By Luke Clark — Full Professor at the University of British Columbia, specialising in gambling behaviour and the psychology of player engagement
What Crown Coins collects and why the sweepstakes model changes the picture
Crown Coins Casino is a social sweepstakes platform operated by Sunflower Limited, launched in 2023, and available across Canada under the federal Competition Act’s promotional contest framework rather than provincial gambling regulation. This legal classification creates a distinctive privacy context: Crown Coins isn’t subject to the gambling-specific data handling requirements that AGCO-licensed Ontario operators must meet as licensing conditions, nor to the GDPR-influenced standards that MGA licensing imposes. What does apply is Canada’s federal PIPEDA framework, which governs how any organisation handles Canadian personal data regardless of its industry classification, alongside general Competition Act transparency standards. This guide examines what data Crown Coins Casino collects, how it uses that data, and what Canadian players’ rights are in 2026.
The regulatory privacy framework for Canadian Crown Coins players
| Framework | Applies | Key obligations |
|---|---|---|
| PIPEDA (Canada federal) | Yes – all Canadian players | Rights of access, correction, complaint to Privacy Commissioner |
| AGCO / iGaming Ontario data requirements | No | Not an AGCO-licensed gambling operator |
| Competition Act | Yes | Sweepstakes transparency requirements including prize value accuracy |
| US sweepstakes law | Yes – Delaware incorporation | Governs the operator’s compliance structure |
| GDPR-influenced standards | Not directly | Not an MGA-licensed operator |
PIPEDA is the primary federal protection available to Canadian Crown Coins players. Because PIPEDA governs how organisations handle the personal information of Canadians regardless of where the organisation is incorporated – Crown Coins Inc. is a Delaware entity – Canadian players retain federal privacy rights regardless of the platform’s US corporate structure. These rights include access to personal information the platform holds, correction of inaccurate data, withdrawal of marketing consent, and the right to complain to the Privacy Commissioner of Canada if requests aren’t appropriately addressed.
The Competition Act transparency requirement is specific to Crown Coins’ sweepstakes model: all material terms of the sweepstakes, including prize values, odds of winning, and entry methods, must be accurately represented in advertising and promotional materials. Misleading prize claims or obscuring the no-purchase-necessary pathway would engage the Competition Act’s misleading advertising provisions independently of any privacy concern.
What Crown Coins collects from Canadian players at each account stage
Data provided at registration
Crown Coins’ registration is deliberately low-friction: email address, password, date of birth, and optional social sign-in via Google. SMS phone number verification follows. No government-issued ID is required at signup, and no payment information is collected unless a Crown Coins package purchase is made.
| Data category | Collected at signup | Notes |
|---|---|---|
| Email address | Yes | Primary account identifier and communication channel |
| Date of birth | Yes | Age verification (19+ in most Canadian provinces) |
| Full legal name | Partial – expanded at redemption | Full name required for KYC before first SC prize |
| Phone number | Yes – via SMS verification | Two-factor account authentication |
| Social sign-in data | Optional – Google | If Google sign-in used, Google profile data is accessed |
| Government-issued ID | No – deferred to KYC | Required only at Sweeps Coins redemption stage |
Data collected through account activity and gameplay
| Category | Specific data points |
|---|---|
| Purchase transaction data | Crown Coins package purchases via Visa, MC, AMEX, Apple Pay, Skrill, Interac |
| Sweeps Coins redemption data | SC balance, redemption requests, prize amounts, payment method for prizes |
| Behavioural session data | Games played across 500+ title library, session duration, bet sizes, near-miss exposure patterns, daily login streak records |
| Daily login bonus data | Streak length, days claimed, CC and SC amounts received per login |
| VIP programme data | Points accumulated in standard and promotional play, Coinback tier (Bronze and above), Crown Race participation |
| Crown Races data | Competitive performance records, leaderboard position, SC prizes from race participation |
| Device and technical data | IP address, device type (iOS given the only available app is iOS), browser version, operating system |
| Email interaction data | Open rates, click-through on promotional emails, opt-in and opt-out records |
| KYC verification data | Government-issued photo ID, selfie photo, proof of address – collected at first SC redemption |
| Cookie and analytics data | Navigation patterns, lobby behaviour, game filter usage, promotional content interaction |
The behavioural session data category is the one I want to examine most carefully, given my research background in what this type of data can reveal about player engagement and risk. My laboratory’s work has demonstrated that within a single platform’s session data – specifically session frequency, bet size variability over time, response to losses, and escalation patterns – machine learning models can predict self-exclusion and problem gambling status with meaningful accuracy. The data types listed above at Crown Coins are structurally similar to what our PlayNow.com research used. Crown Coins’ session data captures daily login streak behaviour, in-game purchase escalation across CC package tiers, competitive engagement through Crown Races, and game-by-game session duration – a dataset that could, if the operator chose to deploy it responsibly, support proactive player protection monitoring regardless of the platform’s non-gambling classification.
