Sector Analysis

Online Betting

Overview of the Sector & Data Collectors Evaluated

The online betting sector across Africa has expanded rapidly in recent years, particularly in East, Southern, and parts of West Africa, with countries such as Rwanda, Tanzania, Mauritius, Zimbabwe, Kenya, Uganda, Nigeria, Ghana, and Botswana emerging as important markets. This growth has been fuelled by increased internet connectivity, widespread mobile phone adoption, digital payment systems, and a rising interest in sports betting and online casino gaming, especially among younger populations.

Although the sector is relatively new in some jurisdictions, countries like Rwanda and Botswana have taken steps to formally license operators and introduce regulatory controls to manage online sports betting and casino activities. Tanzania and Kenya represent more established markets, where football betting dominates and a mix of local and international operators operate under sector-specific regulators such as the Gaming Board of Tanzania and Kenya's Betting Control and Licensing Board. Kenya, in particular, stands out due to its advanced mobile money ecosystem, which has significantly lowered barriers to participation.

Mauritius is often regarded as a mature and well-regulated betting market, with strong institutional oversight by the Gambling Regulatory Authority and a clear emphasis on compliance, consumer protection, and ethical standards. In Zimbabwe and Uganda, online betting, especially via mobile platforms, continues to grow steadily, supported by regulatory frameworks overseen by the respective Lotteries and Gaming Boards.

Meanwhile, Nigeria and Ghana represent some of the largest and fastest-growing betting markets in West Africa, driven by population size, high sports engagement, and increasing digital access, although regulatory enforcement and consistency remain ongoing challenges.

Across these countries, the online betting industry continues to grapple with common concerns such as problem gambling, underage participation, data protection, and regulatory enforcement. Nevertheless, demand for convenient, digitally accessible gaming services continues to drive market expansion, making effective regulation and responsible industry practices increasingly critical.

Analysis of Compliance With Each Criterion

The report in this sector includes data from 36 companies in total, with four (4) companies chosen from each country. These consisted of: Bet9ja, Bet365, Accessbet, and Betway Nigeria from Nigeria; Betpawa Ghana, 1xbet Ghana, Soccabet, and Betway Ghana from Ghana; Sunbet Botswana, PstBet Botswana, SportPesa Botswana, and BetXplosion from Botswana; Premierbet Rwanda, Africabet Rwanda, Gorilla Games, and BetPawa Rwanda from Rwanda; SportPesa Tanzania, Betika Tanzania, Bikosports, and SportyBet from Tanzania; Supertote, Stevenhills Mauritius, Totelepep Ltd, and William Hill from Mauritius; Bezbets, Africabet, Mrbet, and Pinnacle Sports from Zimbabwe; 1xbet Kenya, Betika Kenya, BetPawa Kenya, and SportPesa Kenya from Kenya; and 1xbet Uganda, Forbet, BetPawa Uganda, and 22bet Uganda from Uganda.

Findings - Online Betting Sector

Online Betting Sector - Nigeria

Bet9ja, Bet365, Accessbet and Betway Nigeria in Nigeria

Overall, the assessment reveals a pattern of uneven and fragmented compliance across the online betting companies reviewed. While all companies recorded very low levels of compliance with registration requirements under the national data protection regulator, indicating a fundamental gap in meeting baseline legal obligations, they simultaneously demonstrated varying degrees of maturity in their internal privacy frameworks. This divergence highlights a recurring theme across the sector: strong policy design and operational controls are not consistently matched by formal regulatory compliance and accountability mechanisms.

All companies made visible efforts to maintain accessible privacy policies. Bet9ja, Bet365, and Accessbet led in this area, each scoring 88%, while Betway Nigeria followed with 75%. These high accessibility scores reflect an industry-wide recognition that privacy notices are a minimum expectation in user-facing, data-intensive services such as online betting. However, accessibility alone does not equate to legal compliance, particularly in the absence of registration and transparency reporting.



Bet9ja emerges as a notable and somewhat unexpected leader in substantive privacy practices within the sector. Despite low regulatory registration compliance, the company demonstrates advanced data governance practices that exceed those of many traditional financial and digital platforms. Its privacy policy provides extensive contact information, including a dedicated data protection email address, customer service numbers, and physical office locations, strengthening accountability and user trust. The policy offers a detailed and granular account of the categories of personal data processed through betting operations, including identity verification documents, financial transaction records, betting history, device and location data, and behavioural analytics.

Importantly, Bet9ja clearly articulates the purposes of processing, which extend beyond service delivery to include fraud prevention, anti-money laundering compliance, responsible gambling monitoring, and adherence to regulatory obligations under the National Lottery Regulatory Commission. Bet9ja also demonstrates exceptional transparency regarding behavioural marketing, explicitly acknowledging the use of betting patterns and preferences for targeted promotions. The availability of opt-out mechanisms and clear explanations of user controls align closely with international data protection standards. Its third-party data sharing disclosures are equally robust, detailing relationships with payment processors, identity verification providers, responsible gambling organisations, regulators, and law enforcement, along with the legal justifications and safeguards governing such disclosures. The company further distinguishes itself by providing clear procedures for exercising data subject rights and escalating complaints, including pathways involving regulatory authorities.

