GDPR and Gambling: the ANJ and the CNIL call time on the free-for-all regarding player data
The ANJ and the CNIL have published an ultra-strict GDPR guide that radically transforms the management of player data, with a direct impact on the Belgian market.
The National Gaming Authority (ANJ), in close collaboration with the CNIL, has just published its official practical guide dedicated to the processing of players’ personal data. Whilst the text states that it does not create new laws, it sets out an extremely strict framework for interpreting the GDPR as applied to online betting, casinos and gaming clubs.
For operators, database management can no longer be treated as a mere technical matter. They must strictly comply with the official guide or face heavy penalties (up to €20 million or 4% of global turnover).
Affiliate marketing and precision targeting
The sales and advertising aspect is undoubtedly the one that will require the most operational changes. Gone are the days of automatically adding new registrants to newsletter or promotional SMS lists.
The guidelines firmly reiterate that explicit consent (opt-in) is the only valid legal basis for any commercial marketing.
This consent must be:
- Separate: Acceptance of the terms and conditions of use (T&Cs) or the game rules does not constitute marketing consent.
- Active: Pre-ticked boxes at registration are now strictly prohibited.
- Transparent regarding affiliation: If the operator wishes to sell or pass on its player data to commercial partners, it must display a comprehensive, clickable list of these partners before the player ticks the box.
The timeline becomes stricter this summer. From 11 August 2026, French law will make consumer consent mandatory for all telephone marketing. Gaming operators will have to comply without exception.
Profiling of ‘excessive gambling’
This is the CNIL’s strongest stance in this document. The cross-referencing of behavioural data (frequency of deposits, betting peaks, behaviour in the face of losses, distress expressed to customer service) aimed at identifying an excessive or pathological gambler is now officially classified as the processing of health data.
This legal shift places these files within the category of “sensitive data” under Article 9 of the GDPR. The technical requirements for platforms are skyrocketing:
- Requirement to carry out a data protection impact assessment (DPIA).
- Enhanced encryption.
- Strict logging of staff access.
- Requirement for dual human verification (an algorithm cannot block a player on its own without an advisor analysing the profile).
The guide also establishes absolute data isolation. It is strictly forbidden to use the excessive gambling detection file to target or, conversely, exclude a player from a standard marketing campaign.
Belgium: clear convergence, sanctions already very real
For operators in the Belgian market, the guidelines in this French-specific guide ring a very familiar bell. The Belgian Gaming Commission (GC) already applies a similar philosophy, notably through the Itsme ecosystem and the EPIS self-exclusion system.
However, Belgium sometimes goes even further in its restrictions than its neighbours, notably with a total ban on bonuses and an automatic deposit limit of €200 per week.
Regarding the GDPR, the Data Protection Authority (APD) in Belgium is just as uncompromising as the CNIL on the unauthorised profiling of punters.
Anti-money laundering and data retention: the six-year conundrum
Finally, the document clears up the uncertainty surrounding the retention of identity documents and proof of assets, which are sometimes requested during anti-money laundering (AML) checks.
The GDPR is linked here to the Monetary and Financial Code: identity data, transaction details and gaming history must be retained in an interim archive for a strict period of six years from the date the player’s account is permanently closed. Once this statutory period has elapsed, the data must be deleted or fully anonymised.
Player data is valuable, but its management must serve solely the purposes of security, public protection and compliance, never the commercial exploitation of vulnerable profiles.

