ICO (UK) - Bonne Terre Ltd and Sky Betting and Gaming

From GDPRhub
Revision as of 09:05, 8 October 2024 by Ao (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO |DPA_With_Country=ICO (UK) |Case_Number_Name=Bonne Terre Ltd and Sky Betting and Gaming |ECLI= |Original_Source_Name_1=ICO |Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/reprimands/4031023/bonne-terre-limited-reprimand.pdf |Original_Source_Language_1=English |Original_Source_Language__Code_1=EN |Original_Source_Name_2= |Ori...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ICO - Bonne Terre Ltd and Sky Betting and Gaming
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law:
58(2)(b)
6(1)(a) GDPR
7(1) UK GDPR
Article 5(1)(a) UK GDPR
Type: Investigation
Outcome: Violation Found
Started: 26.10.2022
Decided: 02.09.2024
Published: 17.09.2024
Fine: n/a
Parties: Sky Betting and Gaming
National Case Number/Name: Bonne Terre Ltd and Sky Betting and Gaming
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: ao

The DPA reprimanded an online betting provider for unlawfully placing cookies before users could interact with the website’s cookie banner and for sharing personal data with third parties.

English Summary

Facts

The controller, an online gaming and betting services provider, used third-party tracking technology including cookies to collect personal data for marketing purposes. Following a report by an advocacy organisation alleging that the controller transfers extensive amounts of data to third parties without the data subjects’ consent, the ICO commenced an investigation.

It found that when users visited the website they were required to consent to cookies. However, even before consent was given through selection in the cookie banner, cookies were placed on visitors’ devices. The mere visit on the website initiated processing of personal data which was transferred to third parties without the knowledge or consent of the users.

The ICO alerted the controller of its non-compliant practices on 2 March 2023 and by the next day, the controller had taken steps to rectify the issue. The rectification of the issue was confirmed by the ICO through the form of technical testing on the 17 March 2023.

Holding

On the 17 March 2023, the controller had stated that all processing of personal data took place on the legal basis of consent. Therefore, the ICO concluded that from 10 January 2023 until 3 March 2023, the processing took place unlawfully. Certain cookies were deployed without the knowledge or consent of the users before they interacted with the cookie banner.

Stating that unlawful disclosure of personal data to third parties is a matter of significant public concern, particularly in a commercial context, the ICO held the processing to be unlawful. The ICO reprimanded the controller under Article 58(2)(b) UK GDPR for violating Articles 5(1)(a), 6(1)(a) and 7(1) UK GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

REPRIMAND


                   BONNE T ERRELIMITED
            T/AS KYB ETTING ANDG AMING

          Reprimand issued by the Information
Commissioner concerning infringements of Article
5(1)(a), Article 6(1)(a) and Article 7(1) UK GDPR
                    by Bonne Terre Limited














                           2 September 2024            UK GENERAL DATA PROTECTION REGULATION
                           (Article 58(2)(b))

    CORRECTIVE POWERS OF THE INFORMATION COMMISSIONER



                              REPRIMAND


                           2 September 2024





To:   Bonne Terre Limited

Of:   4 Wellington Place, Leeds, LS1 4AP





      FAO:

      Email:



      2 September 2024




PART I: INTRODUCTION AND SUMMARY


1.  Bonne Terre Limited t/a Sky Betting and Gaming (“Bonne Terre”), is a

    UK establishment (with UK establishment number: BR022210) of Bonne
                  1
    Terre Limited , a foreign company incorporated in Guernsey and

    registered with Companies House in England and Wales with company
    number FC037121.





1Bonne Terre is wholly owned by Flutter Entertainment plc (registered with the Companies
 Registration Office in Ireland with company number 16956).



                                   12.   Bonne Terre provides various online betting and gaming products which

     offer paid-for gambling services to individual consumers. These include

     services  provided    through   the   domain    name    www.skybet.com

     (“SkyBet”).


3.   This Reprimand relates to the processing of personal data through the

     use of certain cookies which were set on the browsers of individuals
     (“Visitors”) when they accessed SkyBet during the period 10 January

     2023 to 3 March 2023 (the “Processing Operations”).


4.  Bonne Terre embeds third-party tracking technologies including cookies

     on SkyBet for the purpose of facilitating the collection of personal data.