Betway Nigeria also demonstrates relatively strong privacy compliance, with policies reflecting international best practices adapted to the Nigerian context. The company provides detailed contact information, explains the categories of data collected, and clearly links data processing to service delivery, fraud prevention, and regulatory compliance. Betway acknowledges third-party data sharing and provides users with access, correction, and complaint mechanisms. However, while its policy framework is sound, weaknesses remain in formal transparency reporting and regulatory registration, limiting full accountability.

Bet365 shows solid but less locally tailored compliance. Its privacy policy addresses most core criteria, including categories of data collected, basic third-party sharing disclosures, and standard data subject rights. However, compared to Bet9ja and Betway, Bet365 provides less Nigeria-specific detail, particularly regarding regulatory interfaces and local enforcement mechanisms. This suggests a reliance on global compliance templates rather than fully contextualised national implementation.

Despite relatively strong policy content among some operators, all companies performed poorly on third-party data sharing compliance in practice, with scores ranging from just 6% to 28%. This reflects persistent deficiencies in transparency around data flows, particularly where data is shared with advertisers, analytics providers, and external service partners. Such gaps directly undermine core data protection principles of transparency, purpose limitation, and accountability.

Similarly, while data security practices showed visible effort, particularly among Bet9ja and Betway Nigeria, none of the companies published transparency reports, and all recorded very low compliance in internal data breach resolution mechanisms. The absence of documented breach response frameworks and public accountability measures raises serious concerns about preparedness to meet breach notification obligations under data protection laws.

Accessbet demonstrates only moderate compliance. While it provides basic contact information, acknowledges the collection of personal data for betting purposes, and implements fundamental data subject rights, its privacy framework lacks depth. Key gaps include the absence of clearly defined retention periods, limited detail on third-party data sharing, and weaker articulation of accountability mechanisms. These shortcomings are reflected in its lower performance across several indicators.

Taken together, the findings indicate that the online betting sector exhibits a form of "policy-led but regulator-light" compliance. Companies such as Bet9ja and Betway have developed sophisticated internal privacy frameworks driven by operational risk management, international standards, and sector-specific regulatory pressures. However, the consistent failure to meet registration requirements, publish transparency reports, and formalise breach response processes exposes these companies to significant legal and regulatory risk.

To achieve full compliance with data protection laws, companies must align their strong internal practices with formal legal obligations, including registration with data protection authorities, clear documentation of third-party processing arrangements, and the establishment of robust breach detection, response, and notification mechanisms. Without these steps, even well-designed privacy policies will fall short of legal expectations and may not withstand regulatory scrutiny in an increasingly enforcement-driven data protection environment.

In sum, while parts of the sector demonstrate encouraging maturity in privacy governance, compliance remains partial and fragile, underscoring the need for stronger regulatory engagement and a shift from voluntary best practices to enforceable, end-to-end data protection compliance.

Online Betting Sector - Ghana

Betpawa Ghana, 1xbet Ghana, Soccabet and Betway Ghana in Ghana

Overall, the assessment shows uneven but emerging compliance among online betting companies operating in Ghana. While all companies demonstrated some effort to meet regulatory and privacy requirements, compliance remains fragmented, with strong performance in certain areas such as policy availability and security controls offset by persistent weaknesses in transparency, third-party data governance, and breach management.



All companies made efforts to comply with registration requirements under the national data protection framework. 1xBet Ghana and Betway Ghana are the strongest performers in this category, each achieving a perfect score of 100% and maintaining active registrations valid until 2026 and 2025 respectively. In contrast, BetPawa Ghana and Soccabet, while previously registered, currently hold inactive registration statuses due to expired certifications (November 3, 2023, and October 26, 2021, respectively), resulting in significantly lower effective compliance. This distinction has important legal implications: active registration signals formal accountability and regulatory oversight, whereas expired or inactive registrations expose companies to potential enforcement action under Ghana's Data Protection Act and weaken consumer trust.

All four companies publish privacy policies on their websites, reflecting baseline transparency. 1xBet Ghana and Soccabet lead in policy accessibility with scores of 88%, while BetPawa Ghana and Betway Ghana follow at 75%. However, visibility does not always align with usability. BetPawa Ghana's policy, while less prominent, is the most readable and concise (Hemingway grade 8; 376 words), making it more accessible to average users. By contrast, Betway Ghana's policy, though noticeable, is lengthy and difficult to read (grade 14; 3,214 words), potentially undermining meaningful user understanding. These variations highlight that accessibility and readability are as important as mere publication in meeting transparency obligations.

All companies made measurable efforts to recognise data subject rights. Betway Ghana (73%) and BetPawa Ghana (72%) performed best, offering relatively clear explanations of rights such as access, correction, and deletion. However, both impose conditions on certain rights, often linked to gambling regulations or anti-money-laundering (AML) obligations, which may limit practical enforceability. 1xBet Ghana (57%) recognises GDPR-like rights but omits key elements such as complaint mechanisms and clear retention timelines. Soccabet (23%) lags significantly, offering minimal recognition of user rights and reflecting weak alignment with data protection principles of fairness and user control.

