The reality of data practices in online sports betting
With the 2024 Super Bowl approaching, enthusiasts are flocking to their favorite betting apps to place wagers on the game’s outcome. While betting was mainly restricted to dedicated locations like Las Vegas due to notable scandals, over the past decade new legislation has made sports betting legal across various states [1]. This has led to the popularization of betting apps.
Thanks to high-profile incidents like the 2022 breach of 1.5 million BetMGM user records, the data collection practices of the betting app industry (which is estimated to reach 52 million users by 2028 [2]) have been under increased scrutiny. Unfortunately, the privacy policies of many betting apps can be unclear. According to Google, it can only partially monitor whether data collection or sharing disclosures are correct [3].
Since betting apps deal with financial information, this raises the question: How much data do these platforms collect and what safeguards do they put in place to protect this data? Incogni’s researchers looked closely at the most popular sports betting apps taken from the Business of Apps [4] (the leading B2B media and information platform for the global app industry) to get to the bottom of it.
Online sports betting apps offer the convenience of placing bets from anywhere at any time. These apps offer live betting, bonuses, promotions, and more. Players generally grasp that financial losses, whether from gambling or other expenses tied to using specialized services, are part of online betting. However, what some users may overlook is that they also pay for this form of entertainment with their data.
- DraftKings collects the most data (22 data points), including your precise location, photos, videos, contacts, files, and docs. It even collects data about other installed apps and messages.
- Caesars, Sky Bet, and William Hill tied for second place (17 data points), all collecting data that includes purchase history.
- Sky Bet gathers health information as well as users’ credit scores, which may extend to information about bank accounts, debts, and mortgages.
- FanDuel collects a total of 14 data points. These include precise and approximate location, photos, and installed apps.
- Caesars stands out as the most data-sharing app (14 data points reach third parties). This includes precise location and in-app search history.
- BetMGM claims not to collect or share any data, which seems unlikely.
- More than half of the investigated apps, including BetMGM, FanDuel, DraftKings, and Caesars, have been directly or indirectly affected by a data breach or hacking attack.
Our research team examined 7 popular betting apps, analyzing 15 data-point categories to understand the scope of data collection and sharing practices. Our intent is to gain a better understanding of the risks involved in using these apps.
In most cases, online sports betting apps only address data issues if “discrepancies” appear. This doesn’t mean that these practices are illegal. According to Google, “[i]n some cases, developers do not need to disclose data as ‘collected,’ even if the data technically leaves your device.” This means that you may have little recourse should your data end up in the wrong hands [5].
We’ve already mentioned the potential misuse of personal information, but that’s not all that’s at risk. These apps will ask you for specific financial information to withdraw your winnings. After all, many of these apps exist to facilitate financial transactions [6].
Overview of betting platform apps
There’s a notable range in the amount of data collected and shared between these sports betting apps despite them all serving the same basic function. Out of the 7 apps we analyzed, our research team found that only 1 (BetMGM) claimed not to collect any data. This seems unlikely as most of the apps collect financial data as they handle betting transactions. The remaining 6 collect an average of 16 data points. However, Google Play seems to have little control over what is being reported by developers, which only deepens concerns over what information might actually be collected.
Furthermore, the average doesn’t fully capture the fact that there’s a difference of 13 data points between the app that collects the most data (DraftKings, at 22 data points) and the app that collects the least (bet365, at 9 data points). This suggests that betting can be facilitated through the collection of just 9 data points or fewer.
Given that these apps process money, we can reasonably expect that they would collect some personal and financial details. What’s of particular interest is the data they collect beyond that.
We found that DraftKings collects data from photos, files, docs, and contacts. Bet365, on the other hand, gathers app and precise location information from its users. FanDuel collects data through your precise location, photos, and apps. Caesars and William Hill gather it from precise locations, photos, and videos. Sky Bet stands out for its interest in a greater variety of user data. Sky Bet even gathers health information, as well as users’ purchase histories and credit scores, which may extend to information about bank accounts, debts, and mortgages.
Having seen what data reaches developers, let’s look at what reaches third parties.
On average, the apps we investigated (except BetMGM, which claims to collect no data) share 6 data points with third parties.
Caesars stands out as the app that shares the most data: 14 of its 17 collected data points reach third parties. We observed that Caesars shares precise location and in-app search history. In contrast, Sky Bet indicates that none of the 17 data points it collects reach third parties.
The second most “generous” app is FanDuel, which shares 11 of its 14 collected data points. Alongside users’ precise location, it also shares in-app search history.
DraftKings and William Hill were found to each share 8 data points with third parties. We observed users’ approximate location and purchase history among the data points shared by DraftKings. The William Hill app was found to share in-app search history.
Lastly, bet365, which shares only 2 data points, was found to share data on installed apps with third parties.
Purpose of sharing and collecting data
Developers are required by Google Play to disclose what information they collect and share on their apps’ data safety pages.
