- Work last year found that Bailiwick regulated gambling companies used practices that lured data from users
- The data collected can be extensive and experts have raised concerns about how gamblers are targetted
- Office of Data Protection's informal invention have now led to improvements across the industry, its annual report says.
Bailiwick gambling firms have pledged to make improvements after an informal intervention by the Data Protection Authority discovered privacy issues with their websites which could lead to users inadvertently giving up personal information then used to keep them betting.
Early last year, the ODPA swept through 19 websites of companies regulated by the Alderney Gambling Control Commission to identify features that would steer users to giving up as much of their personal information as possible.
This trove of data on customers' behaviour can then be used to send things like personalised notifications and emails to encourage further betting, something experts have warned can lead to problematic gambling.
The ODPA’s work was part of a global effort by data protection authorities focussing on Deceptive Design Patterns, also know as dark patterns.
In its latest update on the project released in its annual report, the ODPA said that all the firms involved have now agreed to act.
“Dark patterns are frequently exploited to lure in either new users or keep the attention and data of existing users,” it said in its annual report released in July.
“These features encourage users to provide more personal information than they need or make finding the most privacy-friendly settings difficult.”
What were the dark patterns?
The ODPA swept 19 websites and identified privacy issues in all cases. Specific trends included:
• Difficulty in closing accounts that had been opened.
• Extremely complex language and readability scores for privacy related information and over 70% of policies came out at over 3,000 words. Policies ideally are kept clear and concise with accessible language.
• Approximately 50% of websites required additional steps if a user wanted to select the most privacy-protective option.
• Approximately 30% of cases highlighted that the user was required to visit a third-party site to amend privacy related settings.
• Approximately 40% of cases showed that where a user was unable to find the privacy settings, they were required to provide personal information or to register/log-in to the account to make further privacy choices.
• In approximately 40% of cases, the sweeper could not find privacy-related information on the website.
“Every website swept had examples of dark patterns and so each company was approached and asked to make improvements.
“Every company committed to making changes, making it clearer how data was to be used and easier for people to be in control of their own information.
“This was a huge success having elevated privacy practices across an industry in a matter of months, versus the cost and time it would have taken to address such concerns individually through multiple investigations.”
ODPA chairman Richard Thomas said: “The swift improvements agreed with gambling companies based in Alderney provided an excellent example of the results which informality and international co-operation can achieve.”
The work was undertaken as part of the Global Privacy Environment Network Sweep, which involved participants from 26 privacy enforcement authorities from around the world.
Nearly all of the 1,000 websites and apps looked at employed one or more deceptive design patterns.
Indications of dark patterns:
Complex and confusing language: is the language required to make decisions about the users' personal information inaccessible to general audiences?
Interface interference: is the interface of a website or app designed to steer the user to accept the least privacy protective option?
Nagging: does the website or app repeatedly prompt the user to select or reconfigure their privacy settings in a manner that is less privacy protective?
Obstruction: does the website or app create obstacles to prevent or dissuade the user from getting information about the privacy practices or making privacy-protection decisions?
Forced action: does the website or app force or trick users into thinking it is necessary to provide their (or others') personal information to use the service?
A brief example of how a gambling website might gather and use your details
We’ve all been there.
You visit a website for the first time and a pop up appears about cookies.
Often Accept All is coloured to encourage you to absentmindedly click it. Or if you do move to make a different choice, the buttons are subsequently arranged in an order to trick you into accept all.
Sometimes it’s an absolute minefield to try and turn off cookie collection, and all the time the site encourages you, talking about optimising your experience.
Websites can store or retrieve information from your browser, normally from cookies.
They can be useful, like filling in addresses or emails, but they are also used by the firm behind the site to target things like advertising at someone based on their use.
Some people might find that helpful, but imagine you were someone trying to give up gambling but every time you used the internet you were targeted by betting offers?
The Privacy Policy of one Alderney licensed gambling site examined by The Quarry this week came in at 2,500 words and showed just how many routes there are for a company to sweep up data.
Filling in forms, interacting with a website, taking part in prize draws or surveys, emails, phone calls, interacting with them on social media means they can collect your public profile.
Some of the data is used for legal compliance, like credit and money laundering checks.
Some is used to allow you to access the site and your account.
Some is used to target adverts at you when you are on other websites.
Cookies are another form of data collection.
Some are only temporary and do not allow the company to collect any personal data or private information from a user’s divide.
Others are persistent. They remain until a user deletes them.
Personalisation cookies allow the website to remember choices you make, in this instance your preference for a type of odds or the currency you want to use.
Non-essential cookies allow a company to follow how you use their site and then target marketing messages, for example free bets or 0% commission products.
The privacy policy on this site ended with: “We strongly recommend that you permit the use of cookies; if you choose to disable cookies by modifying the settings in your browser then you may find that certain sections of the Website do not work as they should, and we do not accept any liability to you for any losses you incur as a result of this.”
It is harder to get your data deleted than it is to give it up. One simple button click does the latter, but you have to contact the company and ask for you data to be removed for the former.
Go further...
The Take Time to Think: Safer Gambling campaign has information on identifying and getting help with problem gambling.
For more background and evidence on the public health consequences of gambling, see this report from The Lancet Public Health Commission.
For more on the ODPA and its annual report.
For more on AGCC.
Comments ()