All companies share personal data with third parties, yet compliance in this area remains consistently low, presenting one of the most significant risks under data protection law. Soccabet and Betway Ghana lead with only 34%, followed by 1xBet Ghana (24%) and BetPawa Ghana (12%). Although some companies identify categories of recipients such as payment processors, affiliates, regulators, and law enforcement, none provide comprehensive disclosure of the specific data types shared, safeguards applied, or reporting channels for misuse. This lack of transparency undermines core legal principles of purpose limitation, proportionality, and accountability under Ghana's Data Protection Act.

There were visible efforts to ensure data security across the sector. Betway Ghana performed best with 78%, supported by explicit measures including encryption, network security, authentication controls, and audits, alongside relatively strong technical indicators (B SSL rating; B security header score). BetPawa Ghana (67%) and 1xBet Ghana (61%) also demonstrate moderate security maturity, though both suffer from weak security header scores and insufficient policy detail. Soccabet, despite a strong SSL score (A), performs poorly overall (45%) due to inadequate policy disclosures and a failing security header score. These findings suggest that while encryption is widely implemented, broader security governance and transparency remain inconsistent.

All companies scored 0% for transparency reporting, as none have published transparency reports since 2024. This absence significantly weakens accountability and deprives users and regulators of insight into government requests, enforcement actions, or data breaches. Similarly, internal data breach resolution mechanisms are underdeveloped. BetPawa Ghana and Betway Ghana scored only 8%, referencing general compliance with security and data protection laws but failing to outline clear breach notification procedures or reporting channels. 1xBet Ghana and Soccabet scored 0%, offering no meaningful breach management frameworks. These gaps directly conflict with legal obligations to detect, report, and remediate breaches in a timely and transparent manner.

Taken together, the findings indicate that Ghana's online betting companies exhibit policy-driven but incomplete compliance. While accessible privacy policies, recognition of data subject rights, and basic security measures are increasingly common, critical elements of full legal compliance — active regulatory registration, transparent third-party data governance, breach response mechanisms, and public accountability — remain weak or absent. From a regulatory perspective, inactive registrations, opaque data sharing practices, and the absence of transparency reporting expose companies to enforcement risks under the Data Protection Act, 2012 (Act 843). From a consumer perspective, these gaps limit users' ability to understand, control, and seek redress for the use of their personal data.

To strengthen compliance and trust, companies must move beyond surface-level transparency and invest in end-to-end privacy governance, including maintaining active registrations, clarifying third-party data flows, publishing transparency reports, and implementing robust breach response and notification procedures. Without these measures, current improvements in policy accessibility and security will remain insufficient to meet legal standards or protect users in Ghana's rapidly expanding online betting market.

Online Betting Sector - Botswana

Sunbet Botswana, PstBet Botswana, SportPesa Botswana and BetXplosion in Botswana

The assessment of SportPesa Botswana, Sunbet Botswana, PstBet Botswana, and BetXplosion reveals uneven and largely incomplete compliance with data protection requirements. While some operators demonstrate partial efforts in policy accessibility, data security, and transparency, most fail to provide meaningful and comprehensive protections for users, particularly in areas central to accountability and risk management.



Visible efforts to maintain accessible privacy policies were observed among three of the four companies. SportPesa Botswana performed best with a perfect score of 100%, followed by PstBet Botswana (88%) and Sunbet Botswana (75%). These scores suggest that these operators recognise the importance of making privacy information visible and available to users. By contrast, BetXplosion scored 0%, as it provides no accessible privacy policy, representing a fundamental failure to meet basic transparency obligations under data protection laws.

All companies, except BetXplosion, made some effort to recognise data subject rights. SportPesa Botswana again led with 63%, followed by Sunbet Botswana (57%) and PstBet Botswana (39%), while BetXplosion scored 0%. Although these results indicate some awareness of rights such as access, correction, and deletion, the moderate scores suggest that mechanisms for exercising these rights are limited, unclear, or inconsistently implemented. This undermines the principle of user control that is central to modern data protection frameworks.

All companies were found to share personal data with third parties, yet compliance in this area is critically low across the sector. SportPesa Botswana, the strongest performer, scored only 26%, while PstBet Botswana scored 14% and Sunbet Botswana and BetXplosion both scored 0%. These findings highlight a widespread lack of transparency regarding who receives user data, for what purposes, and under what safeguards. Given the volume of sensitive financial and personal data processed in online betting, such deficiencies present significant compliance and consumer protection risks.

Visible efforts to ensure data security were observed, though with varying levels of maturity. SportPesa Botswana again led with a relatively strong score of 72%, followed by Sunbet Botswana (45%), PstBet Botswana (39%), and BetXplosion (33%). While these results suggest that technical safeguards such as encryption may be in place, lower scores for several operators indicate gaps in organisational measures, documentation, and ongoing security governance.

Transparency and breach preparedness remain major weaknesses. Sunbet Botswana was the only company to publish a transparency report, while all others lacked any such disclosure. However, even Sunbet scored poorly in internal data breach resolution, and all companies registered very low levels of compliance in this area. The absence of clearly defined breach response procedures, reporting channels, and notification commitments raises serious concerns about how these companies would respond to data incidents, contrary to legal requirements under Botswana's data protection framework.

