Sky Betting and Gaming – Violation Found (United Kingdom, 2024)

The controller, an online gaming and betting services provider, used third-party tracking technology including cookies to collect personal data for marketing purposes. Following a report by an advocacy organisation alleging that the controller transfers extensive amounts of data to third parties without the data subjects’ consent, the ICO commenced an investigation. It found that when users visited the website they were required to consent to cookies. However, even before consent was given through selection in the cookie banner, cookies were placed on visitors’ devices. The mere visit on the website initiated processing of personal data which was transferred to third parties without the knowledge or consent of the users. The ICO alerted the controller of its non-compliant practices on 2 March 2023 and by the next day, the controller had taken steps to rectify the issue. The rectification of the issue was confirmed by the ICO through the form of technical testing on the 17 March 2023. On the 17 March 2023, the controller had stated that all processing of personal data took place on the legal basis of consent. Therefore, the ICO concluded that from 10 January 2023 until 3 March 2023, the processing took place unlawfully. Certain cookies were deployed without the knowledge or consent of the users before they interacted with the cookie banner. Stating that unlawful disclosure of personal data to third parties is a matter of significant public concern, particularly in a commercial context, the ICO held the processing to be unlawful. The ICO reprimanded the controller under Article 58(2)(b) UK GDPR for violating Articles 5(1)(a), 6(1)(a) and 7(1) UK GDPR.