Data Protection Challenges in iGaming: What Operators Need to Know in 2026

In October 2025, Fast Track, a Malta-based CRM platform serving over 100 iGaming operators worldwide, suffered a cyberattack that exposed player names, addresses, transaction histories, betting patterns, and KYC documents across its client base.

The breach came just four months after the company renewed its SOC 2 Type 2 attestation. That timing is a useful reminder of what such a report does and does not say: it attests that the described controls operated during the audit period, not that the system cannot be compromised. Three months earlier, Flutter Entertainment confirmed that up to 800,000 Paddy Power and Betfair customers had personal data accessed by unauthorized parties.

These incidents weren’t anomalies. They were symptoms of a structural problem that iGaming operators can no longer afford to treat as someone else’s responsibility.

The online gambling market is projected to reach $153.57 billion by 2030, according to Grand View Research. That growth attracts not only players and investors but also threat actors drawn to one of the most data-dense consumer industries on earth.

The convergence of sensitive personal data, complex multi-jurisdiction regulations, and an expanding attack surface makes iGaming a uniquely challenging environment for data protection.

This guide breaks down the specific data protection challenges operators face, the regulatory frameworks shaping compliance obligations, the cybersecurity threats targeting the sector, and the strategic steps operators can take to protect both players and their business.

Why iGaming Faces Unique Data Protection Challenges

The sheer volume and sensitivity of player data

When a player signs up for an online casino or sportsbook, they hand over a breadth of personal information that goes far beyond what most consumer-facing services collect:

  • Personal identification: name, date of birth, address, government ID, and in some jurisdictions, social security numbers
  • Financial data: payment methods, transaction history, deposit and withdrawal records
  • Behavioral data: betting patterns, game preferences, session duration, win/loss history
  • Communication data: support interactions, chat logs, complaints, responsible gambling disclosures

This data density makes iGaming platforms high-value targets for cybercriminals. Unlike a standard SaaS platform where breach exposure might be limited to email addresses and hashed passwords, an iGaming breach can expose identity documents, financial behavior, and even patterns that reveal potential gambling addiction.

The regulatory tension between privacy and oversight

iGaming operates under a regulatory paradox that most industries don’t encounter. On one side, data protection laws like GDPR demand transparency, requiring operators to tell players exactly how their data is processed, stored, and shared.

On the other side, anti-money laundering (AML) rules prohibit disclosing to a customer that a suspicious activity report has been filed or that an investigation is under way. An operator conducting an AML review on a player cannot, by law, inform that player about the review, even though GDPR expects transparency about processing. GDPR anticipates this collision: Article 6(1)(c) makes compliance with a legal obligation a lawful basis in its own right, and Article 23 lets member-state law restrict transparency and access rights for purposes such as the prevention of money laundering. The practical task is to identify the national provision being relied on and document it for each processing activity.

Responsible gambling monitoring creates a similar conflict. Effective detection of problem gambling behavior requires covert observation of player patterns. If operators disclose these monitoring mechanisms to players, problem gamblers can adjust their behavior to avoid detection, rendering the safeguards useless. Yet GDPR’s transparency principles suggest organizations should be open about how they process personal data.

This tension also plays out in data minimization. GDPR requires that personal data be adequate, relevant, and limited to what is necessary for the stated purpose. KYC rules require extensive collection: identity documents, proof of address, and source-of-funds documentation.

Operators must therefore collect everything the AML regime demands while collecting nothing more, and they must keep the purposes separate: data gathered under a KYC legal obligation should not quietly become marketing or profiling data. Navigating this requires careful legal analysis and a documented justification, purpose, and retention period for each data point collected.

Multi-jurisdiction complexity at scale

Every market where an iGaming operator accepts players comes with its own data protection framework. EU operators must comply with GDPR. Those serving California residents face CCPA requirements. Canadian operations fall under PIPEDA. And each gambling license carries its own data protection stipulations layered on top of national privacy law.

Consider a mid-sized operator licensed in Malta, the UK, and Ontario that serves players across the EU, North America, and parts of Asia. That operator must track and comply with dozens of overlapping and sometimes contradictory regulatory requirements around data storage location, consent mechanisms, retention periods, breach notification timelines, and player rights. A “one-size-fits-all” compliance framework simply doesn’t work in this environment, because the rules themselves conflict across jurisdictions.

Complicating matters further, regulators frequently update rules with limited notice, and industry bodies add their own layer. The European Gaming and Betting Association (EGBA), a trade association rather than a regulator, introduced a Code of Conduct on data protection in 2020 that goes beyond baseline GDPR requirements, adding iGaming-specific rules around data portability, transparency, and breach mitigation. EGBA members accounted for 33% of Europe’s total online gambling revenue in 2021, so these standards carry practical weight across the industry.

The Regulatory Landscape for Data Protection in iGaming

GDPR in Europe

GDPR remains the most consequential data protection regulation for iGaming operators serving European players. Fines can reach up to €20 million or 4% of global annual turnover, whichever is higher.

Cumulative GDPR fines since the regulation took effect in 2018 have reached approximately €7.1 billion as of early 2026, according to the DLA Piper GDPR Fines and Data Breach Survey. Enforcement shows no signs of slowing: regulators issued roughly €1.2 billion in GDPR fines in 2025 alone, matching the previous year’s total.

For iGaming operators, GDPR enforcement increasingly targets cross-border data transfer practices. The €530 million fine against TikTok in 2025 for transferring EU user data to China and the €290 million fine against Uber in 2024 for improper EU-to-US data transfers signal that regulators are closely scrutinizing international data flows. Transfers of EU personal data outside the EEA need a Chapter V mechanism, such as an adequacy decision or Standard Contractual Clauses backed by a documented transfer impact assessment. Operators with global infrastructure that routes EU player data through non-EU servers without one face material risk under these precedents.

CCPA in the United States

The California Consumer Privacy Act applies to iGaming operators serving California residents, with fines reaching $2,663 per unintentional violation and $7,988 per intentional violation (2025 adjusted amounts). While the per-violation fines appear modest compared to GDPR, they compound quickly across large player bases.

PIPEDA in Canada

Canada’s Personal Information Protection and Electronic Documents Act carries fines of up to CAD $100,000 per offence, although these attach to specific offences (obstructing the Privacy Commissioner, failing to keep breach records, retaliating against whistleblowers) rather than to every privacy contravention. Ontario’s regulated iGaming market, which launched in 2022, has added a layer of provincial oversight to federal privacy requirements.

Licensing requirements as a compliance layer

Beyond national privacy laws, each gambling license carries its own data protection conditions. The UK Gambling Commission, Malta Gaming Authority, and provincial regulators in Canadian markets all attach specific requirements to their licenses around data handling, retention, and breach reporting. Losing compliance with these conditions doesn’t just trigger fines; it can cost operators their license to operate in a jurisdiction entirely.

The financial consequences of non-compliance extend well beyond regulatory fines. MGM Resorts’ 2023 ransomware attack cost the company approximately $100 million in operational losses and led to a $45 million class action settlement covering both the 2023 and a previous 2019 breach.

Caesars Entertainment reportedly paid $15 million in ransom during a simultaneous attack. These figures illustrate that the total cost of a data protection failure includes operational disruption, legal liability, remediation expenses, and long-term reputational damage.

Top Cybersecurity Threats Facing iGaming Operators

Identity and access fraud

Account takeover attacks, in which criminals gain access to player accounts to drain funds or exploit features, represent a persistent threat. Multi-accounting (sometimes called “gnoming”) involves a single user controlling multiple accounts to exploit bonuses or circumvent responsible gambling limits.

Research from CrossClassify indicates that approximately 40% of account takeovers in iGaming are linked to bot usage, underscoring how automated tools amplify the scale and speed of these attacks.

Gameplay manipulation

Collusive betting, where players conspire to manipulate outcomes in peer-to-peer games, and bot-driven automated play threaten both platform integrity and player trust. These fraud types are particularly difficult to detect because they mimic legitimate player behavior and require sophisticated behavioral analytics to identify.

Promotional and financial abuse

Bonus abuse, where fraudsters create fake accounts to repeatedly exploit sign-up offers, costs the industry dearly. CrossClassify also estimates that 51% of iGaming operators cite fraud as a top business threat, with an estimated $14.2 billion in annual losses attributed to bonus abuse and multi-accounting combined.

Third-party vendor risk as a growing attack vector

The Fast Track breach highlighted a critical vulnerability that extends across the iGaming ecosystem. Every vendor that touches player data, including game providers, payment processors, CRM platforms, analytics tools, and communication platforms, represents a potential breach vector.

An operator may maintain rigorous internal security, but a compromise at any vendor in the chain can expose player data just as thoroughly as a direct attack. That makes it vitally important to choose vendors with demonstrable security controls and experience in regulated gaming, to limit each vendor to the data its function actually needs, and to contract for prompt breach notification.

How Would Cookies Going Away Impact iGaming Data Privacy?

Traditional player acquisition in iGaming has relied heavily on programmatic advertising powered by third-party cookies. Safari and Firefox already block third-party cookies by default, and although Chrome shelved its plan to remove them, consent rules and regulatory scrutiny are steadily narrowing what cross-site tracking is permissible. Operators must rethink how they identify, target, and retarget potential players.

The shift pushes operators toward first-party data strategies, collecting information directly from players with explicit consent rather than relying on cross-site tracking. This aligns with GDPR’s data minimization principle but also concentrates more sensitive data on operator platforms, which increases the stakes if a breach occurs.

Contextual targeting, where ads are served based on the content of the page rather than individual user profiles, is emerging as a privacy-first alternative. Privacy-enhancing technologies (PETs) can help too: differential privacy adds calibrated noise to aggregate statistics so that no individual’s presence can be inferred from a report, and homomorphic encryption allows some computations to run on encrypted data. Both let operators derive marketing insights without exposing individual player records, though neither removes the need for a lawful basis for the underlying collection.
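To make the differential-privacy point concrete, here is an added example (not code from the original article or from any vendor it names) that releases per-category player counts with the Laplace mechanism. Each player is attributed to a single category so the whole histogram has L1 sensitivity 1, the category domain is fixed so that empty categories still appear in the release, and the noise scale is 1/epsilon. The category list and the events are constructed for the demonstration.

```python
"""Differentially private per-category player counts (Laplace mechanism).

Added example. The categories and events below are constructed; the seed
parameter exists only so demos are reproducible.
"""
from __future__ import annotations

import random
from collections import Counter

# Fixed release domain: every category gets a (noisy) count, including zeros,
# so the shape of the report does not reveal which categories had players.
CATEGORIES = ("slots", "poker", "sports", "live")


def true_counts(events: list[tuple[str, str]]) -> dict[str, int]:
    """events are (player_id, category) pairs.

    A player is attributed to the first category seen, so adding or removing
    one player changes exactly one bucket by exactly one. That bounds the L1
    sensitivity of the whole histogram at 1, which the noise scale relies on.
    """
    first: dict[str, str] = {}
    for player, category in events:
        if category not in CATEGORIES:
            raise ValueError(f"unknown category {category!r}")
        first.setdefault(player, category)
    counts = Counter(first.values())
    return {c: counts[c] for c in CATEGORIES}


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Laplace(0, scale) drawn as the difference of two i.i.d. exponentials."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def dp_counts(events: list[tuple[str, str]], epsilon: float,
              seed: int | None = None) -> dict[str, float]:
    """epsilon-DP histogram under add/remove-one-player neighbouring.

    Smaller epsilon means more noise and a stronger guarantee. Clamping at
    zero afterwards is post-processing and does not weaken the guarantee.
    """
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    rng = random.Random(seed)          # seeded only for reproducible demos
    scale = 1.0 / epsilon              # sensitivity (1) divided by epsilon
    return {c: max(0.0, n + laplace_noise(scale, rng))
            for c, n in true_counts(events).items()}


# Constructed sample: p1 played two categories but counts once (slots).
EVENTS = [
    ("p1", "slots"), ("p1", "poker"), ("p2", "slots"),
    ("p3", "sports"), ("p4", "slots"), ("p5", "poker"),
]

if __name__ == "__main__":
    print("true:", true_counts(EVENTS))
    print("eps=1.0:", dp_counts(EVENTS, epsilon=1.0, seed=7))
    print("eps=0.1:", dp_counts(EVENTS, epsilon=0.1, seed=7))
```

The two things practitioners most often get wrong are visible here: if a player could appear in several buckets the sensitivity would be larger than 1 and the noise too small for the claimed epsilon, and if only non-empty categories were released, the report would leak which categories had at least one player.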

For operators, the cookie-less transition isn’t just a marketing challenge. It’s a data protection opportunity. Organizations that build consent-first data collection practices now will be better positioned for both regulatory compliance and player trust in a market where data handling is increasingly visible to consumers.

Building a Data Protection Strategy for iGaming Operations

Creating a privacy-first culture

Data protection in iGaming cannot live solely within the IT or legal department. It requires an organizational culture where every employee who handles player data understands their responsibilities. Gambling authorities across Europe are increasingly engaging with national cybersecurity centers and data protection bodies, raising the compliance baseline across the industry.

Constant employee training is foundational. The MGM intrusion began with a social engineering phone call to the IT help desk, in which the attacker impersonated an employee and talked the agent into resetting that employee’s credentials. Encryption and firewall spending do nothing against that path. Training must cover phishing and voice-phishing recognition, data handling procedures, incident reporting protocols, and the specific regulatory obligations that apply to each team’s function. It should also be backed by controls that do not depend on one person’s judgement: a help desk procedure that verifies identity before any password or MFA reset, and phishing-resistant MFA such as FIDO2 security keys.

Data Protection Officers play a critical role in iGaming organizations, acting as the interface between operational teams, executive leadership, and regulatory bodies. For operators serving EU players, appointing a DPO isn’t optional where GDPR Article 37 applies: it is mandatory when an organization’s core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data. Behavioral monitoring of every player’s betting patterns falls squarely into the first category.

RegTech and compliance automation

With regulations changing across dozens of jurisdictions, manual compliance tracking is impractical for any operator serving multiple markets. RegTech solutions that automatically monitor legislative changes, flag compliance gaps, and maintain audit trails reduce both the workload and the risk of missing a critical update. AI and machine learning tools can power fraud detection through device fingerprinting, behavioral monitoring, and anomaly detection, identifying suspicious activity in real time.
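The device-fingerprint and behavioral signals mentioned here are what make the multi-accounting and bonus-abuse detection described in the threats section workable. The following is an added example, not code from the original article or from any vendor it names: it links sign-up records that share a device fingerprint, a payment-instrument token or a hashed KYC document number (all assumed field names from a hypothetical onboarding feed) into clusters with a union-find structure, then flags clusters that claimed the welcome bonus more than once. The sample records are constructed.

```python
"""Link sign-ups that share strong identifiers and flag repeated bonus claims.

Added example. Field names (device_fp, payment_token, id_doc_hash) are
assumptions about a hypothetical onboarding feed; the records are constructed.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Signup:
    account_id: str
    device_fp: str       # stable device fingerprint from the client SDK (assumed)
    payment_token: str   # payment-instrument token from the PSP (assumed)
    id_doc_hash: str     # hash of the normalised KYC document number (assumed)
    ip: str              # kept for context; deliberately not used for linking
    bonus_claimed: bool


# Identifiers that should belong to exactly one person. IP addresses are left
# out: carrier-grade NAT, shared households and VPNs make them weak evidence.
STRONG_KEYS = ("device_fp", "payment_token", "id_doc_hash")


def hash_doc_number(doc_number: str) -> str:
    """Normalise case, spaces and punctuation, then hash, so the fraud system
    can match document numbers without storing the raw number."""
    normalised = "".join(ch for ch in doc_number.upper() if ch.isalnum())
    return hashlib.sha256(normalised.encode()).hexdigest()


class UnionFind:
    """Disjoint-set forest with path halving. Linking is transitive: A~B and
    B~C puts A and C in one cluster even if they share nothing directly."""

    def __init__(self) -> None:
        self.parent: dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_accounts(signups: list[Signup]) -> dict[str, list[str]]:
    """Group accounts sharing at least one strong identifier, transitively.
    Returns {cluster_root_account: sorted account ids}."""
    uf = UnionFind()
    first_seen: dict[tuple[str, str], str] = {}
    for s in signups:
        uf.find(s.account_id)  # register singletons too
        for key in STRONG_KEYS:
            value = getattr(s, key)
            if not value:
                continue
            owner = first_seen.setdefault((key, value), s.account_id)
            if owner != s.account_id:
                uf.union(owner, s.account_id)
    clusters: dict[str, list[str]] = defaultdict(list)
    for s in signups:
        clusters[uf.find(s.account_id)].append(s.account_id)
    return {root: sorted(ids) for root, ids in clusters.items()}


def flag_bonus_abuse(signups: list[Signup]) -> list[list[str]]:
    """Clusters of more than one account in which the sign-up bonus was
    claimed more than once: one person collecting several welcome offers."""
    by_id = {s.account_id: s for s in signups}
    flagged = []
    for ids in link_accounts(signups).values():
        claims = sum(1 for i in ids if by_id[i].bonus_claimed)
        if len(ids) > 1 and claims > 1:
            flagged.append(ids)
    return sorted(flagged)


# Constructed sample: A, B and C are one person chaining identifiers (A~B by
# device, B~C by card, C~A by the same document typed differently). D and E
# are strangers who merely share a carrier NAT address and must not be linked.
SAMPLE = [
    Signup("acc-A", "fp-111", "tok-aaa", hash_doc_number("X123 456"), "10.0.0.1", True),
    Signup("acc-B", "fp-111", "tok-bbb", hash_doc_number("Y987"), "10.0.0.2", True),
    Signup("acc-C", "fp-222", "tok-bbb", hash_doc_number("x123-456"), "10.0.0.3", False),
    Signup("acc-D", "fp-333", "tok-ddd", hash_doc_number("Q111"), "203.0.113.7", True),
    Signup("acc-E", "fp-444", "tok-eee", hash_doc_number("R222"), "203.0.113.7", False),
]

if __name__ == "__main__":
    print(link_accounts(SAMPLE))
    print(flag_bonus_abuse(SAMPLE))
```

The output is a review queue, not an automatic ban list: under the Article 22 point made later in this article, closing accounts on the strength of a linkage score alone is exactly the kind of solely automated, significant decision that needs a human in the loop.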

Securing customer communication channels

Player support interactions routinely involve sensitive data exchanges: identity verification for KYC, payment dispute resolution, and responsible gambling disclosures. Each of these conversations represents a potential exposure point if the communication channel itself isn’t protected.

Operators need communication platforms that are purpose-built for regulated environments. That means PCI DSS-aligned handling of payment-related conversations (in practice, keeping full card numbers and security codes out of chat transcripts altogether through masking or redirection to a hosted payment page, since PCI DSS forbids storing sensitive authentication data after authorization), encrypted channels for identity verification, and complete audit trails that satisfy regulatory requirements.

Vendors like Comm100 highlight the essential role of customer support in player protection, providing secure, omnichannel communication tools designed for industries with strict compliance requirements. Capabilities include on-premises deployment for operators who need full control over where player data is stored, and AI-powered automation that maintains compliance guardrails while handling common player queries.

On-premises deployment addresses one of the most pressing challenges in cross-border data protection. GDPR does not ban moving EU player data abroad, but it permits transfers outside the EEA only under a recognized mechanism, and a licensing authority may separately require certain records to stay within its jurisdiction. Cloud-only solutions hosted in the wrong region can therefore create compliance conflicts. On-premises (or in-jurisdiction) deployment options give operators the ability to meet data residency requirements without sacrificing the functionality of modern communication platforms.

Incident response planning

What separates a contained incident from a catastrophic one is often the quality of the incident response plan. Operators need documented, tested, and regularly rehearsed response protocols that cover breach detection, containment, regulatory notification (within the timelines mandated by each relevant jurisdiction, such as GDPR’s 72-hour window for notifying the supervisory authority under Article 33), player communication, and post-incident forensics.

Vendor risk management

Operators must extend their data protection strategy across their entire vendor ecosystem in 2026 and beyond. This means conducting security assessments of every vendor that touches player data, establishing contractual obligations around data handling and breach notification, and maintaining ongoing monitoring of vendor compliance.

AI compliance and automated decision-making

As operators deploy AI for fraud detection, player segmentation, VIP identification, and responsible gambling monitoring, GDPR Article 22 creates specific obligations. It restricts decisions based solely on automated processing that produce legal or similarly significant effects on a player, such as closing an account or blocking a withdrawal. Where such decisions are made, players have the right to meaningful information about the logic involved (Articles 13 to 15), to obtain human intervention, to express their point of view, and to contest the decision.

Operators using AI to flag players as potential problem gamblers or to restrict account access must ensure their systems meet transparency, explainability, and human oversight requirements.

Data subject rights in a regulated context

GDPR gives players the right to access their data, request its deletion, and port it to another service. These rights create operational challenges specific to iGaming. A player exercising the right to erasure may conflict with AML requirements that mandate retention of transaction records for years.

Operators must build processes that honor player rights where legally possible while documenting the regulatory basis for any refusal. GDPR itself supplies that basis for the AML case: Article 17(3)(b) exempts erasure where processing is necessary to comply with a legal obligation, so the correct response is usually partial, deleting data with no retention duty and stating which records are retained, why, and for how long. Getting this wrong risks enforcement from data protection authorities; getting it right builds the kind of transparency that earns player trust.
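As an added example (not code from the article or from Comm100), here is how an erasure handler can honor an Article 17 request while keeping what AML rules require: the profile and support transcripts are deleted, KYC files and transactions are kept under a keyed pseudonym with the legal basis and retention end recorded, and everything is deleted once the retention clock has run. The five-year period, the field names, the 365-day year and the HMAC key are assumptions for illustration; the real period comes from the applicable AML law and licence conditions, and the key would live in a KMS.

```python
"""Partial erasure under GDPR Art. 17 with an AML retention carve-out.

Added example. Retention period, field names and the pseudonymisation key are
illustrative assumptions; the sample player record is constructed.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Illustrative: the real period and its source come from the AML law and
# licence conditions of each jurisdiction the player transacted in.
AML_RETENTION_YEARS = 5
RETENTION_BASIS = ("GDPR Art. 17(3)(b): processing necessary to comply with the "
                   "operator's AML record-keeping obligation")
# Assumed to be held in a KMS/HSM and usable only by the compliance function.
PSEUDONYM_KEY = b"example-key-rotate-via-kms"


@dataclass
class PlayerRecord:
    player_id: str
    profile: dict          # name, email, marketing preferences
    kyc_documents: list    # KYC file references kept for AML purposes
    transactions: list     # amount/date/type; assumed to hold no direct identifiers
    support_chats: list    # transcript ids; no retention duty assumed here
    last_activity: date    # proxy for the end of the business relationship


def pseudonym(player_id: str) -> str:
    """Keyed hash: staff holding the key can re-link retained AML records for
    an investigation; nobody else can read an identity off them."""
    return hmac.new(PSEUDONYM_KEY, player_id.encode(), hashlib.sha256).hexdigest()[:16]


def retention_end(rec: PlayerRecord) -> date:
    # 365-day years keep the arithmetic simple; a real policy states exact rules.
    return rec.last_activity + timedelta(days=365 * AML_RETENTION_YEARS)


def process_erasure(rec: PlayerRecord, today: date | str) -> tuple[PlayerRecord | None, dict]:
    """Return (what remains in storage, the response record sent to the player
    and kept as evidence of how the request was handled).

    While the AML clock runs: erase profile and chats, retain KYC files and
    transactions under a pseudonym, and document the basis. After it has run:
    erase everything.
    """
    today = date.fromisoformat(today) if isinstance(today, str) else today
    until = retention_end(rec)
    response = {
        "player_id": rec.player_id,
        "received": today.isoformat(),
        # Art. 12(3): respond without undue delay and within one month.
        "respond_by": (today + timedelta(days=30)).isoformat(),
        "erased": ["profile", "support_chats"],
        "retained": {},
    }
    if today >= until:
        response["erased"] += ["kyc_documents", "transactions"]
        return None, response

    remaining = PlayerRecord(
        player_id=pseudonym(rec.player_id),   # identity detached from live systems
        profile={},
        kyc_documents=list(rec.kyc_documents),
        transactions=[dict(t) for t in rec.transactions],
        support_chats=[],
        last_activity=rec.last_activity,
    )
    response["retained"] = {
        "kyc_documents": len(rec.kyc_documents),
        "transactions": len(rec.transactions),
        "basis": RETENTION_BASIS,
        "retain_until": until.isoformat(),
    }
    return remaining, response


# Constructed sample record.
SAMPLE = PlayerRecord(
    player_id="P-1001",
    profile={"name": "Ada Example", "email": "ada@example.com", "marketing_opt_in": True},
    kyc_documents=["kyc-passport-2023.pdf", "kyc-utility-bill-2023.pdf"],
    transactions=[{"date": "2024-03-01", "type": "deposit", "amount": 200.0},
                  {"date": "2024-03-02", "type": "withdrawal", "amount": 50.0}],
    support_chats=["chat-7781", "chat-7790"],
    last_activity=date(2024, 6, 30),
)

if __name__ == "__main__":
    print(process_erasure(SAMPLE, "2026-01-15")[1])   # partial: AML clock still running
    print(process_erasure(SAMPLE, "2030-01-01")[1])   # full: clock has run out
```

The response record doubles as the audit trail a supervisory authority would ask for: when the request arrived, what was deleted, what was kept, under which provision, and until when. The pseudonym mapping should be restricted to the compliance function; if anyone with database access can re-link it, the retained records are not meaningfully detached from the player’s identity.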

Data Protection as a Competitive Advantage

The iGaming operators who treat data protection as a cost center will continue to face reactive, expensive consequences when breaches occur and regulations tighten. The operators who treat it as a strategic investment will build something far more valuable: player trust.

In a market where players have more choices than ever, the ability to demonstrate robust, transparent data protection practices becomes a genuine differentiator. Players are increasingly aware of data risks and increasingly willing to choose operators they trust with their personal information. Regulatory compliance isn’t just about avoiding fines; it’s about earning and maintaining the license to operate in the markets that matter most.

The path forward requires a combination of organizational culture, regulatory awareness, technology investment, and vendor accountability. No single tool or certification provides complete protection.

But operators who approach data protection holistically, embedding it into every layer of their operations from employee training to vendor contracts to the communication platforms their support teams use daily, will be the ones best positioned to grow sustainably in a market projected to nearly double in size by 2030.

Frequently Asked Questions

What are the biggest data protection risks for iGaming operators?


The most significant risks include the sheer volume and sensitivity of data collected during player onboarding, the growing sophistication of cyberattacks targeting both operators and their third-party vendors, the complexity of complying with overlapping and sometimes contradictory regulations across multiple jurisdictions, and the unique tension between privacy laws (like GDPR) and oversight requirements (like AML and KYC). The Fast Track CRM breach in October 2025 illustrated how a single vendor compromise can expose player data across multiple operators.

How does GDPR apply to online gambling platforms?


GDPR applies to any iGaming operator that processes personal data of EU residents, regardless of where the operator is headquartered. It requires lawful bases for data processing, transparency about how data is used, data minimization, purpose limitation, and robust security measures. Operators must also facilitate data subject rights including access, rectification, erasure, and portability. Non-compliance can result in fines of up to €20 million or 4% of global annual turnover, and cumulative GDPR fines have reached approximately €7.1 billion since the regulation took effect.

What is the conflict between GDPR and AML requirements in iGaming?


GDPR requires transparency about data processing, while AML regulations prohibit disclosing ongoing investigations to subjects. GDPR mandates data minimization, while KYC regulations require extensive data collection. GDPR grants data erasure rights, while AML laws mandate retention of transaction records for specified periods. Operators must navigate these contradictions by documenting the legal basis for each processing activity and maintaining clear policies about which obligation takes precedence in specific scenarios.

How can iGaming operators protect player data during customer support interactions?


Support interactions often involve sensitive data exchanges including identity verification, payment disputes, and responsible gambling disclosures. Operators should use communication platforms with PCI DSS compliance for payment-related conversations, end-to-end encryption for identity data, complete audit trails for regulatory accountability, and on-premises deployment options where data residency requirements demand it. Every interaction channel, whether live chat, email, messaging, or social, should maintain the same security standards.

What are the penalties for data protection violations in the iGaming industry?


Penalties vary by jurisdiction: GDPR fines can reach €20 million or 4% of global turnover; CCPA fines are $2,663 per unintentional violation and $7,988 per intentional violation; PIPEDA fines reach CAD $100,000. Beyond regulatory fines, operators face operational losses (MGM’s $100 million in 2023), class action settlements (MGM’s $45 million settlement), licensing consequences, and lasting reputational damage that drives player churn.

About Najam Ahmed

Najam is the Content Marketing Manager at Comm100, with extensive experience in digital and content marketing. He specializes in helping SaaS businesses expand their digital footprint and measure content performance across various media platforms.