Gambling Direct Marketing and Consent Requirements in the EU

Understanding the Regulatory Framework

Direct marketing in the EU gambling sector operates under a dual regulatory framework: general data protection and electronic communications law (GDPR and ePrivacy Directive), and gambling-specific regulations imposed by national licensing authorities. Operators must comply with both layers of regulation, with the stricter rule applying where requirements differ.

The European Commission's data protection framework establishes baseline consent requirements through the General Data Protection Regulation (GDPR) and the ePrivacy Directive (2002/58/EC). Under these instruments, electronic marketing communications require prior consent that is freely given, specific, informed, and unambiguous. The proposed ePrivacy Regulation, currently under negotiation, would update and strengthen these requirements.

Beyond general data protection law, EU gambling regulators have increasingly imposed sector-specific marketing restrictions that often exceed GDPR requirements. These restrictions reflect concerns about problem gambling and the potential for marketing to encourage harmful gambling behaviors among vulnerable populations. Operators looking to assess their overall compliance posture can use our Compliance Risk Assessor tool to evaluate regulatory requirements across multiple jurisdictions.

EU-Wide Consent Requirements Under GDPR

The GDPR establishes uniform consent standards across all EU member states. For gambling marketing purposes, operators must meet the following requirements:

Consent Must Be Freely Given

Players cannot be coerced or pressured into accepting marketing. Consent cannot be a condition of service provision or account registration. If operators bundle marketing consent with terms of service acceptance, the consent is likely invalid. The European Data Protection Board (EDPB) has issued guidelines clarifying that consent requests must be separate from other agreements and players must have a genuine free choice.

Consent Must Be Specific

Operators must obtain separate consent for different marketing channels. A single consent for "marketing communications" does not authorize email, SMS, and push notifications together. Best practice requires granular consent options allowing players to choose which channels they wish to receive communications through.

Consent Must Be Informed

Players must understand what they are consenting to before agreeing. This requires clear disclosure of what types of marketing communications will be sent, how frequently they will be sent, and how players can withdraw consent. The information must be provided in clear, plain language accessible to the average consumer.

Consent Must Be Unambiguous

Pre-ticked consent boxes are explicitly prohibited under GDPR. Consent must be demonstrated by a clear affirmative action, such as actively checking an unchecked box or clicking a specific opt-in button. Silence, inactivity, or continued use of a service does not constitute valid consent.

Right to Withdraw Consent

Players must be able to withdraw consent as easily as they gave it. Every marketing communication must include a clear and functional opt-out mechanism. For emails, this typically means an unsubscribe link. For SMS, a STOP reply option. Withdrawal requests must be processed promptly, generally within 48-72 hours at maximum.

Country-by-Country Direct Marketing Regulations

While GDPR provides baseline requirements, EU gambling jurisdictions have implemented varying additional restrictions on direct marketing. The following analysis covers major regulated markets:

Germany

Germany's Interstate Gambling Treaty (Glücksspielstaatsvertrag 2021) imposes comprehensive restrictions on gambling marketing, including direct communications. Under the GluStV framework, operators must maintain a "Sperrdatei" (blocking database) and cross-reference marketing lists against self-exclusion registers before sending any communications. Marketing to players identified as at-risk through behavioral monitoring is prohibited.

Push notifications are subject to specific restrictions under German law. Bonus promotions via push notification are generally prohibited, and operators must implement quiet hours during which no marketing notifications may be sent (typically 6am-9pm rule applies to advertising, with stricter guidelines emerging for push notifications). Failure to comply can result in regulatory action from the Gemeinsame Glücksspielbehörde der Länder (GGL).

Netherlands

The Kansspelautoriteit (KSA) has implemented strict marketing rules under the Koa (Remote Gambling Act). The KSA's official guidance prohibits untargeted bonus advertising and places restrictions on marketing frequency and content.

Direct marketing in the Netherlands requires explicit consent separate from account registration. Operators are prohibited from sending marketing to players who have activated deposit limits, cooling-off periods, or loss limits. The KSA has issued significant fines for marketing violations, with penalties reaching EUR 400,000 or more for systematic non-compliance.

For players registered on the Centraal Register Uitsluiting Kansspelen (CRUKS, the national self-exclusion database), all marketing must cease immediately upon registration. Sending marketing to CRUKS-registered players is a serious violation that can result in license conditions or revocation.

Spain

Spain's gambling regulator DGOJ (Dirección General de Ordenación del Juego) has implemented some of Europe's most restrictive direct marketing rules through Royal Decree 958/2020. Marketing communications to registered players are heavily restricted, and operators face significant limitations on promotional content.

Welcome bonuses can only be marketed during the first 30 days after registration. After this period, direct marketing of bonuses is prohibited. All marketing must include responsible gambling messages in a specified format, occupying at least 15% of the communication area.

