A close look at how the EU General Data Protection Regulation (GDPR) is changing the online casino industry, and what it means for players and their personal data.

GDPR protecting online casino players

The General Data Protection Regulation - GDPR - finally became law on the 25th of May 2018.

Put simply, the GDPR provides individuals within the European Union clear rights as to the consenting and usage of their personal data by third party organisations.

For the online casino industry, which is a very data-rich market, this is a major change - and a very positive one for players. Let us continue by reviewing the most pertinent rule enforcements.

What is deemed personal data?

From a player's perspective, it's largely about their rights regarding their own "personal data". This, in itself, stretches beyond what you might first imagine. There is the obvious information such as:

  • Name and age
  • Home address
  • Mobile number
  • Email address
  • Banking details

Then, there's another level of personal data that the casino operators may have collected (largely) in the background. This includes:

  • Gaming preferences.
  • Complete activity history on the platform (money in/out, games played, time of day, and so on).
  • Possibly an assessment of a customer's financial status gained from the KYC procedure the casino carries out.

The GDPR, which effectively replaced the outdated Data Protection Directive 95/46/EC, sets out clear guidelines on obtaining the full consent from the player for processing their personal data. Previously, this was wrapped up in the pages of terms and conditions the casino operator displayed on its website. Furthermore, it was often written in legalese making it difficult to understand clearly what the meaning was.

Now, in accordance with GDPR, the operator must highlight to the data subject (the player) what data will be processed and for what purpose, and make a clear, easily-understandable request for consent.

For instance, this could be done by way of adding a "check box" on the registration form when signing up.
Additionally, players now have the right to withdraw this consent at any time. These enforcements are the primary safeguards the GDPR offers players. Everything must be transparent so the subject has the power to decide.

A player's right to access their data

Something else of great importance within the GDPR is that at any time a player can request a copy of their personal data file held by the casino operator. This entitles them to see the following information:

  • Purpose of the data processed.
  • Categories of data collected.
  • Full identity of all recipients that may see the data.
  • Length of time the data is stored for.
  • Sources for data that was not directly given by the subject.
  • The data protection laws for non EU countries if the data is handled outside of this region.

Furthermore, as a player, or former player, you are entitled to request that the casino operator destroys any data that it holds in relation to you. This is classed as your "right to be forgotten". Simply because in the past, you have given consent, it does not mean the operator has the right to continue using your information way into the future.

A right to data portability

Many players probably do not know this, but the GDPR allows data to be made portable. Therefore, a player can request that their data be transferred to another data controller (in this case, another operator).

This actually opens up a whole range of possibilities for both players and operators. It has the potential to remove the necessity of completing an operator's procedure each time you join a casino. The cost savings for the new casino would be massive, and of course, a certain percentage will be used to offer more attractive bonuses and promotions to the players.

In turn, this will push existing casinos to up their game by way of improved loyalty schemes and rewards programs to keep their players satisfied. It will be interesting to see the approaches used, but we do know it should add player-benefit to the industry.


In light of data scandals involving high-powered companies such as Facebook, the GDPR really puts the casino player in full control. Ultimately, you own your data, so you maintain the right as to when and how it is used. These safeguards will protect players from being unknowingly targeted by third parties, and also ensure that any data collected is used in an appropriate manner.

What is important is that player's know their rights. When clicking to agree to data being used, do you read the small print?

This is something you should start to do (if not doing so already). Look at what you are consenting to, and question anything you need to clarify.

Last update: 30-09-2019
Regulations and Laws