Compliance · 8 min read

Cookie Consent for iGaming and Online Gambling Sites

Licensed betting and casino operators answer to a gambling regulator and a data protection authority at the same time. Here's how to run cookie consent on an iGaming site without breaking marketing rules, affiliate tracking, or self-exclusion.

A licensed gambling operator answers to two regulators on the same page load. The gambling regulator (the UK Gambling Commission, the Malta Gaming Authority, a US state division, Ontario's iGaming body) polices how you market, verify age, and protect vulnerable players. The data protection authority (the ICO in the UK, a supervisory authority under GDPR) polices how you track those same players with cookies. Get the consent banner wrong and you can breach both at once: an ePrivacy violation on the tracking side, and a licence-condition breach on the marketing side.

iGaming sites also carry heavier tracking than almost any other vertical. Affiliate attribution, real-time odds personalisation, retargeting on high-value depositors, fraud and multi-account detection, and responsible-gambling monitoring all lean on cookies and third-party scripts. This guide covers how to keep that machinery running while staying compliant with both rulebooks.

Two regulators, one banner

The UK Gambling Commission's Licence Conditions and Codes of Practice (LCCP) don't mention cookies directly, but two conditions govern the marketing your cookies feed. Condition 5.1.11 requires operators to secure appropriate consent before sending direct electronic marketing, and condition 5.1.12 requires you to honour a customer's marketing preferences and stop when they opt out. The Commission's own guidance on gambling and GDPR makes the operator the data controller and reminds licensees that consent is one lawful basis among six, so behavioural profiling for marketing usually needs opt-in consent while fraud prevention and age checks can rest on legal obligation or legitimate interests.

The practical consequence: your marketing and analytics cookies need affirmative consent under both ePrivacy/PECR and the LCCP marketing conditions, but your KYC, fraud, and responsible-gambling cookies generally don't, because they serve a legal duty. Classifying each cookie against the right lawful basis is the whole job. Lump them together and you either block cookies you're legally required to run, or fire marketing pixels you had no consent for.

  • Consent required: retargeting pixels, affiliate marketing tags, ad-platform conversion tracking, behavioural analytics for personalisation and CRM segmentation.
  • Consent not required (necessary): session and authentication cookies, deposit-limit and self-exclusion state, age-verification session tokens, fraud and multi-account detection, and bet-slip state.

Affiliate scripts are your liability, not the affiliate's

iGaming runs on affiliates. Comparison sites, streamers, and tipsters send traffic and get paid on a revenue share or CPA, and that attribution depends on tracking scripts and cookies that fire on your domain. Under UK GDPR you are the controller for the personal data those scripts collect on your site (Article 24 puts that responsibility on you; Article 28 obliges you to have a contract with any processor behind the tag; Article 26 applies where the affiliate network also uses the data for its own purposes), even if an affiliate manager added the tag through a tag manager and you never reviewed it.

This is where gambling sites get caught. An affiliate postback pixel, a smartlink redirect script, or a partner's analytics tag loads before the banner resolves, drops an identifier, and you've processed personal data with no consent and no record of it. The fix is the same discipline you'd apply to any marketing tag: block affiliate and partner scripts until the visitor grants the marketing category, and keep an inventory so a new affiliate integration can't quietly add tracking you never signed off on.

Run a cookie scan across your landing pages, not the homepage alone. Affiliate landing pages and promo pages often carry a different, heavier tag set than the rest of the site because marketing teams build them fast. CookieBeam's scanner crawls those pages and flags new cookies and network connections when a partner integration changes.

Self-exclusion, age gates, and vulnerable players

Responsible-gambling rules add a wrinkle no other vertical has. If a customer has self-excluded (through GAMSTOP in the UK, or through your own operator-side scheme), you're required to stop marketing to them, and you must not use tracking to pull them back. That means a self-excluded player's status has to override every marketing pixel and retargeting audience, regardless of what they clicked on a cookie banner months earlier. Consent to marketing cookies does not override a self-exclusion; the exclusion wins.

Age verification runs before the customer becomes a customer. The LCCP's customer identity verification condition requires operators to verify age and identity, and the cookies that carry an age-gate session or a verification token are necessary, not marketing. Don't gate them behind consent. What you should gate is the analytics and ad tracking that would otherwise profile a visitor before you even know they're old enough to be there. Our age assurance and consent guide covers how age checks and consent interact without one breaking the other.

The takeaway: build the consent layer so responsible-gambling controls sit above marketing consent in precedence. A self-excluded or under-age visitor should never enter a marketing audience even if a cookie banner would otherwise allow it.
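As an added illustration of that precedence rule (example code, not CookieBeam's product code or any operator's platform): a consent gate that reads responsible-gambling status before it reads the banner choice, and only then applies category consent. The tag inventory, the field names on `consent` and `player`, and the `data-tag-id` script convention are assumptions made for the example.

```javascript
// Added example: a consent gate with responsible-gambling precedence.
// Not CookieBeam code; tag ids, categories and the player/consent field names are assumptions.

// Constructed tag inventory. Each tag maps to one consent category; 'necessary'
// covers the cookies that serve a legal duty and never waits for the banner.
const TAG_INVENTORY = [
  { id: 'session',            category: 'necessary', purpose: 'login session cookie' },
  { id: 'self_exclusion',     category: 'necessary', purpose: 'self-exclusion state' },
  { id: 'age_gate',           category: 'necessary', purpose: 'age-verification token' },
  { id: 'fraud_device',       category: 'necessary', purpose: 'multi-account detection' },
  { id: 'behavioural_ga',     category: 'analytics', purpose: 'behavioural analytics' },
  { id: 'retarget_pixel',     category: 'marketing', purpose: 'retargeting audience' },
  { id: 'affiliate_postback', category: 'marketing', purpose: 'affiliate attribution' },
];

// Decide whether one tag may fire on this page load.
//   consent: banner state, e.g. { analytics: true, marketing: false }
//   player:  live status from the operator platform, e.g. { selfExcluded: false, underAge: false }
// Returns { allowed, reason } so the reason can go into the consent log next to the decision.
function decide(tag, consent, player) {
  if (tag.category === 'necessary') {
    return { allowed: true, reason: 'necessary' };
  }
  // Responsible-gambling precedence: checked before the banner choice is read at all,
  // so a marketing "accept" recorded months ago cannot pull an excluded player back.
  // Strict design choice here: nothing non-necessary runs for an excluded or under-age visitor.
  if (player.selfExcluded) {
    return { allowed: false, reason: 'self-excluded' };
  }
  if (player.underAge) {
    return { allowed: false, reason: 'under-age' };
  }
  // Only now does the banner matter. A category missing from the state counts as denied.
  if (consent[tag.category] === true) {
    return { allowed: true, reason: 'consent:' + tag.category };
  }
  return { allowed: false, reason: 'no-consent:' + tag.category };
}

// Plan one page load: which tags fire, and why each blocked tag was blocked.
// Recompute on every load from live player status; never cache the plan in a cookie,
// because self-exclusion can start after the consent was given.
function planTags(inventory, consent, player) {
  const fire = [];
  const blocked = [];
  for (const tag of inventory) {
    const d = decide(tag, consent, player);
    if (d.allowed) {
      fire.push(tag.id);
    } else {
      blocked.push({ id: tag.id, reason: d.reason });
    }
  }
  return { fire, blocked };
}

// Browser side (not exercised outside a DOM): tags are authored as
//   <script type="text/plain" data-tag-id="retarget_pixel" src="..."></script>
// so the HTML parser never runs them; this swaps a live <script> in for approved ids only.
function activateTags(doc, plan) {
  const allowed = new Set(plan.fire);
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-tag-id]')) {
    if (!allowed.has(el.dataset.tagId)) continue;
    const live = doc.createElement('script');
    for (const attr of Array.from(el.attributes)) {
      if (attr.name !== 'type') live.setAttribute(attr.name, attr.value);
    }
    live.textContent = el.textContent;
    el.replaceWith(live);
    activated += 1;
  }
  return activated;
}

// Self-excluded player who accepted everything on the banner: marketing and analytics
// still stay blocked, necessary cookies still run.
const excludedPlan = planTags(
  TAG_INVENTORY,
  { analytics: true, marketing: true },
  { selfExcluded: true, underAge: false },
);
console.log(JSON.stringify(excludedPlan));
```

The ordering inside `decide` is the whole point: `player.selfExcluded` comes from the operator platform on every page load, so an exclusion that began after the player accepted marketing still wins, and a stored "accept" never gets a chance to re-enter them into a retargeting audience.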

Every jurisdiction, a different rulebook

Gambling is licensed market by market, and each market layers its own consent expectations on top of the local privacy law. A single operator brand might serve UK players under UK GDPR and PECR, Maltese and other EU players under GDPR and the Malta Gaming Authority framework, New Jersey and Pennsylvania players under US state privacy laws and division rules, and Ontario players under Canadian privacy law and iGaming Ontario standards. The consent posture that's legal in one is wrong in another.

EU and UK players expect prior opt-in: no non-essential cookies fire until they agree. US state players (California, and the growing list of opt-out states) expect an opt-out model with a clear "Do Not Sell or Share" path for ad-related data. Defaulting the whole world to one banner either over-collects in the EU or under-serves opt-out rights in the US. Geo-targeted consent, matching each visitor to the framework for their location, is the only sane way to run a multi-jurisdiction gambling brand. See our regional consent guide for how one configuration can serve GDPR opt-in and US opt-out from the same script.

Whatever the jurisdiction, keep a durable record of what each player consented to and when. Both gambling regulators and data protection authorities expect you to evidence consent on request. Our consent logging guide covers what a defensible record looks like.

Keeping attribution alive when players decline

Decline rates on marketing consent in EU markets run high, and for a business built on paid acquisition and affiliate CPA, that's a direct hit to attribution. Blocking a conversion pixel when a depositor said no to marketing cookies is correct, but it doesn't have to blind your reporting.

  • Server-side conversions. Send deposit and registration events to ad platforms server-to-server, keyed off a consented first-party signal instead of a browser pixel. Our server-side conversions and consent guide walks through doing this without leaking data you had no basis to send.
  • Consent Mode signals. When a player denies marketing storage, send the denied signals for ad_storage, ad_user_data, and ad_personalization (Consent Mode v2) rather than dropping the tag silently, so Google's conversion modelling can recover campaign-level visibility instead of losing the conversion entirely.
  • First-party CRM audiences. Build retargeting from your own consented customer data (registered players who opted in) rather than pixel-scraped website audiences.

The point isn't to claw back every declined signal. It's to make sure a legitimate decline degrades your measurement gracefully instead of silently corrupting it, and that you never re-target someone who opted out or self-excluded.
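The geo-targeted posture from the previous section, the Consent Mode signals above, and the durable consent record, as one added example (illustrative code, not CookieBeam's implementation or any operator's). The country and state lists, the Global Privacy Control handling, the field names, and the `bannerVersion` value are assumptions; the four Consent Mode signal names are Google's.

```javascript
// Added example, not CookieBeam code: starting consent state per jurisdiction,
// its Consent Mode v2 mapping, and the record to keep. Region lists are assumptions.

// Prior opt-in markets: EU member states, the rest of the EEA, and the UK.
// Nothing non-essential fires until the visitor grants it.
const OPT_IN_COUNTRIES = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU', 'IE',
  'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE', // EU 27
  'IS', 'LI', 'NO',                                                           // EEA
  'GB',                                                                       // UK GDPR + PECR
]);

// US states with an opt-out privacy law. Illustrative subset only; the real list belongs with legal.
const US_OPT_OUT_STATES = new Set(['CA', 'CO', 'CT', 'VA', 'UT']);

// Starting state for a page load.
//   saved: a previously recorded choice for this visitor, or null
//   gpc:   Global Privacy Control signal (navigator.globalPrivacyControl / Sec-GPC header)
function initialConsent({ country, usState = null, gpc = false, saved = null }) {
  if (saved) {
    // A recorded choice beats any default, in every jurisdiction.
    return { model: saved.model, analytics: saved.analytics, marketing: saved.marketing, source: 'saved' };
  }
  if (OPT_IN_COUNTRIES.has(country)) {
    return { model: 'opt-in', analytics: false, marketing: false, source: 'default' };
  }
  if (country === 'US' && US_OPT_OUT_STATES.has(usState)) {
    // Opt-out model: ad-related processing is on until the visitor says no.
    // A GPC signal is that "no" for the Do Not Sell or Share category.
    return { model: 'opt-out', analytics: true, marketing: !gpc, source: gpc ? 'gpc' : 'default' };
  }
  // Unknown or unmapped jurisdiction: the strict posture is the safe failure.
  return { model: 'opt-in', analytics: false, marketing: false, source: 'fallback' };
}

// Consent Mode v2 signal names: the three ad_* signals follow the marketing category,
// analytics_storage follows analytics. Denied signals still let Google model conversions.
function consentModeSignals(state) {
  const g = (ok) => (ok ? 'granted' : 'denied');
  return {
    ad_storage: g(state.marketing),
    ad_user_data: g(state.marketing),
    ad_personalization: g(state.marketing),
    analytics_storage: g(state.analytics),
  };
}

// The record to keep when a visitor makes a choice: what they saw, what they chose, when.
function consentRecord({ visitorId, state, jurisdiction, bannerVersion, now = new Date() }) {
  return {
    visitorId,
    jurisdiction,          // e.g. 'GB' or 'US-CA'
    bannerVersion,         // the banner text/version the visitor actually saw
    model: state.model,
    choices: { analytics: state.analytics, marketing: state.marketing },
    source: state.source,  // 'default', 'saved', 'gpc', or 'banner'
    recordedAt: now.toISOString(),
  };
}

// Browser-side usage (not run here): push the default before any tag loads, update on choice.
//   window.dataLayer = window.dataLayer || [];
//   function gtag() { dataLayer.push(arguments); }
//   gtag('consent', 'default', consentModeSignals(initialConsent({ country: 'GB' })));
//   ... after the banner ...
//   gtag('consent', 'update', consentModeSignals(chosenState));
console.log(JSON.stringify(consentModeSignals(initialConsent({ country: 'US', usState: 'CA', gpc: true }))));
```

Two details carry the weight. The fallback branch treats an unknown jurisdiction as opt-in, so a geolocation miss fails closed rather than firing marketing tags for a visitor who might be in the EU. And `consentRecord` stores the banner version next to the choice, because "what did the player actually see" is the question both regulators ask first.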

How CookieBeam fits an iGaming stack

CookieBeam is a consent management platform, so it handles the tracking-consent side of the dual rulebook, not your licence obligations, but it's built for exactly the mess gambling sites create.

  • Script blocking by category. Affiliate tags, retargeting pixels, and ad-platform conversion scripts stay blocked until the marketing category is granted, while session, KYC, fraud, and self-exclusion cookies are never blocked. Registration and deposit flows work identically whether or not a player accepts marketing.
  • Scanning across promo and affiliate pages. The scanner crawls landing pages where partner tags accumulate and flags new cookies and outbound connections when an integration changes, so a new affiliate can't add silent tracking.
  • Regional consent. One configuration serves UK and EU opt-in and US state opt-out, matching each player to their jurisdiction's framework.
  • Durable consent records. Every choice is logged with a timestamp and the banner version shown, which is the evidence both a gambling regulator and a data protection authority will ask for.

Responsible-gambling precedence (self-exclusion and age gates overriding marketing) has to be enforced in your player platform, above the consent layer. CookieBeam controls which tracking fires; your operator systems decide who is eligible to be marketed to at all.

Compliance checklist for gambling operators

  1. Map every cookie to a lawful basis. Marketing and personalisation need consent; KYC, fraud, age checks, and self-exclusion state are necessary and shouldn't be gated.
  2. Block affiliate and partner scripts until consent. You're the controller for anything that runs on your domain, including tags you didn't add, and you need an Article 28 contract with each processor behind them.
  3. Put responsible-gambling controls above consent. Self-excluded and under-age visitors must never enter a marketing audience, whatever a banner allowed.
  4. Honour LCCP marketing conditions. Secure consent before direct electronic marketing and stop the moment a customer opts out.
  5. Geo-target the banner. UK and EU get opt-in; US states get opt-out with a Do Not Sell or Share path.
  6. Recover attribution server-side. Use server-side events and Consent Mode signals so declines degrade reporting instead of breaking it.
  7. Log and scan continuously. Keep timestamped consent records and re-scan promo and affiliate pages so tag drift is caught before your next audit.