The EU Privacy Regulation will oblige gaming affiliates to comply with stringent requirements in the processing of personal data of players.

I have already discussed in several blog posts about the EU General Data Protection Regulation (GDPR) and how this is going to represent a ground breaking change in the approach to privacy compliance. And this change in the approach will impact also gaming affiliates, and consequently operators in their selection.

Why gaming affiliates will be obliged to take privacy seriously

The new approach to privacy compliance is due not only to potential sanctions that will be increased to 4% of the global turnover and can be issued both against operators and affiliates, but also because the potential loss of players’ data (the so called “data breach”) might lead to major liabilities and damages, including reputational damages, for both operators and affiliates.

Indeed, in case of data breach, affiliates will be obliged to notify it to the operator “without undue delay after becoming aware of a personal data breach“. This seems a quite flexible wording, but since operators are obliged to notify data breaches to the competent privacy authority “not later than 72 hours after having become aware of it“, if an affiliate is not able to identify and does not notify a data breach to the operator within less than 72 hours from its occurrence, this might be considered per se the evidence of a lack of compliance with privacy regulations.

Also, in some cases, notifications of data breaches shall be performed to the benefit of players as well which will further increase the potential damages (including reputational damages) for both affiliates and its operators. This is also because in case of claims from authorities and players, affiliates will have to prove to have performed what is required under privacy laws to comply with data protection regulations, as the burden of proof will be on them of showing privacy compliance according to the so called principle of accountability.

The main principles on the matter above can be summarised as follows

  1. players can file direct claims for breach of their privacy rights against both operators and their gaming affiliates if the breach is the result of the conduct of affiliates;
  2. gaming affiliates’ liability arises only if they did not comply with the obligations imposed specifically on data processors by the EU General Data Protection Regulation or did not act within the scope of the lawful instructions of the operator;
  3. the burden of proof of showing privacy law compliance is on the gaming affiliate which shall prove that it was not liable;
  4. in case of more than one operator or affiliate, each of them is liable for the refund of the whole damages;
  5. gaming affiliates are liable for the misconducts of their sub-affiliates appointed by them i.e. of the network of affiliates reporting to a “master” affiliate.

Why operators will start scrutinising the privacy compliance of their gaming affiliates

Up until now, my personal experience has been that there was a tendency to draft data processing agreements with a standard format which was used for any type of supplier, including gaming affiliates that were often not even appointed as data processors, regardless of the categories of data and modalities of data processing activity that it was meant to perform.

The scenario completely changes with the EU Privacy Regulation that will oblige operators to renegotiate all the data processing agreements. Indeed, the GDPR provides for a detailed list of instructions that have to be contained in the agreement.

How long is the line of processing?

Gaming affiliates shall be instructed to “not engage another processor [i.e. another sub-affiliate] without prior specific or general written authorisation of the controller [i.e. of the operator]“. This is a principle which is “in theory” already in place, but there are affiliates where the “line of data processing” is made of 5+ entities which were sometimes almost totally ignored by the operator that had not even been notified of their identity. The EU Data Protection Regulation introduces more flexibility in appointing sub-affiliates, but such flexibility still requires that operators are able to have at any time a full picture of the data processing activities performed on their behalf.

Is data kept secure and operators have full control of data breaches?

Gaming affiliates need to be required to comply with the same “appropriate technical and organisational measures to ensure a level of security appropriate to the risk” that are imposed on the instructing party (i.e. the operator). But how is this complied with by gaming affiliates or their sub-affiliates that are sometimes very small organizations? Will this oblige operators to more carefully select their gaming affiliates?

The review of the level of conformity with privacy laws of gaming affiliates which is something that is either not performed at all or carried out only in relation to very large affiliates will become an obligation to be periodically (e.g annually) performed. If an affiliate is not able to ensure privacy compliance, operators will be obliged to either terminate the relationship with it or take the risk of potential liabilities.

How are audits performed?

The GDPR requires that gaming affiliates commit to make available to the controller all information necessary to demonstrate compliance with its privacy obligations and allow for and contribute to audits, including inspections, conducted by the operator or another auditor mandated by the operator.

This obligation is reinforced by the need for gaming affiliates to keep a “record of all categories of processing activities carried out on behalf of a controller“. Therefore, a gaming affiliate that might process personal data on behalf of several operators, such affiliate shall keep a separate record of the categories of processing activities carried out by each of his operators.

How shall gaming affiliates be selected by operators?

Because of the scenario above, the selection of gaming affiliates might require a much more detailed due diligence on them. Data protection authorities have not yet accredited certification entities which might certify the level of privacy compliance of their clients, but this is likely to become in the long term a “must-have” or at least will represent a competitive advantage.

Regardless of the presence of any sort of certification, it is recommendable that – at least prior to the effective data of the EU General Data Protection Regulation – operators

  1. map all their gaming affiliates and their sub-affiliates that shall be disclosed;
  2. oblige those entities to provide the registry of data processing activities required by the GDPR, outlining – among others – all the data processing activities performed on behalf of the operator and the measures put in place to protect personal data;
  3. exclude those gaming affiliates that are too small or reluctant/unable to comply with the GDPR privacy obligations, requiring in any case affiliates to have a very limited line of sub-affiliates;
  4. perform – even remotely through webinars with multiple questions – a training to gaming affiliates on the measures required by the GDPR and repeat such training at least every other year;
  5. enter into a new data processing agreement with each gaming affiliate meeting the requirements of the GDPR;
  6. perform periodic random audits and have in place technical measures aimed at identifying potential illegal access or processing of personal data processed on their behalf; and
  7. require each gaming affiliate to send at the end of each year the updated version of the registry of point 2 above together with a filled in checklist showing their the full compliance with the GDPR and the lack of any data breach or lack of compliance to report.

I can expect that there will be a transitional period of adjustment, but the first sanctions and the potential negative publicity might be a relevant driver for the change in the approach to privacy compliance.