Action taken against Sky Betting and Gaming

19 September 2024
(PRESS RELEASE) -- The U.K.’s Information Commissioner’s Office (ICO) issued a reprimand to Bonne Terre Limited, trading as Sky Betting and Gaming, for unlawfully processing people’s data through advertising cookies without their consent.
From 10 January to 3 March 2023, Sky Betting and Gaming was processing people’s personal information and sharing it with advertising technology companies as soon as they accessed the SkyBet website - before they had the option to accept or reject advertising cookies. This meant their personal information could be used to target them with personalized adverts without their prior consent or knowledge.
The ICO investigated whether Sky Betting and Gaming was deliberately misusing people’s personal information to target vulnerable gamblers, following a complaint from Clean Up Gambling. While no evidence of deliberate misuse was found, the regulator concluded that Sky Betting and Gaming was processing personal data through the use of certain cookies in a way that was not lawful, transparent or fair.
As a result of our investigation, Sky Betting and Gaming made changes in March 2023 to ensure that people could reject advertising cookies before their personal information was shared for these purposes.
The enforcement action comes as the ICO is working to crack down on websites that do not offer people a fair and informed choice over whether they want their personal information to be used for targeted advertising.
Last year, the ICO reviewed the U.K.’s top 100 websites and discovered issues with how more than half of these websites were using advertising cookies. The ICO wrote to these 53 to warn that they faced enforcement action if they did not make changes to advertising cookies to comply with data protection law. There has been a positive response to this call to action, with 52 of the websites making changes to how advertising cookies are used.
Out of the 53 websites contacted, only gossip website Tattle Life has not engaged with us and will now be investigated for its use of cookies and apparent failure to register with the regulator.
Stephen Bonner, Deputy Commissioner, said:
“We’ve all seen adverts online that seem designed specifically for us, such as an ad for trainers after signing up to a gym online. Some people may be happy to consent to receive these, but others may not be comfortable receiving similar adverts, especially when it comes to sensitive aspects of our digital activity. For example, if you are visiting a gambling website or looking up concerning health symptoms, you may want to prevent this personal information being shared with advertisers.
“I’m pleased to see changes being made as a result of our intervention, with 99 of the top 100 websites either already offering a meaningful choice over advertising cookies or making improvements to gain people’s consent. For example, some have now included a ‘reject all’ button and others have made their ‘accept all’ and ‘reject all' options equally prominent, meaning it is just as easy to reject cookies as it is to accept them. These changes mean that people have more agency over how their personal information is used online. Others have started to introduce alternative methods to obtain consent, such as ‘consent or pay’ - a business model the ICO is currently reviewing.
“Our enforcement action against Sky Betting and Gaming is a warning that there will be consequences if organizations breach the law, and people are denied the choice over targeted advertising. We are preparing to scrutinize the next 100 most frequented websites, so I urge all organizations to assess their cookie banners now to make sure consent can be freely given before a letter arrives from the regulator.”
As part of our strategy to ensure people’s rights are upheld by the online advertising industry, the ICO audited a number of data management platforms to understand how the wider industry handles people’s personal information. Some of these platforms are now under investigation for potentially failing to comply with data protection law.