Luck of the Law: The Role of Data in Shaping Ireland’s Gambling Sector

Laura Murray is a BCL (Clinical) student at the School of Law, UCC. She is currently on placement at RDJ LLP and has previously interned at Deloitte as part of the Regulatory Risk team. In this blog, Laura examines the current regulatory landscape regarding gambling in Ireland, with a focus on how gambling regulators use personal data.

 _________________

A INTRODUCTION

‘Gambling, in simple terms, is participating in games of chance for money.’ In Ireland, gambling has long been embedded in cultural and social traditions, with early forms such as horse and dog races paving the way for modern iterations such as mobile gaming and in-game loot boxes.[1] These advancements have led to an increase in both the variety and the accessibility of ways in which people can gamble. Gambling is no longer confined to physical locations and can be done virtually ‘anywhere, anytime’, leading to exceptional user growth and usage.[2] Globally, the gambling industry has experienced tremendous growth, with revenue projected to reach 876 billion USD by 2026.[3]

While gambling may serve as a harmless recreational activity for some, it can become problematic for others. A critical concern is the potential conflict between industry practices and customer wellbeing, with gambling companies profiting from the exploitation of problem gamblers. This is a concern considering that the majority of gambling revenue is derived from a ‘disproportionately small’ number of participants.[4] The gambler’s risk is significant, with the possibility of losing one’s home, family, and job, while the operator’s risk is ‘limited to almost nil.’[5] This blog will examine the role of data within the Irish gambling industry, exploring the regulatory challenges arising from the General Data Protection Regulation (GDPR),[6] and the new Gambling Regulation Act 2024 (2024 Act).[7] Additionally, this blog considers the broader implications of these developments, including their impact on consumer protection, industry practices, and particularly the significant power imbalance between customers and gambling companies.[8]

B THE VALUE OF DATA

Gambling companies collect an extensive range of data, including personal identifiers, preferences, and engagement statistics, for the purposes of targeted marketing and customer retention strategies. As exemplified by Hummel, ‘value is typically derived from the combination and use of data rather than individual data points’.[9] While these practices have bolstered the industry’s growth, they raise significant concerns about privacy, consent, and ethical usage of personal data.

I Categories of Data Collection

The data collected by gambling companies often includes sensitive and identifiable information such as names, dates of birth, home addresses, email addresses, telephone numbers, and gender. This information is usually gathered during account creation or through loyalty programmes. Beyond personal identifiers, companies track preferences, such as which games players engage with, betting patterns, and typical expenditure levels. Engagement metrics like frequency of play, session duration, and geographical location allow gambling companies to build comprehensive customer profiles.[10] The aim of this data collection is clear: maximise profits through targeted marketing and player retention. By understanding customer preferences and behaviours, gambling companies can develop personalised marketing campaigns, adjust promotional offers, and create products tailored to specific demographics. High-value customers or ‘VIPs’ are often identified for special attention, receiving tailored incentives such as complimentary services or exclusive bonuses.[11] This targeted approach towards high-stakes gamblers, allowing ‘VIPs’ increased benefits and leniency, can have destructive consequences for both the gambling operator and the player. For example in The Star Entertainment Qld Ltd v Yew Choy Wong, litigation arose after a high-roller gambler failed to repay a substantial gambling debt incurred through a casino credit facility.[12]

II Methods of Data Collection

The gambling industry employs a variety of sophisticated tools and methods to gather data, often without the customer’s full awareness.

(a) Cookies and Tracking Technologies

Cookies, which are typically short text files, are inserted into visitors’ computers by websites to enable identification and track users' online activities, including browsing and search history.[13] It is imperative that users are not forced to click ‘Accept cookies’ as a precondition to use a service, as this does not constitute valid consent.[14]

(b) Behavioural Tracking

Gambling platforms analyse how customers interact with their sites, including games played, wager amounts, and time spent. Operators use machine learning, commonly ‘k-means clustering’, to group gamblers with similar betting patterns.[15]