SMS marketing for gambling is effectively prohibited in Spain. While technically possible with consent, the restrictions on content make commercial SMS campaigns impractical. Email marketing is permitted with consent but subject to frequency limitations and content restrictions.

Belgium

Belgium's 2023 gambling advertising reform implemented one of Europe's most comprehensive marketing bans. Under the new regulations, direct marketing of gambling services is largely prohibited, including email and SMS communications. The Belgian Gaming Commission (Commission des jeux de hasard) enforces these restrictions with significant penalties for violations.

Existing players who consented to marketing before the ban may still receive limited communications, but operators cannot acquire new marketing consents. The Belgian approach represents the strictest interpretation of gambling marketing restrictions in the EU and may influence other member states considering similar reforms.

Italy

Italy's Decreto Dignità (Dignity Decree) implemented a comprehensive gambling advertising ban in 2019. Direct marketing is included within the scope of this prohibition. Operators cannot send promotional emails, SMS messages, or push notifications to Italian players.

The Agenzia delle Dogane e dei Monopoli (ADM) enforces these restrictions. Transactional communications (account statements, withdrawal confirmations, regulatory notices) remain permitted, but any promotional content transforms a communication into prohibited advertising. The distinction between permitted transactional messages and prohibited marketing requires careful compliance review.

France

France maintains a regulated but restricted approach to gambling marketing under ANJ (Autorité nationale des jeux) oversight. Direct marketing requires explicit opt-in consent and must comply with general advertising restrictions including time-based limitations and content requirements.

Operators must maintain suppression lists including self-excluded players and those who have opted out of marketing. The ANJ has increasingly focused on marketing compliance and has issued warnings and fines for operators who fail to respect opt-out requests promptly or who send marketing to players showing signs of problem gambling.

Sweden

Sweden's Spelinspektionen (Swedish Gambling Authority) regulates marketing under the Gambling Act (2018:1138). Bonus offers can only be marketed to new customers within their first week of registration. Marketing to players who have set voluntary limits or requested self-exclusion via the Spelpaus system is strictly prohibited.

Swedish law requires operators to implement responsible gambling assessments that may restrict marketing to individual players based on their gambling patterns. If behavioral monitoring systems identify concerning patterns, marketing intensity must be reduced or eliminated for that player.

Malta

The Malta Gaming Authority (MGA) regulates marketing under its Player Protection Directive and associated guidelines. While Malta maintains a more permissive approach than some EU jurisdictions, operators must still obtain valid consent and respect opt-out requests. The MGA's compliance guidelines require operators to maintain suppression lists and implement marketing frequency controls.

Marketing to self-excluded players is prohibited, and operators must cross-reference marketing lists against their self-exclusion databases before sending communications. The MGA has issued sanctions for marketing violations, though generally as part of broader compliance failures rather than standalone enforcement actions.

Channel-Specific Requirements

Email Marketing

Email remains the most common direct marketing channel for gambling operators. Under EU law, commercial emails require prior consent regardless of any existing customer relationship. Unlike some non-EU jurisdictions that allow "soft opt-in" for existing customers, EU law requires explicit consent.

Required elements for compliant gambling marketing emails include: clear sender identification showing the licensed operator name, functional unsubscribe link that processes requests within a reasonable timeframe (typically 48-72 hours), responsible gambling messaging as required by the applicable jurisdiction, and no misleading subject lines that could constitute deceptive marketing.

Operators should implement preference centers allowing players to select marketing frequency and content types. This granular approach demonstrates respect for player choice and reduces unsubscribe rates while maintaining compliance.

SMS Marketing

SMS marketing faces the strictest restrictions across EU gambling jurisdictions. The immediate, intrusive nature of text messages has led regulators to impose enhanced protections.

Where SMS marketing is permitted (which excludes Belgium, Italy, and effectively Spain), operators must obtain specific consent for SMS communications separate from email consent. Messages must include clear identification of the sender and an opt-out mechanism (typically "Reply STOP to unsubscribe"). Many jurisdictions prohibit SMS marketing outside business hours, typically between 8am and 8pm local time.

The content of gambling SMS messages is restricted in most jurisdictions. Bonus offers, inducements to gamble, and time-limited promotions are often prohibited or heavily restricted. Transactional messages (deposit confirmations, verification codes, responsible gambling alerts) are generally permitted.

Push Notifications

Mobile app push notifications present unique compliance challenges. While technically requiring device-level permission to send, gambling regulators increasingly treat push notifications as equivalent to other direct marketing channels requiring explicit consent.

Germany's GluStV framework explicitly addresses push notifications, restricting promotional content and requiring responsible gambling messaging. The Netherlands' KSA has issued guidance treating push notifications as advertising subject to all applicable restrictions, including the prohibition on untargeted bonus marketing.