Sunbet Botswana performs relatively better in the sector. It provides an accessible privacy policy, explains data collection purposes, and demonstrates some attention to security and pre-collection disclosures. However, it scores zero on third-party transfer transparency and breach resolution, meaning users remain unprotected once data leaves its systems or in the event of a breach.

PstBet Botswana shows mixed performance. While its privacy policy is accessible, it performs poorly on transparency indicators, leaving customers largely uninformed about how their data is shared and protected. Limited disclosure of third-party transfers, weak security governance, and the absence of internal breach resolution mechanisms significantly weaken its compliance posture.

SportPesa Botswana demonstrates stronger practices than most peers. It combines a fully accessible privacy policy with relatively good security measures and above-average pre-collection transparency. Nonetheless, it continues to allow poorly disclosed third-party data transfers and has not published any transparency reports since 2023. Like the other companies, it also lacks effective internal breach resolution mechanisms.

BetXplosion is by far the weakest performer. It provides no accessible privacy policy, no meaningful disclosures on data processing or third-party transfers, and minimal evidence of data security measures. Its zero scores for transparency and breach resolution reflect a near-total absence of privacy governance and pose severe risks to user data.

Overall, the online betting sector in Botswana is characterised by serious and systemic compliance gaps. While SportPesa and Sunbet show some effort in policy accessibility and data security, and PstBet demonstrates limited progress, these measures fall well short of the comprehensive protections required under data protection laws. BetXplosion's near-total non-compliance represents a particularly high risk for both users and regulators. Key areas requiring urgent attention across the sector include the establishment of robust internal breach resolution mechanisms, meaningful transparency reporting, and strict controls and disclosures around third-party data sharing. Without addressing these weaknesses, companies risk regulatory enforcement, reputational damage, and erosion of consumer trust in an industry that relies heavily on the processing of sensitive personal and financial data.

Online Betting Sector - Rwanda

Fortebet Rwanda, Africabet Rwanda, Gorilla Games and BetPawa Rwanda in Rwanda

The current assessment shows measurable progress in policy availability, data subject rights recognition, and security disclosures, alongside persistent structural weaknesses in transparency reporting, third-party data governance, and breach management. Compared to last year, the sector demonstrates incremental maturity rather than systemic transformation, with compliance improvements concentrated among a few operators while others stagnate or regress.

All companies assessed now have publicly available and noticeable privacy policies exceeding 200 words, reflecting baseline compliance with transparency obligations. ForteBet Rwanda leads with a perfect score of 100%, supported by a relatively concise and readable policy (1,133 words). Africabet Rwanda, Gorilla Games, and BetPawa Rwanda each score 88%, maintaining or improving on last year's performance — Africabet Rwanda and Gorilla Games remained consistent, while BetPawa Rwanda improved from 75%. However, usability remains uneven. Gorilla Games and BetPawa Rwanda have extremely long policies (over 4,700 words each) with higher readability grades (12–13), which may discourage meaningful user engagement despite their comprehensiveness. This reflects a continuing trend from last year: policy availability has improved, but user-friendly transparency remains limited.

Visible improvements were observed in the recognition of data subject rights. BetPawa Rwanda now leads with 71%, a dramatic increase from 18% last year, reflecting clearer articulation of rights such as access, correction, deletion, objection, portability, and complaint mechanisms. ForteBet Rwanda and Gorilla Games follow closely at 67%, with Gorilla Games improving from 56%.



In contrast, Africabet Rwanda's score dropped sharply to 16%, marking a regression from last year's moderate performance. This decline signals a shift toward a more compliance-minimalist approach focused on legal obligations rather than user empowerment. Overall, while leading companies now provide stronger rights frameworks, implementation gaps remain, particularly where rights are conditional, poorly explained, or unsupported by clear procedures.

As in last year's analysis, third-party data sharing remains the most problematic compliance area. All companies share personal data with third parties, yet scores remain low across the board. Gorilla Games again leads at 28%, unchanged from last year, followed by Africabet Rwanda (24%), a steep decline from 70%, BetPawa (16%), and ForteBet (14%). While BetPawa provides the most comprehensive list of third-party categories — including advertisers, payment processors, affiliates, and regulators — it still fails to specify the exact data types shared or breach reporting channels. ForteBet and Gorilla Games disclose broad categories of recipients but lack specificity and safeguards, while Africabet provides minimal detail. These recurring deficiencies, also highlighted in last year's assessment, continue to undermine compliance with principles of purpose limitation, transparency, and accountability under Rwandan law.

Data security practices show incremental improvement across all companies. Africabet Rwanda now leads with 78%, up from 72%, followed by BetPawa Rwanda (67%), a notable increase from 33%, ForteBet Rwanda (72%), and Gorilla Games (56%). Strong SSL ratings (A to A+) are common, and some improvement in security headers is evident. However, as last year, most policies remain high-level and non-technical, offering general assurances rather than detailed explanations of safeguards, access controls, or monitoring mechanisms. This limits users' and regulators' ability to assess actual security effectiveness, indicating that technical maturity is advancing faster than governance transparency.

None of the companies have published a transparency report since 2024. This results in a 0% score across the sector, unchanged from last year. The continued absence of transparency reporting reflects limited public accountability regarding government requests, enforcement actions, or data handling practices and remains one of the most entrenched weaknesses in the sector.