(c) Third-party Data

Operators purchase supplemental data from external providers. This may include demographic information, income estimates, or family status, to enhance their profiles of users.[16] Additionally, operators may transfer data to third parties. This may be for a variety of purposes including marketing or customer profiling. Operators still ‘bear the burden’ of ensuring all data is processed appropriately.[17]

(d) Geolocation Data:

GPS (Global Positioning System) and IP (Internet Protocol) tracking allow operators to monitor the physical locations of players in order to enforce regional restrictions or refine marketing strategies. GPS monitoring, which is ‘permanent and systematic’ constitutes an encroachment on the private life of an individual,[18] as set out in Gramaxo.[19] Additionally, there are concerns that the combination of geolocation data with other information could potentially reveal sensitive details about an individual’s lifestyle, as outlined in the Data Protection Act 2018.[20]

(e) Biometric Data

Facial recognition and fingerprinting technologies, often presented as security measures, are increasingly used to enhance player profiling. There are legal and ethical concerns regarding this type of data, described by Norris as a ‘tortious invasion of privacy.’[21] Under GDPR, biometric data is classified as special category data, requiring strict safeguards.[22] 

III Transparency, Consent, and GDPR Compliance?

A major issue with these practices, outlined above, is whether players fully understand how their data is being collected, used, and shared. Under GDPR, companies must ensure that data processing is lawful, fair, and transparent.[23] GDPR also mandates that consent must be freely given, specific, informed, and unambiguous.[24] Pre-checked boxes and lengthy, complex terms and conditions do not meet the requirements for valid consent under GDPR. Consent must be given through a ‘clear, affirmative action’.[25] Despite GDPR’s straightforward mandates, many gambling operators fail to meet these standards. Gambling companies are required to provide clear and concise information regarding the usage of personal data which should be set out in the ‘ordinary language’ and avoid legal jargon.[26] Players often encounter lengthy privacy policies, making it difficult for them to comprehend the extent of data collection or its intended use. Controllers provide ‘the insufficiently informed data subject with information they neither read, nor understand’.[27] GDPR provides users with the right to access, correct, delete, and object to the processing of their data. However, the gambling industry’s practices often obscure these rights, leaving customers unaware or unable to exercise them effectively, creating an asymmetrical relationship where companies benefit at the expense of consumer rights.[28]

IV Ethical Implications of Data Usage

The use of data analytics and personalisation in gambling raises several ethical concerns, particularly regarding the exploitation of vulnerable individuals. ‘Dataveillance’, which is where data collection and analysis allows gambling companies to monitor, predict, and influence customer behaviour, can lead to manipulative practices targeting at-risk gamblers.[29] By identifying patterns indicative of problem gambling, companies can target these individuals with promotions and incentives, worsening their gambling problems. Furthermore, manipulative game design, utilising real-time data, allows operators to influence player behaviour.[30]

Practices such as disregarding self-exclusion requests exacerbate the imbalance of power between gambling companies and vulnerable individuals.[31] The collection of data from minors introduces further ethical concerns. Critically, in the context of online social casino games and loot boxes, which mimic gambling mechanics, are often aimed at younger audiences who may not recognise that they are being ‘targeted’, ‘recorded’, and ‘nudged’.[32] The use of data analytics for personalisation and targeting means that game operators can tailor the game experience and messaging to be especially resonant with young players. These platforms can serve as a ’training ground’ for youth, normalising gambling behaviour and leading to real-money gambling. Research indicates that youth who make in-game micro-transactions are more likely to transition to real-money gambling.[33]

V Data Breaches and Improper Data Use

Data breaches and the improper use or collection of data are considerable concerns within the gambling industry. Security risks are a concern due to the vast amounts of sensitive data, such as personal identifiers, payment information, and behavioural data, stored by gambling companies. These systems are prime targets for malicious actors.[34] Security vulnerabilities in data storage and management can lead to breaches where this sensitive information is exploited for identity theft and financial fraud. Human errors are also a factor in data breaches, as ‘sending an email to the wrong recipient’ can cause a data breach to occur.[35] The data breach of Paddy Power in 2010, which compromised the personal details of 650,000 customers, included stolen account information such as customer names, dates of birth, e-mail addresses and phone numbers, illustrating the serious implications of data breaches.[36] Under GDPR an individual can claim compensation for material or non-material damages caused by a breach,[37] the ‘non-material’ aspect was confirmed in the case of Kaminski.[38] Additionally, within Ireland, the right to privacy has constitutional protection[39] and awards of damages continue to be made in cases for breach of privacy as a constitutional right,[40] as the Irish courts aim to vindicate constitutional guarantees ‘insofar as possible'.[41] Moreover, many customers are unaware of how extensively their data is being gathered, processed, and shared. As indicated above, valid consent must be freely given, specific, informed, and unambiguous. These requirements are often not met, leaving users vulnerable to exploitation and data misuse.

