Connect with us

Compliance Updates

GSA brings on board a new technical committee devoted to blockchain use

Athira A



Reading Time: 1 minute

While commemorating its 20th anniversary at the ICE Totally Gaming 2018, the Gaming Standards Association (GSA) and the Gaming Standards Association Europe promulgated the birthing of a new Technical Committee devoted to blockchain use. Blockchain technology is poised to revolutionise data sharing and security and holds the potential to provide unparalleled levels of transparency to the regulatory authorities. GSA’s new Blockchain Technical Committee will collaboratively address the technology and advise on possible areas where standards could be fostered.

The GSA President Peter DeRaedt said: “GSA was created to help drive innovation in the gaming industry for the benefit of manufacturers, suppliers, operators and regulators. By creating a new Blockchain Committee, we are once again proving how, by creating a standard way to use technology, GSA is achieving our mission.”

While GSA Europe Managing Director, Mark Pace stated: “Many industries are evaluating how the blockchain technology can enhance data sharing security and increase operational transparency. GSA will launch this new committee and evaluate the creation of a gaming industry standard. This is very timely and may have a significant impact on how companies can achieve GDPR and AML requirements.”

GSA standards are created through a collaboration between volunteer representatives of its members. Over the past 20 years, more than 1,600 volunteers from more than 190 companies have contributed their expertise to create 15 GSA standards in nine committees. GSA’s award-winning standards are in use around the world, driving the industry to innovation and growth.

GSA was born out of a globally recognized need to streamline processes and create standards that would spur growth, innovation and revenue. Gaming manufacturers, suppliers, operators and regulators have benefitted from GSA’s mission to facilitate the identification, definition, development, promotion and implementation of standards to enable interoperability, innovation, education and communication for the benefit of the entire industry.

Athira is a self-described “logophile” – a lover of words. She loves updating her vocabulary and playing around with words, to frame a sensible world of letters. Letters come alive when they become words and when words become sentences. And that’s her job, to put them together in a meaningful way without loosing its essence. She has written content for websites, articles and poems for an international magazine, and press releases as well. She also loves writing on social media. She holds a Masters degree in bio-technology, but she has always been interested in the organic farming of words. Besides writing content for our daily news feed, she is also working as staff writer/editor with Impressions Content Management, based in Kerala, India, which offers writing and editing services to clients around the world.

Continue Reading

Affiliate Industry

Gambling Affiliates’ Guide to GDPR

George Miller



Gambling Affiliates’ Guide to GDPR
Reading Time: 7 minutes

As of the 25th May 2018, the GDPR comes into effect, and its influence will be felt across virtually every industry imaginable where data is being collected and used on individuals located in the EU. Its overall aim is to ensure better protection of consumers’ information, both online and offline, by enforcing regulations on how data is collected, processed and secured.

What is GDPR?

GDPR stands for General Data Protection Regulation. It’s the result of over 6 years of preparation and consultation over data privacy concerns for EU consumers. The way in which data is collected and used today is profoundly different to how it was a decade ago. According to a report published in 2016 by IBM, “90 percent of the world’s data had been created in the last 12 months” and “many data analysts are suggesting the digital

universe will be 40 times bigger by 2020”.


Prior to GDPR, the ‘Data Protection Directive 95/46/EC’ attempted to harmonise the practices of EU member states in terms of their approach to data privacy. Directive 95/46/EC built on the ‘Guidelines on the Protection of Privacy and Transborder Flows of Personal Data’ first published in 1980, which was acknowledged by both the European Union and the United States, as a way to protect personal data and individuals’ privacy.


These guidelines still form the basis for the GDPR, but as they and Directive 95/46/EC were merely guidelines and directives, a more stringent and consistent approach was required to “protect the fundamental rights of individuals throughout future waves of innovation”.


The GDPR not only unifies the approach to data privacy across the EU, it also regulates it, meaning it is enforceable by law, and in turn carries penalties of up to 4% of annual turnover, or €20 million, whichever is the greater.


Pinch yourself all you like, this is happening affiliates, and failure to act now is nothing short of corporate suicide..!


The main way in which the GDPR aims to protect data subjects (individuals), is through consent. Data subjects must be made aware of the data being collected on them, why it is being collected, what will be done with it, and how long it will be retained for.

Personal Data

The most important thing for affiliates to realise is what Personal Data includes. It doesn’t stop at names, email addresses and phone numbers; it extends to social media posts, IP addresses, and even information stored in tracking cookies.

The GDPR defines it as..

any information relating to an identified or identifiable natural person


And importantly..

an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.