     In so doing, Bonne Terre determines the purposes and means of the

     Processing Operations. The Information Commissioner (the

     “Commissioner”) therefore finds that Bonne Terre is a “controller” as

     defined in sections 3(6), 5 and 6 of the Data Protection Act 2018 (“DPA
     2018”) and Article 4(7) of the UK General Data Protection Regulation

     (“UK GDPR”) in relation to the Processing Operations.


5.   Bonne Terre makes the following statement in its Privacy Policy , “when

     you access or use our content, products, and Services, we may collect

     information from your devices through the use of “cookies” and similar

     technologies.”


6.   As a controller in relation to the personal data processed through the

     Processing Operations, Bonne Terre was responsible for implementing
     appropriate technical and organisational measures to ensure and to be






2
 Bonne Terre Privacy Policy, dated 24 October 2022.

                                     2     able to demonstrate that the Processing Operations were performed in
     accordance with the UK GDPR (Article 24(1) UK GDPR).


7.   The Commissioner hereby issues Bonne Terre with a Reprimand under

     Article 58(2)(b) UK GDPR, in the terms set out in this Reprimand. This

     Reprimand relates to infringements by Bonne Terre of Articles 5(1)(a),

     6(1)(a) and 7(1) UK GDPR as a result of the Processing Operations.


PART II: FACTUAL BACKGROUND


8.   In January 2022, Clean Up Gambling        3 published a report   4 which

     commented on data flows in the online gambling industry, including the

     data processing practices of Bonne Terre and a number of its partners.

     The report’s findings included an allegation that Bonne Terre transferred

     extensive amounts of personal data to third parties without data subjects’

     informed consent.


9.   On 26 October 2022, the Commissioner issued a letter to Bonne Terre,

     informing Bonne Terre that he had decided to conduct an investigation

     (the “Investigation”) into whether Bonne Terre was processing personal

     data in compliance with the DPA 2018 and the UK GDPR. The
     Investigation included an assessment of Bonne Terre’s compliance with

     its obligations under the UK GDPR and DPA 2018 in relation to its sharing

     of personal data with third parties for marketing purposes.


10. During the Investigation, the Commissioner identified that Visitors

     encountered a pop-up (the consent management platform or “CMP”)

     when they first visited SkyBet which informed Visitors that, “If you

     “accept All Cookies” you are agreeing to the storing of cookies on your


3Clean Up Gambling are a UK advocacy organisation.
4Bonne Terre Privacy Policy, dated 24 October 2022.


                                     3     device to enhance site navigation, assist with our marketing efforts, and

     analysis of product usage.” The CMP provided Visitors with the option to

     “Accept all cookies” which was treated as consent to the collection of

     Visitors’ personal data by third parties (the “AdTech Vendors”) via

     tracking technologies including cookies. Data processed on this basis

     included device information and unique identifiers, which fall within the

     definition of personal data as set out at Article 4(1) UK GDPR.


11. The Commissioner identified that certain cookies (further referenced in

     paragraph 20 below) were being deployed before Visitors interacted with
     the CMP, with the result that Visitors’ personal data was being processed

     and made available to AdTech Vendors through the use of cookies and

     without Visitors’ knowledge or consent.


12. The Commissioner alerted Bonne Terre to its non-compliant practices in

     relation to SkyBet on 2 March 2023. By 3 March 2023, Bonne Terre had

     taken steps to rectify the issue. In its letter to the Information

     Commissioner’s Office (“ICO”) dated 17 March 2023, Bonne Terre stated:

     “We confirm that the problem identified on the Skybet site on the morning
                  nd                                                  rd
     of Thursday 2   March 2023 was fixed on the morning of Friday 3    March
            5
     2023.”  This was verified by the ICO through technical testing on 17
     March 2023.


13. On 13 February 2024, the Commissioner sent a Notice of Intent to issue

     a Reprimand to Bonne Terre setting out the Commissioner’s provisional

     findings that Bonne Terre had infringed Articles 5(1)(a), 6(1)(a) and 7(1)

     UK   GDPR.   Bonne    Terre  submitted   written   representations   (the

     “Representations”) to the Commissioner in response to the Notice of



5
 Bonne Terre’s letter to the ICO dated 17 March 2023, p. 6, section 1.1.2

                                     4     Intent on 10 April 2024. This Reprimand takes into account Bonne Terre’s

     Representations and, where appropriate, makes specific reference to
     them.