Now that we understand what data reaches the developers and other parties, let’s look at the reasons given for sharing this data:
When it comes to the purposes given for sharing user data (represented above), fraud prevention makes up a fourth of all purposes, followed by analytics at 24%. App functionality comes up 18% of the time while advertising or marketing is cited 13% of the time.
When collecting data (not represented in the chart), app functionality covers 23% of all purposes while fraud prevention constitutes 21%. This means that these two together account for almost half of all purposes developers gave for collecting user data. They were followed by analytics (17%) and account management (15%). We also found that advertising or marketing makes up 11% of all stated data-collection purposes.
When looking at purposes given for handling user data, we found that some companies do share sensitive data with third parties for advertising or marketing:
- FanDuel and DraftKings share approximate locations.
- DraftKings shares names, email addresses, phone numbers, and purchase history.
- FanDuel also shares “other info” with third parties for marketing purposes. According to Google’s support pages, this can include “[a]ny other personal information such as date of birth, gender identity, veteran status, etc.” [5]
Breaches and data mishandling
We found that you don’t need to give up too much data to place bets on sporting events. However, the risks of giving up any data can be severe. The full impact of doing so is felt when a platform you use experiences a data breach.
We found that more than half of the companies behind the apps we investigated were directly or indirectly affected by a data breach.
- BetMGM was hacked around May 2022 and had the personal information of 1.5M users breached. The information included names, email addresses, and phone numbers [7].
- FanDuel’s customer emails and names were accessed by hackers after a mail service provider was breached in early 2023 [8].
- DraftKings experienced a data breach in late 2022, wherein unauthorized parties accessed information about 68K users. The information included names, addresses, phone numbers, and email addresses [9].
- Caesars’ parent company, Caesars Entertainment, had customer data stolen from a compromised third-party IT vendor. The company decided to pay half of the ransom for the stolen data, which has not been leaked as of writing [10].
While not breached, we also found that Sky Bet sent marketing emails to users who had opted out of receiving such material. This has been called a breach of the General Data Protection Regulation (GDPR) in the European Union, and legal action against the betting platform was explored [11].
Data breaches are scary. They can leave users with a loss of trust, financial damages, or even having their identity stolen. As betting apps gain traction, it’s crucial to recognize that convenience comes with risks. This is why it is unwise to blindly entrust sensitive financial data to these platforms.
This is proven by the alarming frequency of data breaches. Our findings shed light on the lack of transparency and accountability in the industry. For example, we found that some betting apps may not reliably report the data they collect. While legislators prioritize safeguards and regulatory measures, it’s up to users to first consider whether placing bets online is worth identity theft or greater financial loss.
Having identified the top sports betting platforms in the US and UK, Incogni researchers collected information about their apps from the Google Play Store. In cases where several apps were published by the same company or with similar names, apps used for sports betting were prioritized.
Incogni researchers then noted what user information the selected apps collected and shared and for what purposes on January 22, 2024.
The data used in this study is available here: Public dataset.
Note on data:
Some apps’ Google Play Store pages could only be accessed from specific regions. Furthermore, for every data point collected or shared, the developer needs to indicate at least one purpose for handling the data. The collection (or sharing) of a single data point can have several purposes ascribed to it.
1. Forbes. “Where is sports betting legal? A guide to all 50 states.” Accessed January 8, 2024. https://www.forbes.com/sites/willyakowicz/2024/01/08/where-is-sports-betting-legal-america-2022/?sh=7f8d4725440a.
2. Statista. “Online sports betting – United States.” Updated November 2023.
3. Android Developers. “Declare your app’s data use.” Accessed January 31, 2024.
4. Business of Apps. “Sports betting app revenue and usage statistics (2024).” Updated January 8, 2024.
5. Google Play Help. “Understand app privacy & security practices with Google Play’s data safety section.” Accessed January 31, 2024. https://support.google.com/googleplay/answer/11416267?hl=en&co=GENIE.Platform%3DAndroid.
6. Google Play. “BetMGM – Online Sports Betting.” Updated October 27, 2023.
7. SecurityWeek Network. “BetMGM confirms breach as hackers offer to sell data of 1.5 million customers.” Accessed December 23, 2022.
8. Bleeping Computer. “FanDuel warns of data breach after customer info stolen in vendor hack.” Accessed January 22, 2023. https://www.bleepingcomputer.com/news/security/fanduel-warns-of-data-breach-after-customer-info-stolen-in-vendor-hack/.
9. Bleeping Computer. “DraftKings warns data of 67K people was exposed in account hacks.” Accessed December 19, 2022. https://www.bleepingcomputer.com/news/security/draftkings-warns-data-of-67k-people-was-exposed-in-account-hacks/.
10. TechCrunch. “Caesars Entertainment says customer data stolen in cyberattack.” Accessed September 14, 2023. https://techcrunch.com/2023/09/14/caesars-entertainment-data-breach-cyberattack/?guccounter=1.
11. iGaming Business. “Sky Betting and Gaming fined £1.17m over self-exclusion breaches.” Accessed March 2022.