The use of the words ‘directly or indirectly’ is important here. Just because a person’s name and address isn’t stored in a cookie, it doesn’t mean that the information in that cookie can’t be used to identify them. Cookies used by ad networks are able to track an individual from one site to the next, extremely well. In fact, they can potentially track a user across millions of websites.


Not only must you pay attention to any data you are collecting directly from individuals, such as name, phone number, email address; you must also think about what tracking codes and analytics software you have installed on your websites, which are used to build a ‘profile’ of someone, usually for advertising purposes.


Standard analytics code doesn’t track users across websites, so providing you don’t have any advertising features enabled in your Google Analytics (or other) code, then you won’t necessarily need to obtain consent before setting those cookies. Anything more will require clear and concise consent from your visitors though, ensuring the request for consent includes what, why, and how that data is being collected and used.

Informed Choice

The ‘Cookie Law’ introduced in 2011 (yes, it’s been 7 years!) targeted the usage of non-essential cookies i.e. those not entirely necessary for the basic functionality of a website. However, it didn’t offer users much control or choice.


The GDPR aims to change this in that users should be given a choice as to whether or not they agree to non-essential cookies being stored on their computer/browser. Now, accepting that cookies used by standard analytics software aren’t essential, and that they don’t contain ‘personal data’, then where does that leave us? Well, the answer lies in transparency. So long as you are clear in your ‘request for consent’ that the cookies used in your analytics software don’t collect identifiable data, nor are they shared across websites, then you should be fine. Otherwise, if they do (i.e. you have advertising features enabled), you must obtain consent from each and every visitor before setting those cookies.

Newsletter Subscriptions & Accounts

Similarly, if you have a newsletter subscription or account creation feature on your website, then you must obtain consent from users before you can collect their data. Common practice has usually been to present a “Send me occasional news by email” or “I agree to the website T&Cs” checkbox to users. This practice is now imperative, and furthermore, the declaration should be a request for consent, and should point to your Privacy Policy (it can’t be hidden in your T&Cs) which contains the full ‘request for consent’ in a clear and intelligible form, remembering to detail the what, why’s and how’s.


And whatever you do, don’t pre-tick the checkbox, or have any kind of “opt-out” option. Consent must be definitive, and unambiguous, and a timestamp of when that consent was obtained, and what the user was consenting to, must be recorded for audit purposes.


If your current privacy policy doesn’t satisfy the conditions of the GDPR, then you will need to obtain additional consent from your existing users or subscriber base.


In addition, “it must be as easy to withdraw consent as it is to give it”. Users must be offered an option to unsubscribe in all communications, or delete their account on your platform.


Think about what data you’re collecting, and whether you really need to. Obtaining consent to collect that data may present more risks than what it’s worth. Additionally, if you later decide to start collecting more data than is detailed in your original privacy policy (or the terms of your privacy policy change), then you will need to obtain additional consent to the updated privacy policy.

Affiliate Tracking Codes

Affiliate tracking cookies are fundamental to online gambling affiliates. Most affiliates are unlikely to want to offer users the ability to disable their tracking codes, and strictly speaking, as the cookies do not (shouldn’t) contain identifiable data that is shared between websites, then it might not be necessary.


However, affiliates should still be crystal clear about what cookies may be set as a result of clicking links on their site, why they’re being set, and how they’re being used.  It would also be prudent to offer advice about how users can block these kinds of cookies, for those who choose not to have them set.

Data Subject Rights

The GDPR also empowers individuals with control over their data, as well as outlines a number of responsibilities organisations must adhere to in order to fulfil individuals’ rights to access and control the data held on them.


Affiliates must be aware of their responsibilities, and put plans in place to be able to handle those responsibilities:-

Right to Access

Data subjects have the right to know what data is held on them, and how it is being used. They also have the right to request access to that data, which must be delivered to them with 1 month of the the request, in a standard electronic format, free of charge, such that they can transmit that data to another data controller (organisation) should they wish to (Data Portability).

Right To Be Forgotten

Data subjects will also have the right to be forgotten and have any data held on them deleted. Such data will include their personal information, as well as any data which could lead to them being identified, directly or indirectly. If you have implemented any tracking solutions which create a link between the data you hold, and data stored in third party software, then that link will also need to be deleted, and potentially the data stored in the third party software.

Privacy by Design & Security

The GDPR will enforce strict penalties on organisations that have failed to invest appropriate resources into securing their systems, and preventing access of data to unauthorised persons, both online and offline…


“The controller shall..implement appropriate technical and organisational an effective order to meet the requirements of this Regulation and protect the rights of data subjects”.


Affiliates should ensure that any data they collect and process has been secured from the outset. If freelancers, designers or content writers have access to data unnecessarily, then it should be restricted. Similarly, any physical data should be locked safely away to prevent unauthorised access, and any new systems or website features should be designed with data privacy in mind.


