How Will the GDPR Impact the Gambling Industry?
Much like the USA’s separation of federal and state powers regarding gambling regulation, the European Union leaves iGaming policymaking in the hands of its member states. Each country is free to legalize or ban online gaming as it sees fit, and to impose whatever regulations it wishes upon operators. However, regulations recently passed unanimously by the regulatory agencies of all European Economic Area Member States will undoubtedly have a major impact on how the industry is run. As CGI vice president Andrew Rogoyski told the Independent recently:
“In a world where information is the most valuable currency, maintaining customer trust will be key to ensuring business success. Businesses which can’t get data protection right will quickly undermine customers’ trust and lose to the competition.”
About the Legislation
The legislation in question is the European General Data Protection Regulation (GDPR), which passed in April of this year following four years of intense negotiations. The new set of rules does not deal with online gaming directly; rather, its purpose is to provide universal guidelines for protecting the personal information of Europeans who use the Internet and conduct business over it. In 2018, the European General Data Protection Regulation will go into effect and replace the current, now greatly outdated set of guidelines known as the Data Protection Directive.
With the European GDPR affecting all websites that are used by people who reside in European Economic Area member states, the legislation will naturally impact the online gaming industry. Specifically, the European GDPR will:
– Require online gaming sites to let users know that their personal information is being collected by the site and why this is being done.
– Mandate that online gaming sites only retain user information for a certain period of time.
– Make it necessary for online gaming sites to clearly identify who they are and who runs them.
– Put in force rules that will require online gaming websites to let customers know what risks and consequences may be associated with the data collection that they do.
– Create a mandatory opt-out system that all online gaming websites will have to make available for users, so that they can have their data removed from the site.
– Institute a 72-hour maximum window of time for iGaming operators to let users know that a data breach has occurred.
Consequences of the GDPR
Online gaming operators will find noncompliance with the GDPR to be costly. Fines are steep, and the maximum penalty for repeated noncompliance is a fine of €20 million, or 4 per cent of the total net revenues from the previous year. Elaborating further, Mr Rogoyski said:
“Now the starting gun has fired, companies have two years to get their handling of personal data into order or they face the possibility of punitive fines and public humiliation. We’re already receiving requests from clients to undertake work to assess the impact of the [GDPR] on them.”
Some of the rules that the European GDPR will put in place are already in effect under the Data Protection Directive, or are required by the regulations set by European Economic Area Member States’ gambling regulators, but most operators will find themselves having to make changes to their policies, procedures and technology in order to comply with the law.
One such change will be the need to appoint specially qualified personnel to cope with the new demands, in particular a technically proficient Data Protection Officer versed in data protection law. Needless to say, many international operators will find the new demands a major challenge to their present organizational structure. As Mark Thompson from KPMG explains:
“For non-EU businesses that trade in the EU, this agreement will require some to re-think some of the activities they carry out in the EU. This makes it much harder to operate certain “global” services and will require them to truly put an EU lens on the business activities which are undertaken in the EU market.”
There is some worry that smaller online iGaming operators may also find it too costly to comply with the new regulations and end up shuttering their operations as a result. Larger companies may decide that the cost of doing business in Europe is just too high and end up exiting the European market. Still, representatives of the European Economic Area Member States believe that the changes are necessary to ensure that consumers are safe when they use the Internet.