VI Loot Boxes – Hidden Gambling?

The normalisation of gambling among minors through mechanisms such as loot boxes is a growing concern. Loot boxes are in-game purchases offering randomised rewards, which have been criticised for their similarity to traditional gambling. Research has noted that young players, who are particularly susceptible to risk-taking behaviours, are drawn to the excitement of gambling mechanisms.[42] Additionally, the blending of social mechanics such as leaderboards and chat features with gambling mechanics has created an appealing unregulated gaming platform, desirable for young audiences.[43] The lack of regulation surrounding loot boxes in many jurisdictions allows these platforms to operate without the same consumer safeguards as traditional gambling products. The EU has begun addressing these concerns. In 2023, the European Parliament voted to regulate video game loot boxes, and GDPR includes some protections for children’s data, particularly regarding marketing and profiling.[44] The European Council has suggested drafting a sector-specific code addressing children’s data, in accordance with GDPR Article 40.[45] However, the practical implementation of these regulations can be challenging, and there is a need for more specific guidance on how to apply these rules to the unique characteristics of video games and loot boxes. On a positive note, some jurisdictions, such as The Netherlands and Belgium have implemented local laws to address the risks associated with loot boxes, such as prohibiting their sale to minors or designating loot boxes as gambling. In Ireland, specific loot box regulation is in discussion but remains absent, despite growing concerns over their impact on minors.[46]

C ENFORCEMENT AND OVERSIGHT OF DATA

I Old Laws, New Challenges

Ireland’s gambling legislation has its roots in historical acts, most notably the Betting Act of 1931,[47] the Totalisator Act 1929,[48] and the Gaming and Lotteries Act 1956.[49] While these acts were effective for their time, they are considered outdated and inadequate for regulating the complexities of our modern gambling landscape. The Gaming and Lotteries (Amendment) Act 2019,[50] which came into effect in December 2020, sought to update the regulation of gaming machines and lotteries. However, this reform has been criticised for its narrow scope, particularly its failure to address the regulation of online gambling.[51] The slow pace of legislative change is especially concerning given the rapid pace of technological innovation and the increasing dominance of online platforms.[52] As Nicoll and Akcayir stress, an understanding of the historical context is crucial for understanding the current regulatory issues.[53]

II General Data Protection Regulation (GDPR) - A Blind Spot?

The General Data Protection Regulation (GDPR), enacted by the European Union (EU), sets stringent rules on data protection and privacy, with broad implications for the gambling industry. The GDPR mandates the protection of personal data, which includes any identifiable information, meaning not anonymous or encrypted.[54] Special categories of personal data, such as ‘the processing of genetic and/or biometric data where the purpose is to uniquely identify the data subject,’ which includes facial recognition and fingerprinting technologies increasingly used in the gambling industry, are also protected under the regulation.[55] Gambling companies are obligated to comply with GDPR requirements, which include obtaining explicit consent, ensuring transparency, and ensuring data security. While GDPR offers essential protections, its implementation within the gambling sector poses challenges. Companies are required to maintain comprehensive records of all data processing activities and conduct ‘detailed personal data inventory’ to avoid breaches.[56] Nevertheless, the dynamic nature of the gambling industry complicates these processes, requiring constant vigilance and adaptation. There remains a concern among gambling operators that discussion of personal data may ‘frighten’ consumers and prefer the belief that ‘for the average consumer, ignorance is bliss’.[57] Despite the broad protection offered by GDPR, there remain significant gaps within the gambling sector. A central issue in the current regulatory landscape is the lack of specific data privacy provisions tailored to the gambling industry, creating ambiguity in how data protection regulations should be enforced. Additionally, balancing the rights of the players with the operator’s obligations under other laws, such as tax and gambling regulations, creates confusion and inconsistencies.[58] Furthermore, handling special categories of data, such as biometric information, and obtaining valid consent from vulnerable players remain significant concerns. Selin argues that the shift from self-regulation to more robust, external regulation is urgently needed in this area.[59] Moreover, the lack of enforcement capabilities within Ireland’s gambling regulatory framework fails to create effective regulation and,[60] as discussed, the outdated nature of Ireland’s gambling regulation creates barriers to successfully enforce modern data protection measures. Even the implementation of the Digital Services Act has had an indirect, rather than direct approach on gambling operators.[61] While the gambling industry provides significant revenue and employment opportunities, consumer protection must take precedence. As emphasised by Orford, there must be a ‘critical examination’ of the relationships between regulators and operators.[62]

