The National Gaming Authority and the French data protection authority clarify how operators must handle players' personal information, with a special focus on customers, promotions, prevention of excessive gambling, and anti-money laundering.
The Autorité Nationale des Jeux (ANJ) has developed, in collaboration with the CNIL, a specific guide on the processing of personal data in the gambling and betting sector in France. The document seeks to clarify the application of the GDPR in a highly regulated activity, where operators handle an increasing volume of player data and must reconcile compliance, user protection, security, prevention of excessive gambling, and anti-money laundering obligations.
The guide does not create new obligations, but rather offers practical recommendations to help operators comply with rules already in force since 2018. The document starts from a key premise for the sector: gambling and betting are neither an ordinary trade nor an ordinary service, which means that data processing must be analyzed within a specific framework of responsibility, supervision, and protection.
The text is aimed at operators legally authorized in France, including exclusive rights holders like FDJ and PMU, online operators authorized by the ANJ in sports betting, horse race betting, and poker, as well as casinos and gaming clubs. It is also relevant for suppliers involved in processing player data, such as marketing companies, payment providers, technology hosts, or identity verification services.
Three major focal points for the sector
The guide structures its analysis around three areas that are particularly sensitive for operators: customer management and commercial prospecting, the prevention of excessive or pathological gambling, and the fight against money laundering and terrorist financing.
Regarding customer management, the document recalls that opening and operating player accounts requires processing data related to identity, address, payment account, transaction history, balances, promotions, financial movements, and data necessary for gaming traceability. The ANJ and the CNIL insist that every processing activity must have a clear purpose, an appropriate legal basis, and a justified retention period.
The guide also warns about the need for special caution in commercial prospecting. The sector can use recruitment and loyalty tools, but must do so taking into account the particular nature of gambling and the associated risks. One of the most relevant ideas for operators is that data used to prevent or detect risky behaviors cannot be reused to send commercial offers.
Risk data cannot become commercial data
One of the most important points of the document is the separation of purposes. The ANJ and the CNIL underline that an operator cannot reuse a surveillance file of players with excessive or pathological gambling practices to propose commercial offers to them. Instead, it can use that information to limit or suppress the delivery of promotional communications, because in that case, the purpose remains prevention.
For professionals in the sector, this precision is highly relevant. It reinforces the idea that GDPR compliance cannot be separated from responsible gambling policy. Segmentation, CRM, loyalty programs, VIP profiles, and promotional campaigns must be designed from the beginning with data protection and risk prevention criteria.
DPO, processing registry, and privacy by design
The document reminds operators that they must integrate data protection from the conception of games, platforms, and processes. Among the first compliance measures are the designation of a DPO, data and processing mapping, clear information for players, and the implementation of appropriate security measures.
The guide notes that, in principle, the designation of a DPO is imposed on gambling operators due to the regular and systematic monitoring of individuals on a large scale or the processing of sensitive data. Even in small establishments where large-scale processing does not occur, the designation is expressly recommended.
It is also recommended to centralize the personal data policy in a clear, visible, and understandable document, separated from gaming regulations and general terms of use. In the case of land-based operators, the CNIL recommends that information be adapted to the physical environment through information panels or sheets accessible at the point of sale.
Impact assessments for prevention and laundering
The guide pays special attention to data protection impact assessments (DPIAs). The ANJ and the CNIL recall that these assessments are mandatory when processing is likely to result in a high risk to the rights and freedoms of individuals.
In practice, the document indicates that gambling operators must conduct a DPIA for processing aimed at identifying players with excessive or pathological gambling habits and for processing linked to the fight against money laundering and terrorist financing.
This point directly affects critical business areas: early detection models, cross-referencing indicators, behavioral profiling, financial analysis, activity limitations, player exclusion, and internal control systems.
Security, restricted access, and traceability
The guide insists on the need to protect data through technical and organizational measures proportionate to the risk. Recommendations include employee training, strict access controls, nominative accounts, robust authentication, data encryption, access logging, backups, security audits, updates, and incident response plans.
In terms of preventing excessive gambling, the document points out that only the providers involved in that specific purpose may receive the corresponding data. The CNIL rules out its transmission to commercial partners for prospecting, as it is incompatible with the purpose of prevention.
The guide also recalls that operators must retain the data necessary to demonstrate compliance with their obligations. In account-based gaming, a retention period of six years from the closure of the player's account is foreseen. For operators with exclusive rights in a physical network, casinos, and gaming clubs, the CNIL also recommends retention for six years from data collection.
Laundering: proportionality, but without excuses
In the area of anti-money laundering and terrorist financing, the guide recalls that gambling operators are subject to these obligations and must apply a logic of risk analysis and proportionality.
The document stresses that operators must ensure their processing is proportionate to each player's specific risk, taking into account the intrusive nature that certain information requests can have. However, the ANJ and the CNIL are clear: the GDPR cannot be invoked to justify a failure to comply with obligations regarding money laundering and terrorist financing.
In these processing operations, players' rights face specific limits. For example, access to certain processing linked exclusively to the anti-money laundering fight is exercised through an indirect procedure before the CNIL, and the player cannot directly or indirectly access a suspicious activity report.
A guide with operational impact for online and retail
For the sector, the guide serves as a particularly useful compliance reference because it connects three planes that are increasingly intertwined: data, responsible gambling, and regulatory control.
The document forces a close look at how player registration processes, identity verification, CRM, promotions, loyalty, segmentation, risk detection, fraud prevention, anti-money laundering, information archiving, and relationships with technological suppliers are designed.
In a market where data is already a core piece of operations, the ANJ and the CNIL send a clear message: data protection is not an isolated legal formality, but a structural part of a gambling operator's governance.
SEE GUIDE
18+ | Juegoseguro.es – Jugarbien.es