The KYC data timing and its privacy implications
Crown Coins’ KYC verification is triggered at the first Sweeps Coins redemption rather than at account creation. This creates a specific privacy dynamic: players may have accumulated significant session history, purchase history, and behavioural data before the platform holds formal identity documentation linking that history to a verified individual. At the redemption gate, identity documents required include government-issued photo ID, a selfie photo, and proof of residential address. For Canadian players, this means Crown Coins holds detailed behavioural records from potentially months of account activity that become formally attributed to an identified individual only at the point of prize claiming.
How Crown Coins uses Canadian player data
Crown Coins processes Canadian player data for:
- Account authentication and session management across web and iOS app
- Payment processing via Visa, MC, AMEX, Apple Pay, Skrill, and Interac for Canadian players
- Crown Coins package purchase record-keeping
- SC balance tracking, redemption processing, and prize payment delivery within the documented four-business-day timeframe
- KYC identity verification through the platform’s third-party KYC partner
- VIP programme tier administration including Coinback percentage calculation and Crown Race prize distribution
- Daily login streak tracking and progressive bonus delivery
- Email marketing communications with consent, including game promotion and exclusive offers for opted-in players
- Analytics and platform performance measurement
- Social Media Promotions – Crown Coins maintains active social media accounts and distributes promotional codes through these channels, generating associated engagement data
- Responsible Social Play monitoring and tool provision
The social media channel specifically is worth noting as a data collection dimension that extends beyond the platform itself. Crown Coins has documented active social media accounts where promotional codes and race notifications are distributed. Players who engage with Crown Coins through social channels generate data through those platforms’ own systems – Facebook, Instagram, X – in addition to the data Crown Coins collects on its own platform. Understanding that the social media engagement layer is a data collection surface beyond what any casino privacy policy directly controls is relevant to the full data picture.
Third parties who may receive your data
| Third party | Purpose | Notes |
|---|---|---|
| KYC verification provider | Identity document verification at SC redemption | Third-party identity verification partner |
| Payment processors | Crown Coins package purchase and prize redemption payments | Visa, MC, AMEX, Apple Pay, Skrill, Interac networks |
| Analytics platforms | Platform performance and player behaviour measurement | Standard third-party analytics infrastructure |
| Email/CRM platforms | Email marketing and communication delivery | Used for promotional and transactional communications |
| Game providers (Pragmatic Play, Hacksaw, etc.) | Session data during individual game play | Provider-level session interaction |
| Social media platforms | Engagement data from Crown Coins social channels | Facebook, Instagram, X platforms |
| Delaware corporate entities | US-based corporate infrastructure | Crown Coins Inc. Delaware incorporation |
The game provider network at Crown Coins – spanning Pragmatic Play, Hacksaw Gaming, Ruby Play, Relax Gaming, Booming Games, BGaming, ELK Studios, and others – creates a third-party data ecosystem similar to what multi-provider casinos generate. Session data during individual game play flows through each provider’s own infrastructure as a functional requirement of delivering the game, creating data relationships across all the studios whose titles are in the Crown Coins library.
Security: encryption and what it covers
Crown Coins uses industry-standard encryption to protect player data and account information across the site, consistent with what regulated gambling platforms apply. The iOS app’s 4.8/5 rating from over 8,400 players and the platform’s Trustpilot 4.6/5 from over 100,000 reviews are indirect positive indicators of security reliability – major data security failures tend to generate rapid and substantial negative review activity.
No major publicly documented data breach appears in Crown Coins’ operating history since its 2023 launch. The KYC partner handles identity document security through their own dedicated security infrastructure, which is typically more specialised for sensitive document handling than a casino platform’s general security stack.
Your PIPEDA rights as a Canadian Crown Coins player
Under PIPEDA, Canadian players at Crown Coins retain the right of access to all personal information the platform holds, the right to correction of inaccurate or outdated data, the right to withdraw marketing consent without affecting account access, the right to know what third parties have received their data, and the right to complain to the Office of the Privacy Commissioner of Canada if these requests aren’t appropriately addressed. These federal rights apply regardless of Crown Coins Inc.’s Delaware incorporation.
