It’s common sense that if you want to protect your money, the gambling industry probably isn’t a safe place for it. It turns out that online gambling platforms are often equally bad at protecting your personal data.
While the gambling industry in Europe and the UK is required to comply with the GDPR and UK GDPR, it’s not hard to find myriad issues with questionable data collection practices, vague privacy policies, fly-by-night unlicensed platforms scamming players, slow or questionable responses to data requests, and more.
In 2022, Usercentrics looked at five categories of apps available in EU app stores, and the gambling category had the worst GDPR compliance record. At the time, 100 percent of the gambling apps reviewed were noncompliant.
It looks like the landscape is not much different across the Channel. We look at the state of data privacy for online gambling in the UK, including what the most common and egregious privacy violations are, what’s being done about it, and what you can do to protect yourself and your personal data.
How big an industry is online gambling globally?
Where online gambling is legal, it’s booming. Though let’s face it: it’s booming where it’s not legal, too. Revenue estimates can vary widely, but record year over year growth has become the norm. The proliferation of mobile-friendly gambling platforms has significantly contributed to fueling industry growth.
In the first quarter of 2025, online gaming revenue in the US was USD 6.19 billion. The highest projections have Americans spending over USD 100 billion gambling online by the end of 2025. Much of that is on sports betting.
In Europe in 2024, revenues from online gambling reached a new record of EUR 47.9 billion. Like the US, year-over-year growth has consistently hit double digits. In the UK, iGaming revenue is about GBP 21.32 billion and is projected to rise almost 12 percent to about GBP 23.87 billion in 2025.
Italy has Europe’s largest gambling market, but it is largely land-based. The UK is Europe’s largest online gambling market.
A breakdown of Gross Gambling Yield (GGY) for online gambling in the UK between April 2023 and March 2024:
- Online casino games generated GBP 4.4 billion in Gross Gambling Yield (GGY)
- GBP 3.6 billion was generated from slots games
- Remote betting generated GBP 2.4 billion
- Football betting generated GBP 1.1 billion
- Horse betting generated GBP 771.1 million
- Remote bingo generated GBP 167.1 million
Gambling has always been big business and online gambling is a huge and rapidly growing business that isn’t going anywhere. It’s safe to say that regulations and policies that could slow that record growth will be an uphill battle to implement and enforce.
Personal data in the UK gambling industry
The gambling industry has access to some fairly sensitive data from players, including identity and financial information. But gambling companies are not all equally covered by, compliant with, or subject to enforcement of regulations to the same degree as the financial sector.
Internationally, finance is strongly regulated at multiple levels of government and by industry-specific laws. There are also high expectations from consumers for security and privacy in their financial matters.
Less so with online gambling. Many apps are not vetted by players or app stores, and players don’t fully understand what personal data online gambling companies collect, what they use that data for, or who can end up with access to it.
Players are also bombarded with ads and incentives — frequently from illegally shared personal contact information — to get them to try yet another new site or game.
Relatedly, in a growing number of cases, there is the issue that players experiencing gambling addiction may not care about data privacy or protection, as long as they can place that next bet. This makes them even more vulnerable to bad actors.
What personal data is collected by UK online gambling platforms?
Online gambling companies commonly collect more personal data from players than they actually need. There are certain legal requirements that require some sensitive data, like confirming that players are at least 18 years of age, and to comply with laws meant to curtail criminal activities, like money laundering.
But in addition to identity and financial data, online gambling platforms often collect information about players’ location, and track everything about their activities on the platforms, including when and how often bets are placed. This can result in rich behavioral profiles that reveal far more than players might realize or want.
What rights do UK gamblers have online and how is their personal data protected?
Like its EU counterpart, the UK GDPR requires a legal basis for data processing, and one of the options is prior user consent. Online gamblers in the UK are also protected by the Data Protection Act, and the Gambling Commission oversees the industry, along with the Information Commission’s Office (ICO), which oversees regulatory compliance.
Players have the right to access the data that companies have about them, make requests to port it elsewhere, have it corrected or erased, or to require that data collection and processing be stopped.
Gambling operators are legally required to be transparent about data processing. UK law — and pretty much every data privacy law globally — requires them to clearly and accessibly provide information about what data they collect, what it’s used for, who may have access to it, and to stop collecting it and delete it if requested (with exceptions.)
Additionally, operators must provide information about players’ rights regarding their personal data and how to exercise them. This doesn’t always happen in practice. Anecdotally, players posting in various online forums have complained their requests to gambling sites for copies of their data have been ignored.
The ICO reprimanded Sky Betting and Gaming (SkyBet), one of the top five online gambling sites in the UK, for illegal advertising cookie use without consent in September 2024.
