The relationship between data, advertising and gambling companies
There are increasing concerns that gambling companies are engaging in serious
data breaches, resulting in devastating consequences for those suffering with
gambling addictions. This comes as a recent investigation published in The Guardian
revealed that over 50 UK gambling companies covertly sent users’ personal data to
Meta (owner of Facebook and Instagram) without obtaining their formal consent.
This practice prompts serious concerns under the UK General Data Protection
Regulation (“GDPR”) and Data Protection Act 2018 (“DPA”) in relation to consent,
transparency, profiling and accountability, as well as the ethical responsibilities and
regulatory requirements of gambling companies and regulatory bodies.
Unlawful data sharing
In 2025, an investigation revealed that 52 out of 150 UK gambling websites
automatically shared personal user data with Meta via tracking tools, without user
consent. This data includes tracking user page views, button clicks as well as
behavioural patterns. The data is then exploited by Meta to build advertising profiles
and serve targeted gambling advertisements on its platforms.
Tracking users’ data to sell to third parties potentially breaches UK data protection
laws, and the consequences can be devastating; consider, for example, the targeting
of gambling adverts to someone suffering with a gambling addiction. The Office for
Health Improvement & Disparities’ update in 2023 revealed that the estimated
annual health costs associated with those struggling with gambling issues is
between £600 million and £1.3 billion.
Legal breaches under GDPR and DPA
Mass data collection, conducted without informed consent, is not only unethical, it is
also unlawful. The UK Gambling Commission (a public body responsible for
enforcing the Gambling Act 2005) makes clear that operators must not only comply
with GDPR and DPR, but also clearly document and explain how and why personal
data is processed. Other examples of breaches include:
- Article 4(11) GDPR: consent must be “freely given, specific, informed and
unambiguous”. Pre-ticked boxes or automatic tracking before consent will not
suffice. - Article 5(1)(b) GDPR: personal data must be collected for legitimate
purposes. Profiling gamblers without consent violates this principle. - Section 170(4) DPA: it is a criminal offence to sell or disclose personal data
obtained without consent.
Importantly, consent is not valid when individuals, such as those suffering from
gambling addiction, are unable to freely and meaningfully choose. In the case of
RTM v. (1) Bonne Terre Limited (2) Hestview Limited [2025], the court found the
Defendants liable for breaches of data protection law by sending targeted
advertisements to the Claimant. In this case, the Claimant had given his consent but
because he suffered from a gambling addiction, his consent was rendered void.
Legal action
The Information Commissioner’s Office (“ICO”) has the power to issue fines up to
£17.5 million or 4% of global turnover, depending on the severity of the breach. In
addition, individual victims may make claims under GDPR and DPA. This may
involve making a claim damages or applying for a compliance order to force a
defendant to undertake certain actions, such as deletion of user data. Further, where
a victim has suffered harm, for example where an addict suffers a relapse, there may
be a claim in personal injury, although this may be slightly harder to prove due to the
need to establish a duty of care between the gambling operator and user.
Where large numbers of individuals are affected, group litigation can be a more
efficient way to hold a defendant to account, as it allows courts to address
widespread harm in a unified and streamlined way. It can also makes legal action
more accessible to victims. This approach has already been used in similar data
privacy lawsuits in the Netherlands and is increasingly seen as a powerful
mechanism in the UK too.
As part of its manifesto in 2024, the Labour Party promised to address gambling
issues by curbing gambling advertising in sports, introducing a new Gambling Act
which appropriately addresses gambling in a digital age, as well as introducing a levy
to fund research into gambling issues. As of yet, only the latter promise has been passed. It remains to be seen whether a new Act will be implemented. In line with
the 2023 White Paper, such an Act would likely place greater responsibilities on
online gambling companies, including in respect of advertisements, and grant
greater protections for its users.
Contact us
At Taylor Hampton, we have extensive experience representing clients in data
protection breaches, as well as the expertise to represent numerous victims in group
litigation cases. We can help you understand your causes action, whether your aim
is to make a claim for damages or to push for regulatory reform. If you are concerned
about how your personal data is used, contact us here for a free consultation.