What Information Does a Casino Track on You? UK Privacy Guide 2026

Last reviewed on 21 April 2026

When you sign up to an online casino in the UK, you’re entering a highly regulated environment where data collection isn’t just about marketing—it’s a legal requirement. Licensed operators must gather extensive information to verify your identity, ensure you gamble safely, and combat financial crime. This guide explains exactly what information UK casinos track on you in 2026, why they need it, who they share it with, and crucially, how you can exercise your privacy rights under UK law.

Mandatory KYC & Identity Verification Data

The first and most fundamental data collection happens during sign-up and verification, known as Know Your Customer (KYC). Under UK Gambling Commission rules, a casino must confirm your identity and age before you can deposit or play for real money. You cannot avoid providing this core information if you wish to gamble legally.

You will be asked to provide:

• Full Name & Date of Birth: To confirm you are over 18.
• Current Residential Address: Often verified with a utility bill or bank statement.
• Email Address & Phone Number: For account communication and security.
• Government-Issued ID: Such as a passport, driving licence, or national identity card number.

Increasingly, operators are also required to conduct affordability checks. This means you may be asked for proof of income or bank statements to verify your source of funds. This is a regulatory measure designed to identify customers at potential risk of harm from gambling beyond their means. For more on the rules governing operators, see our guide to UK gambling laws.

Behavioural & Gameplay Tracking

Once your account is active, the casino monitors your activity in detail. This isn’t about spying; it’s a regulatory requirement to promote safer gambling and ensure game integrity. Operators use sophisticated algorithms to analyse patterns that might indicate problem gambling.

They track:

• All Financial Transactions: Every deposit amount, withdrawal request, method used, and timestamp.
• Gameplay Metrics: Which games you play (like slots, blackjack, or roulette), session length, bet sizes, and win/loss ratios.
• Pace of Play: How quickly you place bets or spin reels.
• Login Patterns: Time of day and frequency of visits.

This data feeds into safer gambling systems. If algorithms detect high-risk behaviour—such as rapid, repeated losses—the operator is obliged to intervene. This could be a pop-up message suggesting a break, an enforced deposit limit, or even a temporary account suspension. Understanding metrics like RTP (Return to Player) and the house edge can help you make informed choices about your play.

Technical & Device Tracking

To secure your account and prevent fraud, casinos collect technical data automatically. This helps them confirm it’s really you logging in and detect suspicious activity, like multiple accounts or access from prohibited jurisdictions.

This technical footprint includes:

• IP Address & Geolocation Data: To ensure you are physically within the UK, a legal requirement for using a UK licence.
• Device Fingerprint: A unique profile of your device, based on its hardware, operating system, browser, and settings.
• Browser Type & Version, Operating System.
• Cookies & Similar Technologies: To manage your session, remember preferences, and for analytical purposes.

For land-based casinos, surveillance is even more direct. They use CCTV, photographs, and audio recordings for security and game integrity. Some venues, like those operated by Genting, also use Live Facial Recognition Technology to identify individuals who have self-excluded or been barred, a measure taken to comply with their licence conditions.

What Data is Shared with the UK Gambling Commission?

The UK Gambling Commission (UKGC) is the regulator, and operators have a duty to report certain information. This sharing is not continuous monitoring of all players but is triggered by specific events. The Commission processes this data under its legal obligations.

Key sharing instances include:

• Suspicious Activity Reports (SARs): Filed if the operator suspects money laundering or terrorist financing.
• Player Protection Flags: When a customer shows significant signs of gambling harm, or breaches affordability protocols.
• Self-Exclusion Breaches: If a player registered with GAMSTOP attempts to open an account or gamble.
• Investigation Data: If the UKGC is investigating an operator or specific incident, relevant customer data may be requested.

GAMSTOP & Self-Exclusion Data

When you sign up for the national GAMSTOP self-exclusion scheme, you provide personal details (name, date of birth, address, etc.). This data is then shared with all UK-licensed gambling operators who are legally required to enforce your exclusion.

Operators must perform regular checks against the GAMSTOP database and other self-exclusion lists. If your details match, they must refuse your account registration or restrict access to an existing one. This data sharing is a critical component of the UK’s player protection framework. For more tools to manage your play, explore our resource on responsible gaming tools.

Your GDPR & UK GDPR Rights

You retain significant control over your data under the UK General Data Protection Regulation (UK GDPR). Casinos must clearly explain these rights in their privacy policies.

