Betting on privacy: Sky's cookie consent reprimand

United Kingdom

On 2 September 2024, the UK Information Commissioner’s Office (“ICO”) issued a reprimand to Bonne Terre Limited (trading as Sky Betting and Gaming) (“SkyBet”) for unlawfully processing personal data through advertising cookies without consent. The ICO found that SkyBet was sharing its users’ personal data with adtech companies as soon as they accessed the SkyBet website, before they had the option to accept or reject advertising cookies, which meant that their personal data could be used to target them with personalised ads without their knowledge or prior consent. The ICO’s investigation followed a complaint from Clean Up Gambling which alleged SkyBet was deliberately misusing personal information to target vulnerable gamblers. However, the ICO found no evidence of deliberate misuse. The ICO’s action against SkyBet is part of a wider crack down by the ICO to ensure that websites offer users a fair and informed choice over whether their personal information is used for targeted advertising and that the processing of personal data using cookies (particularly by those involved in adtech) is done lawfully, fairly and transparently.

Background

The ICO’s investigation into SkyBet was initiated in response to a report published by Clean Up Gambling, a non-profit campaign group, in January 2022. The report alleged that SkyBet transferred substantial amounts of personal data to third party advertisers without obtaining consent from data subjects.

The ICO’s investigation revealed that certain cookies, including “non-essential” tracking and advertising cookies, were being deployed to users’ devices before they had given their consent preference using the consent management platform (“CMP”). For example, the ICO discovered that MediaMath, a demand side platform which buys ad space based on behavioural data, had been contracted by SkyBet and was using a pixel embedded within SkyBet to drop 40 third-party marketing cookies onto a visitor’s device before they had set their consent preferences within the CMP. This meant that the personal data of visitors was being processed without their consent, or another lawful basis. As a result, data subjects’ personal data was made available to and processed by adtech companies without consent, in breach of the requirement under the UK GDPR for the processing of personal data to be lawful and fair.

The Reprimand

In February 2024, the ICO issued a Notice of Intent to issue a Reprimand to SkyBet and, having considered SkyBet’s written representations, have decided that SkyBet had processed personal data in breach of various Articles of the UK GDPR, being: Articles 5(1)(a) (to process personal data lawfully, fairly and transparently); 6(1)(a) (to process personal data with a legal basis); and 7(1)(a) (demonstrating the consent of data subjects where relying on consent as a lawful basis).

The ICO’s Reprimand recommends that in order to ensure future compliance with the above Articles, SkyBet should continue to review and monitor its processes to ensure that all non-essential cookies and tags are only deployed on its domains after having received valid individual consent.

The ICO has warned that a continued failure of SkyBet to comply with its obligations could result in further regulatory action by the ICO.

As a result of the investigation, SkyBet made changes in March 2023 to ensure that people could reject advertising cookies before their personal information was shared for these purposes.

Implications for the AdTech Industry

This ICO action serves as a reminder to companies, particularly those that are in adtech or make use of adtech, of the importance of ensuring that processing through the use of cookies is conducted in compliance with data protection laws. The ICO has conducted its own research and is aware of public concern about the unlawful disclosure of personal data to third parties[1]. It has also previously addressed the need for giving effective choice to data subjects when encountering adtech[2], whilst being concerned with the exploitation of vulnerable data subjects (in this case, those suffering with gambling addictions) not being granted control over their exposure to targeted advertising. All of these were considered by the ICO when determining the potential harms caused by SkyBet’s contraventions. We expect that adtech practices and potential harms will be an area that continues to receive scrutiny from the ICO.

Co-authored by Florentina Terholli, trainee solicitor at CMS
 

[1] ICO Public Awareness Survey

[2] Update report into adtech and real time bidding (ico.org.uk)