France’s gambling regulator has issued updated guidance explaining how data protection rules apply to licensed gambling operators, strengthening the link between the General Data Protection Regulation (GDPR) and sector-specific legal obligations. The document was produced by the National Gaming Authority (ANJ) in cooperation with the National Commission for Information Technology and Freedoms (CNIL) to help operators align compliance with both gambling law and data protection requirements.
The guidance responds to ongoing challenges faced by operators managing large volumes of player data while also meeting obligations linked to responsible gambling and anti-money laundering controls. It is intended to ensure personal data is processed lawfully while supporting consumer protection and financial crime prevention objectives.
The framework revisits core GDPR principles and applies them to gambling operations. It focuses on three areas: player account management and marketing communications, prevention of excessive gambling behaviour, and anti-money laundering and counter-terrorism financing obligations. Both ANJ and CNIL boards reviewed the document.
The guidance notes that operators process extensive datasets, including identification details, payment records, transaction histories, gaming activity, marketing interactions and behavioural indicators. As a result, strong governance over data handling is required.
Governance and Marketing Consent Rules
The guidance stresses accountability measures such as appointing data protection officers, mapping data processing activities, implementing privacy policies, maintaining registers and conducting impact assessments when necessary.
It also sets strict rules for marketing. Consent is required before any gambling-related promotional communication, regardless of channel, including email, SMS, phone, post and automated systems. Consent must be separate from account registration terms.
Operators must also obtain consent before sharing data with marketing partners, who must be clearly identified.
Cookies, Profiling and Responsible Gambling Controls
The regulator states that cookie use generally requires consent, except for essential technical functions. Refusing cookies must be as simple as accepting them.
Responsible gambling rules highlight that identifying risky behaviour may constitute processing health-related data. Operators may use algorithmic tools for risk assessment, but any restriction on players must be reviewed by a human. Profiling must be explained clearly, including criteria and consequences.
AML Controls, Data Retention and Player Rights
In relation to anti-money laundering and terrorist financing rules, the guidance confirms that data processing is primarily based on legal obligations. Operators may collect identity documentation, payment information, and transaction records, and may request additional evidence on the origin of funds when justified by alerts. However, such requests must be proportionate and cannot be applied systematically. The regulator specifically notes that bank statements and copies of payment cards are not generally justified for these purposes.
The document also outlines data retention timelines. Player account data governed by gambling regulation is typically retained for up to six years after account closure, while certain AML-related records must be kept for five years.
Finally, the guidance clarifies that some GDPR rights are limited in the AML context. Rights such as erasure, objection, and data portability may not apply where processing is required by law, while access rights are also restricted under specific anti-money laundering provisions.
Source:
“Personal data protection and gambling: a guide to good practices to support the compliance of gaming operators”, anj.fr, May 26, 2026
The post French Regulator Sets Out GDPR Standards for Gambling Sector first appeared on RealMoneyAction.com.
