United Kingdom Court of Appeal: The central issue in the present appeal was what must be established to prove valid consent under General Data Protection Regulation (GDPR) and Privacy and Electronic Communications Regulations (PECR) for the placement of cookies, processing of personal data, and sending of unsolicited direct marketing communications. The Bench comprising Dame Victoria Sharp, President of the King’s Bench Division, Lewison and Warby, JJ., held that the valid consent under GDPR and PECR must be assessed objectively. The Court stated that whether consent is freely given must be judged objectively. This depends on factors such as the relative position of the data controller and the data subject, and the nature of their relationship. Data controllers must offer a real and non-misleading choice, which can be exercised freely and without pressure arising from the relationship. The assessment focuses on the parties’ status or the general characteristics of a group, not on the individual’s personal circumstances.
Background
RTM was a problem gambler and has therefore been anonymised in these proceedings. He overcame his gambling problem by early 2019. This case concerns events during the two years before that period.
During that time, Sky Betting and Gaming (SBG) placed cookies on RTM’s devices or browser, processed his personal data, and sent him targeted direct marketing. As a result, RTM used SBG services and lost money. He later brought a claim against SBG, alleging that SBG acted unlawfully in placing cookies, processing his data, and sending direct marketing. He says this caused him to gamble more, lose more money than he otherwise would have, and suffer financial loss and distress.
RTM’s case is that SBG collected data about him, including through cookies, and used it to analyse and profile him. SBG then used this data to send personalised and targeted direct marketing, which encouraged his compulsive gambling and led to further gambling and harm. RTM says these activities breached PECR, GDPR because SBG did not obtain valid consent and had no other lawful basis to process his data. He also claims the processing was not transparent or fair and breached key data protection principles, including purpose limitation, data minimisation, and storage limitation. In addition, RTM claimed that the data revealed his gambling addiction or problem gambling, amounting to special category data, which was processed without meeting the required legal conditions.
During trial, the Judge treated RTM as a vulnerable person. It found that his consent was not genuinely meaningful. First, his consent to cookies was limited to clicking the buttons shown to him, without really thinking about what he was agreeing to. Second, because he did not read the information provided, he had little or no understanding of how his online behaviour was being collected and analysed to target marketing at him. Third, his interaction with direct marketing was closely connected to his problematic gambling behaviour and was influenced by it.
Grounds of appeal
SBG first two grounds of appeal are —
1. The Judge erred in deciding the consent issue using an argument that RTM never made. RTM did not argue that his alleged gambling addiction made his consent legally invalid. It was, therefore, not proper to treat the gambling addiction as decisive in determining whether valid consent was given.
2. The Judge applied the law incorrectly when deciding what counts as valid consent under PECR and data protection law. Focusing on how RTM’s problem gambling affected his decision-making is inconsistent with legal principles and leads to extreme outcomes that lawmakers could not have intended. This approach implies that online gambling providers and others cannot realistically design systems that fully comply with PECR and data protection law.
Analysis, Law, and Decision
A. Correct approach to consent — Valid consent under GDPR and PECR
The Court stated that must adopt an interpretation of the legislation that follows the wording of the law as a whole and in context, reflects its purpose, and avoids results that are impractical or clearly unintended. The interpretation must be autonomous in two ways. First, it must apply uniformly across all jurisdictions and not depend on the law of any single State. Second, it must not vary based on the facts of a particular case or type of case. The application of the concept of consent may depend on the context. For instance, statements may be clear to adults but not to children. But the concept of consent must be uniform for all purposes, regardless of the specific facts, or the business context involved.
The Court after examining the definition of the consent under GDPR and data protection law observed two things. First, consent is defined as something shown by an action, not by a person’s internal state of mind. Consent is described as an outward indication of the person’s wishes that shows agreement. This means it is based on what the person communicates externally, not on what they may be thinking. Therefore, without such an outward indication, consent cannot exist, regardless of the person’s true state of mind. The legislation does not require or even allow an inquiry into the data subject’s inner thoughts or actual wishes.
Further, the Court stated that the law says that an action can amount to consent, but not every action will qualify. To be valid, consent must meet four requirements: it must be freely given, specific, informed, and unambiguous. These requirements focus on objective features of the communication between the parties. Whether consent is specific or unambiguous depends on the nature and clarity of the indication itself. Whether it is informed depends on the information given by the data controller beforehand. These criteria look at how the parties interacted, not at the data subject’s internal state of mind. Applying the same approach, whether consent is “freely given” should also be judged by the parties’ actions and their relationship, rather than by individual or subjective factors.
Thus, the Court held that the valid consent under GDPR and PECR must be assessed objectively. The Court stated that whether consent is freely given must be judged objectively. This depends on factors such as the relative position of the data controller and the data subject, and the nature of their relationship. Data controllers must offer a real and non-misleading choice, which can be exercised freely and without pressure arising from the relationship. The assessment focuses on the parties’ status or the general characteristics of a group, not on the individual’s personal circumstances. The guidance does not refer to subjective consent or personal decision-making ability. While some wording may suggest a subjective element, overall the guidance clearly supports an objective approach.
Also Read: Consent as Governance: Understanding DPDP’s Most Misread Obligation
B. Cookies, profiling and causation
SBG’s evidence was that cookie data was used only for personalised social media and digital display advertising on thirdparty platforms, and not for direct marketing. RTM did not complain about this type of marketing. His complaints concerned direct marketing by email and telephone, and targeted special offers through direct marketing and on SBG’s websites. The trial submissions were the same. There was no evidence that cookie data was used for these purposes. Instead, SBG’s user profiles were mainly based on transaction data.
The finding that SBG’s profiling for direct marketing was unlawful depended on other conclusions, which were incorrect. What SBG accepted was that a gambling provider could not rely on its legitimate interests to market to a problem gambler if it had grounds to know that fact. The trial court made no finding that SBG had such grounds.
Thus, the Court set aside the order finding SBG liable in RTM’s favour and accordingly remitted the matter back to the High Court.
[RTM v. Bonne Terre Limited, Case No CA-2025-000651, decided on 21-4-2026]
Advocates who appeared in this case:
For the Appellants: Anya Proops KC and Robin Hopkins (instructed by Wiggin LLP)
For the Respondents: Christopher Knight, Jennifer MacLeod and Aarushi Sahore (instructed by AWO)
For the Intervener: Heather Emmerson and Jack Steele (instructed by the ICO)
