When you sell raffle tickets online, you’re collecting personal data from your supporters. Under UK GDPR, getting data protection wrong can result in hefty fines and serious reputational damage. This comprehensive guide explains exactly what you need to do to stay compliant whilst running successful online raffles.
In This Guide
- What Data You’re Collecting
- Your Legal Basis for Processing
- Privacy Policy Requirements
- Marketing Consent Rules
- Data Storage and Security
- Data Protection Impact Assessments (DPIAs)
- International Data Transfers
- Handling Data Subject Rights
- Record-Keeping Requirements
- Working with Third-Party Platforms
- Data Retention and Deletion
- Children’s Data Considerations
- What to Do If Something Goes Wrong
Key Takeaways
- Collect only the minimum data necessary to run your raffle
- You need different legal bases for ticket sales, running draws, and marketing
- Marketing emails require opt-in consent — pre-ticked boxes don’t count
- Privacy policies must clearly explain your data practices
- Data breaches must be reported to the ICO within 72 hours if there’s risk to individuals
What Data You’re Collecting
Every online raffle ticket sale involves collecting personal data. Typically, this includes names, email addresses, phone numbers, postal addresses, and payment details. Under GDPR’s data minimisation principle, you must collect only what’s necessary for your specific purpose.
For most raffles, you'll need:
- Full name (to identify the winner)
- Email address (for confirmation and results)
- Phone number (to contact winners)
- Payment information (processed by your payment provider)
For most raffles, you won't need:
- Date of birth (unless age verification is legally required)
- Detailed address (unless physical prize delivery is needed)
- Marketing preferences for future events (collect these only with explicit consent)
Pro Tip
Review your ticket purchase form regularly. Remove any fields that aren’t absolutely necessary for running your raffle or delivering prizes.
Your Legal Basis for Processing
GDPR requires a legal basis for every piece of data you process. For online raffles, you’ll typically need three different legal bases. Understanding these requirements is part of ensuring you run your online raffle legally in the UK:
| Purpose | Legal Basis | Example |
|---|---|---|
| Ticket sales | Contract | Processing payment and issuing tickets |
| Running the draw | Contract | Conducting the draw and delivering prizes (part of the ticket purchase contract) |
| Marketing | Consent | Sending newsletters about future events |
Most raffle organisers need all three bases for different aspects of their operation. The key is being clear about which basis applies to each activity and communicating this in your privacy policy.
Privacy Policy Requirements
Your privacy policy must be clear, accessible, and comprehensive. It should include:
Your Identity
Who you are, your contact details, and your role as data controller.
Data Collection
What data you collect and why you need it for each purpose.
Legal Basis
Your legal basis for processing different types of data.
Retention
How long you keep data and when you delete it.
Individual Rights
How people can access, correct, or delete their data.
Marketing Consent Rules
This is where many organisations go wrong. The rules on electronic marketing come from the Privacy and Electronic Communications Regulations 2003 (PECR), which works alongside UK GDPR. PECR specifically governs email, SMS, and automated telephone marketing. You cannot automatically add raffle ticket buyers to your mailing list. Marketing consent must be:
- Explicitly given (not assumed)
- Freely given (not conditional on entering the raffle)
- Informed (people know what they’re signing up for)
- Specific (separate consent for different types of marketing)
Compliant Marketing Consent
- Unticked checkbox by default
- Clear explanation of what emails they’ll receive
- Easy unsubscribe option in every email
- Separate from raffle entry process
Non-Compliant Practices
- Pre-ticked marketing boxes
- Bundling marketing consent with raffle entry
- Vague language about “updates and offers”
- Complicated unsubscribe processes
The Soft Opt-In Exception
PECR includes an important exception: if someone bought a raffle ticket from you, you can email them about similar products and services (such as future raffles and fundraising events) without fresh consent. This “soft opt-in” applies provided you: (1) collected their email during a sale, (2) gave them a clear opportunity to opt out at the point of purchase, and (3) include an unsubscribe link in every message. This doesn’t cover unrelated marketing or sharing data with third parties.
Remember the distinction between transactional emails (ticket confirmations, draw results) and marketing emails (newsletters, future event promotions). You don’t need consent for transactional emails related to the raffle they’ve entered.
GDPR-Compliant Marketing Consent Wording Examples
Use clear, specific language for marketing opt-ins. Here are compliant examples:
Email Marketing Consent
“I would like to receive emails about future fundraising events and raffles from [Organisation Name]. I understand I can unsubscribe at any time using the link in any email.”
SMS Marketing Consent
“I consent to receiving SMS updates about this raffle and future events from [Organisation Name]. Standard message rates apply. Reply STOP to opt out.”
Social Media Marketing
“I agree to [Organisation Name] featuring my participation in this raffle on social media (Facebook, Instagram, Twitter). This may include sharing my name if I win.”
Data Storage and Security
You must protect the personal data you collect with appropriate security measures. For small organisations, this means:
- Using secure, password-protected systems
- Limiting access to data on a need-to-know basis
- Regular password updates and strong password policies
- Keeping software and systems up to date
- Having a clear desk policy for printed materials
Important
Avoid storing sensitive data in basic spreadsheets or unsecured cloud storage. If you must use spreadsheets, ensure they’re password-protected and stored securely.
Data Protection Impact Assessments (DPIAs)
A Data Protection Impact Assessment (DPIA) is required when your online raffle processing is “likely to result in a high risk to the rights and freedoms of individuals”. For most small charity raffles, a DPIA isn’t required, but you should conduct one if you’re:
- Processing large amounts of personal data (thousands of entries)
- Using automated profiling or targeting systems
- Processing children’s data
- Using new or innovative technology platforms
- Combining data from multiple sources
How to Conduct a DPIA
Describe the Processing
Document what data you’re collecting, why, and how you’ll use it.
