purposes. Following a report by an advocacy organisation alleging that the controller transferred extensive amounts of data to third parties without the data subjects’ consent, the ICO commenced an investigation.

It found that when users visited the website they were required to consent to cookies. However, cookies were placed on visitors’ devices even before consent was given through a selection in the cookie banner. Merely visiting the website initiated processing of personal data, which was transferred to third parties without the knowledge or consent of the users.

The ICO alerted the controller to its non-compliant practices on 2 March 2023 and by the next day, the controller had taken steps to rectify the issue. The ICO confirmed the rectification through technical testing on 17 March 2023.

Holding

On 17 March 2023, the controller stated that all processing of personal data took place on the legal basis of consent. Therefore, the ICO concluded that from 10 January 2023 until 3 March 2023, the processing took place unlawfully. Certain cookies were deployed without the knowledge or consent of the users before they interacted with the cookie banner.

Stating that unlawful disclosure of personal data to third parties is a matter of significant public concern, particularly in a commercial context, the ICO held the processing to be unlawful. The ICO reprimanded the controller under Article 58(2)(b) UK GDPR for violating Articles 5(1)(a), 6(1)(a) and 7(1) UK GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

REPRIMAND

BONNE TERRE LIMITED
T/A SKY BETTING AND GAMING

Reprimand issued by the Information Commissioner concerning infringements of Article 5(1)(a), Article 6(1)(a) and Article 7(1) UK GDPR by Bonne Terre Limited

2 September 2024

UK GENERAL DATA PROTECTION REGULATION
(Article 58(2)(b))

CORRECTIVE POWERS OF THE INFORMATION COMMISSIONER

REPRIMAND

To:   Bonne Terre Limited
Of:   4 Wellington Place, Leeds, LS1 4AP
FAO:
Email:

PART I: INTRODUCTION AND SUMMARY


1. Bonne Terre Limited t/a Sky Betting and Gaming (“Bonne Terre”) is a UK establishment (with UK establishment number: BR022210) of Bonne Terre Limited[1], a foreign company incorporated in Guernsey and registered with Companies House in England and Wales with company number FC037121.

[1] Bonne Terre is wholly owned by Flutter Entertainment plc (registered with the Companies Registration Office in Ireland with company number 16956).



2. Bonne Terre provides various online betting and gaming products which offer paid-for gambling services to individual consumers. These include services provided through the domain name www.skybet.com (“SkyBet”).

3. This Reprimand relates to the processing of personal data through the use of certain cookies which were set on the browsers of individuals (“Visitors”) when they accessed SkyBet during the period 10 January 2023 to 3 March 2023 (the “Processing Operations”).


4. Bonne Terre embeds third-party tracking technologies including cookies on SkyBet for the purpose of facilitating the collection of personal data. In so doing, Bonne Terre determines the purposes and means of the Processing Operations. The Information Commissioner (the “Commissioner”) therefore finds that Bonne Terre is a “controller” as defined in sections 3(6), 5 and 6 of the Data Protection Act 2018 (“DPA 2018”) and Article 4(7) of the UK General Data Protection Regulation (“UK GDPR”) in relation to the Processing Operations.

5. Bonne Terre makes the following statement in its Privacy Policy[2], “when you access or use our content, products, and Services, we may collect information from your devices through the use of “cookies” and similar technologies.”

6. As a controller in relation to the personal data processed through the Processing Operations, Bonne Terre was responsible for implementing appropriate technical and organisational measures to ensure and to be able to demonstrate that the Processing Operations were performed in accordance with the UK GDPR (Article 24(1) UK GDPR).

[2] Bonne Terre Privacy Policy, dated 24 October 2022.


7. The Commissioner hereby issues Bonne Terre with a Reprimand under Article 58(2)(b) UK GDPR, in the terms set out in this Reprimand. This Reprimand relates to infringements by Bonne Terre of Articles 5(1)(a), 6(1)(a) and 7(1) UK GDPR as a result of the Processing Operations.


PART II: FACTUAL BACKGROUND


8. In January 2022, Clean Up Gambling[3] published a report[4] which commented on data flows in the online gambling industry, including the data processing practices of Bonne Terre and a number of its partners. The report’s findings included an allegation that Bonne Terre transferred extensive amounts of personal data to third parties without data subjects’ informed consent.

9. On 26 October 2022, the Commissioner issued a letter to Bonne Terre, informing Bonne Terre that he had decided to conduct an investigation (the “Investigation”) into whether Bonne Terre was processing personal data in compliance with the DPA 2018 and the UK GDPR. The Investigation included an assessment of Bonne Terre’s compliance with its obligations under the UK GDPR and DPA 2018 in relation to its sharing of personal data with third parties for marketing purposes.

