Fri 27 Sep 2024

How do you serve up your cookies?

The Information Commissioner's Office (ICO) has recently issued a reprimand to Bonne Terre Limited (trading as Sky Betting and Gaming) for its failure to comply with the UK General Data Protection Regulation (UK GDPR) when processing personal data. The sanction relates to Sky Betting and Gaming's use of cookies for advertising purposes and should serve as a wake-up call for other organisations to review their cookie practices and ensure that they are compliant.

What happened

In January 2022, a report was published by Clean Up Gambling which alleged "widespread illegality in how data is obtained and used for profiling" in the online gambling industry. This report formed the basis of Clean Up Gambling's eventual complaint to the ICO, which claimed that Sky Betting and Gaming (amongst others) was processing and sharing personal information with third parties without consent.  

The ICO carried out an investigation into the practices of Sky Betting and Gaming to determine if there was deliberate misuse of personal information for the purposes of targeting vulnerable gamblers. Although there was no evidence of deliberate misuse of personal information, the ICO did discover that between 10 January and 3 March 2023, Sky Betting and Gaming had shared the personal data of those who visited the Sky Betting website with advertising technology companies before the visitors were given the option to accept or reject advertising cookies, and without their knowledge. Specifically, the ICO identified that a platform employed by Sky Betting and Gaming and provided by MediaMath used a pixel embedded within the SkyBet website to help set approximately 40 third-party marketing cookies on visitors’ devices before they were able to set their cookie preferences. The ICO found this practice to be a breach of UK GDPR requirements relating to the lawful, transparent, and fair use of personal data and the obtaining of consent.

Following the investigation, Sky Betting and Gaming made the necessary changes to its practices so that visitors to its website could reject these cookies before their personal information was processed and shared. Nevertheless, having regard to the seriousness of the infringements, the ICO proceeded to issue a reprimand to Sky Betting and Gaming.

Best Practices

The ICO's reprimand should act as an important reminder to organisations that use cookies. Consent must be obtained before non-essential cookies are set and personal information shared with third parties. 

This reprimand follows a wider campaign by the ICO to clamp down on unfair and unlawful use of personal information linked to the use of advertising cookies. In 2023 the ICO reviewed the UK's top 100 most visited websites and contacted 53 of them to advise that they were facing potential enforcement action for breaching data protection law if they did not change how they used advertising cookies. Since being notified of these potential breaches, all but one of the websites have amended their practices. The new practices include adding a ‘reject all’ button or making the ‘accept all’ and ‘reject all’ options equally prominent, meaning it is as easy to reject cookies as to accept them. The ICO also noted that some of the organisations affected have introduced a ‘consent or pay’ model. As regards whether this business model is acceptable, the ICO has only gone so far as to say that it is currently reviewing the model.

The ICO is about to start reviewing the next 100 most frequently visited websites in the UK, working its way down the list to ensure cookie practices are up to scratch. Therefore, if you think your organisation may be on that list, you should review your website for cookie compliance.

The ICO has also committed to publishing updated guidance for consultation on the use of cookies and similar tracking technologies and its position on the ‘consent or pay’ business model.

Takeaways for Organisations

There are two key takeaways for organisations:

  • Obtain consent before non-essential cookies are set and personal information is shared with third parties.
  • Obtain that consent fairly and transparently.

The ICO has made it clear that it is looking to crack down on organisations which do not offer website visitors a "fair and informed choice" as to whether they consent to targeted advertising. As the Deputy Commissioner states, "there will be consequences" for organisations that breach the rules.

How can we help?

If you wish to discuss website cookie compliance, please contact David Gourlay or another member of our Data Protection & Cyber Security Team. 

This article was written by George Munro, a Trainee Solicitor within the IPTC Team.