III International Approaches to Regulation

Ireland could benefit from looking at the regulatory frameworks of other jurisdictions to inform its own approach. Finland, having one of the highest per capita gambling rates, operates a monopolistic gambling regime, where the state controls all gambling activities. ‘Channelling’ is a key policy, in which the aim is directing gambling towards the state-owned operator and away from unlicensed or harmful alternatives.[63] This centralised model contrasts with liberalised approaches seen in countries like the Netherlands, a ‘neo-liberal risk regulation regime’, which allows private companies to operate within a regulated framework.[64] Each of these models has distinct implications for both consumer protection and growth of the gambling industry in a digital space, as highlighted by Kingma.[65]

D THE FUTURE OF IRELAND’S GAMBLING INDUSTRY

The Gambling Regulation Act 2024 aims to modernise Ireland’s gambling laws, replacing outdated legislation to address the issues posed by the rapid growth of the industry. The 2024 Act is designed to create a comprehensive regulatory framework for all forms of gambling, bringing ‘legal certainty to the area’, with emphasis on consumer protection, safeguarding vulnerable individuals, and mitigating harm caused by problem gambling.[66]

I Features of the Gambling Regulation Act 2024

A cornerstone of the legislation is the establishment of Gambling Regulation Authority (GRA), an independent body tasked with licensing and regulating all aspects of gambling in Ireland, such as betting, gaming, and the sale of gambling-related products and services.[67] The 2024 Act establishes a social impact fund to finance research into, raise awareness of, and eliminate or reduce compulsive and excessive gambling.[68] Additionally, the 2024 Act introduces a National Gambling Exclusion Register and requires license holders to adhere to strict measures aimed at protecting participants, including prohibitions on inducements and restrictions on gambling advertisement, especially those targeting minors.[69] The Act also enables the GRA to conduct research into gambling, collect data and analyse data related to gambling operators.[70]

II Failures of the Gambling Regulation Act 2024

While the above provisions are commendable, the legislation falls short in addressing critical issues related to data protection and the use of personal information within the gambling industry. The 2024 Act does not include explicit measures to govern the collection, processing, or sharing of personal data for activities such as targeted advertising, data analytics, or player profiling. This omission leaves a significant gap in the regulatory framework, particularly egregious given the gambling industry’s reliance on data to optimise user engagement and maximise profits.[71] Despite requiring compliance with GDPR, the 2024 Act does not establish industry-specific guidelines or enforcement mechanisms to ensure responsible data usage, undermining the principles of data minimisation and purpose limitation enshrined in the GDPR.[72] Nicoll suggests it is likely the industry will attempt to ‘water down’ regulations through ‘aggressive’ lobbying efforts.[73]