14. Having carefully considered the Representations, the Commissioner finds

     that Bonne Terre has infringed Articles 5(1)(a), 6(1)(a) and 7(1) UK

     GDPR.


15. In summary, the processing of personal data taking place pursuant to the

     Processing Operations was carried out unlawfully from 10 January 2023
     to 3 March 2023. Despite the Processing Operations purportedly being

     carried out in reliance on consent for the purposes of Articles 5(1)(a) and

     6(1)(a) UK GDPR, the collection of personal data for marketing purposes,

     via third-party tracking technologies, commenced before Visitors had

     given their consent to the processing of their personal data for those
     purposes in a way which satisfied the requirements of Article 7(1) UK

     GDPR, read in conjunction with Article 4(11) UK GDPR. The reasons for

     the Commissioner’s findings are set out below.


16. To the extent that they are relevant to this notice, the Commissioner’s

     functions are set out under Article 58(2)(b) of the UK GDPR.


PART III: THE INFRINGEMENTS

17.  The Commissioner has found that Bonne Terre infringed Articles 5(1)(a),

     6(1)(a) and 7(1) UK GDPR in respect of the Processing Operations (the

     “Infringements”).


18.  The Commissioner has found that personal data was being processed by

     certain third-party tracking technologies which were deployed on




                                     5      Visitors’ browsers, when they accessed SkyBet before they interacted
                    6
      with the CMP. This occurred from 10 January 2023 to 3 March 2023.


19.   Bonne Terre confirmed to the Commissioner that all processing of

      personal data by marketing cookies was on the basis of the Visitors’

      consent, 7 meaning that Bonne Terre and the AdTech Vendors were

      relying on the Article 6(1)(a) UK GDPR lawful basis of consent for the

      processing of Visitors’ personal data for the marketing purposes set out

      in the CMP.8



20.   However, in the course of the Investigation, the Commissioner identified

      that certain third-party marketing cookies were being deployed before

      Visitors had provided their consent, resulting in the processing of

      individuals’ personal data without consent or any other valid lawful basis.
                                           9
      MediaMath, a demand side platform contracted by Bonne Terre, used a

      pixel embedded within SkyBet to facilitate the setting of approximately

      40 third-party marketing cookies, which were placed on Visitors’ devices

      before the Visitors set their preferences within the CMP (i.e. before

      consent could have been obtained).


21. As a result of the above practices, Visitors’ personal data was made

     available to and processed by AdTech Vendors without Visitors’ valid




6Response from Bonne Terre dated 17 March 2023 (responding to ICO’s Letter 6 March
2023), Section 1.1
7
 Response from Bonne Terre dated 17 March 2023 (responding to ICO’s Letter 6 March 2023),
Section 1.2.2.
8The CMP at the time of the breach stated, under “Third Party Marketing / Targeting Cookies”
that: “These cookies are used to deliver Flutter Entertainment plc group advertisements
relevant to you, based upon your interests. They are also used to limit the number of times
you see an advertisement as well as help measure the effectiveness of an advertising
campaign.”
9
 A demand side platform (DSP) buys inventory (space on websites) based on behavioural,
and often personal data. If the impression matches the advertiser’s target audience then a
bid is placed via the DSP.

                                      6     consent, in breach of the requirement for the processing of personal data

     to be lawful and fair under Articles 5(1)(a), 6(1)(a) and 7(1) UK GDPR.

PART IV: DECISION TO ISSUE THIS REPRIMAND


22. In deciding to issue this Reprimand, the Commissioner has considered

     the potential harms caused by the contraventions.


23. The Infringements were the collection, via the MediaMath pixel, and

     disclosure of personal data relating to Visitors for marketing purposes

     without valid consent or any other lawful basis, as set out in paragraph
     20 above. Bonne Terre confirmed that it was relying on consent as its

     lawful basis for processing personal data by the cookies deployed in

     accordance with Article 6(1)(a) UK GDPR. The Commissioner concludes

     that this processing occurred without valid consent in accordance with

     Article 6(1)(a) UK GDPR or any other lawful basis, for the period from 10
     January 2023 to 3 March 2023, in contravention of Articles 5(1)(a), 6

     (1)(a) and 7(1) UK GDPR.


