French gambling regulator issues updated GDPR guide for operators

The National Gaming Authority of France (ANJ) has developed new guidelines in terms of data protection applicable to gambling operators and outlining how the principles of GDPR apply to player data.

This guidance, consisting of 59 pages and drafted in cooperation with the National Commission for Information Technology and Civil Liberties, is intended for all legal gambling operators in France.

This includes online betting, horse racing, poker operators, Française des Jeux (FDJ), PMU, casinos and gaming clubs.

Presented as guidelines rather than instructions, the document claims to outline the obligations that have been valid since GDPR became operational in 2018.

The paper takes into account the fact that gambling operators work with an extremely large amount of data that can be regarded as sensitive information.

Gambling operators use personal identification data, contact information, payment-related data, gambling history, transaction history, information on promotional offers provided by the operator, and even signs of gambling responsibly.

One of the key messages of the updated guidance relates to accountability.

According to its authors, gambling operators need to appoint a data protection officer, draw up a map of their data processing operations, develop privacy policies, register procedures, and conduct impact assessments when appropriate.

The document gives detailed treatment to commercial marketing. For customers, consent is treated as the legal basis for gambling-related commercial prospecting, whatever the channel.

That includes email, SMS, telephone, post and automated calling. Operators must obtain consent separately from general account terms.

They also need consent before sending player data to commercial partners for marketing, and those partners must be identified clearly.

Cookies, profiling and AML rules add further compliance layers

The guide also addresses cookies and similar tracking technologies. It says consent is normally required before storing or reading information on a user’s device.

Exceptions to that include strictly necessary tools, authentication trackers and certain audience measurement tools limited to anonymous statistics. Cookie refusal must be as easy as acceptance.

Responsible gambling receives a substantial section. The guide says identifying a player as excessive or pathological can amount to processing health data, because the classification may reveal a behavioural addiction.

Operators may use algorithmic tools to assess risk, but any restrictive action affecting the player’s access must involve human review.

The document also says operators must explain profiling clearly, including risk classifications, criteria used and possible consequences for players.

For anti-money laundering and terrorist financing, the guide says data processing generally rests on legal obligation.

Operators may collect identity documents, payment information, transaction history and, where alerts justify it, evidence on the origin of funds. The CNIL says such requests must not be systematic or indiscriminate.

Bank statements and card copies are not considered justified for this purpose.

Retention rules vary by purpose. Player account data covered by French gambling rules is generally kept for six years after account closure. Certain anti-money laundering records are kept for five years.

Lastly, the guide also states that players’ access rights are restricted for AML processing, while rights to erasure, objection and portability do not apply where processing is required by law.

https://next.io/news/regulation/french-gambling-regulator-issues-updated-gdpr-guide/