Is Your Casino Using AI to Profile You? Your Rights Under GDPR

Table of Contents

Online casinos often use sophisticated AI to analyse your betting behaviour, build player profiles and send tailored offers. In one recent case, Sky Betting & Gaming was found to be collecting around 500 data points per user, tracking things like your favourite games or typical play times. While personalised bonuses may sound helpful, they rely on profiling your personal data. Under the UK’s GDPR rules, you have rights over how this data is collected and used. This blog explains how casino AI profiling works and what GDPR protections you have. If you feel your data has been misused, specialist data protection solicitors or gambling lawyers can advise on taking action.

How Casinos Use AI Profiling

AI profiling means casinos use algorithms to analyse your behaviour and predict your preferences. In legal terms, profiling is “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects” (like your spending habits, time of play, or preferences). For example, a casino might notice you always play slots late at night or frequently bet on roulette, and flag you as a “high‑value” or potentially at-risk player. They then use this profile for targeted marketing – sending you special offers when you are most likely to gamble more.

In practice, casinos often mix first-party data (your account info and play history) with third-party data (from ad partners and analytics firms). Evidence in the Sky Betting & Gaming case showed that besides their own data, casinos may buy “data points” from companies like Signal or Iovation to enrich profiles. These hundreds of data points are then fed into machine-learning models to predict what games or bets will entice you. The result can be a flood of personalised emails, pop-up offers or ads. For most players, this passes unnoticed, but if you’ve ever felt bombarded with casino ads about your favourite games at exactly the wrong time, profiling might be why.

  • Common uses of profiling in casinos:
    • Personalised promotions (bonuses targeted to your play style).
    • Dynamic risk scoring (detecting problem gambling patterns).
    • Segmentation (grouping “high value” vs casual players).

If this level of data processing feels intrusive, you’re not alone. Good news: GDPR requires transparency and control. You have legal rights to know what data is held and how it’s used.

Your Rights Under GDPR

The General Data Protection Regulation (GDPR) – retained in UK law – gives data subjects (that’s you, the player) powerful rights over personal data. When a casino processes your data (even through AI), it must respect these rights. Key rights include:

  • Right of Access: You can request copies of the personal data a casino holds about you. This includes any profile or score they’ve built. A Data Subject Access Request (DSAR) forces the casino to disclose what it knows.

  • Right to Rectification: If your data is incorrect (e.g. your stated age or play preferences), you can ask the casino to correct it.

  • Right to Erasure (“Right to be Forgotten”): You can demand deletion of personal data that is no longer necessary. For example, if you close your account or want to remove profiling data, you can ask them to erase it under GDPR.

  • Right to Withdraw Consent: If the casino is relying on your consent to process data (for marketing or AI profiling), you can withdraw that consent at any time. Once withdrawn, they must stop using your data for that purpose.

  • Right to Object: You have a specific right to object to profiling or automated decision-making in certain cases. This means you can ask the casino to stop automated profiling that affects you.

  • Automated Decision-Making: GDPR Article 22 gives you the right not to be subject to a decision based solely on automated processing (like AI) that has legal or similarly significant effects on you. If an AI model is effectively deciding something important (e.g. imposing new betting limits or blocking games automatically without human review), you can challenge that. Casinos must provide the right to human intervention if such decisions are made.

  • Data Portability: In some cases, you can ask for your data in a portable format to transfer elsewhere.

By law, casinos must tell you about these rights in clear privacy notices. They must also have a lawful basis for processing (such as consent or legitimate interests). Importantly, the purpose of processing must be clear and justified. If the casino says “for safer gambling” but then uses the same data for aggressive marketing, that may breach the purpose limitation and consent rules. In fact, the Sky Betting case found that having data for safer gambling did not automatically justify using it for marketing.

