No Consent, No Limits? How the UK’s New Data Use and Access Act (“DUAA”) Could Let Gambling Firms Target Problem Gamblers

The new Data (Use and Access) Act (‘DUAA’), which received Royal Assent in June, amends the UK GDPR, the Data Protection Act 2018, and PECR. One of the key changes is the easing of the restrictions on using automated decision-making and profiling that significantly impact individuals, such as exploitative targeted ads delivered to vulnerable individuals.

Does this mean gambling companies could now push exploitative ads at problem gamblers, all under the guise of ‘legitimate interests,’ without needing their consent?

Targeted Ads and the Exploitation of Problem Gamblers

Problem gamblers (people battling with gambling addiction) are among the most vulnerable people in society. Unfortunately, modern advertising tools used by gambling companies, particularly targeted advertising powered by profiling, exacerbate this vulnerability.

This form of profiling relies on collecting vast amounts of data about how an individual engages with gambling services: How often they use them, how much they spend, what time of day they tend to gamble, and even behavioural cues such as rage-clicking or session duration.

Companies often supplement this with third-party data, allowing them to build detailed user profiles like “Impulse Bettor” or “Late-night Gambler.” Based on these profiles, they target problem gamblers with specific offers and targeted ads such as ‘Bet now, limited time’.

Under the prior legal framework, decisions based on profiling that had a legal or similarly significant effect were prohibited unless an exception applied (often explicit consent). The ICO and the EDPB noted that targeting vulnerable individuals (e.g., known problem gamblers) could meet that threshold in some cases.

The DUAA significantly relaxes the Article 22 prohibition: profiling based on automated processing that has legal or similarly significant effects will generally be allowed for non-special-category data, unless sensitive data such as health data is processed.

These changes raise concerns that profiling could be applied more broadly, potentially increasing the exposure of vulnerable individuals to exploitative, targeted ads.

The restrictions on targeted advertising to vulnerable individuals through profiling techniques under the previous version of the UK GDPR

Previously, Article 22(1) of the UK GDPR gave individuals the right not to be subjected to a decision based on automated processing, including profiling, if that processing or profiling produces legal effects or similarly significantly affects them.

As per the UK ICO’s Guidance, the use of profiling to serve targeted advertisements to vulnerable individuals, such as problem gamblers, may fall under the scope of Article 22 of the UK GDPR.

While the UK GDPR does allow three narrow exceptions to this prohibition, the only relevant exception for targeted advertising based on profiling is the individual’s explicit consent. This form of consent is more stringent than the standard consent described in Article 6; it requires a clear, affirmative statement from the individual, either in writing or orally, as outlined by the UK ICO’s Guidance on Consent.

The Data Act 2025, however, will weaken these safeguards.

How the DUAA 2025 changes the UK GDPR’s restrictions on automated decision-making and profiling

The new law will no longer impose a blanket restriction on taking decisions based on the use of automated decision-making and profiling that result in a legal or similarly significant effect on individuals, unless sensitive data, such as data concerning health, race, or gender, is processed. However, mandatory safeguards, such as the right to obtain human intervention, and other legal requirements under the UK GDPR still apply.

Put simply, the new law gives businesses much greater scope to use these techniques for non-special-category data.

Will these changes allow gambling companies to target problem gamblers with exploitative targeted ads without obtaining consent?

Under the new Act, gambling companies that use profiling to target problem gamblers with exploitative targeted ads will no longer be required to obtain explicit consent, unless they process sensitive personal data.

Given that gambling companies predominantly rely on non-sensitive data points such as an individual’s favourite games, preferred gambling times, and transactional history, they will likely avoid triggering restrictions related to targeted ads powered by profiling.

However, gambling companies will still need to rely on a lawful basis under Article 6 of the UK GDPR in order to collect customer data and build profiles for delivering targeted ads. In this context, the two most relevant legal bases are ‘consent’ and ‘legitimate interests’. Both of these bases impose a lower threshold than the requirement of explicit consent under Article 22.

In practice, the gambling companies will likely rely on ‘legitimate interests’ to build profiles of their existing customers and then serve exploitative targeted ads to their most vulnerable customers: problem gamblers.

Under the UK ICO’s Legitimate Interests Guidance, businesses may rely on ‘legitimate interests’ under UK GDPR to deliver targeted ads to existing customers, provided they conduct a balancing test weighing their commercial interests against individuals’ rights and vulnerabilities. Gambling companies may argue that profiling to target existing customers is justified on this basis.

Is it lawful for gambling companies to rely on legitimate interests under the UK GDPR to serve targeted ads to problem gamblers based on profiling?

While the gambling companies will likely choose to rely on legitimate interests, this legal ground would not be appropriate for the following reasons.

Firstly, the gambling companies largely rely on data collected through cookies and similar technologies to profile problem gamblers, which requires consent under the PECR. As per the ICO’s guidance on cookies, the secondary use of this collected data, such as for profiling and serving targeted ads, will likely require consent. Therefore, choosing legitimate interests would not be in line with the UK GDPR and the PECR.

Secondly, as noted by the ICO in its legitimate interest guidance, a marketing activity may fail the purpose test under the legitimate interest assessment if such marketing activity violates applicable ethical, legal and industry standards. Considering that the Gambling Commission’s Rule 5.1.6 and ASA Code 16.1 require gambling operators to be socially responsible and prohibit them from targeting vulnerable individuals, reliance on legitimate interests is unlikely to be appropriate.

How will this impact the way gambling companies serve exploitative ads to problem gamblers? 

Regardless of whether the gambling companies rely on legitimate interests or consent under Article 6 of the GDPR, the changes will allow them to serve exploitative ads to vulnerable problem gamblers more easily.

If they choose legitimate interests, gambling firms can proceed unless the individual actively objects. While individuals retain an absolute right to object to direct marketing under Article 21 UK GDPR, this puts the onus on them to take action rather than requiring the company to obtain explicit, opt-in consent upfront. By contrast, under the previous regime where Article 22 could apply, firms needed to demonstrate that they had secured a person’s explicit consent before engaging in significant profiling for advertising, providing a stronger, proactive safeguard for individuals.

If they choose consent under Article 6.1.a of the UK GDPR, they will not have to obtain a clear, affirmative consent statement from problem gamblers.

Conclusion: What the DUAA Means for GDPR Compliance in the Gambling Sector

The DUAA 2025 will likely make it easier for gambling companies to engage in intrusive profiling practices for the purpose of delivering exploitative ads to problem gamblers without having to obtain explicit consent.

Further secondary legislation and regulatory guidance are expected to follow, which will clarify how the DUAA’s revised automated decision-making provisions should be interpreted and implemented in practice.