24. The Commissioner has had regard to the Representations which outline

     the restrictions which Bonne Terre is subject to as a result of its operating

     licence, issued pursuant to the Gambling Act 2005.


25. In particular, in assessing the seriousness of the Infringements, the
     Commissioner notes the following measures adopted by Bonne Terre as

     described in the Representations:


     25.1 When an individual registers as an online account holder through

           one of Bonne Terre’s online product or service domains (a

           “Customer”), Bonne Terre is required to ensure that the Customer
           meets the general requirements applicable to gambling account



                                     7           holders in the UK, namely, that the Customer is old enough to

           gamble and has not self-excluded  10 from gambling. If Bonne Terre

           identifies that an individual is trying to re-register while self-

           excluded or registered with GAMSTOP (a gambling self-exclusion

           scheme), the request to open an account will be refused.

     25.2 Bonne Terre undertakes profiling to assess whether a Customer or

           an individual seeking to register as a Customer should be removed

           from targeted    marketing   based    both on    explicit Customer

           preference and other marketing suppression flags, such as whether

           a Customer has failed the verification process or whether a

           Customer is at or near their spend limit and has a zero balance.

           Bonne Terre explained that there are over 30 suppression flags

           which are considered when building marketing audiences, including

           when Customers have: reached their deposit limit; been identified

           as a high risk by the CRISP (Customer Risk Propensity) Model  11; an

           active or previous GAMSTOP     12 registration; or an active self-

           exclusion agreement with Bonne Terre.


26. The Commissioner notes the safeguards outlined in Paragraph 25 above

     in limiting access to gambling services offered via SkyBet and reducing

     the volume of targeted marketing being served to Customers who have

     triggered the relevant suppression. The Commissioner acknowledges the

     likely impact of these restrictions and safeguards in reducing the


10Self-exclusion is a formal agreement entered into by a gambling customer with either a
single gambling operator or multi-operators to not gamble. Reasonable steps must be taken
by the relevant gambling operators to prevent the customer from gambling.
11
  CRISP is a propensity model designed by Bonne Terre to identify customers at risk of
gambling-related harm. The model uses historical self-exclusion and GAMSTOP data
alongside approximately 80 short-term and long-term features to output a probability that
they will self-exclude. Phase 2 Response from Bonne Terre dated 13 January 2023, Section
21.2.5
12Registering for GAMSTOP will block a prospective customer from online logging into or
setting up gambling accounts with businesses licensed in Great Britain if a UK resident.

                                     8     seriousness of the Infringements but notes that the controls only apply
     to Customers. .


27   Bonne Terre further asserts in the Representations that its relationship

     with MediaMath was governed by a Master Service Agreement which

     provided for contractual controls that limited MediaMath’s use of data

     collected via SkyBet, resulting in MediaMath only being allowed to use

     the data for limited commercial purposes. In addition, Bonne Terre

     submits that the Infringements did not result in any disclosure to

     MediaMath of the fact that data subjects had interacted with a gambling

     website and that this significantly limited any potential harm arising from

     the Infringements. The Commissioner notes these Representations and

     has taken the contractual controls and limits on sharing with MediaMath

     into account in assessing the seriousness of the Infringements.


28. Unlawful disclosure of personal data to third parties is a matter of

     significant public concern, particularly where it occurs in a commercial
     context. The ICO Public Awareness Survey      13 published in September

     2022 found that 56% of those surveyed were “very concerned” about

     organisations/companies    using   their  personal  data   without   their

     permission, and 91% of those surveyed were concerned about this to

     some extent. Broader research has similarly found that a significant

     majority of data subjects are concerned about their inability to effectively

     control the use of their personal data, particularly the sharing of personal

     data between parties for commercial purposes.   14



13ICO Public Awareness Survey
14Digital Footprints - Communications Consumer Panel; Charter of Fundamental Rights and
General Data Protection Regulation - May 2019 - Eurobarometer survey (europa.eu); Control,
Alt or Delete? Consumer research on attitudes to data collection and use (which.co.uk); Are
you following me? (which.co.uk); Are You Still Following Me? - Which? Policy and insight. A



                                     929. These concerns are highly relevant in the context of advertising

     technology, where personal data is collected, combined, and used for

     commercial purposes, often in potentially opaque ways.