10. During the Investigation, the Commissioner identified that Visitors encountered a pop-up (the consent management platform or “CMP”) when they first visited SkyBet which informed Visitors that, “If you “accept All Cookies” you are agreeing to the storing of cookies on your device to enhance site navigation, assist with our marketing efforts, and analysis of product usage.” The CMP provided Visitors with the option to “Accept all cookies” which was treated as consent to the collection of Visitors’ personal data by third parties (the “AdTech Vendors”) via tracking technologies including cookies. Data processed on this basis included device information and unique identifiers, which fall within the definition of personal data as set out at Article 4(1) UK GDPR.

11. The Commissioner identified that certain cookies (further referenced in paragraph 20 below) were being deployed before Visitors interacted with the CMP, with the result that Visitors’ personal data was being processed and made available to AdTech Vendors through the use of cookies and without Visitors’ knowledge or consent.

[3] Clean Up Gambling are a UK advocacy organisation.
[4] Bonne Terre Privacy Policy, dated 24 October 2022.


12. The Commissioner alerted Bonne Terre to its non-compliant practices in relation to SkyBet on 2 March 2023. By 3 March 2023, Bonne Terre had taken steps to rectify the issue. In its letter to the Information Commissioner’s Office (“ICO”) dated 17 March 2023, Bonne Terre stated: “We confirm that the problem identified on the Skybet site on the morning of Thursday 2nd March 2023 was fixed on the morning of Friday 3rd March 2023.”[5] This was verified by the ICO through technical testing on 17 March 2023.

13. On 13 February 2024, the Commissioner sent a Notice of Intent to issue a Reprimand to Bonne Terre setting out the Commissioner’s provisional findings that Bonne Terre had infringed Articles 5(1)(a), 6(1)(a) and 7(1) UK GDPR. Bonne Terre submitted written representations (the “Representations”) to the Commissioner in response to the Notice of Intent on 10 April 2024. This Reprimand takes into account Bonne Terre’s Representations and, where appropriate, makes specific reference to them.

[5] Bonne Terre’s letter to the ICO dated 17 March 2023, p. 6, section 1.1.2


14. Having carefully considered the Representations, the Commissioner finds that Bonne Terre has infringed Articles 5(1)(a), 6(1)(a) and 7(1) UK GDPR.

15. In summary, the processing of personal data taking place pursuant to the Processing Operations was carried out unlawfully from 10 January 2023 to 3 March 2023. Despite the Processing Operations purportedly being carried out in reliance on consent for the purposes of Articles 5(1)(a) and 6(1)(a) UK GDPR, the collection of personal data for marketing purposes, via third-party tracking technologies, commenced before Visitors had given their consent to the processing of their personal data for those purposes in a way which satisfied the requirements of Article 7(1) UK GDPR, read in conjunction with Article 4(11) UK GDPR. The reasons for the Commissioner’s findings are set out below.

16. To the extent that they are relevant to this notice, the Commissioner’s functions are set out under Article 58(2)(b) of the UK GDPR.


PART III: THE INFRINGEMENTS

17. The Commissioner has found that Bonne Terre infringed Articles 5(1)(a), 6(1)(a) and 7(1) UK GDPR in respect of the Processing Operations (the “Infringements”).

18. The Commissioner has found that personal data was being processed by certain third-party tracking technologies which were deployed on Visitors’ browsers, when they accessed SkyBet before they interacted with the CMP.[6] This occurred from 10 January 2023 to 3 March 2023.

19. Bonne Terre confirmed to the Commissioner that all processing of personal data by marketing cookies was on the basis of the Visitors’ consent,[7] meaning that Bonne Terre and the AdTech Vendors were relying on the Article 6(1)(a) UK GDPR lawful basis of consent for the processing of Visitors’ personal data for the marketing purposes set out in the CMP.[8]

20. However, in the course of the Investigation, the Commissioner identified that certain third-party marketing cookies were being deployed before Visitors had provided their consent, resulting in the processing of individuals’ personal data without consent or any other valid lawful basis. MediaMath, a demand side platform[9] contracted by Bonne Terre, used a pixel embedded within SkyBet to facilitate the setting of approximately 40 third-party marketing cookies, which were placed on Visitors’ devices before the Visitors set their preferences within the CMP (i.e. before consent could have been obtained).

21. As a result of the above practices, Visitors’ personal data was made available to and processed by AdTech Vendors without Visitors’ valid consent, in breach of the requirement for the processing of personal data to be lawful and fair under Articles 5(1)(a), 6(1)(a) and 7(1) UK GDPR.

