Affiliate marketing is an important part of the online gambling industry. Gaming operators offer big incentives, by way of a percentage of income or commission, to attract and retain successful affiliates – who in turn direct players to gambling websites.
So it will come as a shock to both parties that the Information Commissioner’s Office (ICO) has announced an investigation into the use of affiliate marketing by hundreds of companies in the online gambling sector.
In a recent announcement the ICO identifies ‘affiliate marketing’ as an area of particular concern because gambling operators and affiliate marketers each fail to take responsibility and try to ‘pass the buck’ when a complaint is made.
Responsibility for unlawful communications
Direct marketing (whether by organisations or affiliates) in the UK is strictly regulated and the ICO takes a very dim view of spam communications. Therefore gambling businesses which hope to shift the blame for marketing activities by using third party affiliates will find themselves disappointed. The law applies not only to the person making the communication, but also to the person instigating it.
Having a contract in place – which requires an affiliate to comply with the law and not send unsolicited messages – will not, in itself, be enough to absolve a gambling operator of responsibility. Instead, the operator needs to monitor the affiliate and ensure it complies with its legal obligations.
However, an operator which has acted properly may be able to rely on the defence that it took “such care as in all the circumstances was reasonably required to comply”, even if the affiliate has carried out marketing in an unlawful manner.
Increased fines and stricter obligations on the horizon
The penalties for breaching data protection and privacy laws can be significant. At the moment the ICO can impose fines of up to £500,000 for non-compliance with data protection or privacy law. This is in addition to the reputational damage which accompanies a penalty notice from the ICO.
In May 2018 the General Data Protection Regulation (GDPR) will enter into force. This will increase the potential fine the ICO can impose for breaching data protection law by around 3300%, to a maximum of €20m or 2% of worldwide group turnover (whichever is higher).
The GDPR is not specifically targeting direct marketing (which has its own regulatory regime), but unauthorised use of personal data for marketing communications will breach the new regulation. Furthermore, gambling operators and their affiliates can expect the regulatory landscape to get rockier still, as privacy and communications (including direct marketing) looks to be next on the EU’s reform agenda.
Practical steps to reduce the risks posed by direct marketing
There are some simple steps gambling operators can take to reduce the risk posed by affiliate marketing and increase the chance of the reasonable care defence succeeding.
- Contracts – agreements with affiliate marketers must include detailed data protection and privacy provisions. Operators should require that affiliates comply with marketing policies/procedures and seek indemnities in case of a breach of contract.
- Policies – operators should implement a detailed policy which sets out the steps affiliates must take in order to comply with data protection and privacy laws. This should address issues such as:
  - Having a legal basis for communications (i.e. consent or an existing relationship).
  - Screening contacts against preference lists such as the TPS.
  - Providing unsubscribe/opt-out options.
  - Ensuring the identity of the sender is not concealed (e.g. this message is sent by
The content of this page is a summary of the law in force at the present time and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.