Ensuring self-excluded customers do not receive marketing materials
The following codes are relevant to this section:
LCCP: Social responsibility code provision 3.5.3
You must take steps to remove the name and details of a self-excluded individual from any marketing databases used by your company or group (or otherwise flag that person as an individual to whom marketing material must not be sent), within two days of receiving the completed self-exclusion notification.
You must take responsibility for any third parties you contract for the provision of any aspect of your business related to the licensed activities. Where you have a relationship with a third party which sends marketing materials to your customers, you must take all reasonable steps to ensure they do not send material to those who have self-excluded.
Affiliates or third parties
Gambling businesses must comply with the relevant requirements set out in LCCP, the Data Protection Act 2018 (opens in new tab) and Privacy and Electronic Communications Regulations (PECR) (opens in new tab) when using affiliates to undertake direct marketing. We, and the ICO, consider that you are primarily responsible for any breaches.
You should address the risks associated with using affiliates to acquire customers on your behalf through direct marketing by email or SMS. Those who have self-excluded are particularly vulnerable due to the risk of problem gambling harm and the sensitivity of their personal data.
You could manage the risk of an affiliate marketing to those who have self-excluded by ensuring that the affiliate removes from its marketing list any individual who has self-excluded. However, you will be held responsible if the affiliate does not process and manage that data appropriately.
Taking action on failures to prevent marketing material being sent to self-excluded customers
It is a breach of the social responsibility code if you are unable to demonstrate that you had taken all reasonable steps to prevent marketing materials from being sent to self-excluded customers.
You should also take the same steps to prevent marketing to customers whose self-exclusion has expired but who are yet to make a positive decision to return to gambling. We will consider such cases in light of the specific circumstances involved but we would be unlikely to accept that you had taken all reasonable steps if there was a single point of failure (such as a mistake by one member of staff or at a single stage of the process) which had led to marketing materials being sent to self-excluded customers.
Social responsibility code provision 1.1.2 (Responsibility for third parties) requires you to take responsibility for third parties with whom you contract for the provision of any aspect of your business related to the licensed activities.
Where you have a relationship with a third party which sends marketing materials to customers, you must take all reasonable steps to ensure that the provisions of social responsibility code provision 3.5.3 are not breached.
Where self-exclusion has expired
You should also take the same steps to prevent marketing to customers whose self-exclusion has expired but who are yet to make a positive decision to return to gambling.
Issues to be aware of and manage to prevent failures from occurring within your business
Operators who have sent marketing material to self-excluded customers in error have reported that this occurred for one or more of the following reasons:
- individual members of staff using manual “work-arounds” of systems designed to ensure that the accounts of self-excluded customers are excluded from e-mail and SMS marketing campaigns
- members of staff not following policies and procedures
- the recycling of old customer lists which had not been updated to remove the contact details of self-excluded customers
- technical vulnerabilities in control systems
- failures to clearly differentiate between those customers who had taken advantage of other gambling control tools (such as time-outs) and those who had self-excluded.
Operators have informed us that following incidents of this kind, they have taken steps to prevent a recurrence including:
- addressing single point of failures (that is, parts of the relevant systems that, if they fail, will stop the entire system from working)
- removing the ability for staff to use manual work-arounds
- introducing additional checks, controls and failsafe mechanisms.
Key events: reporting incidents
The following code is relevant to this section:
You should notify us of any matters which in your view could have a material impact on your business or affect your compliance.
Given the potential impact on vulnerable people, we expect all incidents in which you, or one of your affiliates, send marketing material to self-excluded customers to be reported as a key event.
Such incidents are likely to breach the Privacy and Electronic Communications Regulations (PECR) (opens in a new tab) and should also be reported to the Information Commissioner’s Office (ICO).
The ICO has also produced direct marketing guidance (opens in a new tab). This includes helpful information on PECR and Section 11 of the DPA, as well as practical advice on safeguards such as the maintenance of marketing suppression lists.
Last updated: 13 April 2022
Show updates to this content
No changes to show.