Thought should also be given to data that can be encrypted – it may no longer be acceptable to only encrypt passwords.

Breach Notification

Organisations will be required to notify their appropriate Data Protection Authority within 72 hours of a data breach, where that breach is likely to “result in a risk for the rights and freedoms of individuals”. The gambling industry carries many negative connotations – most individuals probably wouldn’t want their identity associated with a gambling-related website, and so any data breach in this industry is likely to fall into the above category.

Data Protection Officers

Organisations who deal with large scale data processing or ‘special’ categories of data will be required to appoint a Data Protection Officer. Whilst this might not apply to most affiliates, they must understand their responsibilities as data controllers (and/or processors) to ensure the safety and security of data they hold, and ensure it isn’t shared or otherwise fall into the wrong hands. They should keep appropriate internal records, and ensure that their records are auditable.


This article contains general information for affiliates to make their own informed decisions about the upcoming GDPR. You must not rely on the information in this article as an alternative to professional legal advice.  The article has been contributed by Pavlos Sideris of Cashbacker – the leading gambling cashback community.

Continue Reading

Compliance Updates

Belgium Threatens Criminal Prosecution Over Loot Boxes

George Miller



Belgian gambling commission-loot boxes
Reading Time: 4 minutes

Belgian Gaming Commission lays groundwork for prosecution as Belgian justice minister meets with stakeholders to find an alternative


The Belgian Gaming Commission (BGC) has suggested that criminal prosecution should be undertaken against Electronic Arts, Valve, and Activision Blizzard over loot boxes in their respective games.

With the release of its research report on loot boxes,the BGC has clearly defined the parameters of what does and does not constitute gambling, and the ways in which FIFA 18, Counter-Strike: Global Offensive, and Overwatch each contravene the legislation.

The report lays out recommendations of what steps should be taken next to handle the issue.

Although the BGC has suggested criminal prosecution first and foremost, it will not proceed until Belgian minister of justice Koen Geens has met with industry stakeholders to begin a dialogue on the issue.

Speaking with, BGC director Peter Naessens said: “We are going to take all preparatory measures for the drafting of police reports, but it’s not going to be tomorrow. There is a certain amount of time for the minister of justice, but it’s not unlimited.”  – Peter Naessens, Belgian Gaming Commission director

Other recommendations from the BGC include developing specific permits for video games that feature loot boxes, and marking them accordingly. This is coupled with the suggestion of age verification in stores when purchasing codes or gift cards, and a principal ban on minors being able to purchase games featuring the mechanic.

Regarding distributors and operators, the BGC recommended that a clear indication of winning odds be provided and that its technical assessment team be granted complete control over the random number generators used for loot boxes.

Additional provisions over player data and payments were recommended, along with the introduction of a user spending limit.

License holders such as FIFA and Disney were also pulled up by the BGC, which suggested such companies pay closer attention to the sort of mechanics appearing in their games.

Unlike the Netherlands’ recent decision regarding loot boxes, the Belgian ruling does not consider the option to sell or trade the contents of loot boxes as an important factor when determining whether or not the mechanic might constitute gambling.

The BGC defines gambling as any game whereby a wager can lead to loss or win for at least one of the players, and where chance may even have a secondary role in the course of the game, the winner, or size of the winnings.

While its definition may appear less applicable to loot boxes than the Netherlands Gaming Authority, the BGC clearly defined the many ways in which the offending games are in breach of the legislation.

Taking Overwatch as an example: using real money, players can purchase loot boxes containing random collectable items, which constitutes a wager. The chance of a win or a loss concerns the wager itself versus the value of the items in the box. Despite being entirely aesthetic and not tradeable outside of the game, the items have player-ascribed value that is altered by artificial scarcity, limited edition items, and the four categories of rarity.

As Blizzard does not allow players to purchase credits directly, they are encouraged to purchase loot boxes containing in-game currency in order to obtain items faster than they would by just playing the game.

“The chance of losing your wager (the cost of the loot box) is, of course, ever-present now that testimonies and research have shown that players have a substantial chance of obtaining an object or item that they already own,” the report reads.

“Both in the purchase of loot boxes and in the entire operation of the game, all of this can lead to pure manipulation of individuals or groups of players” – Research Report on Loot Boxes, Belgian Gaming Commission

The BGC calculated that, should a player wish to collect every item, they would have to open somewhere between 1,300 and 1,600 loot boxes.

Considering the aspect of chance, things become a little murkier, though the BGC is operating on the understanding that players believe the content is determined by chance, even if there were no odds communicated directly.

