France's Autorité nationale des jeux (ANJ) has published a practical compliance guide to help licensed gambling operators navigate the intersection of data protection law and sector-specific obligations. Developed in collaboration with the National Commission for Data Protection and Liberties (CNIL), the guide addresses persistent difficulties operators have encountered when reconciling the GDPR (General Data Protection Regulation, dated 27 April 2016) with requirements unique to the gambling sector.
Why the ANJ-CNIL GDPR Guide Was Needed
Licensed operators process substantial volumes of personal data as a matter of routine — from account creation through to marketing and risk monitoring. The tension arises when gambling law obligations, particularly around excessive gambling prevention and anti-money laundering (AML), create data processing requirements that sit uneasily alongside RGPD principles. The guide directly addresses that articulation.
What the 59-Page GDPR Compliance Guide Covers
GDPR vs. Gambling Law: The Core Tension
Under GDPR, data minimisation and purpose limitation are foundational principles — operators must collect only what is strictly necessary. Yet gambling regulation in France requires operators to retain detailed player behaviour records for AML audits (typically 5 years under Directive 2015/849) and to monitor play patterns for responsible gambling purposes. These overlapping mandates from different regulatory frameworks have historically lacked a unified interpretation, leaving compliance teams navigating conflicting guidance from separate authorities.
The document opens by recapping foundational data protection principles before diving into three specific themes. The following areas represent the operational contexts where RGPD compliance is most complex for licensed gambling operators:
- Player account management and commercial prospection
- Prevention of excessive or pathological gambling
- Anti-money laundering and counter-terrorism financing
The 59-page guide (925 KB, PDF) was consulted with all legal operators and formally reviewed by both the ANJ college and the CNIL college before publication.
The guide organises its compliance guidance across three operational themes, each presenting distinct challenges when RGPD principles are applied to gambling-specific obligations. The table below maps each theme to its primary regulatory tension and the corresponding gambling-sector requirement.
| Theme | Primary RGPD Challenge | Relevant Gambling Obligation |
|---|---|---|
| Player account management & commercial prospection | Consent validity, purpose limitation | Marketing authorization under ANJ licence |
| Prevention of excessive or pathological gambling | Data retention, profiling rules (Art. 22) | Mandatory play monitoring and self-exclusion registers |
| Anti-money laundering & counter-terrorism financing | Data minimisation vs. record-keeping | AML Directive retention and reporting requirements |
Together, these three themes cover the full lifecycle of player data — from first contact through to long-term record retention — and reflect the compliance areas where operators have historically received the least unified regulatory guidance.
Release Timing and Strategic Context for Operators
The ANJ published the guide two weeks before the start of the FIFA World Cup — a period of peak commercial prospection activity for operators. The timing is deliberate: marketing campaigns around major sporting events are precisely when data collection and player outreach practices face the greatest compliance scrutiny.
Pre-Tournament Compliance Window
Major sporting events like the FIFA World Cup trigger a surge in player acquisition campaigns, bonus offers, and retargeting activity — all of which involve significant personal data flows. Operators running email, SMS, or programmatic advertising campaigns should audit their consent mechanisms and data retention schedules before campaign launch, not after. CNIL has historically issued formal notices and fines following peak-period complaints, making pre-event compliance reviews a standard best practice in regulated markets.
Implications for Gambling Operators Under Dual ANJ-CNIL Oversight
The guide's dual-authority provenance — ANJ and CNIL — sends a clear signal that data protection compliance in gambling will be evaluated jointly. Operators who have treated RGPD obligations as secondary to gambling-specific rules should reassess their approach. With the World Cup imminent, this is an operationally urgent document, not a theoretical framework.
The joint publication also aligns with a broader European trend of gambling regulators coordinating more closely with data protection authorities. The Kansspelautoriteit has revised its affordability test guidelines in the Netherlands following similar tensions between player data obligations and proportionality requirements — a dynamic that resonates directly with the compliance challenges this ANJ-CNIL guide is designed to resolve.
According to ANJ.




