October 14, 2024
Law360
In September, the Information Commissioner's Office (ICO) issued a formal reprimand to Bonne Terre Ltd., trading as Sky Betting and Gaming, for unlawfully processing people's data through advertising cookies without their consent in breach of the U.K. General Data Protection Regulation.
The reprimand followed an investigation into Bonne Terre's personal data processing practices concerning the use of certain cookies that were set on the browsers for individuals when they accessed its SkyBet website from Jan. 10 2023, to March 3, 2023.
This reprimand issued by the ICO emphasizes the need for companies to obtain clear and informed consent from users before deploying cookies on their websites. It serves as a significant reminder for companies to ensure their cookie policies are transparent and compliant as regulatory enforcement around data privacy in the digital sphere continues to intensify.
Bonne Terre is a company operating under Flutter Entertainment PLC, providing various online betting and gaming products, including services provided through the domain name SkyBet.com.
In January 2022, Clean Up Gambling, a U.K. advocacy organization, published a report alleging that SkyBet was transferring extensive amounts of personal data to third parties without informed user consent. Following these allegations, in October 2022, the ICO launched an investigation into whether Bonne Terre was processing personal data in compliance with the Data Protection Act 2018 and the U.K. GDPR.
The investigation found that when users would first visit SkyBet, they would encounter SkyBet's consent management platform pop-up, which informed users that, "If you accept 'all cookies' you are agreeing to the storing of cookies on your device to enhance site navigation, assist with our marketing efforts, and analysis of product usage."
Users had the option to accept all cookies, which Bonne Terre treated as consent to the collection of users' personal data by third-party vendors.
MediaMath, a demand-side platform contracted by Bonne Terre, used a pixel embedded within SkyBet to facilitate the setting of approximately 40 third-party marketing cookies upon a visitor's immediate arrival to the website.
Therefore, cookies were placed on users' devices before the users set their preferences within the consent management platform, and therefore before users were able to give informed consent. This violated key provisions of the U.K. GDPR regarding lawful data processing and transparency in obtaining consent.
In particular, the ICO found Bonne Terre in breach of the following U.K. GDPR provisions:
In making the decision to issue a reprimand, the ICO considered the circumstances as a whole. Relevant factors included the following:
While Bonne Terre took a number of mitigating steps, the ICO stressed that the unlawful disclosure of personal data to third parties is a matter of significant public concern, particularly where it occurs in a commercial context.
The ICO emphasized in particular the importance of lawful and fair processing of personal data in the gambling sector, which frequently has a customer base that includes vulnerable users. In light of the circumstances, the ICO issued a reprimand, rather than a monetary penalty, as an effective, proportionate and dissuasive measure.
The ICO advised Bonne Terre to continually monitor and review its cookie management practices to ensure that nonessential cookies are only deployed after valid user consent has been obtained. If Bonne Terre fails to comply with these recommendations in the future, the ICO warned that it could escalate the matter and consider further formal regulatory action.
The ICO's decision to issue Bonne Terre with a reprimand provides a number of key learnings for data processing in the commercial context.
This decision underscores the importance of obtaining clear informed consent before deploying tracking technologies such as cookies. Companies must ensure users are fully informed of how their data will be collected and used, including who is collecting the data and what data is being collected.
Consent must be freely given, specific, informed and unambiguous in order to comply with the UK GDPR. The use of "preticked boxes" or activating cookies before consent is clearly obtained can constitute noncompliance.
The ICO reaffirmed that companies using third-party tracking technologies are considered data controllers, meaning they are responsible for ensuring compliance with data protection laws, even if third-party vendors are involved. This means rigorous measures must be implemented to control and monitor how and when user data is collected and shared.
In sectors dealing with sensitive activities like gambling, companies must implement robust protections for vulnerable users. This includes limiting the scope of targeted marketing to users who may be vulnerable, such as those with gambling addictions or financial insecurities. The case against Bonne Terre stressed the need for profiling measures to ensure vulnerable individuals are excluded from potentially harmful targeting.
This case brings attention to the reputational risks involved in noncompliance. Surveys cited in the reprimand show a high level of public concern about the use of personal data in online advertising. Companies must work toward building consumer trust by ensuring transparent and lawful data practices, while avoiding aggressive or manipulative tracking methods.
The ICO's decision stressed the importance of ongoing monitoring of cookie deployment and data collection processes. Companies should regularly review their consent mechanisms, tracking technologies and data-sharing practices to ensure they remain compliant with data privacy regulations.
The ICO's reprimand of Bonne Terre highlights the ongoing regulatory focus on the use of cookies for tracking and targeted advertising, together with the need for transparency and lawful consent mechanisms, particularly when sensitive personal data is involved.
This case serves as a reminder to all online service providers of the critical importance of adhering to data protection laws and ensuring that users have control over their personal data.
The ICO's stance in the reprimand also reflects broader concerns in the U.K. about data privacy, as evidenced by public surveys cited in the decision showing that a significant majority of individuals are concerned about how their personal data is used, especially for commercial purposes. Ultimately, this decision demonstrates the importance of fairer, more transparent data practices in the digital sphere.
Originally printed in Law360 on October 14, 2024. This article is for informational purposes, is not intended to constitute legal advice, and may be considered advertising under applicable state laws. This article is only the opinion of the authors and is not attributable to Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, or the firm’s client.
Webinar
Early Motions in Trade Secret Litigation – Offensive and Defensive Insights
July 15, 2026
Webinar
Federal Circuit IP Blog
July 8, 2026
At the PTAB Blog
June 30, 2026
Articles
How Low Can You Go? Courts Lower Marking Defense Burden, Raising Patent Damages Risks
June 29, 2026
Federal Circuit IP Blog
June 26, 2026
Due to international data regulations, we’ve updated our privacy policy. Click here to read our privacy policy in full.