“Both in the purchase of loot boxes and in the entire operation of the game, all of this can lead to pure manipulation of individuals or groups of players,” the report reads. “The line between encouragement and manipulation is sometimes difficult to differentiate in an online environment where one party (game manufacturer/game platform) records almost everything and the consumer who plays the game rather passively from this perspective.”

Blizzard did not respond to the commission’s requests for more information.

Many within the games industry have criticised the assumption that loot boxes which do not contain items of monetary value outside of the game constitute gambling, drawing comparisons to collectible card games such as Pokémon or Magic the Gathering.

“It might be considered as gambling, but in our legislation there is an exception for it,” Naessens told “So Pokémon cards, if they are going to introduce a wheel of fortune, roulette, or a blackjack game in order to determine the contents, it will also be problematic and we will examine it as well.

“But in our legislation, card or party games are exempt from gambling [legislation]. If Pokémon cards were to introduce the gambling element to their game, it would be very problematic as well.”

Essentially, the BGC argues that players are “lured into betting money through loot boxes with a range of techniques”.

When making the decision, the BGC considered aspects such as social behaviour monitoring, as demonstrated with the “exploratory” patent filed recently by Activision which is designed to encourage microtransaction spending through player monitoring.

“If [Pokémon card] are going to introduce a wheel of fortune, roulette, or a blackjack game in order to determine the contents, it will also be problematic and we will examine it as well.” – Peter Naessens, Belgian Gaming Commission director

Other considerations include the “fusion of fiction and reality”, highlighting the use of the footballer Cristiano Ronaldo to advertise the most expensive loot boxes in EA Sports’ FIFA and “whitewashing the behaviour of the super-rich in the football world or the possibility of match-fixing”.

Tying into this point is the use of limited edition items to drive loot box sales, and the use of game-specific currencies that are “psychologically very sophisticated” and fully disconnect the value of real money from the value of in-game currency.

Game operators failing to enforce a spending limit, combined with readily giving away free loot boxes in order to attract players was also considered a dangerous aspect of the mechanic.

Despite a recent assertion from Electronic Arts CEO Andrew Wilson that FIFA 18 loot boxes do not constitute gambling, the clock is ticking and the publishing giant, along with Valve and Activision Blizzard, will invariably have to make changes or forgo the Belgian market entirely.

Although progress will be slow, momentum is gathering as gambling legislators from around the world turn their gaze towards the issue of loot boxes. According to Naessens, BGC has been in contact with officals in Spain, Germany, Finland, America, and Asia.



Continue Reading

Compliance Updates

Malta passes new gaming act

Niji Ng




Malta passes new gaming act
Reading Time: 2 minutes

The Maltese Parliament has given its nod for the third and final reading of the new Malta Gaming Act.

The Act will provide more powers to Malta Gambling Authority (MGA) as the supervisor of all gaming activity in the country. It will monitor compliance and perform enforcement functions to better achieve regulatory objectives and in line with concurrent developments in anti-money laundering and combating the funding of terrorism.

The new Act will segment the role of a Key Official within a licensed entity into various key functions for direct scrutiny and targeted supervision controls.

In addition, the player protection framework will be supported by the formalisation of the MGA’s Player Support Unit which will act as a mediator between aggrieved players and operators.

More effective processes for criminal and administrative justice, consumer protection standards, responsible gambling measures, identification of suspicious sports betting transactions and objective-orientated standards to encourage innovation and development are all covered in the Act.

“The legislation is currently undergoing the Technical Regulation Information System process (TRIS) in line with European Union Directive 2015/1535, whereby the EU Commission and Member States may issue their opinions thereon,” the MGA said.

“In the absence of issues emerging from this process, it shall come into force on 1 July 2018 for remote gaming operators and, following a transitory period, on 1 January 2019 for land-based operators.”

The Parliamentary Secretary for Financial Services, Digital Economy & Innovation, Hon. Silvio Schembri said: “I would like to thank the MGA for moving the regulatory agenda for gaming services forward, as well as for identifying areas for further and continuous improvement.”

“The MGA will periodically review the regulatory performance of the sector and the framework itself and will advise Government on the attainment of its objectives mainly focusing on consumer protection and integrity.”

The MGA’s Chief Executive Officer, Heathcliff Farrugia added: “This is a very important milestone for the MGA. The new law establishes very robust compliance and enforcement powers and structures, and lays the necessary foundation to continue to strengthen player protection.”


Continue Reading

Subscribe to our News via Email

Enter your email address to subscribe to our news and receive notifications of new posts by email.

Latest by author

Top read articles

We are constantly showing banners about important news regarding events and product launches. Please turn AdBlock off in order to see these areas.