TLDR
- France’s ANJ and CNIL released an updated GDPR guide for gambling operators covering casinos, online betting, and exclusive rights holders like FDJ and PMU.
- The guide clarifies that all data processing, even paper records, falls under GDPR and that sensitive data like health info needs extra safeguards.
- Operators cannot reuse data collected for responsible gambling purposes for marketing or other unrelated activities.
- Practical compliance steps include appointing a Data Protection Officer, mapping data flows, and publishing transparent privacy policies.
- A major section addresses how GDPR intersects with anti-money laundering and counter-terrorism financing obligations, requiring mandatory impact assessments.
France’s gambling regulator, the Autorité Nationale des Jeux (ANJ), has published an updated guide to help gambling operators comply with the General Data Protection Regulation (GDPR). The document was developed in partnership with the CNIL, France’s data protection authority.
The guide is aimed at casinos, online betting platforms, and exclusive rights holders such as FDJ and PMU. It is not a set of binding rules but rather a practical reference for aligning data practices with existing law.
What the Updated GDPR Guide Covers
The document opens with a breakdown of GDPR fundamentals. It defines what counts as personal data and explains that even basic actions like consulting a file or keeping paper records qualify as data processing under the regulation.
Sensitive data categories receive special attention. Health information and biometric identifiers require additional safeguards. Operators may only collect this type of data when justified by public interest, such as efforts to prevent pathological gambling.
One key point is that data collected for one purpose cannot be repurposed for another. The ANJ specifically states that files tracking players with excessive gambling habits cannot be reused for marketing offers.
The guide identifies operators as the “responsible party” for data processing. Service providers such as payment firms and IT hosts are classified as subcontractors with their own separate obligations.
Contracts between operators and service providers must clearly define responsibilities. This includes security measures, breach notification procedures, and data handling standards.
On the compliance side, the guide recommends several practical steps. Operators should appoint a Data Protection Officer (DPO) and map all data flows within their organizations.
Publishing a transparent privacy policy is also emphasized. Players should be able to understand how their data is collected, stored, and used.
Internal procedures for handling consent, security incidents, and player rights requests are recommended. The guide notes that operators must be prepared to respond when players exercise their GDPR rights.
Anti-Money Laundering Meets Data Protection
A large portion of the guide deals with the intersection of GDPR and anti-money laundering (AML) and counter-terrorism financing (CTF) rules. This is a particularly complex area for gambling operators.
Monitoring suspicious activity, identifying unusual payment patterns, and flagging high-risk customers all involve processing personal data at scale. The guide states that these processes must remain lawful, transparent, and secure.
Impact assessments are mandatory when data is used to detect or prevent money laundering. The ANJ and CNIL explain that the risks to individual rights in these cases are high enough to require formal evaluation.
Operators must document how they collect, store, and share information with authorities. Strong safeguards against misuse of this data are expected.
Contracts with third-party service providers in the AML chain must also meet GDPR standards. This applies to payment processors, IT hosts, and identity verification firms.
The guide also touches on the broader legal environment of French gambling. Operators must balance their commercial activities with state policy goals including preventing excessive play, protecting minors, and fighting fraud.
The updated guide was released on May 27, 2026, and is available as a reference document for all licensed gambling operators in France.