Best practice for push notification compliance includes: implementing granular notification preferences within the app, avoiding push notifications for bonus offers or time-limited promotions in restrictive jurisdictions, respecting quiet hours (typically no notifications between 11pm and 7am), and never sending push notifications to players who have activated responsible gambling tools.

Marketing to Vulnerable Players

A critical compliance area across all EU jurisdictions is the prohibition on marketing to vulnerable players. This includes:

Self-Excluded Players

Marketing to self-excluded players is prohibited throughout the EU. Operators must maintain real-time integration with both their own self-exclusion systems and national registers (CRUKS in Netherlands, OASIS in Germany, Spelpaus in Sweden, etc.). Any marketing communication to a self-excluded player represents a serious compliance failure that regulators treat as demonstrating inadequate player protection systems.

Players Using Responsible Gambling Tools

Many jurisdictions prohibit or restrict marketing to players who have activated deposit limits, loss limits, session time limits, or cooling-off periods. The rationale is that a player who has chosen to limit their gambling should not receive promotional communications encouraging them to gamble more.

Germany, Netherlands, and Sweden explicitly prohibit marketing to players with active limits. Other jurisdictions are moving in this direction. Operators should implement compliance systems that automatically suppress marketing to players using any responsible gambling tools. Our Compliance Checklist Generator can help operators identify all applicable requirements for their target markets.

At-Risk Players Identified Through Behavioral Monitoring

Modern responsible gambling requirements include behavioral monitoring systems that identify potentially problematic gambling patterns, including through harm reduction strategies. When such systems flag a player as at-risk, marketing intensity should be reduced or eliminated. Continuing to market aggressively to a player showing signs of gambling harm demonstrates inadequate duty of care and may result in regulatory action.

Enforcement and Penalties

Enforcement of direct marketing requirements comes from both data protection authorities and gambling regulators:

Data Protection Authority Enforcement

National data protection authorities enforce GDPR consent requirements. Penalties can reach EUR 20 million or 4% of global annual turnover, whichever is higher. While gambling-specific enforcement has been limited, several DPAs have indicated increased focus on high-risk sectors including gambling.

Gambling Regulator Enforcement

Gambling regulators impose penalties for violation of sector-specific marketing rules. The Netherlands KSA has issued fines exceeding EUR 400,000 for marketing violations. Spain's DGOJ can impose fines up to EUR 1 million for serious marketing breaches. Sweden's Spelinspektionen has sanctioned operators for marketing to self-excluded players. For an overview of potential penalties across jurisdictions, see our analysis of gambling operator fines and sanctions in the EU or use the Penalty Estimator tool.

Beyond monetary penalties, gambling regulators can impose license conditions requiring enhanced compliance measures, restrict marketing activities, or in serious cases revoke operating licenses. For more information about license enforcement, see our guide to gambling license revocation and enforcement actions. The risk of license action typically motivates compliance more effectively than financial penalties alone.

Compliance Best Practices

Operators seeking to maintain compliant direct marketing programs should implement the following practices:

Consent Management

Implement a robust consent management platform that records when, how, and for what purposes consent was obtained. Consent records should be easily retrievable for regulatory inspection. Review consent mechanisms regularly to ensure they meet current regulatory expectations, particularly as the regulatory landscape continues to evolve.

Suppression List Management

Maintain comprehensive suppression lists integrating opt-outs, self-exclusions, players with active limits, and players flagged by behavioral monitoring systems. Suppression lists should update in real-time and be applied before any marketing campaign deploys. Regular audits should verify suppression list integrity.

Content Compliance

Develop content templates that include required elements (responsible gambling messaging, unsubscribe mechanisms) for each jurisdiction. Marketing content should be reviewed against applicable regulations before deployment. Consider implementing approval workflows that include compliance sign-off for all marketing campaigns.

Channel-Specific Controls

Implement technical controls that prevent marketing through channels where consent has not been obtained or where channel-specific prohibitions apply. SMS and push notification systems should include jurisdiction-based logic that respects country-specific restrictions.

The Future of Gambling Direct Marketing in the EU

The regulatory trajectory across the EU points toward continued restriction of gambling marketing, including direct communications. The proposed ePrivacy Regulation, once adopted, may impose additional consent requirements that affect gambling marketing practices.

Several member states are actively considering or implementing new marketing restrictions. The Belgian model of near-complete prohibition may influence other jurisdictions. Operators should prepare for an environment where direct marketing capabilities become increasingly limited and compliance requirements increasingly complex.

Successful operators will likely shift toward permission-based relationship marketing that prioritizes player engagement over promotional intensity. Building trust through responsible communications, respecting player preferences, and demonstrating genuine commitment to player protection may become competitive advantages as regulatory restrictions continue to tighten. The rise of influencer marketing regulation shows how quickly new marketing channels become subject to regulatory oversight.