Revealed: gambling firms secretly shared users’ data with Facebook without permission | Gambling

Gambling companies are covertly tracking visitors to their websites and sending their data to Facebook’s parent company without consent in an apparent breach of data protection laws.

The information is then being used by Facebook’s owner, Meta, to profile people as gamblers and flood them with ads for casinos and betting sites, the Observer can reveal. A hidden tracking tool embedded in dozens of UK gambling websites has been extracting visitors’ data – including details of the webpages they view and the buttons they click – and sharing it with the social media company.

By law, data should only be used and shared for marketing purposes, with explicit permission obtained from users on the websites in which the tools are embedded. But testing by the Observer of 150 gambling sites – including virtual casinos, sports betting sites and online bingo – found widespread breaches of the rules.

This weekend, Iain Duncan Smith, the Conservative chair of the all-party parliamentary group on gambling reform, called for an “immediate intervention”. He said: “The use of tools such as Meta Pixel without explicit consent seems wholly in breach of the law and should be immediately stopped. The gambling industry’s marketing practices are now out of control, and our regulatory structure and codes of practice are repeatedly shown to be inadequate. This cannot go on.”

Wolfie Christl, a data privacy expert who has investigated the ad tech industry, said: “Sharing data with Meta is highly problematic, even with consent, but doing so without explicit informed consent shows a blatant disregard for the law.

“Meta is complicit and must be held accountable. It benefits from facilitating problematic and unlawful data practices for its clients and systematically looks the other way, using its terms and conditions as a shield rather than seriously enforcing them.”

Of 150 websites tested by the Observer, 52 shared data automatically via the Meta Pixel tracking tool without explicit consent, according to analysis of network traffic. The sites found to have transmitted data to Facebook without permission included Hollywoodbets, Sporting Index, Bwin, Lottoland, 10Bet and Bet442.

The data transfer happened automatically on loading the webpage, before the person clicked to agree or decline marketing. At no point during the testing did the reporter agree to the use of their data for marketing.

In the days afterwards, they were bombarded with Facebook ads for gambling websites, indicating that they had been profiled by Meta as someone interested in gambling as a result of the unlawful data sharing.

In a single browsing session, they were shown gambling ads from 49 brands – not just websites that had shared their data unlawfully, but others too. This included betting companies that were unaware of the unlawful data sharing and whose own use of Meta Pixel was within the rules – among them, Ladbrokes, Sky Bet, BetVictor, Tombola and Bet365 – as well as dozens of smaller brands.

The offers included free bets, a “new players offer” with a 200% bonus and a “gold blitz” with the chance to “win up to 5,000 times your bet”.

Details of the data sharing and profiling come amid calls for a wider investigation into targeting of gamblers. In September, the Information Commissioner’s Office (ICO) issued a reprimand to Bonne Terre Ltd, trading as Sky Betting & Gaming, for unlawfully processing people’s data through advertising cookies without their consent. The brand said at the time it regretted a “technical error”, which had been rectified.

As the Observer reported last week, in a separate case, Sky Betting & Gaming collected hundreds of thousands of pieces of data about a problem gambler who was sent more than 1,300 marketing emails. The high court found the data use unlawful, ruling that the compulsive nature of the man’s gambling meant his ability to give consent was impaired. The company said it had made significant changes since the claimant’s experience in 2017-19 but “fundamentally disagrees” with the ruling and is considering an appeal.

The Gambling Commission has announced measures to prohibit cross-selling, where companies target existing customers with ads for other parts of their business. But there is nothing to prevent brands relying on profiling by third parties such as Meta to try to recruit new customers.

Meta did not comment on the Observer’s findings but pointed to its terms and conditions, which stipulate that companies should obtain consent before sending it data. “We educate advertisers on properly setting up business tools,” a spokesperson said.

The Liberal Democrat peer Don Foster, chair of Peers for Gambling Reform, said: “It is critical that gambling companies and online platforms act lawfully, and it is concerning to see evidence of continued unlawful practices.” Prof Heather Wardle, a gambling research specialist at Glasgow University, said: “This kind of untamed marketing is hugely risky. If you are already experiencing difficulties from gambling, it is likely to make you gamble more.”

The Observer has previously reported on the misuse of Meta Pixel in other sectors, including by NHS trusts that were inadvertently sharing sensitive health data. The ICO said last year that it was conducting a “wide-ranging review” of tracking pixels, which must be used “fairly, lawfully and transparently”, and that it would “not hesitate” to take enforcement action if needed, which can include fines of up to £500,000. “Too often, there is a lack of accountability for how these tools collect and use people’s personal information, with poor transparency and deceptive design,” a spokesperson said.

After being contacted by the Observer, several gambling operators updated their websites to prevent automatic data sharing – or removed the Meta Pixel tool altogether.

One betting brand, Bwin, a previous sponsor of Real Madrid and the Uefa Europa League, shared data on people visiting a promotional page for a £20 free bet. The data sharing happened automatically on loading the website, without the person being asked for consent.

A Bwin spokesperson said: “Due to an internal error, the promotional page was not fully aligned with other group sites. We are deeply committed to ensuring that personal data is handled appropriately and have taken immediate action to rectify the issue.”

Twenty-six websites operating under the licence of gambling group AG Communications appeared to be sharing data with Meta automatically and without explicit consent, including Bet442, King Casino, 666 Casino and 24Spin. A representative said it took compliance with its obligations extremely seriously.

Another company, Hollywoodbets, which sponsors Premier League club Brentford, showed website visitors a consent banner telling them that it shared data with its “social media, advertising and analytics partners” – and giving them the option to “allow all”.

But the Observer’s testing found that even if the person did not click accept, data was shared with Meta, including details of which pages they viewed and the buttons they clicked.

The person was subsequently shown Facebook ads for Hollywoodbets, and Meta’s activity logs showed that data had been received from the website. A representative of Hollywoodbets said it complied with all regulatory requirements but declined to comment further.

Lottoland, which says it has 20 million customers, declined to comment. Its website includes a banner that appears to give people the option to “accept all” or “reject nonessential” tracking. But the Observer’s testing found that it sent data to Meta before the website visitor had indicated their choice.

Sporting Index and 10Bet did not respond to comment requests.

The Betting and Gaming Council, which represents the industry, said: “Advertising must comply with strict guidelines, and safer gambling messaging is regularly and prominently displayed. The previous government stated that research did not establish a causal link between exposure to advertising and the development of problem gambling.”

The Gambling Commission, which regulates betting companies, said: “Operators may only collect and use data to attract custom in ways that are lawful and in compliance with data protection legislation, and their focus should be on preventing gambling harm. Questions around data protection are a matter for the ICO.”

Flutter, which owns several brands that served ads on Facebook but did not share data with Meta unlawfully, said it had “acted appropriately and gained consent at all times”.

Bet365 declined to comment but is understood to deny setting up marketing campaigns that specifically target users of other gambling websites. The other advertisers did not comment.