Internal data breach resolution mechanisms remain poorly developed, with only marginal improvements. Gorilla Games again leads with 17%, unchanged from last year, by acknowledging that breach procedures exist and that users and regulators will be notified when legally required, though without timelines or reporting channels. BetPawa Rwanda improved slightly to 8% from 0%, referencing legal compliance but offering no procedural detail. ForteBet Rwanda and Africabet Rwanda continue to score 0%, providing no guidance on breach detection, response, notification, or redress. As highlighted in last year's analysis, this deficiency poses a serious risk given the sensitive financial, identity, and behavioural data processed by betting platforms.

Taken together, the current findings indicate that Rwanda's online betting sector is slowly consolidating baseline privacy compliance, particularly in policy availability, security measures, and data subject rights among leading operators. BetPawa Rwanda now emerges as the strongest overall performer, while ForteBet Rwanda and Gorilla Games maintain relatively solid but incomplete frameworks. Africabet Rwanda, however, shows concerning regression in user rights and transparency.

Critically, the most serious weaknesses identified last year remain unresolved: poor transparency around third-party data sharing, the absence of transparency reports, and weak or non-existent breach response mechanisms. These persistent gaps expose companies to regulatory enforcement risks under Rwanda's Data Protection and Privacy Law and undermine consumer trust in a sector handling highly sensitive personal and financial data. To move from partial to meaningful compliance, companies must complement strong policies and security measures with clear accountability tools, including transparency reporting, detailed third-party disclosures, and robust breach management procedures. Without addressing these systemic shortcomings, progress in other areas will remain insufficient to ensure full legal compliance or effective user protection.

Online Betting Sector - Tanzania

SportPesa Tanzania, Betika Tanzania, Bikosports and SportyBet in Tanzania

The current assessment of Tanzania's online betting sector — covering SportPesa Tanzania, Betika Tanzania, SportyBet Tanzania, and Bikosports — shows continued strength in privacy policy accessibility and pre-collection transparency, alongside persistent and in some cases worsening weaknesses in third-party data sharing, transparency reporting, and breach response mechanisms. Compared with last year, the sector reflects incremental progress in user rights recognition and data security for some operators, but also regression in critical accountability indicators, suggesting uneven and fragile compliance maturity.

All companies demonstrate clear efforts to maintain accessible privacy policies. SportPesa Tanzania again leads with a perfect 100%, maintaining its top position from last year. Its policy remains highly readable (Hemingway grade 8) despite its length (3,687 words), striking a balance between comprehensiveness and usability. Bikosports and SportyBet Tanzania each score 88%, with Bikosports showing notable improvement from 63% last year, while SportyBet maintains its previous performance. Betika Tanzania continues to lag slightly at 63%, unchanged from last year.



This sustained performance indicates that baseline transparency through policy publication is now well established across the sector, representing a positive and stable compliance trend.

Considerable progress is evident in the recognition of data subject rights. SportPesa Tanzania leads with 81%, followed by Betika Tanzania at 76%, reflecting clearer articulation of rights such as access, correction, deletion, and objection. SportyBet Tanzania scores a moderate 59%, while Bikosports remains a weak outlier at 22%, suggesting minimal practical mechanisms for users to exercise their rights.

Compared to last year, this marks a general upward trajectory, particularly for SportPesa and Betika. However, the uneven performance highlights that rights recognition remains policy-dependent rather than sector-wide, limiting consistent user protection.

As in last year's analysis, third-party data sharing remains the most problematic compliance area. All companies share personal data with third parties, yet none score above 26%. Betika Tanzania leads marginally at 26%, improving from 10% last year, while SportPesa Tanzania, SportyBet Tanzania, and Bikosports each score 20%. Notably, SportPesa Tanzania declined sharply from 40% last year, and SportyBet Tanzania dropped from a relatively strong 70%, indicating regression in transparency and safeguards around third-party transfers. Although Bikosports improved from 10%, its overall performance remains weak. These trends confirm that opaque third-party data flows remain a systemic and unresolved risk, directly conflicting with the transparency and accountability requirements of Tanzania's data protection law.

In the area of data security, SportyBet Tanzania emerges as the strongest performer at 72%, improving significantly from 50% last year, supported by an A+ SSL rating. However, even SportyBet's policy remains high-level, lacking detailed explanations of technical and organisational safeguards. SportPesa Tanzania, Betika Tanzania, and Bikosports each score 39%, unchanged from last year, indicating stagnation in security governance despite handling sensitive financial and identity data. This pattern suggests that while technical infrastructure may be adequate, policy-level transparency and accountability around security controls remain underdeveloped.

As in the previous assessment, none of the companies have published a transparency report, resulting in a 0% score across the sector. This ongoing absence indicates limited public accountability regarding data requests, enforcement actions, or internal compliance practices.

Similarly, internal data breach resolution mechanisms remain extremely weak. Only Betika Tanzania references data breaches in its privacy policy, but without clear procedures, timelines, or reporting channels. The remaining companies make no meaningful provision for breach management. This lack of progress mirrors last year's findings and represents a serious compliance gap under Tanzania's Personal Data Protection Act, particularly given the sensitivity of betting-related personal and financial data.

