UK operator SBG accused of misusing user data

The group Clean Up Gambling recently submitted a detailed report on the processing of user data at Sky Betting and Gaming. It seeks to initiate an investigation by regulators into whether or not user data is used and handled in an improper manner. As noted in our previous article, it gives important insight into where the US may be heading.

While it was hardly covered in the report, we see a similar issue as the US with user data being shared with credit agencies. Also sharing with other entities that could be problematic – especially without adequate user knowledge, appropriate security, minimal required info, and just proper compartmentalization in general.

To be fair though, much of the others in the loop seem fairly innocuous. Especially if most/all user data is anonymized and used legitimately to improve processes. It’s important to maintain a fair and balanced perspective here.

Some of the more intrusive data collection was likely even spurred by many of these Responsible Gambling groups, or at least they contributed to a significant part of the initial support. However their expectations differed in that they (rather naively) thought it would be used solely as a harm-reduction measure. Many of us even warned of the extremely high likelihood of misuse at the time. Not to mention the large increase in friction for the users and increased overhead.

Also if this leads to even more regulations, then it should be seen as a loss by nearly everyone involved. It certainly will not stop some of the most potentially harmful data collection. In fact, these groups have shown time and time again that they have no qualms about placing increasingly larger burdens on over 99% of bettors just for some unproven benefits to the less than 1% with legitimate problems. And the willingness to create an (even more) inefficient industry that actually increases overall harm, adds unnecessary overhead, and hurts the user experience in general.

Over on the operator’s side, having largely black-box systems doesn’t help their case at all. To be fair though, regulators and the advocacy groups have done little to nothing regarding meaningful transparency either. Ideally we need proper transparency implemented from the core outwards.

And in a solid testament to the rapidly increasing consolidation – the group wisely lists out all of the layers of parent companies up to the industry-leading Flutter, and all of the gambling-related companies that they own. This also makes everything less transparent and less secure. Users don’t know where exactly their data is going, where else it is being replicated to, and the specific policies at each of the locations where the data resides.

Another major issue is that users aren’t allowed to opt-out of data collection for what the operator refers to as “personalisation purposes” and is expanded upon in the paragraph quoted below, which is more than a little concerning itself.

“We believe this personalised experience makes betting and gaming better and we want to give you the best customer experience we can. Using your personal data in this way enables us to do that in a way that we believe does not have an impact on your privacy. If you don’t want your data used in this way your option is to not use our services and to close your account.”

Much of the rest of the document seems to be a lot of fluff that won’t hold up to careful scrutiny by impartial experts on the matter. But their summary below is quite strong and covers much of the issues I also had, but on the other hand they offer no clear solutions.

“SBG’s reliance on consent is non-compliant with the requirements of the UK GDPR as such consent is not based on “specific” information such that data subjects can provide “informed” consent. Moreover, data subjects are opted into such processing by default, contrary to the requirements on providing an “unambiguous indication” of individual choices. The result is that data subjects cannot “determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed.”

“Data subjects are also prevented from withdrawing their purported consent to the processing. SBG’s attempts to rely on consent for a broad range of processing for the purposes of profiling, marketing and personalisation are incompatible with the standards imposed by the UK GDPR and are invalid.”

As with previous attempted fixes, I fear the solutions to this will create their own set of problems. Perhaps even worse, judging by recent performances by both sides. We need to break this downward spiral as soon as possible.