Many firms use players’ IP (internet protocol) addresses – a numerical identification that is assigned to devices logged into a computer network - as a means of combating fraud and other regulatory reasons.

That includes assessing whether a player is attempting to play online from a country or jurisdiction that has outlawed internet gaming.

However, Brigitte Zammit, senior associate at telecom and technology lawyers Preiskel & Co, said that firms run the risk of breaking data protection laws by making a request to identify an IP address.

European Union data privacy regulators indicated earlier this year that they regarded an IP address as personal data unless it could be proved that it definitely is not.

The EU’s Article 29 Working Party, which is advising the EU on privacy and data protection policy, is expected to issue tighter regulations on the use of IP addresses.

In contrast, others, including search engine Google, have argued that IP addresses only identify a number of machines on a network and not an individual.

Although the IP address issue is still a recommendation, some countries in Europe have already ruled that they should be regarded as personal. That means that passing such personal data to a third party to identify where a player is could breach data protection rules.

Current EU law (directive 2002/58/EC) rules that “any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communication service may only be processed when they are made anonymous, or with the consent of the users or subscribers.”

Until it is resolved, the issue leaves online gaming firms between a rock and a hard place – trying to find enough information about customers to comply with underage gambling, anti-money laundering and jurisdictional regulations but keeping within data protection law.

A data protection conference held this week in London by World Online Gambling Law Report heard that complying with national gaming regulations would not be regarded as legitimate reason for using the IP address data.

Ms Zammit said: “There are legal implications for gambling operators using geo-location software to track players’ location.

“An individual is seeking access to a gambling website. The operator wants to make sure whether any players from a particular jurisdiction are allowed to play.

“The operator sends a location request to a third party. This geo-location provider has a database of geo-locations and IP addresses. When it receives the request it will search its database and give an educated guess as to the location of the individual.

“The operator is then in a position to decide whether the access seeker should have access to the website.

“This may risk data protection issues if the IP address constitutes personal data. Then there is a question of whether the geo-location request is lawful.

“The difficulty is the data that identifies equipment. We have had cases where it has been ruled that IP addresses equate to personal data such as in Switzerland.”

Before the working group’s declaration, it had previously been regarded that IP addresses could only be regarded as personal data if it was used in conjunction with other information to provide a user profile.

Identifying locations and individuals from IP addresses can be inexact, with many numbers self-assigned or assigned on the fly. Computers being used by numerous people – such as in an internet café – also give no indication of who is using a machine.

However, the usefulness of the technology has been highlighted by a recent case involving an operator working out of Malta, where a fraudulent group of players were tracked down using their IP addresses.