Iain Duncan Smith, chair of the UK’s parliamentary group on gambling reform, called the gambling industry’s marketing practices “out of control”, and noted that the UK’s regulatory structure and codes of practice had been “repeatedly shown to be inadequate.”
That said, the ruling against SkyBet has also been called precedent-setting, and part of an ICO crackdown that includes the review of cookie compliance on the UK’s top 1,000 websites.
Data privacy noncompliance issues in the UK gambling sector
A variety of issues with data privacy have been reported with UK online gambling platforms. We look at three of the biggest issues and what they mean for players and their data.
Vague privacy policies
It’s common for privacy policies published by UK gambling platforms to be fairly generic. Players also may have no way of knowing if such policies are up to date. Data privacy laws have been evolving fairly quickly, and technologies in use on websites and apps evolve even more quickly.
Are players always getting the most up to date details on how their personal data is being collected, how it’s used, or which third parties it’s shared with?
If that’s the case, then one of the other fundamental requirements of the UK GDPR — and, again, pretty much every other data privacy law around the world — is not being met. That being valid consent.
Under the UK GDPR, valid consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
However, if data subjects (players) are not provided with comprehensive and up to date information about access to and use of their personal data in order to make consent decisions, consent cannot legally be considered valid.
Slow responses to data access requests
Even if players don’t know all about the collection and use of their data on gambling platforms, they should be able to find out by exercising their legal rights and making a request for that information. At least, that’s the idea.
In practice… good luck. Under the UK GDPR, any company to which a data subject submits a data access request has up to one calendar month to reply to the request.
But there are reports of sluggish response times to players’ requests, as well as denials of requests. Is it possible that some requests just get ignored entirely, or that data is incomplete upon arrival? Anecdotal player reports on sites like Reddit suggest that happens as well.
It’s troubling enough if players can’t get information about their personal data held by online gambling platforms, but even more problematic if requests to stop processing personal data and to delete it are being ignored.
Even if a gambling platform complies with a user request, say to delete personal data it has on a player, that doesn’t necessarily mean full compliance. There could be dozens or hundreds of third-party vendors and other companies connected to a gambling platform that have that personal data.
While the controller (the gambling platform) has legal responsibility for the processing operations of processors (third-party vendors), it’s possible that the personal data in the possession of those companies does not get deleted and continues to be used and sold.
The only way a player might know that’s happening is if they receive personalized ads or messages from companies they’ve never heard of. And the odds of them getting off those lists or getting those companies to delete their data oftentimes aren’t great.
Other legal issues with online gambling platforms in the UK
If online gambling platforms are making it difficult for players to know about use of their personal data, it’s not surprising that they also make it difficult for players to leave.
Players have reported issues trying to leave platforms and have their data and accounts deleted. There are also unlicensed and illegal operators that have little incentive to comply with any regulatory requirements — beyond not angering players and drawing attention to already-illegal operations.
In March 2025, The Guardian reported that Visa and Mastercard had been processing payments for illegal gambling sites, which had been accused of scamming players in the UK out of thousands of pounds.
The companies had pledged to prevent their networks being used for those purposes, but according to the article, an investigation has found that they are failing to do so.
Additionally, a player that has a dispute with an unlicensed platform has little recourse. Such companies can simply vanish, taking players’ money and data with them and making investigations difficult and requiring extensive resources that may not be available.
Transparency failures extend beyond privacy policies as well, even on licensed platforms. Players can receive bonus offers that are carefully worded and misleading to the average person, which can end up costing them more money and delivering zero dividends.
Data breaches have also been reported, which can put players and their data at even greater risk and leave them with even less information about where their sensitive information has ended up and how it’s being used.
UK-based International Game Technology, which makes slot machines and other gambling technology, took its systems offline temporarily after a cyberattack in November 2024. The company has operations in 100 countries.
Protecting data privacy when gambling online in the UK
Many players’ ability to seek recourse for data privacy violations, misleading operations, or other issues is severely limited, especially if they don’t have the resources to engage specialized legal representation. Law enforcement agencies also may not have investigators with specialized expertise needed to work on such cases, either.
Some law firms are stepping in and offering assistance, but they can’t represent every player that might have or will be victimized. And, as noted earlier, even finding the responsible parties could be extremely difficult.
Online gambling in the UK isn’t entirely lawless, but there are significant issues with data privacy and protection and players’ rights. The amount of money at stake means that gambling companies have huge incentives to keep the bets and personal data flowing, which may put them at odds with legal requirements.
For the foreseeable future, players should limit their online gambling to platforms they know are licensed, and should read information on privacy and data use carefully. Take note of whether you’re given consent choices about access to your data, including what data and what uses. Do a quick search to see if any data breaches or other regulatory violations have been reported.
Ultimately, though, the only way for players and their data privacy to win in online gambling in the UK may just be not to play the game.