E CONCLUSION

The ethical tightrope surrounding data usage in the gambling industry necessitates reform. Current legislation is lacking in its ability to fully address concerns related to how personal data is collected, analysed, and used by gambling companies to manipulate player behaviour and maximise profits. While existing protections, such as restrictions on advertising and inducements, are important, they remain insufficient in mitigating risks associated with data exploitation. The key to achieving balance between economic interests and consumer protection lies in the continuous oversight of industry practices and the flexibility to adapt regulations as the sector innovates. It is imperative to ensure that digital platforms respect fundamental rights and freedoms, rather than compromising them for the pursuit of profit.[74] Ireland’s approach to regulating data usage in the gambling sector is influenced by the GDPR, with the Gambling Regulation Act 2024 providing a framework for how this regulation will be specifically enforced. However, the absence of tailored data privacy provisions for the gambling industry reflects a broader issue of prioritising economic gains over the fundamental rights of Irish citizens. Without effective regulations, data processors can ‘claim human experience as raw material free for the taking’.[75]

[1] Crystal Fulton, ‘Playing Social Roulette: The Impact of Gambling on Individuals and Society in Ireland’ (Research Repository UCD, June 2015).

[2] Janne Nikkinen, Virve Marionneau and Michael Egerer, ‘The Global Gambling Industry Structures, Tactics, and Networks of Impact’ (Springer Gable Wiesbaden, 2022) 153.

[3] Niccolò Aimo, Matteo Bassoli, and Virve Marionneau, ‘A Scoping Review of Gambling Policy Research in Europe’ (2024) 33 International Journal of Social Welfare 3 659–674.

[4] Xiao Ma, Seung Hyun Kim, Sung S Kim, ‘Online Gambling Behaviour: The Impacts of Cumulative Outcomes, Recent Outcomes, and Prior Use’ (2014) 25 Information Systems Research 3 511-527.

[5] Nikkinen (n 2) 63.

[6] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1 (GDPR).

[7] Gambling Regulation Act, 2024.

[8] Meglena Kuneva, ‘Roundtable on Online Data Collection, Targeting and Profiling’ (Brussels, 31 March 2009).

[9] Patrik Hummel, Matthias Braun, and Peter Dabrock, ‘Own Data? Ethical Reflections on Data Ownership’ (2021) 34 Philos Technol 545–572.

[10] Article 29 Data Protection Working Party, ‘Opinion 4/2007 on the concept of personal data’ (20 June 2007) < https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf>  (date accessed: 23 November 2024).

[11] European Gaming and Betting Association, ‘Code of Conduct on Data Protection in Online Gambling’ (June 2020) 44 < https://www.egba.eu/uploads/2020/06/200211-Code-of-Conduct-on-Data-Protection.pdf > 25 November 2024 (EGBA).

[12] The Star Entertainment Group Ltd. v Yew Choy Wong [2021] QSC 67.

[13] Denis Kelleher, Privacy and Data Protection Law in Ireland, 2nd ed. (2nd edn, Bloomsbury Professional 2015) 21.74.

[14] Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects 15.

[15] Simo Dragicevic, George Tsogas and Aleksandar Kudic, ‘Analysis of Casino Online Gambling Data in Relation to Behavioural Risk Markers for High-Risk Gambling and Player Protection’ (2011) 11 International Gambling Studies 377-391.

[16] Zaniah Jordan, ‘The Effect of the European Union (EU) General Data Protection Regulation (GDPR) on the Gaming Industry’ (2020) 10 UNLV Gaming Law Journal 2 259-282.

[17] ibid.

[18] European Court of Human Rights, ’Guide on Article 8 of the European Convention on Human Rights Right to Respect for Private and Family Life, Home and Correspondence < https://ks.echr.coe.int/documents/d/echr-ks/guide_art_8_eng> date accessed 15 March 2026.

[19] Judgment of 13 December 2022, Florindo de Almeida Vasconcelos Gramaxo v Portugal, (application no 26968/16).

[20] Data Protection Act 2018, s.69 (2018 Act).

[21] Stacy Norris, ‘…And the Eye in the Sky is Watching Us All - The Privacy Concerns of Emerging Technological Advances in Casino Player Tracking’ (2019) 9 UNLV Gaming Law Journal 2.

[22] GDPR (n 6) Article 9.

[23] GDPR (n 6) Article 5.

[24] GDPR (n 6) Article 7.

[25] Data Protection Commission, ‘Guidance Note: Legal Bases for Processing Personal Data’ (December 2019) 7

[26] 2018 Act (n 20) s 138.