Overall, Tanzania's online betting sector demonstrates strong and stable performance in privacy policy accessibility and pre-collection transparency, with incremental improvements in data subject rights and security among leading operators. SportPesa Tanzania and Betika Tanzania continue to set the pace in user-facing compliance, while SportyBet Tanzania shows meaningful improvement in security practices. However, the most critical weaknesses identified last year remain largely unchanged and in some cases have worsened, notably in third-party data sharing transparency, breach preparedness, and public accountability through transparency reporting.

These persistent gaps expose operators to regulatory enforcement risks and undermine user trust in an industry that processes highly sensitive personal and financial data. To achieve full and durable compliance, companies must move beyond accessible policies and technical safeguards to implement robust accountability mechanisms, including detailed third-party disclosures, clear breach response frameworks, and regular transparency reporting. Without addressing these systemic shortcomings, progress in other compliance areas will remain insufficient to meet the requirements of Tanzania's evolving data protection regime.

Online Betting Sector - Mauritius

Supertote, Stevenhills Mauritius, Totelepep Ltd and William Hill in Mauritius

The current assessment of Mauritius' online betting sector — covering William Hill Mauritius, Supertote, Stevenhills Mauritius, and Totelepep Ltd — reveals a persistent compliance divide between internationally established operators and smaller or less transparent platforms. Compared with last year, leading companies have consolidated their strengths in policy accessibility and security, while structural weaknesses remain entrenched across the sector, particularly in transparency reporting, third-party data governance, and breach response mechanisms.

As in the previous assessment, William Hill Mauritius and Supertote continue to lead in making privacy policies accessible to users, scoring 100% and 88% respectively. These results reflect sustained compliance and align with last year's findings, where both companies already outperformed their peers.



In contrast, Stevenhills Mauritius and Totelepep Ltd once again recorded 0%, indicating that neither company has a publicly available privacy policy. This unchanged outcome underscores a continuing failure to meet even the most basic transparency requirements under data protection law.

Performance on data subject rights largely mirrors last year's trends. Supertote and William Hill maintained relatively strong scores at 72% and 64% respectively, reflecting ongoing recognition of rights such as access, rectification, erasure, objection, and complaint mechanisms. Their policies provide at least one clear channel — typically via a Data Protection Officer — for users to exercise these rights.

By contrast, Stevenhills Mauritius and Totelepep Ltd continue to show no meaningful recognition of data subject rights, reinforcing their overall non-compliance. The lack of progress in this area signals a continued risk of rights violations and regulatory exposure.

All companies assessed share personal data with third parties, yet compliance remains weak across the sector, consistent with last year's findings. William Hill Mauritius improved slightly to 26% from 22%, while Supertote declined to 34% from 48%, indicating reduced clarity or safeguards around data sharing arrangements. The remaining companies again scored 0%, reflecting either non-disclosure or the absence of documented controls. Although William Hill and Supertote both outline categories of third parties such as service providers, regulators, financial institutions, and auditors, the disclosures remain broad. They generally fail to specify the exact data shared, individual recipients, or robust accountability measures, limiting compliance with the principles of transparency and purpose limitation.

Data security remains one of the stronger areas of compliance, with William Hill Mauritius improving to 72% from 61%, demonstrating increased attention to technical and organisational safeguards. Supertote, however, declined to 44% from 61%, suggesting stagnation or reduced emphasis on security governance. Stevenhills Mauritius and Totelepep Ltd each scored 33%, reflecting slight improvement or maintenance compared to last year but still indicating inadequate protection for sensitive betting and financial data.

While leading companies reference encryption, safeguards, and compliance frameworks, policy disclosures remain high-level, offering limited insight into internal security controls, monitoring, or incident response preparedness.

As in last year's assessment, none of the companies have published a transparency report, resulting in a 0% score across the sector. This persistent absence highlights limited public accountability regarding government requests, data access, or enforcement actions.

Similarly, internal data breach resolution mechanisms remain severely underdeveloped. Neither William Hill nor Supertote provides clear internal procedures, notification timelines, or multi-channel reporting mechanisms for data breaches. Stevenhills Mauritius and Totelepep Ltd offer no guidance at all. This unchanged situation represents a significant compliance gap under Mauritius' Data Protection Act, particularly given the sensitive nature of gambling-related personal and financial data.

Overall, the Mauritian online betting sector continues to exhibit a two-tier compliance landscape. William Hill Mauritius and Supertote demonstrate relatively mature privacy governance, with accessible policies, recognised user rights, defined retention periods, and references to legal safeguards. However, even these leading companies fall short in critical accountability areas, notably third-party data transparency, breach management, and public reporting.

Conversely, Stevenhills Mauritius and Totelepep Ltd remain largely non-compliant, with no visible progress since last year. Their continued failure to publish privacy policies, recognise user rights, or demonstrate security and accountability mechanisms exposes users to significant privacy risks and places the companies at high risk of regulatory enforcement and reputational harm.

In sum, while there has been incremental improvement among top performers, the core weaknesses identified in last year's analysis remain unresolved. Meaningful compliance will require not only accessible policies and security assurances, but also robust accountability frameworks, including transparency reporting, detailed third-party disclosures, and clearly defined breach response procedures. Without these reforms, user trust and lawful data processing in Mauritius' online betting sector will remain fragile.