Your key rights include:

Right	What it Means	Important Casino Caveat
Right of Access	You can request a copy of all personal data the casino holds on you.	They must provide it, usually within one month.
Right to Rectification	You can ask for incorrect data (e.g., wrong address) to be corrected.	They must comply promptly.
Right to Erasure (‘Right to be Forgotten’)	You can request your data be deleted.	This is often refused. Casinos are legally obliged to retain KYC and financial data for at least five years after account closure for anti-money laundering purposes.
Right to Restrict Processing	You can ask them to temporarily halt using your data.	May apply during a dispute about accuracy.
Right to Object	You can object to processing based on legitimate interests.	You can object to direct marketing absolutely, and it must stop.
Right to Data Portability	You can ask for your data in a structured, machine-readable format.	Applies mainly to data you provided by consent or for a contract.

Marketing Consent & How to Stop Contact

UK casinos often operate under “soft opt-in” rules for marketing. This means if you are an existing customer, they can send you promotional emails or SMS messages about similar services without explicit prior consent, provided they gave you a clear chance to opt-out when they collected your details.

You have the absolute right to stop marketing communications at any time. Every marketing email should have an ‘unsubscribe’ link. You can also contact customer support directly to opt out of all marketing. Withdrawing consent does not affect the legality of processing that happened before you withdrew it. For more on managing your play, check our casino tips which include advice on setting budgets.

Data Breaches: What You Should Know

While robust security is a licence condition, no system is entirely immune. A data breach could involve the accidental or unlawful loss, alteration, or disclosure of customer data. UK-licensed operators have a legal duty to report serious breaches to the Information Commissioner’s Office (ICO) and, where there is a high risk to individuals, to inform those affected directly.

If you suspect your data from a gambling site has been compromised, you should:

1. Change your password immediately and on any other sites where you use similar credentials.
2. Monitor your bank statements for unusual activity.
3. Follow any specific guidance provided by the operator.
4. You can report concerns to the ICO or seek advice from GamCare if the breach causes you distress.

How to Exercise Your Data Rights

To make a data subject access request (DSAR) or exercise any other right, follow these steps:

1. Find the Privacy Policy: Locate the ‘Data Protection Officer’ or ‘Privacy’ contact details in the casino’s privacy policy (usually in the website footer).
2. Submit in Writing: Contact them via email or a dedicated form, stating clearly what right you wish to exercise (e.g., “I wish to make a subject access request”).
3. Provide Proof of Identity: They will ask you to verify your identity to prevent disclosure to fraudsters. This is a security necessity.
4. Wait for Response: They have one calendar month to respond. For complex requests, this can be extended by two further months.

If you are unhappy with their response, you can complain directly to the operator. If unresolved, you can escalate the matter to the UK Gambling Commission (for licence breaches) or the Information Commissioner’s Office (ICO) (for data protection failures).

Frequently Asked Questions (FAQ)

Can I use a UK casino anonymously?
No. Anonymous gambling is illegal under UK licensing. Full KYC verification is a mandatory legal requirement to prevent underage gambling, fraud, and money laundering. You must prove who you are and where you live.

If I close my account, does the casino delete all my data?
Not immediately, and often not for years. Regulatory ‘data retention’ rules force them to keep your identity and transaction records for at least five years after the business relationship ends for anti-money laundering purposes. After that, they should delete it unless other laws require them to keep it longer.

Why do casinos need to know my income or see my bank statements?
This is part of enhanced affordability checks introduced by the regulator. The goal is to identify customers who might be gambling at levels that risk financial harm. It is a contentious but legally mandated form of financial vulnerability assessment for higher levels of spend. You can learn more about managing your bankroll in our online poker guide and baccarat guide.

Can I object to facial recognition in land-based casinos?
You can object, but as this processing is typically justified under a ‘legal obligation’ (to enforce exclusions), the operator’s likely response will be that your only option is to not enter the premises. Their privacy policy should explain this. If concerned, speak to the casino’s data protection officer.

Do casinos sell my data to third parties?
Licensed UK casinos do not sell your personal data in the way a list broker might. However, they do share data with essential service providers (payment processors, IT security firms, KYC verification agencies) under strict contracts. They also share data with regulators as required by law. You should review their privacy policy for specifics.

Where can I get help if I’m worried about my gambling data or habits?
If tracking your own activity causes concern, it may be a sign to pause. Use operator tools like deposit limits and reality checks. For free, confidential support, contact BeGambleAware or GamCare. For a broader view of regulated sites, you can read about the best casinos that prioritise player safety and transparency.