Assess Necessity and Proportionality
Confirm you’re only collecting data that’s essential for your raffle.
Identify Risks
Consider what could go wrong and how it might affect individuals.
Implement Safeguards
Put measures in place to reduce identified risks.
International Data Transfers
If you use global platforms like Facebook, MailChimp, or PayPal, you’re likely transferring data outside the UK/EEA. This requires additional safeguards:
Adequacy Regulations
The UK recognises some countries as having adequate data protection. Currently, this includes the EU, New Zealand, and several others. Check the ICO website for the current list.
UK Transfer Mechanisms (IDTA or UK Addendum)
For transfers to countries without adequacy regulations (like the US), ensure your platform provider uses the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses. These replaced the old EU SCCs for UK transfers in March 2022. Most reputable platforms have updated their contracts accordingly.
Pro Tip
Before choosing any platform, ask them to confirm their data transfer safeguards and provide copies of relevant contractual clauses.
Handling Data Subject Rights Requests
Individuals have several rights under GDPR. You must have procedures to handle these requests within one month:
Right of Access (Subject Access Request)
People can request copies of their personal data. You must provide:
- All personal data you hold about them
- How you obtained it
- Why you’re processing it
- Who you’ve shared it with
- How long you’ll keep it
Practical Example
Sarah bought 10 raffle tickets and now wants to see what data you hold. You must provide her ticket details, payment information, any marketing preferences, and explain your legal basis for keeping this information.
Right to Rectification
If someone’s data is inaccurate, they can request corrections. This is straightforward for contact details but more complex for historical records like payment transactions.
Right to Data Portability
For data processed based on consent or contract, individuals can request their data in a commonly used format. For raffle entries, this might mean providing their ticket purchase history in CSV or PDF format.
Practical Example
A regular supporter wants to move their raffle participation history to a different platform. You should provide their purchase history, preferences, and contact details in a structured format they can easily import elsewhere.
Record-Keeping Requirements
You must maintain detailed records to demonstrate GDPR compliance. This documentation should include:
| Record Type | What to Document | Retention Period |
|---|---|---|
| Processing activities | What data you collect, legal basis, purposes | Current + 3 years |
| Consent records | When, how, and what consent was given | Until withdrawn + 3 years |
| Data breach incidents | What happened, impact, remedial action | Indefinitely |
| DPIA documents | Risk assessments and mitigation measures | Review annually |
| Data sharing agreements | Contracts with processors and third parties | Contract period + 6 years |
ICO Registration Update
Charities are not exempt from paying the ICO data protection fee, but they pay a reduced Tier 1 rate (currently £52/year) regardless of their size or turnover — compared to up to £3,763 for large commercial organisations. Check the ICO website for current fee rates.
Working with Third-Party Platforms
If you use an online raffle platform, they’re processing data on your behalf as a “data processor”. You remain the “data controller” and are responsible for ensuring they handle data appropriately. When considering platforms for Facebook raffles and social media, ensure they provide:
- A comprehensive data processing agreement
- Evidence of appropriate security measures
- Clear data retention and deletion policies
- GDPR compliance documentation
Popular platforms like those mentioned in our guide on how to sell raffle tickets online typically have these arrangements in place, but always verify before committing.
Data Retention and Deletion
You can’t keep personal data indefinitely. Set clear retention periods based on your needs:
| Data Type | Suggested Retention | Reason |
|---|---|---|
| Winner information | 6 years | HMRC record-keeping requirements and Limitation Act 1980 |
| General buyer data | 2 years | Customer service and dispute resolution |
| Marketing consent | Until withdrawn | Ongoing communication |
These are recommended retention periods based on HMRC record-keeping requirements and standard limitation periods, not statutory minimums specific to raffles. You should conduct your own data retention assessment based on your circumstances.
Children’s Data Considerations
School PTAs need extra caution. If parents buy raffle tickets, you’re collecting parental data, not children’s data. However, be explicit about this in your communications. Never collect children’s personal data in connection with raffles, and ensure parents understand they’re entering on their own behalf.
For guidance on running school raffles compliantly, including charity-specific requirements, see our article on running online raffles for charity and online raffle ideas for schools and PTAs.
What to Do If Something Goes Wrong
Data breaches happen, even to careful organisations. The ICO’s current requirements state that you must report breaches within 72 hours if they’re likely to result in a risk to individuals’ rights and freedoms. This includes breaches involving:
- Identity theft risk
- Financial loss potential
- Damage to reputation
- Loss of confidentiality
- Physical, material, or non-material damage
Assess the Risk
Determine if there’s a risk to individuals’ rights and freedoms.
Report to ICO
Notify within 72 hours if there’s likely to be a risk to individuals.
Notify Affected Individuals
Tell people directly if there’s a high risk to their rights and freedoms.
Document Everything
Keep detailed records of the breach, your response, and any remedial action.
Summary: Key GDPR Compliance Points for Online Raffles
Successful GDPR compliance for online raffle ticket buyers centres on transparency, minimal data collection, and robust security. Collect only essential data, clearly explain your legal basis for processing, obtain explicit consent for marketing, and maintain comprehensive records. Regular reviews of your data practices, prompt handling of individual rights requests, and prepared breach response procedures form the foundation of sustainable compliance that protects both your supporters and your organisation.
Ready to Run Your Compliant Online Raffle?
Now you understand the GDPR requirements, it’s time to plan your raffle. Our professionally designed raffle tickets help ensure your draw looks legitimate and trustworthy whilst you focus on data protection compliance.