30. The ICO has previously identified  15 various potential harms arising from

     tracking technologies deployed for marketing purposes, including both

     harm suffered by individuals and societal harms with collective

     consequences.


31. For the purposes of this Reprimand, the Commissioner has also

     considered the potential harms arising from the Infringements, which

     include loss of autonomy and potentially a sense of manipulation or

     influence, since data subjects were deprived of the opportunity to confirm

     that they did not consent to the collection and disclosure of their personal

     data; loss of control of their personal data, where expectations of

     effective choice may not have been met in instances where personal data

     was collected prior to Visitors giving or refusing consent; and intrusion

     into data subjects’ lives, including a possible sense of surveillance by way

     of unwanted targeted advertising where cookies were deployed on the

     browsers of Visitors who chose to reject third-party tracking. 16


32. The ICO has specifically addressed the need for effective choice in the

     advertising technology context in its previous publications and other

     communications. For example, the ICO’s 2019 Update Report into Adtech

     and Real Time Bidding   17stated that “[c]ookies used for the purposes of

     online advertising… require prior consent”. Despite Bonne Terre’s



2016 survey by the European Commission found that 96% of UK consumers thought that it
was important that their personal information on their computer, tablet or smartphone could
only be accessed with their permission
15Opinion on data protection and privacy expectations for online advertising proposals , p.18
16Overview of Data Protection Harms and the ICO Taxonomy p. 24.
17Update Report into AdTech and Real Time Bidding (ico.org.uk), p. 18.

                                      10                                                         18
     statement that it had adopted that position,           it failed in practice to

     implement it in the circumstances identified in paragraph 20 above for

     the period from 10 January 2023 to 3 March 2023.


33. Finally, the Commissioner has had regard to the fact that the Processing

     Operations took place in the context of visits made to gambling websites.

     Research has indicated that vulnerable       19 data subjects are concerned

     about gambling addictions being manipulated in the targeted advertising

     context. 20



34. The Commissioner has issued this Reprimand in respect of the

     Infringements on the basis that, in all the circumstances, and having

     regard to the matters listed in the Commissioner’s Regulatory Action
           21
     Policy , a Reprimand is an effective, proportionate and dissuasive

     measure.


 PART V: FURTHER ACTION RECOMMENDED


35. The Commissioner recommends that in order to ensure Bonne Terre’s

     future compliance with Articles 5(1)(a), 6(1) and 7(1) UK GDPR and to

     maintain best practice, Bonne Terre should continue to review and


     monitor its processes to ensure that all non-essential cookies and tags




18Response from Bonne Terre dated 17 March 2023 (responding to ICO’s Letter 6 March
2023), Section 1.2.2, confirming that all marketing cookies were deployed on the basis of the

19sitors’ consent.
  For the purposes of this research, Which? defined vulnerable consumers as people aged 80
years and over; people belonging to a lower socio-economic group (DE); people with a long-
term physical or mental health condition/disability; and people who do not feel confident
speaking, reading or writing in English.
20 Control, Alt or Delete? Consumer research on attitudes to data collection and use
(which.co.uk); see also Online targeting: Final report and recommendations - GOV.UK

(www.gov.uk), showing that 77% of those surveyed considered the use of personal data by
a gambling company to find people most interested in placing a bet to be unacceptable.
21Regulatory Action Policy (ico.org.uk)

                                        11     are deployed on Bonne Terre’s domains only after valid Visitor consent

     has been obtained.

36. If, in future, the Commissioner has grounds to suspect that Bonne Terre

     is not complying with its obligations under the UK GDPR and/or DPA

     2018, and there has been repetition of the Infringements set out in this

     Reprimand (which could be avoided by following the Commissioner’s

     recommendations or taking alternative appropriate steps), this may be

     taken into account as an aggravating factor, in accordance with the ICO
     Regulatory Action Policy and Article 83(2)(i) UK GDPR, in deciding

     whether to take further formal regulatory action.





Dated the 2nd day of September 2024




Stephen Bonner

Deputy Commissioner, Regulatory Supervision

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF










                                   12