The Autorité Nationale des Jeux (ANJ), in collaboration with the Commission Nationale de l’Informatique et des Libertés (CNIL), has issued a revised guide to assist gambling operators in France with compliance regarding data practices under the General Data Protection Regulation (GDPR). Released in May 2026, the updated guidance aims to clarify existing regulatory expectations and offer practical advice for operators, including casinos, online betting platforms, and entities with exclusive rights like the Française des Jeux (FDJ) and Pari Mutuel Urbain (PMU). This update is significant as it addresses the unique intersection of commercial operations and state goals in the gambling sector, such as mitigating excessive gambling, safeguarding minors, and combating fraud and money laundering.
The guide begins by revisiting the core principles of GDPR, emphasizing the importance of understanding what constitutes personal data and the definition of “processing.” It underscores that even basic actions like consulting records or maintaining paper files are subject to GDPR regulations. Special attention is given to sensitive data types, such as health or biometric information, which require heightened protection and can only be collected when justified by public interests, like preventing gambling addiction. The ANJ emphasizes that all data collection activities must have a clear, legitimate purpose, and data collected for one purpose, such as monitoring excessive gambling, cannot be repurposed for marketing without explicit consent.
In the regulatory framework, operators are identified as the primary entities responsible for data processing, while entities like payment processors and IT service providers are considered subcontractors with distinct obligations. These responsibilities must be clearly outlined in contracts, covering aspects from security measures to breach notification procedures. Key compliance steps for operators include the appointment of a Data Protection Officer (DPO), comprehensive mapping of data flows, and the publication of transparent privacy policies. Operators are advised to develop internal protocols for managing consent, addressing security incidents, and responding to player rights requests. When high-risk practices are involved, such as player profiling or anti-money laundering (AML) monitoring, a thorough impact assessment is mandated.
The guide also dedicates a substantial section to the interplay between GDPR and AML as well as counter-terrorism financing (CTF) obligations. It describes how the processing of personal data is integral to detecting suspicious activities, identifying unusual payment patterns, and monitoring high-risk customers. Operators must ensure these processes are conducted lawfully and transparently, with robust security measures in place. The ANJ and CNIL stress that impact assessments are compulsory when data is utilized to prevent money laundering due to potential risks to individual rights. Furthermore, operators must meticulously record how they collect, store, and share data with authorities, implementing stringent safeguards against data misuse. Contracts with third-party service providers should delineate responsibilities to ensure compliance with GDPR standards, especially for payment processors, IT hosts, and identity-verification services.
The revised guidance reflects growing regulatory expectations for gambling operators, who must navigate complex requirements balancing commercial interests with stringent data protection and preventative measures. The ANJ’s and CNIL’s collaborative efforts highlight the importance of regulatory clarity in maintaining industry standards and protecting consumer rights within an increasingly digital landscape.
Looking ahead, French gambling operators are expected to implement these updated guidelines promptly to align with GDPR requirements while also meeting their AML and CTF obligations. The guidance serves as a foundation for the industry’s compliance efforts, with ongoing monitoring by the ANJ and potential adjustments in response to regulatory developments. As the regulatory environment evolves, operators must remain vigilant in upholding data protection standards to sustain market integrity and consumer trust.
Sarah Thompson is a seasoned writer specializing in casino gaming and online gambling. With over a decade of experience in the industry, Sarah brings in-depth knowledge and a keen eye for detail to her work at CasinoNoDeposits.com. Her expertise lies in uncovering the latest no deposit bonuses and providing comprehensive reviews of online casinos. Passionate about helping players maximize their gaming experience, Sarah combines her analytical skills with a flair for engaging storytelling.
4/5
