July 9, 2025
HOW DIGITAL IDENTIFICATION PROTECTS BETTING SITES FROM GDPR FINES
by: Identyum

An increasing number of betting sites are requesting user identity verification, but the real question is: how are they doing it, and how secure are their methods? A recent case in Croatia highlighted the severe consequences that can result from improper handling of personal data. The Croatian Personal Data Protection Agency (AZOP) imposed a fine of €175,000 on a sports betting site for asking users to send a copy of their ID via email, without a secure system for document transmission.

Such practices not only pose a high risk of identity theft and data misuse but also represent a serious violation of GDPR. Below, we explain why emailing ID documents is insecure and how digital identification offers a fast, simple, and compliant solution.

GDPR Fine Imposed on Betting Site

According to AZOP, the sports betting site collected a wide range of personal data for user identification and account verification on its website. When users requested their first payout, it asked for the user’s full name, date of birth, personal identification number (OIB), place and date of ID issuance, residential address, document number, and a copy of the ID card. This processing took place without adequate technical safeguards, in breach of fundamental principles of the General Data Protection Regulation (GDPR).

The inspection revealed multiple deficiencies:

  • Weak employee passwords: Some staff devices were protected by passwords of as few as three characters, leaving user data open to unauthorized access.
  • Unsecured access to personal documents: Those weakly protected devices were used to access email accounts containing personal data and scanned ID documents of numerous users.
  • Use of insecure connections (HTTP): The administrative platform was accessed over unencrypted HTTP, so credentials and personal data could be read by anyone on the network path.

Additionally:

  • Personal data was not deleted after the retention period, breaching Article 5(1)(e) of the GDPR.
  • No data backups were performed, despite the site processing the data of over 70,000 users. The betting site cited cost as the reason for not implementing backups, which AZOP rejected as an unacceptable justification.

Why Is Sending ID Documents by Email Risky?

Emailing ID documents exposes users to considerable risks:

  • Data leakage: Emails can be intercepted in transit or read by anyone who gains access to a mailbox. In this case, employees could reach inboxes containing thousands of scanned IDs from inadequately secured devices, which significantly raised the risk of both internal and external leaks.
  • Identity theft: A scanned ID gives a malicious actor most of what is needed to impersonate the holder. AZOP has warned of cases where scammers used such documents to forge contracts or commit fraud.
  • Loss of trust: Users are increasingly aware of privacy risks. Companies that request sensitive documents over insecure channels risk damaging their reputation and losing customers who question the security of such procedures.

GDPR-Compliant Personal Data Protection

Beyond the ethical and reputational risks, the GDPR, and the Croatian law implementing it, require companies to protect the personal data they process. Since it took effect in 2018, Article 32 of the GDPR has required appropriate technical and organizational measures to secure personal data, including encryption, access controls (which in practice means strong authentication), and the ability to restore availability after an incident, i.e. backups, while Article 5 adds the principles of data minimization and storage limitation. Storing and transmitting scanned documents without such protection is a serious breach of these obligations.

Failing to invest in data security today can result in exponentially higher costs tomorrow, through penalties, lawsuits, or customer attrition. Regulatory authorities, such as AZOP, have made it clear that poor practices will be sanctioned.


How Can Betting Sites Verify Identities Without Risk?

How can betting sites and other businesses verify users remotely while protecting their data and ensuring regulatory compliance? The answer lies in the adoption of trusted digital identification systems.

Modern technology enables identity verification through secure digital channels, eliminating the need to send scanned IDs via email. Mobile apps and web portals for digital identification offer users a safe and intuitive remote verification experience. These systems can:

  • Verify document authenticity: Automatically check whether an ID is genuine and valid (e.g., by analyzing its security features and machine-readable zone).
  • Extract and validate key data: Pull information such as name, address, OIB, and date of birth, and cross-check it against official registers where one is available, to confirm accuracy.
  • Confirm identity attributes as needed: For example, verify that the user is over 18, which is critical for betting sites. These services also enable selective disclosure, so a company receives a confirmation of a specific attribute (such as age) without ever seeing the full document. This enhances user privacy and follows the data minimization principle.
  • Securely store and provide access to data: Once verification is complete, the company receives structured data (or just a verification confirmation) over an authenticated, encrypted interface. There is no need to keep JPG or PDF copies in email inboxes, so the data stays in one access-controlled system with a defined retention period instead of being scattered across mailboxes.
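The selective-disclosure point above is easiest to see in code. The following is an added example, written for this page and not Identyum’s product code, showing the salted-hash disclosure pattern used by SD-JWT: the issuer signs only digests of the claims, the user’s wallet forwards just the “over 18” disclosure, and the betting site can verify that single attribute without learning the date of birth, OIB, or address. The issuer name, the sample identity record, and the use of an HMAC tag in place of a real asymmetric issuer signature are assumptions made so the example runs with the standard library alone.

```python
"""Selective disclosure of one identity attribute ("over 18") with salted
hash disclosures in the style of SD-JWT.

Parties:
  issuer   - the identity-verification service that inspected the ID document
  holder   - the user's wallet app
  verifier - the betting site, which only needs to learn whether the user is 18+

ASSUMPTION: an HMAC-SHA256 tag stands in for the issuer's asymmetric
signature so the example needs only the standard library; in production the
verifier would check the issuer's public-key signature instead.
"""
import base64
import hashlib
import hmac
import json
import secrets
from datetime import date

ISSUER_KEY = b"demo-issuer-key-not-for-production"   # constructed sample key
ISSUER_ID = "https://issuer.example"                 # hypothetical issuer name


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sd_digest(disclosure: str) -> str:
    """Digest that binds one salted disclosure into the signed payload."""
    return b64url(hashlib.sha256(disclosure.encode()).digest())


def is_over_18(dob: date, today: date) -> bool:
    """True once the person born on `dob` has had their 18th birthday."""
    try:
        eighteenth = dob.replace(year=dob.year + 18)
    except ValueError:  # born on 29 Feb: birthday falls on 1 March in non-leap years
        eighteenth = dob.replace(year=dob.year + 18, month=3, day=1)
    return today >= eighteenth


def _canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue(claims: dict, key: bytes = ISSUER_KEY) -> tuple[dict, list[str]]:
    """Issuer side. Each claim becomes base64url(JSON([salt, name, value]));
    only sorted digests of those disclosures go into the signed payload,
    so the payload reveals neither claim values nor claim order."""
    disclosures = []
    for name, value in claims.items():
        salt = b64url(secrets.token_bytes(16))  # fresh salt defeats guessing of values
        disclosures.append(b64url(json.dumps([salt, name, value]).encode()))
    payload = {"iss": ISSUER_ID, "_sd": sorted(sd_digest(d) for d in disclosures)}
    tag = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}, disclosures


def present(signed: dict, disclosures: list[str], reveal: set[str]) -> dict:
    """Holder side: forward the signed payload plus only the chosen disclosures."""
    chosen = [d for d in disclosures if json.loads(b64url_decode(d))[1] in reveal]
    return {"signed": signed, "disclosures": chosen}


def verify(presentation: dict, key: bytes = ISSUER_KEY) -> dict:
    """Verifier side: check the issuer tag, then accept only disclosures whose
    digest the issuer signed. Returns the disclosed claims; raises on tampering."""
    signed = presentation["signed"]
    expected = hmac.new(key, _canonical(signed["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        raise ValueError("issuer signature check failed")
    allowed = set(signed["payload"]["_sd"])
    claims = {}
    for d in presentation["disclosures"]:
        if sd_digest(d) not in allowed:
            raise ValueError("disclosure not covered by issuer signature")
        _salt, name, value = json.loads(b64url_decode(d))
        claims[name] = value
    return claims


def demo(today: date = date(2025, 7, 9)) -> dict:
    """End-to-end run; returns exactly what the betting site learns."""
    record = {  # constructed sample identity data, not a real person
        "given_name": "Ana", "family_name": "Horvat",
        "date_of_birth": "2004-05-17", "oib": "00000000001",
        "address": "Ilica 1, Zagreb",
    }
    record["over_18"] = is_over_18(date.fromisoformat(record["date_of_birth"]), today)
    signed, disclosures = issue(record)
    presentation = present(signed, disclosures, reveal={"over_18"})
    return verify(presentation)


if __name__ == "__main__":
    print(demo())
```

Running the script prints `{'over_18': True}`: the verifier never receives the date of birth, OIB, or address, yet a forged or edited disclosure is rejected because its digest is not among those the issuer signed. The age check is done by the issuer against a reference date, so the verifier also does not need to compute anything from the date of birth.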

Identyum: A Leader in Digital Identification

It is important to emphasize that such solutions are already available on the Croatian market. Identyum specializes in digital identification and digital identity and offers these services as ready-to-use solutions. Implementation is typically flexible and is done by integrating an API or SDK into the betting site’s web platform or mobile applications. This lets even smaller betting sites bring their identity-verification security up to the level of banks and financial institutions, which have long used these services for online client onboarding.

The cost of such services does not represent a significant burden when compared to potential fines or damages resulting from data breaches. The use of digital identification can lead to long-term cost savings through process automation, reduced manual data entry, and fraud prevention.

The fine issued by AZOP is more than a warning to one betting site. It’s a call to action for the entire industry to re-evaluate its data protection practices. Sending personal documents via email is not only outdated, but also legally non-compliant and puts users at risk.

Now is the time for betting sites (and all organizations handling user verification) to adopt secure, digital, and regulation-compliant identity verification solutions that protect both users and businesses.