Online Betting Sector - Zimbabwe

Ubuy Zimbabwe, Shumba Africa, Raines Africa and Tengai Online in Zimbabwe

The analysis shows incremental but uneven progress across all four companies in strengthening their privacy practices and alignment with data protection principles. As in the previous year, all companies demonstrated efforts to maintain accessible privacy policies, an essential baseline for transparency and lawful processing. Bezbets and Pinnacle Sports remain the clear leaders, sustaining perfect scores of 100%, consistent with last year's findings and reflecting mature disclosure practices. Africabet Zimbabwe maintained its strong position at 88%, while Mr Xbet recorded a notable improvement, rising from 63% to 88%, indicating a significant enhancement in the accessibility and clarity of its privacy policy documentation.



More substantive gains were observed in the area of data subject rights, which is central to compliance with modern data protection laws. Mr Xbet now leads in this category with a score of 76%, up from 64%, suggesting strengthened mechanisms for rights such as access, correction, and deletion. Pinnacle Sports also improved, moving from 68% to 73%, maintaining its consistently strong performance. Africabet Zimbabwe showed meaningful progress, increasing from 28% to 47%, though implementation remains partial. In contrast, Bezbets experienced a slight decline from 23% to 20%, highlighting a relative stagnation in operationalising user rights despite its strong policy transparency. This divergence suggests that policy availability is not always matched by effective rights enablement.

All companies continued to share personal data with third parties, yet compliance in this area remains weak overall, posing ongoing risks under data protection frameworks that require purpose limitation, accountability, and safeguards for onward transfers. While Bezbets and Pinnacle Sports jointly lead at 38%, this still represents less than half of expected compliance, despite improvement from last year's 24%. Africabet Zimbabwe and Mr Xbet also improved, from 10% to 32% and 20% respectively, but the low scores across the board indicate insufficient disclosure, contractual controls, or user-facing transparency around third-party data sharing.

With respect to data security, performance remained largely static. Pinnacle Sports continues to lead at 56%, consistent with last year and suggesting relatively stable technical and organisational safeguards. Africabet Zimbabwe experienced a regression from 50% to 45%, while Bezbets (33%) and Mr Xbet (22%) showed no measurable improvement. These results point to limited advancement in documented security measures, staff accountability, or risk management practices, which are core obligations under data protection laws.

Critically, and unchanged from last year, none of the companies published transparency reports or demonstrated the existence of internal data breach detection and resolution mechanisms. This persistent gap represents a major compliance and accountability weakness, particularly in light of regulatory expectations for breach preparedness, notification, and auditability.

Overall, while the year-on-year analysis reflects modest improvements, especially in privacy policy accessibility and data subject rights, the companies' privacy practices remain largely compliance-driven at a surface level. Deeper operational measures, particularly around third-party data sharing, security governance, and breach response, remain underdeveloped. Without addressing these structural deficiencies, the companies continue to face elevated legal, regulatory, and reputational risks under applicable data protection laws.

Online Betting Sector - Kenya

1Xbet Kenya, Betika Kenya, BetPawa Kenya and SportPesa Kenya in Kenya

The assessment reflects a mixed compliance trajectory among the four Kenyan betting companies, with notable progress in regulatory registration and selective improvements in privacy governance, alongside persistent structural gaps that continue to undermine full compliance with data protection laws.

A significant positive development compared to last year is compliance with national regulatory registration requirements. 1Xbet Kenya, Betika Kenya, and BetPawa Kenya each scored 100%, marking a substantial improvement from 0% previously. This shift indicates increased regulatory engagement and alignment with licensing obligations, which strengthens accountability and provides a foundation for lawful personal data processing. SportPesa Kenya, however, did not demonstrate similar progress in this area, suggesting continued regulatory risk.



All companies continued to make efforts to maintain accessible privacy policies, reinforcing baseline transparency obligations. Betika Kenya and SportPesa Kenya now lead with perfect scores of 100%, reflecting improved clarity and accessibility compared to last year, when Betika scored 88% and SportPesa already led the category. BetPawa Kenya maintained its position at 75%, while 1Xbet Kenya remained unchanged at 63%. While these scores suggest that privacy notices are largely in place, they do not, on their own, guarantee effective implementation of data protection principles.

More meaningful progress was observed in the operationalisation of data subject rights. SportPesa Kenya leads this category with 77%, up from 63%, indicating strengthened mechanisms for enabling user rights such as access, rectification, and deletion. Betika Kenya also improved slightly, rising from 69% to 73%. BetPawa Kenya recorded the most significant year-on-year improvement, increasing from 19% to 71%, suggesting substantial investment in rights management processes. In contrast, 1Xbet Kenya's score dropped sharply from 41% to 22%, highlighting a regression that raises concerns about the consistency and effectiveness of its rights-handling procedures.