[6] Response from Bonne Terre dated 17 March 2023 (responding to ICO’s Letter 6 March 2023), Section 1.1
[7] Response from Bonne Terre dated 17 March 2023 (responding to ICO’s Letter 6 March 2023), Section 1.2.2.
[8] The CMP at the time of the breach stated, under “Third Party Marketing / Targeting Cookies” that: “These cookies are used to deliver Flutter Entertainment plc group advertisements relevant to you, based upon your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of an advertising campaign.”
[9] A demand side platform (DSP) buys inventory (space on websites) based on behavioural, and often personal data. If the impression matches the advertiser’s target audience then a bid is placed via the DSP.

PART IV: DECISION TO ISSUE THIS REPRIMAND


22. In deciding to issue this Reprimand, the Commissioner has considered the potential harms caused by the contraventions.

23. The Infringements were the collection, via the MediaMath pixel, and disclosure of personal data relating to Visitors for marketing purposes without valid consent or any other lawful basis, as set out in paragraph 20 above. Bonne Terre confirmed that it was relying on consent as its lawful basis for processing personal data by the cookies deployed in accordance with Article 6(1)(a) UK GDPR. The Commissioner concludes that this processing occurred without valid consent in accordance with Article 6(1)(a) UK GDPR or any other lawful basis, for the period from 10 January 2023 to 3 March 2023, in contravention of Articles 5(1)(a), 6(1)(a) and 7(1) UK GDPR.

24. The Commissioner has had regard to the Representations which outline the restrictions which Bonne Terre is subject to as a result of its operating licence, issued pursuant to the Gambling Act 2005.


25. In particular, in assessing the seriousness of the Infringements, the Commissioner notes the following measures adopted by Bonne Terre as described in the Representations:

     25.1 When an individual registers as an online account holder through one of Bonne Terre’s online product or service domains (a “Customer”), Bonne Terre is required to ensure that the Customer meets the general requirements applicable to gambling account holders in the UK, namely, that the Customer is old enough to gamble and has not self-excluded[10] from gambling. If Bonne Terre identifies that an individual is trying to re-register while self-excluded or registered with GAMSTOP (a gambling self-exclusion scheme), the request to open an account will be refused.

     25.2 Bonne Terre undertakes profiling to assess whether a Customer or an individual seeking to register as a Customer should be removed from targeted marketing based both on explicit Customer preference and other marketing suppression flags, such as whether a Customer has failed the verification process or whether a Customer is at or near their spend limit and has a zero balance. Bonne Terre explained that there are over 30 suppression flags which are considered when building marketing audiences, including when Customers have: reached their deposit limit; been identified as a high risk by the CRISP (Customer Risk Propensity) Model[11]; an active or previous GAMSTOP[12] registration; or an active self-exclusion agreement with Bonne Terre.

26. The Commissioner notes the safeguards outlined in Paragraph 25 above in limiting access to gambling services offered via SkyBet and reducing the volume of targeted marketing being served to Customers who have triggered the relevant suppression. The Commissioner acknowledges the likely impact of these restrictions and safeguards in reducing the seriousness of the Infringements but notes that the controls only apply to Customers.

[10] Self-exclusion is a formal agreement entered into by a gambling customer with either a single gambling operator or multi-operators to not gamble. Reasonable steps must be taken by the relevant gambling operators to prevent the customer from gambling.
[11] CRISP is a propensity model designed by Bonne Terre to identify customers at risk of gambling-related harm. The model uses historical self-exclusion and GAMSTOP data alongside approximately 80 short-term and long-term features to output a probability that they will self-exclude. Phase 2 Response from Bonne Terre dated 13 January 2023, Section 21.2.5
[12] Registering for GAMSTOP will block a prospective customer from online logging into or setting up gambling accounts with businesses licensed in Great Britain if a UK resident.


27. Bonne Terre further asserts in the Representations that its relationship with MediaMath was governed by a Master Service Agreement which provided for contractual controls that limited MediaMath’s use of data collected via SkyBet, resulting in MediaMath only being allowed to use the data for limited commercial purposes. In addition, Bonne Terre submits that the Infringements did not result in any disclosure to MediaMath of the fact that data subjects had interacted with a gambling website and that this significantly limited any potential harm arising from the Infringements. The Commissioner notes these Representations and has taken the contractual controls and limits on sharing with MediaMath into account in assessing the seriousness of the Infringements.