The Data Minimisation Principle

GDPR includes a data minimisation principle: casinos should only collect personal data that is necessary, relevant, and limited to the purposes they have specified. In simple terms, a casino should identify the minimum amount of data it needs to provide services or meet its legal obligations, and hold no more than that.

“So you should identify the minimum amount of personal data you need to fulfil your purpose. You should hold that much information, but no more.”

This means an online casino needs basic details for your account, for fraud prevention, and to ensure game fairness – but should not hoard excessive personal data “just in case.” For example, collecting detailed data about your non-gambling interests or social media activity, if unrelated to providing the service, could violate data minimisation. Likewise, keeping old data about you after you’ve left the site is discouraged.

If you suspect a casino is storing too much data (for example, tracking your every click or buying extra data points from ad networks), that may breach GDPR. Under your right, you could request that they delete unnecessary data. The ICO advises reviewing what data is still needed and deleting old data. In practice, you can highlight data minimisation in your GDPR request: ask the casino why it needs each piece of your information. If they have none of no satisfactory answer, you can insist it be removed.

Curious about what happens to your personal details after you click “accept”? Our companion guide, Can Online Casinos Sell Your Data? What Players Need to Know About Privacy Laws 2025 explores the new rules on data-sharing and how they affect UK players.

Landmark Case: Sky Betting & Gaming

A recent High Court case illustrates these issues in practice. A man who had lost thousands of pounds on gambling discovered, through GDPR data access requests, that Sky Betting & Gaming (SBG) had been extensively profiling and targeting him while he tried to recover from addiction. SBG was using hundreds of data points (from both its own platform and third parties) to build a detailed profile of the player. It then bombarded him with tailored marketing offers – exactly the opposite of “safer gambling.”

The court emphasised that consent in gambling must meet a high standard. Gamblers are considered vulnerable, so the consent must be “freely given, specific, informed and unambiguous”. In this case, the player’s ability to give free and informed consent was compromised by his addiction. The court found he “did not properly consent” to being profiled and marketed to, because his problem gambling affected his judgment. In other words, ticking a box on a website or clicking “accept” on cookies does not override your fundamental rights if you weren’t in a position to consent.

The ruling also made clear that casinos cannot easily switch to another lawful basis (like legitimate interests) to justify profiling for marketing. Even though SBG had tried to rely on “legitimate interests,” the court suggested that in the gambling sector, where aggressive marketing can harm vulnerable people, controllers cannot just ignore consent rules.

Key takeaways from the case:

  • Enhanced Consent Requirements: Gambling companies must be especially careful that any consent to data processing (like profiling for offers) is truly voluntary and informed.
  • Right to Know: The player only discovered the profiling because he exercised his GDPR access right. This shows the power of requesting your data.
  • Purpose Caution: Data collected for safe-gambling reasons cannot be repurposed for marketing without new consent.
  • Risk of Profiling: The court found it “obvious” that marketing targeted at problem gamblers carries legal risk.
  • No Easy Loopholes: Casinos shouldn’t assume profiling is allowed under legitimate interests without careful justification.

This case is a reminder that if AI profiling or automated marketing hurts you, the law may already be on your side. It underlines why knowing your GDPR rights is crucial.

What to Do If You Suspect Unfair Profiling

If you’re worried that a casino is using AI to profile you inappropriately, here are steps you can take:

  1. Check the Privacy Notice: Look at the casino’s privacy policy. It should explain what data is collected and why. See if it mentions profiling, automated decision-making or targeted ads. If it’s unclear or missing, that’s a red flag.
  2. Use Privacy Settings: Many sites have cookie banners or settings where you can reject non-essential cookies. Exercise these controls. For example, reject advertising cookies if possible.
  3. Submit a Data Subject Access Request (DSAR): Under GDPR, you can ask the casino for a copy of all personal data they hold on you (including any scores or profiles). This will show what they’ve tracked. The Sky Betting claimant did exactly this and uncovered hundreds of data points on himself.
  4. Exercise Your Rights: If you find data you didn’t expect, you can ask for it to be corrected or deleted. Cite your rights to erasure and minimisation. If you gave consent to processing, you can withdraw it in writing. Also, explicitly object to profiling if you feel it’s harmful or unfair.
  5. Request Explanation: If there has been an automated decision (like being temporarily blocked or given a restrictive offer), ask for a human explanation. By law, the casino must describe the logic behind automated decisions if they significantly affect you.
  6. Complain to the ICO: If the casino doesn’t comply, you can complain to the UK Information Commissioner’s Office. The ICO has enforced GDPR in gambling before. For example, in 2024, it reprimanded Sky Betting & Gaming for using advertising cookies to process people’s data “without their consent”. The ICO treats improper data use in gambling very seriously.
  7. Seek Legal Advice: Consider contacting a gambling solicitor or gaming lawyer. They can advise whether the casino’s practices breach UK gambling law or consumer protection laws. If you’ve suffered losses because of profiling (e.g. deeper gambling problems), you might have a legal claim. Many firms, including ours, offer no-win no no-fee gambling solicitors arrangements for eligible cases.

Following these steps can help you regain control. Remember, under GDPR, the burden is on the casino to justify its data practices, not on you to prove wrongdoing.

Enforcement and Complaints

The UK’s Gambling Commission and industry bodies like the Betting and Gaming Council (BGC) expect casinos to follow both gambling regulations and data protection laws. Licensed operators commit to responsible gaming and must respect player privacy. If a casino operates outside these rules (for example, an illegal gambling site without a UK licence), it likely ignores GDPR too, meaning you have even fewer protections. Stick to regulated sites to ensure legal oversight of your data rights.

Enforcement is real: the ICO and courts have acted against gambling companies. As noted, the ICO publicly warned SBG in 2024 for using cookies without consent. The High Court case we discussed was also a warning shot. Regulators are collaborating with groups like Clean Up Gambling to monitor data abuse.

If you believe a casino has violated your rights, you can:

  • Lodge a Complaint with the Gambling Commission: They handle licensing issues.
  • File a GDPR Complaint with the ICO: The ICO can investigate data protection breaches. Use their online forms or helpline.
  • Use Dispute Resolution: Some casinos participate in alternative dispute resolution (ADR) for player complaints.
  • Legal Action: As a last resort, a court claim might be possible. Our gambling solicitors have experience in both data protection law and gaming law.

How Player Protection Legal Can Help

At Player Protection Legal, we specialise in gaming law and data protection. Our team of gambling solicitors and data protection solicitors advises casino players on issues like unfair practices, site misconduct, and privacy breaches. We can:

  • Review your case and explain your GDPR rights and gambling law options.
  • Help you make GDPR requests (access, erasure, etc.) and formal complaints.
  • Advise on safe gambling and compliance with Betting and Gaming Council commitments.
  • Represent you against unlicensed or illegal gambling operators.
  • Assist with betting disputes, payout refusals, or game fairness issues under UK law.
  • Help manage any debt consequences. For example, if profiling led to problem gambling, our CCJ solicitors can advise on County Court Judgments or debt issues. We offer services like CCJ removal for qualified clients.
  • Operate on a no win, no fee basis in many gambling cases, making it easier for you to seek justice without upfront costs.

Our gambling lawyers in the UK understand both sides – we protect players’ rights and know the regulatory landscape. We can negotiate with casinos, alert regulators, or take legal action if needed. You don’t have to face aggressive profiling or any other unfair casino practice alone.

Summary: Casinos use AI profiling to maximise revenue, but under GDPR you have rights to limit and challenge this data use. Remember that the data minimisation principle means they should only hold what’s necessary, and you can request deletion of unnecessary data. If you suspect abuse, use your access and objection rights, complain to the ICO, and get legal advice. Our gambling solicitors are here to support you, ensuring that your personal data is respected and that casinos play by the rules.