Although they may not fully appreciate it, under British gambling laws, affiliates presently occupy a privileged position.
Despite them providing marketing services designed to drive customer traffic to licensed betting websites, the Gambling Commission does not regard them as falling within the statutory definition of a betting intermediary, ie “a person who provides a service designed to facilitate the making or acceptance of bets between others”. It might otherwise be thought that this definition catches precisely the central activity of an affiliate.
However, the Commission maintains that it has adopted “a common sense approach” to the question of what constitutes “facilitating” the making or accepting of bets between others, so that for example, it does not consider that merely placing advertisements as to where to place bets or providing tips in a newspaper is sufficient to fall within the definition.
As a result, affiliates have escaped the need for licensing as long as their activity does not tip over the line into providing, operating or administering arrangements for gambling by others, which would require a licence.
Similarly, despite gambling software being defined in the Gambling Act 2005 as “computer software for use in connection with remote gambling”, the software typically used by affiliates escapes any licensing requirement. That is because the Commission regards the purpose of gambling software licensing to be ensuring that those manufacturing software that can impact on the fairness of remote gambling do so in a regulated environment. It says that the statutory definition “would not include software developed more generally for associated activities such as performance analytics, affiliate and CRM management”.
Because affiliates are not licensed, the Commission’s Licence Conditions and Codes of Practice do not directly apply to them. The onus under Social Responsibility code provisions 1.1.2 and 1.1.3 of the LCCP to ensure compliance rests instead with the licensed gambling operator:
- whose contractual terms must require the affiliate “to conduct themselves insofar as they carry out activities on behalf of the licensee as if they were bound by the same licence conditions and subject to the same codes of practice as the licensee” and
- “who must take responsibility for third parties with whom they contract for the provision of any aspect of the licensee’s business related to the licensed activities and ensure that the terms on which they contract with their affiliates …. enable them to terminate, subject to compliance with any dispute resolution provisions of such contract, the affiliate’s rights promptly if, in the licensee’s reasonable opinion, the affiliate is in breach of a relevant advertising code of practice”.
So far, so good then for affiliates from a regulatory perspective as long as they:
- comply with the advertising codes of practice and
- take care not to commit a criminal offence by advertising a non-British licensed gambling operator to the British market.
However, last month a potentially severe threat to affiliates arose from a wholly different regulatory direction when, as part of an investigation by the Information Commissioner’s Office into large numbers of spam texts linked to the gambling sector, it wrote to more than 400 companies that it believed were using people’s personal details to promote online gambling websites. The ICO demanded that recipients set out how they use people’s personal details and send marketing texts, including where they got people’s personal information from and how many texts they sent.
Any affiliates who received such a communication should not regard it lightly as they could face a fine of up to £500,000 if they are found to be collecting and using personal data for marketing in a manner which does not comply with the prior consent and privacy requirements within the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations 2003 (“PECR”).
This threat did not come out of the blue. The ICO has previously made it clear that gambling industry marketing is consistently in the top 5 most complained about categories for spam texts.
There appears to be a general feeling that affiliates, very many of whom operate from outside the UK, consider themselves immune from the ICO’s enforcement powers. This has resulted in increasing concerns about affiliate marketing on the part of the ICO where it believes that neither the gambling operator nor its affiliates take any responsibility for complying with the rules.
It may be that many licensed operators believe that they are not responsible for breaches by their affiliates of the prohibition in Regulation 22 of the PECR on transmitting, or instigating the transmission of, unsolicited communications to individuals for the purposes of direct marketing by means of electronic mail (including by SMS), unless the recipient has given valid prior consent to the marketing.
However, pointing its finger firmly at operators, the ICO takes the view that:
- an operator has instigated spam marketing that is unlawfully carried out by its affiliate, even in circumstances where the operator has contractually obliged its affiliate to collect and process personal data for marketing purposes in accordance with the legislative requirements,
- at the time third party data is collected by an affiliate, there is no way that specific details of the operator can be provided by the affiliate in order to allow valid prior consent to be given, and
- although an operator should request a copy of its affiliates’ databases to carry screening for valid consents and any opt-outs (as well as for customer self-exclusions), such information is rarely shared with the consequence that the operator cannot comply with its due diligence obligations under the PECR.
David Clancy, ICO anti-spam investigations manager, has said: “Not knowing the law or trying to pass the buck to another company in the chain is no excuse ….fail to be accountable, and you could be breaking the law, risking ICO enforcement action and the future of your business”.
The above-mentioned action by the ICO has been welcomed by the Gambling Commission, leading to suggestions that the Commission might itself also take enforcement action against operators in such circumstances on the basis that affiliate marketing could be regarded as an “aspect of the their business related to gambling activities” for which the operator is responsible by reason of SR code provision 1.1.2 (as mentioned above).
If all of this was not sufficiently concerning, both operators and affiliates need to bear in mind that even more substantial fines for serious data protection breaches of up to 4% of annual worldwide turnover (subject to a €20 million maximum) are around the corner, with the EU General Data Protection Regulation replacing the Data Protection Act in May 2018 (as reported in my April 2016 article for SBC News at http://www.sbcnews.co.uk/features/comment/2016/04/12/david-clifton-), and the PECR is likely to be made even more robust with even higher levels of protection for consumers expected to result from the current review of the Privacy and Electronic Communications Directive.
The Brexit vote is unlikely to make any difference. Even after the UK exits the EU, its data protection and privacy standards will necessarily have to be equivalent to those within the remaining EU Member States. The ICO has itself said: “with so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens”.
David Clifton – Director – Clifton Davies Consultancy Limited