Affiliate marketing is an important part of the online gambling industry. Gaming operators offer big incentives, by way of a percentage of income or commission, to attract and retain successful affiliates – who in turn direct players to gambling websites.

So it will come as a shock to both parties that the Information Commissioner’s Office (ICO) has announced an investigation into the use of affiliate marketing by hundreds of companies in the online gambling sector.

In a recent announcement the ICO identifies ‘affiliate marketing’ as an area of particular concern because gambling operators and affiliate marketers each fail to take responsibility and try to ‘pass the buck’ when a complaint is made.

Responsibility for unlawful communications

Direct marketing (whether by organisations or affiliates) in the UK is strictly regulated and the ICO takes a very dim view of spam communications. Therefore gambling businesses which hope to shift the blame for marketing activities by using third party affiliates will find themselves disappointed. The law applies not only to the person making the communication, but also the person instigating it.

Having a contract in place – which requires an affiliate to comply with the law and not send unsolicited messages – will not, in itself, be enough to absolve a gambling operator of responsibility. Instead, the operator needs to monitor the affiliate and ensure it complies with its legal obligations.

However, an operator which has acted properly may be able to rely on the defence that it took “such care as in all the circumstances was reasonably required to comply”, even if the affiliate has carried out marketing in an unlawful manner.

Increased fines and stricter obligations on the horizon

The penalties for breaching data protection and privacy laws can be significant. At the moment the ICO can impose fines of up to £500,000 for non-compliance with data protection or privacy law. This is in addition to the reputational damage – which accompanies a penalty notice from the ICO.

In May 2018 the General Data Protection Regulation (GDPR) will enter into force. This will increase the potential fine the ICO can impose for breaching data protection law by around 3300%, to a maximum of €20m or 2% of worldwide group turnover (whichever is higher).

The GDPR is not specifically targeting direct marketing (which has its own regulatory regime), but unauthorised use of personal data for marketing communications will breach the new regulation. Furthermore, gambling operators and their affiliates can expect the regulatory landscape to get rockier still, as privacy and communications (including direct marketing) looks to be next on the EU’s reform agenda.

Practical steps to reduce the risks posed by direct marketing

There are some simple steps gambling operators can take to reduce the risk posed by affiliate marketing and increase the chance of the reasonable care defence succeeding.

  • Contracts – agreements with affiliate marketers must include detailed data protection and privacy provisions. Operators should require that affiliates comply with marketing policies/procedures and seek indemnities in case of a breach of contract.
  • Policies – operators should implement a detailed policy which sets out the steps affiliates must take in order to comply with data protection and privacy laws. This should address issues such as:
    • Having a legal basis for communications (i.e. consent or an existing relationship).
    • Screening contacts against preference lists such as the TPS.
    • Providing unsubscribe/opt-out options.
    • Ensuring the identity of the sender is not concealed (e.g. this message is sent by [Marketing Co Ltd], an affiliate of [Gambling Operator Ltd]).
  • Hold affiliates accountable – operators must monitor the activities of affiliates and ensure their compliance with legal and contractual obligations. Unlawful activity should be dealt with swiftly.
  • Privacy notices – customers who are subsequently directed to the operator’s website should, when they arrive, be provided with appropriate privacy notices which reflect the ICO’s latest guidance.

No change with Brexit

Finally, those organisations hoping Brexit might offer some protection from EU data protection and privacy laws are likely to be disappointed. The UK Government has confirmed the GDPR will be implemented regardless of Brexit, and it is reasonable to expect that privacy reforms will also take effect in the UK.

As a result, organisations should be acting now to improve their compliance position before the new law (and increased fines) take effect.


If you would like to discuss any of these points in more detail, please feel free to contact:

Oliver Neil

Oliver is a specialist commercial and information technology lawyer who advises clients on a wide range of contractual agreements and complex regulatory issues. He has particular expertise in data protection, e-privacy and information security law.

T: 01865 781 219