[27] Julian Schneider, ‘The Origins and Future of International Data Privacy Law’, (2024) 47 UC Law SF International Law Review 1.

[28] ibid.

[29] Jennifer Reynolds, ‘Gambling on Big Data: Designing Risk in Social Casino Games’ (2019) 10 European Journal of Risk Regulation 1 116-131.

[30] Dragicevic (n 15).

[31] Mark D Griffiths, ‘The Use of Online Methodologies in Data Collection for Gambling and Gaming Addictions’ (2010) 8 Int J Ment Health Addiction 20.

[32] Reynolds (n 29).

[33] ibid.

[34] Jordan (n 16).

[35] Data Protection Commission Guidance Note (n 25) 2.

[36] John Mulligan, ‘Massive Data Breach at Paddy Power Bookmakers’ (The Independent, July 2014) <https://www.independent.ie/irish-news/massive-data-breach-at-paddy-power-bookmakers/30474614.html>  date accessed, 30 November 2024.

[37] GDPR (n 6) Article 82.

[38] Kaminski v Ballymaguire Food Limited [2023] IECC 5.

[39] 1937 Constitution, Article 40.3.

[40] Herrity v Associated Newspapers Ltd [2008] IEHC 249.

[41] Róisín Á Costello, Privacy Law in Ireland (Bloomsbury Professional, 2023) at 5.75.

[42] Nikkinen (n 2) 48.

[43] Griffiths (n 31) 43.

[44] GDPR (n 6)  Recital 38.

[45] GDPR (n 6) Article 40.

[46] Sean Murray, ‘Ireland ‘Far Behind the Curve’ on Gambling Laws as Warning Sounded on Insidious Loot Boxes in Video Games’ (The Journal, November 2020) <https://www.thejournal.ie/video-games-loot-boxes-5249761-Nov2020/>  accessed 1 December 2023. As of March 2026, loot boxes are not specifically regulated under Irish gambling laws.

[47] Betting Act, 1931.

[48] Totalisator Act, 1929.

[49] Gaming and Lotteries Act, 1956.

[50] Gaming and Lotteries (Amendment) Act, 2019.

[51] Deirdre Mongan and others, ‘Gambling in the Republic of Ireland: Results from the 2019–20 National Drug and Alcohol Survey’ (Health Research Board, Dublin, February 2022) 2.

[52] ibid.

[53] Fiona Nicoll and Murat Akcayir, ‘Editorial’ (2020) 1 Critical Gambling Studies 1.

[54] GDPR (n 6) Article 4(1).

[55] GDPR (n 6) Article 9.

[56] GDPR (n 6) Article 30.

[57] Jordan (n 16) 28.

[58] EGBA (n 11) 21.

[59] Jani Selin, Eija Pietilä, and Minna Kesänen, ‘Barriers and Facilitators for the Implementation of the Integrated Public Policy for Alcohol, Drug, Tobacco, and Gambling Prevention: A Qualitative Study’ (2020) 27 Drugs: Education, Prevention & Policy 2 136–144.

[60] Fulton (n 1) 56.

[61] Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act).

[62] Jim Orford, ‘Gambling in Britain: The Application of Restraint Erosion Theory’ (2012) 107 Addiction 12 2082 2086.

[63] Jani Selin, ‘From Self-Regulation to Regulation – An Analysis of Gambling Policy Reform in Finland’ (2016) 24 Addiction Research & Theory 3 199–208.

[64] Sytze F Kingma, ‘The Liberalization and (Re)Regulation of Dutch Gambling Markets: National Consequences of the Changing European Context” (2008) 2 Regulation & Governance 4 445–458.

[65] ibid.

[66] Fulton (n 1) 14.

[67] The Gambling Regulation Act 2024, s 70.

[68] The Gambling Regulation Act 2024, s 50.

[69] The Gambling Regulation Act 2024, s 13.

[70] The Gambling Regulation Act 2024, s 65.

[71] Jordan (n 16).

[72] GDPR (n 6) Article 5.

[73] Nicoll (n 53).

[74] Nikkinen (n 2) 209.

[75] Hummel (n 9) 561.