As in the previous year, all companies shared personal data with third parties but demonstrated very low levels of compliance in this area. Overall performance either stagnated or declined, underscoring a persistent weakness in transparency, safeguards, and accountability for data transfers. Betika Kenya leads marginally at 28%, down from 30%, followed by SportPesa Kenya at 20%, also down from 30%. 1Xbet Kenya remained unchanged at 10%, while BetPawa Kenya declined further to 6%. These results point to ongoing risks related to inadequate disclosure of third-party relationships, insufficient contractual controls, and limited user awareness, all of which are critical requirements under data protection laws.

Efforts to ensure data security remained comparatively stronger, though performance was uneven. SportPesa Kenya continues to lead at 72%, despite a decline from 83%, suggesting that while safeguards exist, continuous improvement may be lacking. BetPawa Kenya showed marked progress, doubling its score from 33% to 67%, indicating enhanced technical or organisational security measures. Betika Kenya also improved modestly from 39% to 45%, while 1Xbet Kenya remained static at 61%. These results suggest that while data security receives greater attention than other compliance areas, it is not being uniformly strengthened across all companies.

Notably, and unchanged from last year, none of the companies published transparency reports or demonstrated internal data breach detection and resolution mechanisms. This ongoing absence represents a critical compliance gap, particularly given legal obligations around breach preparedness, notification, and accountability. The lack of progress in these areas significantly undermines overall privacy governance maturity.

In summary, the year-on-year comparison reveals tangible progress in regulatory registration, privacy policy accessibility, and, for some companies, data subject rights and security. However, persistent deficiencies in third-party data sharing practices, breach management, and transparency reporting continue to expose the companies to legal and regulatory risks. To achieve meaningful compliance with data protection laws, future efforts will need to move beyond formal documentation and address the operational and accountability mechanisms that underpin effective privacy protection.

Online Betting Sector - Uganda

1Xbet Uganda, Fortebet, BetPawa Uganda and 22Bet Uganda in Uganda

The performance of Ugandan betting companies reveals limited but notable progress in specific compliance areas, alongside persistent and systemic weaknesses that continue to undermine effective adherence to data protection laws. While incremental improvements are evident compared to last year, overall privacy governance across the sector remains underdeveloped.

A key development is progress in regulatory registration. Unlike last year, when none of the companies demonstrated compliance, 22Bet Uganda achieved full compliance with national regulatory registration requirements, scoring 100%. This marks a significant improvement from 0% and indicates increased regulatory accountability and a stronger legal basis for personal data processing. However, the remaining companies — Fortebet, BetPawa Uganda, and 1Xbet Uganda — continue to score 0%, suggesting ongoing non-compliance and heightened regulatory risk.



With respect to accessible privacy policies, performance remained largely unchanged from last year. Fortebet continues to lead with a perfect score of 100%, reflecting sustained transparency in policy availability. BetPawa Uganda maintained its score of 75%, while 1Xbet Uganda and 22Bet Uganda remained at 63%. These stable scores suggest that while baseline transparency through published privacy policies is established, progress has stalled, and accessibility alone has not translated into broader compliance improvements.

More encouraging developments were observed in the implementation of data subject rights. BetPawa Uganda recorded the most substantial improvement, rising from 29% to 68%, indicating enhanced recognition of user rights such as access, correction, and deletion. 22Bet Uganda also improved from 41% to 61%, suggesting more structured rights-handling processes. In contrast, Fortebet and 1Xbet Uganda experienced slight declines, falling to 53% (from 55%) and 45% (from 51%) respectively. These mixed results indicate uneven institutional commitment to embedding data subject rights into operational practices.

All companies continued to share personal data with third parties, but compliance in this area remains weak, despite some year-on-year improvements. 22Bet Uganda now leads with 34%, up from 10%, followed by BetPawa Uganda at 26% (up from 24%). Fortebet improved marginally from 0% to 16%, while 1Xbet Uganda declined significantly from 34% to 10%. The persistently low scores reflect insufficient transparency around the nature, purpose, and safeguards of third-party data sharing, posing ongoing risks under data protection laws that require accountability and user awareness.

Data security remains one of the stronger areas, though recent declines are notable. Fortebet maintained its lead at 72%, consistent with last year, suggesting relatively stable technical and organisational safeguards. However, both 1Xbet Uganda and 22Bet Uganda dropped sharply from 78% to 61%, raising concerns about stagnation or reduced emphasis on security measures. BetPawa Uganda improved from 33% to 50%, indicating increased attention to basic data protection controls, though gaps remain.

Despite these improvements, transparency and accountability mechanisms continue to be largely absent. None of the companies published transparency reports, and compliance with internal data breach detection and resolution mechanisms remains extremely low. BetPawa Uganda leads marginally at 17% (up from 0%), followed by 22Bet Uganda at 8% (up from 0%), while Fortebet and 1Xbet Uganda scored 0%. This persistent deficiency is particularly concerning given legal obligations related to breach notification, incident management, and accountability.

Overall, the year-on-year comparison demonstrates modest progress, particularly in regulatory registration, data subject rights, and limited aspects of third-party data sharing. However, these gains are outweighed by enduring weaknesses in regulatory compliance, breach preparedness, and transparency reporting. To meaningfully align with Uganda's data protection laws, companies will need to move beyond static policy disclosures and invest in robust governance structures, clearer third-party data controls, and effective incident response mechanisms. Without such reforms, user privacy remains insufficiently protected in a rapidly expanding digital betting market.
