DCMS Voluntary Code
Prize draw compliance in the UK
The DCMS Voluntary Code of Good Practice sets out what UK prize draw operators are expected to do from 20 May 2026. This guide explains what the requirements mean in practice, and what a compliant draw process actually looks like.
The regulatory context
What the DCMS Voluntary Code requires
The DCMS Voluntary Code of Good Practice for Prize Draw Operators was published on 20 November 2025. It came into force on 20 May 2026. The government has been explicit: if voluntary adoption fails, formal legislation follows.
The Code covers five areas. Four are broadly procedural: fair and transparent operations, accessible free entry routes, robust complaints handling, and clear terms and conditions. The fifth is technical, and it is the one most operators will find hardest to meet with existing tools.
The draw process requirements
Verifiably random draws
The draw result must be produced by a genuinely random process that a third party can independently confirm.
Auditable processes
The draw must leave a complete record that can be reviewed after the fact. The record must be sufficient to reconstruct and verify the draw.
Transparent draw mechanics
Operators must disclose how the winner was selected. The method must be published and understandable, not just described in general terms.
The Code was preceded by government-commissioned research published by London Economics in June 2025. It found that transparency in draw operations was "particularly lacking," that operators regularly failed to disclose how winners were selected, and that hundreds of consumer complaints had been received about deceptive practices. Between August 2024 and April 2025 alone, 93 draws were referred for potential enforcement action.
The compliance gap
Why a screenshot is not enough
Most operators currently run draws using free tools: Google’s random number generator, a wheel spinner, or a name picker. They take a screenshot of the result and post it alongside the winner announcement. Some operators record a live stream on Facebook or Instagram instead. Both approaches are widespread. Neither satisfies the Code’s verifiably random requirement.
The problem is structural, not superficial. A screenshot or a live video proves that a number was generated. It cannot prove when that number was committed to. If an operator ran the generator ten times before the draw and selected the most convenient result, the screenshot of the final selection would look identical. No amount of video resolution or screenshot quality changes this.
Legal commentary on the sector has noted that live-streaming draws on social media became common specifically to "avoid allegations that the selection process was rigged." This confirms what operators already know: the trust problem is routine, not exceptional. And it confirms that the existing workaround — the live stream — exists because operators have no better tool. A live stream proves something happened in public. It does not prove that a commitment was made before ticket sales opened.
What current tools cannot prove
When the method was fixed
A screenshot timestamps when the screenshot was taken, not when the draw method was committed to.
How many times the generator ran
There is no record of whether the tool was run once or twenty times before a satisfactory result appeared.
Independent verification
Entrants must take the operator's word for it. There is no calculation they can re-run themselves.
Permanent audit trail
A screenshot or video can be deleted. There is no permanent record that survives independently of the operator.
The technical standard
What a verifiable prize draw requires
Pre-commitment before ticket sales open
Before a single ticket is sold, the draw method must be fixed and published. This means generating a secret key, computing a cryptographic hash of it, and publishing that hash on the draw page before entries open. An entrant buying ticket 1,847 must be able to verify that the winning calculation was already locked in before they spent any money. This is the pre-commitment. It is what separates a verifiable draw from a merely honest one.
An independent randomness source
The entropy source — the input that determines which ticket wins — must be something no individual can predict or control. An operator's own random number generator is technically random, but it is still operator-controlled. Using a data source with no connection to the operator removes the conflict of interest. The source must also be publicly recorded, so that any entrant can independently look it up and confirm it was used correctly.
Public verification by anyone
After the draw, any entrant must be able to independently confirm that the winner was selected exactly as advertised. This means the formula, all inputs, and the result must be publicly disclosed. The entrant must be able to run the verification themselves — in their own browser, without relying on any server the operator or draw platform controls. If verification requires trusting the platform, it is not independent.
Prize draw certification
How VeriDraw addresses each requirement
VeriDraw is a UK prize draw certification platform. It uses a cryptographic commitment published before ticket sales open, combined with a Bitcoin block hash as an independent randomness source, to produce a tamper-proof public certificate for every draw. Any entrant can independently verify the result in their browser, without trusting VeriDraw.
Pre-commitment
When you create a draw, VeriDraw generates a secret key and computes its SHA-256 hash. This commitment hash is published before ticket sales open. Once published, neither you nor VeriDraw can change the key behind it. After the draw runs, the key is revealed on the certificate. Any entrant can verify that the published hash matches the revealed key, confirming the calculation was fixed in advance.
Independent randomness source
Every VeriDraw draw uses a Bitcoin block hash as its external randomness source. For live draws, the block is fetched at draw time, after ticket sales close. For instant-win draws, the block is fetched at the moment of confirmation, before ticket sales open. In both cases, VeriDraw verifies the hash against three independent block explorers: mempool.space, blockchain.info, and blockchair.com. Each block hash depends on the accumulated computational work of the entire network. No individual, company, or government can predict or influence what it will be. It is publicly recorded and independently verifiable by anyone.
Documented winning formula
Every winning ticket is calculated using SHA-256 and a Bitcoin block hash.
For live draws: SHA-256(secret key + ":" + block hash + ":" + tickets sold) mod tickets sold + 1.
For instant-win draws: SHA-256(secret key + ":" + block hash + ":" + prize ID + ":" + instance) mod total tickets + 1.
Both formulas are documented on every certificate. The calculation uses only public information and a standard cryptographic function available in every browser.
Permanent certificate
A certificate is issued at a permanent public URL immediately after the draw runs. It contains the winning ticket, the draw date, the operator's details, and every input needed to verify the result. The URL never expires, cannot be edited, and does not require a login. It is the audit trail.
Independent browser verification
Any entrant can open the certificate, click "Verify," and their browser recomputes the full calculation using the Web Crypto API. No request is sent to VeriDraw's servers during verification. The entrant is not trusting VeriDraw. They are running the numbers themselves.
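The two checks an entrant performs on a live-draw certificate, the commitment match and the recomputed winner, are shown here as an added example; it is not VeriDraw's code. It assumes UTF-8 string inputs, a commitment equal to SHA-256 of the key string, the digest read as a 256-bit big-endian integer, and "mod tickets sold + 1" meaning (digest mod N) + 1. The certificate values are constructed sample data.

```javascript
// Added example, not VeriDraw's code. Assumptions: inputs are UTF-8 strings,
// commitment = SHA-256(key string), digest read as a big-endian integer.

async function sha256Hex(text) {
  // Web Crypto in a browser; Node's copy of the same API as a fallback.
  const subtle = globalThis.crypto?.subtle ??
    (await import('node:crypto')).webcrypto.subtle;
  const digest = await subtle.digest('SHA-256', new TextEncoder().encode(text));
  return [...new Uint8Array(digest)]
    .map((b) => b.toString(16).padStart(2, '0')).join('');
}

// Live-draw formula from the page, read as (digest mod ticketsSold) + 1.
async function liveDrawWinner(secretKey, blockHash, ticketsSold) {
  if (!Number.isInteger(ticketsSold) || ticketsSold < 1) {
    throw new RangeError('ticketsSold must be a positive integer');
  }
  const digest = await sha256Hex(`${secretKey}:${blockHash}:${ticketsSold}`);
  return Number(BigInt('0x' + digest) % BigInt(ticketsSold)) + 1;
}

async function verifyLiveDraw(cert) {
  // 1. The revealed key must hash to the commitment published before sales.
  const commitmentOk = (await sha256Hex(cert.secretKey)) === cert.commitment;
  // 2. The announced winner must equal the value recomputed from public inputs.
  const recomputed =
    await liveDrawWinner(cert.secretKey, cert.blockHash, cert.ticketsSold);
  return { commitmentOk, recomputed,
    valid: commitmentOk && recomputed === cert.winningTicket };
}

// Constructed sample certificate: key "abc" with its known SHA-256 digest,
// and the Bitcoin genesis block hash standing in for the draw-time block.
const SAMPLE = {
  commitment: 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad',
  secretKey: 'abc',
  blockHash: '000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f',
  ticketsSold: 2500,
};

async function demo() {
  const winningTicket =
    await liveDrawWinner(SAMPLE.secretKey, SAMPLE.blockHash, SAMPLE.ticketsSold);
  const honest = { ...SAMPLE, winningTicket };
  const swappedKey = { ...honest, secretKey: 'abd' }; // key changed after commit
  return { honest: await verifyLiveDraw(honest),
    swappedKey: await verifyLiveDraw(swappedKey) };
}
demo().then((r) => console.log(r));
```

The instant-win formula on the page follows the same steps; only the hashed string and the modulus (total tickets) differ.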
VeriDraw does not provide regulatory or legal advice. Operators should review the full DCMS Voluntary Code alongside their specific draw format.
