You got mail: Unpicking Sky Vegas' egregious messaging error

November 2021’s Safer Gambling Week was hailed a “huge success” by the Betting & Gaming Council (BGC), with the campaign generating nearly 25 million impressions across Facebook, Twitter and Instagram, a 19% increase on 2020. Yet this year’s initiative didn’t get off to the best of starts after one of the BGC’s members, Flutter-owned Sky Vegas, mistakenly sent promotional emails to customers who had already opted out of receiving marketing materials, and others who had previously self-excluded, not just from Sky Vegas but from all UK-licensed gambling sites via the GAMSTOP self-exclusion register.

The mistake, which allegedly involved up to 120,000 people being contacted on multiple occasions and offered 100 free spins, was all hugely embarrassing for the FTSE 100 giant and forced bosses to hold their hands up and apologise over the matter.

Conor Grant, CEO for Flutter’s UK and Ireland division, stated: “I would like to sincerely apologise to all those who have been affected by the recent issue at Sky Vegas, whereby a number of people were mistakenly sent promotional communications. We are conducting a full investigation into what went wrong, in particular so we can ensure it doesn’t happen again.”

The likely cause?

A former marketing manager at a multi-brand online gaming operator, who agreed to speak to EGR Intel on the condition of anonymity, says it appears to have simply been an unfortunate case of human error. “The communications calendar is usually planned weeks in advance but the data to be run is left to the last minute to ensure it is up to date,” he explains.

“This is to allow both recently closed or self-excluded customers and those who have asked for no promotional communication to be excluded. The database is then sent to the email service provider (ESP) to be distributed.

“As an extra safety measure, the majority of ESPs that I have worked with provide a ‘blacklist’ feature. This will be updated regularly – sometimes hourly – with email addresses of players who should not be contacted under any circumstances.

“This acts as a suppression list at a system level and should block emails going to a self-excluded player even if they were inadvertently included in a campaign. It appears that, on this occasion, the reactivation email was not cleaned of the necessary information and sent to at least some account holders who were self-excluded.”

Our source pointed out that social media accounts suggested some recipients had self-excluded not just with Sky Vegas but through GAMSTOP, which, once registered, prevents the individual from using all websites and apps run by companies licensed in the UK for a period of their choosing.

By contacting self-excluded customers, there has obviously been a serious marketing breach of the UKGC’s social responsibility code. A spokesperson for the UK Gambling Commission (UKGC) advised: “We’ve been made aware by members of the public that Sky Bet have sent promotional emails to self-excluded customers. We do not expect this of our operators and we will be looking into how this has happened.”

Meanwhile, a spokesperson for Flutter confirmed to EGR Intel, when asked for an update on the investigation, that no self-excluded customer would have been able to re-open an account, nor access the promotion that was mistakenly sent out. However, this isn’t the first time something like this has happened in the industry, albeit not to the same extent.

Earlier this year, an online gaming operator sent out postal mail to its database, including self-excluded and non-promotional customers. It was a much smaller campaign and resulted in only a handful of complaints, but it shows the Sky Vegas error was not unique.

It was not the first time it had happened at Sky Betting & Gaming (SBG) either. In March 2018, the UKGC ordered SBG to pay a £1m penalty for “social responsibility failures”, including for sending email, SMS or push notifications to around 50,000 self-excluded customers. It would be a surprise if this previous failing were ignored if the UKGC considers further sanctions are deemed necessary for the recent SBG misdemeanour.

As a result, London-based law firm PGMBM is supporting legal action against SBG for customers affected by the breach. PGMBM has asked those customers to visit www.skybetclaimlawyers.com as it explores the possibility of bringing legal proceedings against the operator for “mishandling data”.

Specialist data breach lawyer and PGMBM legal director Tony Winterburn has called on SBG to reveal how many people were sent the emails and explain how this was allowed to happen. He said: “This mistake could cost people their recovery from gambling. These emails have already caused harm and distress to those who opted out of receiving gambling promotions for very good reason.”

Viewing platform

As the sector reviews its procedures to ensure nothing like this happens elsewhere, could the idea of the single customer view (SCV) help?

Well, in February 2020, the UKGC challenged the online gambling industry to explore the possibility of an SCV – a complex project aimed at sharing data which already exists around individual player behaviours, with a view to help prevent and reduce gambling harm.

There is much work to be done before the SCV comes into fruition, not least in establishing whether there is a lawful basis under Article 6 of the UK General Data Protection Regulation that allows for the sharing of behavioural or affordability data between online gambling operators via SCV, including the examination of existing legal gateways.

The UKGC recently gave an update on the project and reported that in November 2020 it had entered into the Regulatory Sandbox – a service developed by the Information Commissioner’s Office (ICO) to support organisations that are creating products and services which use personal data in innovative and safe ways for the benefit of the public.

The publication of the ICO’s report in October 2021 provides an important and helpful steer on how an SCV could be delivered in accordance with data protection law. However, there are still plenty of issues and complexities that need to be addressed as part of a pilot phase of work.

A CCO at a major online gaming operator, who wishes to remain anonymous, comments: “The implementation of an SCV for online gaming is going to be difficult for a 20-year-old industry. It would be a much easier process in a new jurisdiction, such as Germany, where they have a €1,000 per month deposit limit across all sites monitored by a central authority using a ‘limit control file’ which operators must connect and subscribe to.”

The CCO continues: “The industry needs to share information for an SCV to work but it is a very challenging and complex issue. The UKGC wants the industry to sort it out themselves, but a concern would be that only the big companies would have the technology or wherewithal to implement an SCV. It might be difficult to get the smaller companies on board. In my experience, someone who wants to have a bet will find a way.”

Coming back to the Sky Vegas situation, the UKGC needs a constructive relationship with the industry; but could the regulator have expected the partners in Safer Gambling Week to have suspended promotional emails for the period? Is it something they could push for in 2021?

In June 2020, BGC members – who account for about 50% of all gambling advertising in the UK – announced that, going forward, at least 20% of all advertising of its members on TV and radio will be safer gambling adverts.

This does not go far enough for the anti-gambling brigade, but it is symbolic of an industry that wants, and needs, to keep its players safe from problem gambling. It’s an industry that continues to develop the tools available to prevent gambling harm, although there are challenges ahead before an SCV might be implemented.

The Sky Vegas email gaff should not have happened, but no self-excluded customer would have been able to re-open their account. We all make mistakes, and human error can never be fully eradicated, not in any industry.