RTM v Bonne Terre Ltd [2026] EWCA Civ 488

A recovering problem gambler sued Sky Betting and Gaming, alleging its cookies, data processing and direct marketing were unlawful because he had not validly consented. The Court of Appeal held that consent under data protection law is objective, not subjective, and allowed the operator's appeal.

Facts

The appellants (SBG) operated an online betting and gaming business under the name ‘Sky Betting and Gaming’. The respondent (RTM), an anonymised former problem gambler, had used SBG’s services during a two-year relevant period prior to early 2019, during which SBG placed cookies on his devices, processed his personal data, and sent him targeted direct marketing. RTM lost money gambling and later sued SBG for compensation and declarations, alleging that SBG’s activities were unlawful because he had not given legally operative consent under the Data Protection Act 1998, the GDPR, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

At trial, Collins Rice J held that the question of liability turned on consent. She devised a three-strand test comprising: (1) subjective consent dependent on the individual’s actual state of mind; (2) absent that, a fully autonomous choice about granting consent; and (3) minimum evidential standards. She found that RTM’s gambling condition and associated vulnerability meant his consenting behaviour was insufficiently freely given, and therefore held SBG’s activities unlawful throughout the relevant period.

Issues

The principal issue on appeal was what must be proved to establish consent for the placement of cookies, the processing of personal data, and the sending of unsolicited direct marketing. More specifically, whether ‘consent’ under the relevant legislation has a subjective aspect dependent on the data subject’s actual state of mind or autonomous decision-making capacity. Further grounds concerned procedural fairness, whether RTM had in fact opted in to direct marketing on 26 July 2017, and whether the judge’s conclusions on cookies-based personalisation and profiling were sustainable.

Arguments

For SBG (Appellants)

SBG argued that the judge erred in deciding the case on a basis RTM never advanced, namely that his gambling addiction rendered his consent ineffective, and that SBG had no fair opportunity to address this analysis. Substantively, SBG contended the test for consent is objective, focused on outward manifestations rather than the data subject’s subjective state of mind. SBG also argued the judge’s conclusions about cookies, profiling and direct marketing causation were unsupported by the evidence.

For RTM (Respondent)

RTM contended that the judge’s overall conclusion was supported by proper findings of objective fact. He submitted the judge’s approach was holistic, treating subjective and objective consent as alternative bases, and that her findings about SBG’s policies and practices were fatal to the appeal. He did not adopt the argument that the data controller’s knowledge of vulnerability was relevant.

For the Information Commissioner (Intervener)

The ICO supported SBG’s view that the test for consent is essentially objective, but suggested it could be qualified by the data controller’s actual or constructive knowledge of an individual’s vulnerability, potentially creating a ‘clear imbalance of power’ under Recital 43 of the GDPR.

Judgment

Lord Justice Warby (Dame Victoria Sharp P and Lewison LJ agreeing) allowed the appeal on all five grounds.

The test for consent is objective

The Court held that consent under Article 4(11) of the GDPR and equivalent provisions requires the data controller to prove that the data subject made a statement or took a clear affirmative action amounting to an indication of wishes signifying agreement. These are purely objective questions about the quality and significance of an identifiable communication from the data subject. The four criteria—that the indication be freely given, specific, informed and unambiguous—are each objective in nature and require assessment in the context of the communications and structural relationship between the parties.

Warby LJ found support in the legislative language, which identifies consent as something constituted by an action rather than a subjective state of mind. He also drew on CJEU authority including Planet 49, Orange Romania and Meta Platforms, and on the Court of Appeal’s decision in Cooper v National Crime Agency, which was not cited below but held that consent is an objective concept depending on outward manifestation. Guidance from the Article 29 Working Party, EDPB and ICO also pointed to an objective approach focused on the data controller’s provision of genuine choice.

Rejection of the judge’s three-strand test

The Court disagreed with the judge’s analysis that consent had subjective and autonomous decision-making strands. The data controller need not prove what was actually in the data subject’s mind at the time, nor whether the data subject was vulnerable with impaired autonomy. The judge’s approach would create unworkable legal risk, since even the best systems could not guarantee subjective consent or truly autonomous choice. This would conflict with Recital 7’s objective of legal and practical certainty and with the proportionate balance the GDPR strikes between fundamental rights and commercial freedom.

Rejection of the data controller’s knowledge qualification

Warby LJ also rejected the qualification advanced by SBG and the ICO that consent could be undermined where the data controller knew or ought to have known of the data subject’s vulnerability. This adopted an impermissible individualised approach to the ‘clear imbalance of power’ concept, introduced further subjective tests, and would reintroduce the very uncertainty the objective approach avoids.

Procedural unfairness

The Court held that the judge erred by deciding the case on the basis of her three-part subjective test without giving SBG an adequate opportunity to address it. That analysis was no part of RTM’s pleaded case, was entirely of the judge’s own devising, and was only alluded to briefly and belatedly at trial.

Other grounds

On Ground 3, the judge’s factual findings required the conclusion that RTM had given factual consent to direct marketing on 26 July 2017, most likely by ticking an opt-in box. On Grounds 4 and 5, the evidence did not support findings that SBG used cookies to personalise the direct marketing of which RTM complained, and the conclusion that profiling was unlawful was parasitic on the erroneous consent analysis and mis-stated a concession made by SBG.

Implications

The decision establishes, in the most authoritative domestic statement to date, that consent under the GDPR, DPA 1998 and PECR is an objective concept. A data controller proves consent by showing an identifiable communication from the data subject—typically ticking a box or a similar clear affirmative action—that satisfies the four criteria of being freely given, specific, informed and unambiguous. These criteria are assessed in context, including the communications between the parties and the structural character of their relationship, but without enquiry into the data subject’s actual state of mind or autonomous decision-making capacity.

The ruling provides significant legal and practical certainty for economic operators across sectors, particularly those dealing with potentially vulnerable consumers, by confirming that well-engineered consent mechanisms can satisfy the legislative requirements without exposing data controllers to liability based on unknowable subjective vulnerabilities. The Court expressly rejected the notion that data protection law should fill gaps in the protection of problem gamblers, indicating that such protection is a matter for regulators and the legislature.

The Court nonetheless acknowledged, without deciding, that concerns about vulnerable data subjects might be accommodated in other ways: for instance, where a data subject makes their condition known to the data controller, any indication might not be ‘unambiguous’; or processing might not be ‘fair’ where the controller knew or should have known of a disability overbearing the data subject’s will; or codes of conduct under the Gambling Act 2005 might be engaged. The decision also leaves undisturbed RTM’s remaining claims about fairness, purpose limitation, data minimisation and storage retention, which fall to be resolved on remission. The scope of remission, including whether the Court of Appeal itself could decide certain issues objectively on the existing findings, was reserved for further argument.

Verdict: The Court of Appeal allowed the appeal on all five grounds, set aside the judge’s decision and order entering judgment on liability in favour of RTM, and indicated that the case must be remitted to the High Court, with the scope of remission to be the subject of further submissions.

Source: RTM v Bonne Terre Ltd [2026] EWCA Civ 488