Poker Sites Keeping GDPR Cards Close to their Chests

The General Data Protection Regulation (GDPR) comes into force on 25th May and will make significant changes to how online poker sites collect and process players’ data. With less than two weeks to go, few poker sites appear willing to share how the changes will be implemented and what effect they will have on players.

The EU´s General Data Protection Regulation (GDPR) is the most comprehensive data protection regulation anywhere in the world. Any business that collects, processes, shares or stores the personal information of EU “data subjects” is required to comply with GDPR, or face financial penalties of up to €20 million or 4% of their gross turnover – whichever is the larger.

With regard to the online poker industry, the introduction of GDPR has massive implications for how data is collected and processed. Not only do players have the right to know what personal information is collected and how it is processed, they also have the right to object to “profiling” – which could affect how some online poker sites structure their personalised promotions.

Which Online Poker Sites are Subject to GDPR?

Practically all of them. GDPR does not only apply to businesses located in the EU. It applies to any business anywhere in the world that collects, processes, shares or stores the personal information of EU “data subjects” – EU “data subjects” being individuals located in the EU (plus three other non-EU countries in the European Economic Area) at the time the data were collected.

As the criteria for what is considered personal information include items such as IP addresses, this means that if you – as a GDPR-covered individual – visit a US-facing online poker site (regulated or unregulated), and the poker site places a cookie on your computer, the same rules apply as if you were to visit the websites of PokerStars, Party Poker or 888Poker.

Without getting into the EU-US Privacy Shield Protocol and EU Adequacy Agreements (which may affect the future EU operations of PokerStars, Party Poker and 888Poker post-Brexit), if a poker site outside the EU is unable to comply with GDPR, it should geo-block EU IP addresses (as Bovada, Ignition and Bodog have already done for certain countries) to prevent players visiting their websites and using their software.

PokerStars, Party Poker, 888 Poker and Brexit

When the UK leaves the European Union in March 2019, Brexit will have no immediate impact on players being able to access Party Poker or 888Poker (and other Gibraltar-based online poker sites such as Bet365 and William Hill). This is because GDPR is being integrated into the UK’s domestic laws, and – as Gibraltar is a British Overseas Territory – the same rules will apply there.

If the UK subsequently introduces a new data protection law (a new law has been proposed, but has not yet got through the committee stage), it will have to meet the equivalent data security and privacy standards of GDPR in order for the UK (and by default, Gibraltar) to qualify for an EU Adequacy Agreement. The situation regarding PokerStars is a little more complicated.

PokerStars (via the Stars Group) has a presence in Gibraltar to support its European operations, but the majority of the company’s data is maintained on servers in the Isle of Man. The Isle of Man is not a member of the EU. It is a self-governing British Crown Dependency rather than a British Overseas Territory, so it operates under a different set of rules. There is an EU Adequacy Agreement in place with the Isle of Man ahead of 25th May, but one major security breach could jeopardise the Agreement.

How Does GDPR Affect Poker Players?

Improving the customer experience is not a lawful purpose

In the run-up to May 25th, players should be inundated with emails asking them to review and agree to revised privacy agreements and terms of service. One of the biggest changes players will notice relates to providing consent for their data to be processed, alongside a description of what data are being processed and why. There has to be a lawful purpose for each reason (account functionality, payment processing, etc.).

With regard to profiling, the Remote Gambling Association has published guidelines (PDF) stipulating that where profiling is conducted for the purpose of personalised promotions, poker sites have to provide meaningful information about the logic used in the profiling process, the significance of profiling and the envisaged consequences. Players have the right to withhold their consent to having their online actions profiled, although it is not known what the consequences of this will be (e.g. ineligibility for promotions).

Although obtaining informed consent and providing information about profiling are the two biggest changes poker players will notice, there are also several other “Rights of Individuals” introduced by GDPR. These include:

  • The Right to be Informed. This pretty much covers everything from why your data is being collected to who it is being shared with. For example, if Bet365 Poker is sharing your data with the iPoker Network or a third party payment processor, you should be informed of this.
  • The Right of Access. If you wish, you can request that a poker site send you a report containing all the data it holds about you. The poker site has to respond within thirty days and cannot charge you a fee for this service.
  • The Right of Rectification. Once you have exercised your Right of Access, you have the right to change any incorrect information the poker site holds about you. If you have not provided the data directly to the poker site, you have the right to request the source of the data.
  • The Right of Erasure. If you no longer wish to play at the poker site, you have the “Right to be Forgotten”. You may find some poker sites are unable to delete your data immediately because of regulatory compliance, but they should give you a “retention date” after which your right will be exercised.
  • The Right of Portability. This gives you the right to request a copy of all your data in a machine-readable format so it can be provided to another poker site. The only circumstance we could think of in which you might want to exercise this right is if you wanted to negotiate a better VIP status with a new poker site.

