The Court of Appeal’s recent decision in RTM v Bonne Terre Limited & Hestview Limited [2026] EWCA Civ 488 is an important one for any business/controller that relies on consent as a lawful basis for processing personal data or sending direct marketing communications. In short, the legal test for consent under data protection legislation is an objective one, not a subjective inquiry into the data subject’s internal state of mind.
Background
The respondent, known only as RTM to protect his anonymity, was a problem gambler who used Sky Betting and Gaming’s (“Sky Betting”) online platforms during a two-year period prior to early 2019. During that time, Sky Betting placed cookies on his devices, processed his personal data, and sent him targeted direct marketing communications. RTM subsequently brought a claim for compensation, arguing that he had never given legally valid consent to any of these activities, and that Sky Betting’s conduct had caused him to gamble more and suffer financial loss and distress as a result. In particular, he argued that because of his gambling addiction, his apparent consent was therefore not ‘freely given’, and therefore invalid.
At first instance, the High Court found in RTM’s favour, finding that because of the impact of RTM’s gambling problem, the judge found that he had not given ‘legally operative consent’, applying a novel three-strand test which included an assessment of his subjective autonomy.
Sky Betting appealed on the grounds that the judge’s analysis was legally wrong. Interestingly and most notably, the Information Commissioner’s Office (“ICO”) intervened to assist the court and agreed that the legal test for consent is objective, not subjective, while also contending that vulnerability might in some circumstances be relevant to other aspects of compliance.
The key legal question
At the heart of the appeal was a deceptively simple question: What must a data controller actually prove in order to establish that a data subject gave valid consent under the Data Protection Act 1998 and its parent Directive 95/46EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) and its parent Directive 2002/58/EC (the PEC Directive), and the General Data Protection Regulation 2016/679 (“GDPR”) (together, the “Data Protection Legislation”).
Consent is defined in Article 4(11) of the GDPR as a “freely given, specific, informed and unambiguous indication of the data subject’s wishes” by which they “signify agreement” to the processing of their personal data. Under Article 7, the burden of proof lies with the data controller.
The first instance judge approached the definition of consent as having a subjective element, turning on an individual’s ‘internal state of mind’ at the time of giving the consent. This approach meant that Sky Betting, as the data controller, would need to demonstrate not just that RTM (the user) had clicked ‘accept’ to their terms of business or taken some other affirmative action, but that RTM had ‘genuinely and autonomously’ consented in his own mind at the time.
The Court of Appeal’s decision
The Court of Appeal allowed Sky Betting’s appeal and set aside the first instance judgment.
The Court held that consent under GDPR, PECR and their predecessor regimes is an objective concept. The question is whether, viewed objectively, the data subject gave:
- a freely given;
- informed;
- specific; and
- unambiguous indication of agreement, by statement or clear affirmative action.
Consent under the GDPR and related Data Protection Legislation is assessed by reference to an objective, outward-facing standard and not a subjective one, none of which import a requirement to probe the data subject’s inner psychological state or subjective decision-making capacity.
The Court was also critical of the practical consequences of the subjective approach (a sentiment which the ICO appeared to echo as well), as a user might lack true autonomy for any number of reasons entirely unknown to the controller such as relating to addiction, coercion, or other personal vulnerabilities. Extending liability to cover such circumstances would create an unworkable and unintended regime, with implications far beyond the gambling sector.
What this means for controllers of personal data from a compliance perspective
The Court of Appeal’s judgment provides welcome clarity for data controllers across all sectors. The key takeaways are:
- Consent remains an objective standard. A data controller does not need to prove that a user subjectively and autonomously consented in their own mind. What matters is whether the user’s ‘indication of agreement’, howsoever made, such as by clicking a button, ticking a box or completing a sign-up form, constitutes a clear affirmative action meeting the GDPR’s requirements.
- The bar for valid consent remains high. The Court reaffirmed that consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, vague opt-in language, and bundled consents will not suffice. Businesses should continue to review their consent mechanisms carefully and ensure that each element of valid consent is met.
- Vulnerability is not irrelevant, but it is not determinative. Vulnerability is not relevant to the specific question of whether consent was given but may be relevant to other GDPR principles such as fairness or transparency. This means that vulnerability cannot, of itself, invalidate consent that was otherwise validly obtained through a compliant process.
The case will now return to the High Court. It remains to be seen how the Court will approach the remaining issues of the case, including questions around fairness, purpose limitation, and whether RTM’s gambling data constituted special category personal data.
For now, however, controllers can take some reassurance that the Court of Appeal has drawn a sensible and workable line. Consent is about what users do, viewed objectively and in context, assessed against a clear and objective standard and not what they may or may not have been thinking at the time.
Further information
If you have any questions regarding this blog, please contact Caroline Sheldon in our Corporate, Commercial & Finance team.
About the author
Caroline Sheldon joined the Corporate, Commercial & Finance team in August 2022 as an Associate and specialises in advising on commercial matters. She advises entrepreneurs, startups and established businesses across a variety of sectors, with a focus on those in the technology sector.