Don’t gamble with data protection compliance: Lessons learned from Sky Bet’s public reprimand

Sky Betting and Gaming (Sky Bet) was recently issued a reprimand by the ICO for their use of advertising cookies without user consent.

This forms part of a broader project the ICO has undertaken with support from the CMA into “harmful website designs”, but this reprimand represents the first public enforcement action we have seen from either regulator in relation to that project.

The ICO first alerted Sky Bet back in March 2023 that it’s use of advertising cookies was in breach of the UK GDPR. The ICO identified that the advertising cookies Sky Bet was using were being deployed prior to users to the site being given the chance to consent or reject them via Sky Bet’s cookies banner, and as such data was being collected and used by third parties to place ads for Sky Bet on other websites without user consent. Sky Bet quickly took steps to rectify the issue, confirming to the ICO that the issue had been resolved a couple of weeks later; and the ICO verified this through testing on the same day.

Almost a year later in February 2024, the ICO informed Sky Bet that they intended to issue a public reprimand following the initial finding that Sky Bet was in breach of the UK GDPR. The ICO allowed Sky Bet the opportunity to make representations regarding the reprimand, but despite the fact that Sky Bet had rectified the non-compliance to the ICO’s satisfaction once this had been brought to their attention, the ICO ultimately decided to proceed and the reprimand has now been issued.

The ICO’s position is that a reprimand is justifiable in this case due to the potential harmful impact of the breach to individuals with gambling additions and broader society. If an individual struggles with gambling, then seeing ads for Sky Bet on other unrelated websites they visit has the potential to be distressing and harmful to that individual.

But the approach taken by the ICO of issuing this reprimand so long after the breach was not only identified but also rectified is concerning for other businesses. This is a warning that, even if you have received the “all clear” from the ICO, that a reprimand may still be published against you down the line.

Although a reprimand does not come with a financial penalty, there is a clear reputational issue associated with a public admonishment from the regulator. Indeed, for Sky Bet, this story has been published on all major UK news websites.

To an extent, some reprimands are unavoidable, and in this instance the nature of Sky Bet’s business was clearly a factor in deciding to issue the reprimand. However, this underlines the importance of getting compliance right the first time – as this type of breach is easily avoidable if proper time and care is taken to make sure that website cookies and consent management platforms are set up correctly.

At Burness Paull, we help businesses of all shapes and sizes manage their compliance with data protection laws, including setting up compliant cookies consent mechanisms and supporting with relevant policies for this. Please get in touch with our expert team of data protection lawyers to find out more.

Related News, Insights & Events