28. Unlawful disclosure of personal data to third parties is a matter of significant public concern, particularly where it occurs in a commercial context. The ICO Public Awareness Survey[13] published in September 2022 found that 56% of those surveyed were “very concerned” about organisations/companies using their personal data without their permission, and 91% of those surveyed were concerned about this to some extent. Broader research has similarly found that a significant majority of data subjects are concerned about their inability to effectively control the use of their personal data, particularly the sharing of personal data between parties for commercial purposes.[14]

29. These concerns are highly relevant in the context of advertising technology, where personal data is collected, combined, and used for commercial purposes, often in potentially opaque ways.

30. The ICO has previously identified[15] various potential harms arising from tracking technologies deployed for marketing purposes, including both harm suffered by individuals and societal harms with collective consequences.

31. For the purposes of this Reprimand, the Commissioner has also considered the potential harms arising from the Infringements, which include loss of autonomy and potentially a sense of manipulation or influence, since data subjects were deprived of the opportunity to confirm that they did not consent to the collection and disclosure of their personal data; loss of control of their personal data, where expectations of effective choice may not have been met in instances where personal data was collected prior to Visitors giving or refusing consent; and intrusion into data subjects’ lives, including a possible sense of surveillance by way of unwanted targeted advertising where cookies were deployed on the browsers of Visitors who chose to reject third-party tracking.[16]

32. The ICO has specifically addressed the need for effective choice in the advertising technology context in its previous publications and other communications. For example, the ICO’s 2019 Update Report into Adtech and Real Time Bidding[17] stated that “[c]ookies used for the purposes of online advertising… require prior consent”. Despite Bonne Terre’s statement that it had adopted that position,[18] it failed in practice to implement it in the circumstances identified in paragraph 20 above for the period from 10 January 2023 to 3 March 2023.

[13] ICO Public Awareness Survey
[14] Digital Footprints - Communications Consumer Panel; Charter of Fundamental Rights and General Data Protection Regulation - May 2019 - Eurobarometer survey (europa.eu); Control, Alt or Delete? Consumer research on attitudes to data collection and use (which.co.uk); Are you following me? (which.co.uk); Are You Still Following Me? - Which? Policy and insight. A 2016 survey by the European Commission found that 96% of UK consumers thought that it was important that their personal information on their computer, tablet or smartphone could only be accessed with their permission.
[15] Opinion on data protection and privacy expectations for online advertising proposals, p.18
[16] Overview of Data Protection Harms and the ICO Taxonomy p. 24.
[17] Update Report into AdTech and Real Time Bidding (ico.org.uk), p. 18.


33. Finally, the Commissioner has had regard to the fact that the Processing Operations took place in the context of visits made to gambling websites. Research has indicated that vulnerable[19] data subjects are concerned about gambling addictions being manipulated in the targeted advertising context.[20]

34. The Commissioner has issued this Reprimand in respect of the Infringements on the basis that, in all the circumstances, and having regard to the matters listed in the Commissioner’s Regulatory Action Policy[21], a Reprimand is an effective, proportionate and dissuasive measure.

[18] Response from Bonne Terre dated 17 March 2023 (responding to ICO’s Letter 6 March 2023), Section 1.2.2, confirming that all marketing cookies were deployed on the basis of the Visitors’ consent.
[19] For the purposes of this research, Which? defined vulnerable consumers as people aged 80 years and over; people belonging to a lower socio-economic group (DE); people with a long-term physical or mental health condition/disability; and people who do not feel confident speaking, reading or writing in English.
[20] Control, Alt or Delete? Consumer research on attitudes to data collection and use (which.co.uk); see also Online targeting: Final report and recommendations - GOV.UK (www.gov.uk), showing that 77% of those surveyed considered the use of personal data by a gambling company to find people most interested in placing a bet to be unacceptable.
[21] Regulatory Action Policy (ico.org.uk)

PART V: FURTHER ACTION RECOMMENDED

35. The Commissioner recommends that in order to ensure Bonne Terre’s future compliance with Articles 5(1)(a), 6(1) and 7(1) UK GDPR and to maintain best practice, Bonne Terre should continue to review and monitor its processes to ensure that all non-essential cookies and tags are deployed on Bonne Terre’s domains only after valid Visitor consent has been obtained.

36. If, in future, the Commissioner has grounds to suspect that Bonne Terre is not complying with its obligations under the UK GDPR and/or DPA 2018, and there has been repetition of the Infringements set out in this Reprimand (which could be avoided by following the Commissioner’s recommendations or taking alternative appropriate steps), this may be taken into account as an aggravating factor, in accordance with the ICO Regulatory Action Policy and Article 83(2)(i) UK GDPR, in deciding whether to take further formal regulatory action.





Dated the 2nd day of September 2024

Stephen Bonner
Deputy Commissioner, Regulatory Supervision
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF