Cookies without consent: Sky Betting and Gaming sanctioned

Background

Sky Betting and Gaming, operated by Bonne Terre Limited, has been sanctioned by the Information Commissioner’s Office (ICO) for unlawfully processing user data through the use of advertising cookies without obtaining prior consent. Between January and March 2023, the company failed to give users the option to accept or reject these cookies, meaning personal information was collected and shared with advertising companies without user approval. This led to targeted advertising based on data gathered without consent.

The issue first came to light when Clean Up Gambling, a gambling watchdog group, submitted a report in October 2022 accusing Sky Betting and Gaming of deliberately using advertising cookies to target vulnerable gamblers.

Findings

The ICO’s investigation did not find evidence that the misuse of data was deliberate. However, the regulator confirmed that personal data had been processed in violation of several provisions of the UK General Data Protection Regulation (GDPR), specifically Articles 5, 6, and 7, which relate to lawful, transparent, and fair data processing.

Sky Betting and Gaming had relied on consent as the lawful basis for processing personal data. However, by placing tracking cookies without obtaining prior consent, the company failed to meet the legal requirements tied to that lawful basis. In response to the ICO’s findings, Sky Betting and Gaming have since updated their cookie practices, ensuring that users now have a clear option to opt in or out of advertising cookies before any data is shared.

Legal basis – ensuring cookies are used lawfully

Under the GDPR, websites that use cookies, particularly advertising and tracking cookies, must obtain explicit, informed consent from users before processing their personal data. This means that businesses must provide clear options for users to either accept or reject non-essential cookies, and these choices must be easily accessible.

Key GDPR provisions regarding cookie use include:

• Article 5: Data must be processed lawfully, fairly, and transparently
  Article 6: Processing must have a lawful basis, such as user consent.
  Article 7: Consent must be freely given, specific, informed, and unambiguous.
• When companies rely on consent as the legal basis for processing data, they must ensure that the user has actively opted in. Any pre-ticked boxes or automatic acceptance of cookies without user action is considered non-compliant.

Ongoing ICO mission

In 2023, the ICO extended its efforts to improve cookie compliance across the UK. After contacting the top 100 UK websites, the ICO discovered that over 50% of these sites were not compliant with data protection regulations regarding the use of advertising cookies.

The ICO issued warnings to 53 companies, urging them to make necessary changes or face enforcement action. All but one company, Tattle Life, have made or are making the required changes to their cookie practices. Tattle Life is now under formal investigation for non-compliance, as well as for failing to register with the ICO.

The ICO’s audits have highlighted key areas of non-compliance:

• Placing non-essential cookies on a user’s device despite the user withholding consent via the cookie banner.
• Placing non-essential cookies before the user has opted in or out.
• Designing cookie banners that make it easier to accept all cookies but difficult to reject them.

Looking ahead, the ICO plans to continue its investigations into cookie compliance and has announced potential AI solutions to help identify non-compliant websites more quickly

Recommendations for businesses

1) Act Now: Review and update your cookie policies to ensure compliance with GDPR and data protection laws. Make sure you obtain explicit consent from users before processing their data through non-essential cookies.

2) Be Proactive: Don’t wait for the ICO to issue warnings or begin investigations. Ensuring compliance now will protect your business from the risk of enforcement action, including potential fines.

3) Simplify Consent: Ensure your cookie banners make it as easy to reject cookies as to accept them. This transparency will help build user trust and avoid complications with regulators.

Conclusion

Sky Betting and Gaming’s breach of cookie consent laws serves as a warning for businesses operating in the digital space. The ICO’s ongoing investigations into cookie practices across the UK highlight the importance of compliance with data protection laws. As enforcement efforts ramp up, businesses must take immediate action to ensure that their cookie usage aligns with legal requirements, or risk facing significant regulatory penalties.