With Super Bowl LVIII fever gripping the US, millions of sports fans are flocking to mobile betting apps for a piece of the action. But beneath the thrill of the game lies a troubling reality: many users are unwittingly gambling with not just their money, but also their personal data. The latest Incogni research uncovers some concerning practices of the most popular betting services. DraftKings emerges as the frontrunner when it comes to extensive data collection, while Caesars stands out as the most generous when sharing users’ data with third parties.
For years, sports betting was heavily restricted due to multiple scandals. However, legislation enacted in the past decade has opened the possibility of making new bets across multiple states. Given the buzz around the 2024 Super Bowl, concerns over data privacy loom larger than ever.
Incogni, a personal data protection company, conducted research that sheds light on the data collection and sharing practices of the 7 most popular betting apps. Researchers analyzed 15 data-point categories to understand the scope of these practices and the risks involved for users. The findings are concerning: user data is extensively collected and shared, often without clear disclosure or transparency in privacy policies.
DraftKings emerged as the frontrunner when it comes to data collection by gathering 22 data points from users, including precise location, photos, videos, contacts, files, and messages. Close behind it are Caesars, Sky Bet, and William Hill, gathering 17 data points each, including sensitive information such as precise location, in-app search history, health information, purchase histories, and credit scores, which may extend to bank account, debt, and mortgage information. FanDuel follows with 14 data points, including precise and approximate location, as well as information on installed apps.
Caesars stands out for its extensive data-sharing practices. It shares 14 data points with third parties, including precise location and search history. Meanwhile, FanDuel shares “other info,” which, according to Google’s support pages, can include “any other personal information such as date of birth, gender identity, veteran status, etc.” Some data collection and sharing with third parties is understandable, as it is necessary to provide the service or process payments. Nevertheless, the number of data points involved seems excessive. Unfortunately, the privacy policies of many betting apps can be unclear, raising questions about what data is actually collected and shared.
Among all investigated betting apps, BetMGM claims not to collect or share any data. This is rare among betting apps, and might be attributed to the fact that Google can only partially monitor whether data collection or sharing disclosures are correct.
Given that data breaches and hacking attacks have affected more than half of the investigated apps, including BetMGM, FanDuel, DraftKings, and Caesars, the risks of giving up any data can be severe. These findings underscore the need for users to be cautious when engaging with betting apps, especially during events like the Super Bowl, where heightened activity may attract malicious actors seeking to exploit vulnerabilities in these platforms.
“As consumers increasingly rely on mobile applications for entertainment and engagement, it should be a priority for developers and regulatory bodies to protect user privacy and data security. Clear and transparent privacy policies, stricter data protection measures, and proactive steps to reduce the risks of data breaches are essential in building trust and confidence among users,” underlines Darius Belejevas, Head of Incogni.
Having identified the top sports betting platforms in the US and UK, Incogni researchers collected information about their apps from the Google Play Store. In cases where several apps were published by the same company or with similar names, apps used for sports betting were prioritized.