What are Poker Sites Doing about GDPR?

Practically all online poker sites affected by the General Data Protection Regulation appear to be keeping their GDPR cards close to their chests – or they are doing nothing at all. At the beginning of May we wrote to the customer service departments of seven online poker sites plus Hold’em Manager (software apps that collect and process data are subject to GDPR as well).

With the introduction of GDPR just four weeks away at the time, we felt the sites would have a point of contact in place to address GDPR-related enquiries. However, despite the requirement that businesses processing a significant amount of data appoint a Data Protection Officer, only one of our emails was redirected to a security or privacy officer. Other than that we heard nothing at all.

So, a week later, we made a more concerted effort. We sent more emails, used live chat and the DM facility of the 2+2 poker forum. PokerStars was the first to get back to us – advising us to write to the press office. We got the following response:

We welcome the harmonisation of data protection regulation across the EU that gives clear, consistent application for all to follow. Equally, it provides our customers with greater transparency and agency when it comes to how their data is stored, used and processed by data controllers. It is vitally important to have fair and consistent regulation which serves the needs of all stakeholders and that must include a strong commitment to consumer protection. This is at the forefront of everything that we do and The Stars Group has, of course, taken all steps necessary to comply with the forthcoming GDPR requirements in accordance with its obligations.

In addition, PokerStars has now published a page on its website with an FAQ about GDPR and the implications for players. The FAQ doesn’t mention the Rights of Individuals, what happens if you opt out of personalised promotions, or how to contact their Data Protection Officer. We imagine you have to go through Stars Support, but we didn’t want to waste their time asking. With regard to other online poker sites, the Party Poker rep on live chat told us somebody would be in touch. A follow-up email later, we got this response:

As we have taken great measures to ensure players’ privacy security and minimal obtain of personal data; we have been implementing the technology advancements and the best practices in the area by the time of their introduction; and we have strictly followed the national regulations as regards to data protection both on their own and in the scope of Directive 95/46/EC, all of the above much before the introduction of GDPR, there won’t stand the need of making any fundamental changes in order to be fully GDPR compliant on our side.

We have always taken great lengths to ensure full compliance with all regulatory requirements on the markets we operate. This aside, we have already taken the necessary measures to ensure full GDPR compliance by the time the regulation is enforced, and namely, May the 25th. Any amendments to our Privacy Policy and Terms of Service will be duly communicated with our players accordingly. Unfortunately, we won’t be able to disclose any further information to you at the time.

We were particularly surprised not to hear anything from 888Poker’s Data Protection Officer, as the company’s “Annual Audited Financial Results 2017” states (abridged for brevity):

888 processes a large quantity of personal customer data, including sensitive data such as name, address, age, bank details and gaming / betting history. Such data could be wrongfully accessed or used by employees, customers, suppliers or third parties, or lost, disclosed or improperly processed in breach of data protection regulations. The Company could be subject to private litigation and loss of customer goodwill and confidence.

888 is undergoing a robust and risk-oriented GDPR-preparation project, pursuant to a designated GDPR Gap Analysis. 888 has commenced a process of mapping the personal data life-cycle within the organisation, including how personal data of EU customers and EU employees is collected, stored, secured and shared with third parties. In addition, 888 has appointed a designated internal Data Protection Officer and is preparing policies and procedures on relevant matters.

At least 888Poker has a Data Protection Officer who, if he or she is reading this, might like to reply to Incident: 180501-004721, forwarded to you on May 1st by your Member Support Team. Whether any other poker sites have a Data Protection Officer remains a mystery – as does how they are preparing for the introduction of the General Data Protection Regulation on May 25th. Interestingly, it is a condition of GDPR compliance that covered entities are able to demonstrate their compliance. With this in mind, we shall monitor our email inbox carefully over the next couple of weeks.