The Court of Appeal’s decision in RTM v Bonne Terre Ltd and Hestview Ltd [2026] EWCA Civ 488 has provided clarity for businesses that consent to personalised marketing and data processing should be judged to an objective standard rather than subjectively with reference to an individual’s state of mind.
Background
The claim was brought by a recovering problem gambler against Bonne Terre Limited and Hestview Limited, who together operate the Sky Betting and Gaming platform (SBG). This concerned a two-year period during which SBG placed cookies on RTM’s devices, processed his personal data and sent him targeted direct marketing. RTM used SBG’s services, lost money during this period and sued SBG by arguing that they had acted unlawfully in placing cookies on his devices, processing of his personal data and sending direct marketing communications, that increased his gambling harm.
SBG needed a lawful basis to process personal data under the General Data Protection Regulation 2016/679 (‘GDPR’) and so relied on consent. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’) imposes an obligation to obtain valid prior consent for certain electronic marketing activities.
The High Court found that the test for consent under both the UK GDPR and the PECR rules on direct marketing is subjective and so RTM’s gambling addiction prevented him from giving valid consent to receive targeted direct marketing by email. SBG appealed, with the Information Commissioner intervening.
Court of Appeal decision
The Court of Appeal overturned the High Court’s findings and concluded that the test for consent is an objective, rather than subjective, one. This ruling was supported by EU and UK case law on consent with legislation not identifying consent as a subjective state of mind. It was emphasised that consent is given by a clear affirmative act and that under GDPR consent must be specific, informed, freely given and unambiguous. The ICO and SBG had submitted that actual or constructive knowledge of the state of mind of an individual is still relevant, but this argument was rejected. The Court of Appeal’s approach produces a clear and workable test, but it relocates the protection of vulnerable individuals from the concept of consent to other data protection principles, particularly fairness.
The decision confirmed that the four requirements for consent under the GDPR are distinct and should be assessed separately and by reference to objectively ascertainable features of the communications between the parties and the structural characteristics of their relationship. It was accepted that the purposes for which consent is sought, how that is done, and the context in which it is done are all relevant factors that feed into the objective assessment for consent.
The court also rejected the argument that a “clear imbalance” between SBG and its customers could invalidate consent individually. The court took the view “clear imbalance” between the data controller and data subject is to be assessed at the level of the general character of the relationship between the controller and its data subjects as a class, rather than by reference to the individual circumstances of one subject.
Takeaways
The Court of Appeal’s decision that consent under the GDPR and PECR is an entirely objective concept is welcoming for businesses relying on consent, as it has restored a workable standard. It is not a subjective concept and does not import a requirement to probe the data subject’s psychological state or decision-making capacity. If you’d like to read more about what the key takeaways are in relation to the changes made to the GDPR and PECR, please feel free to read our article on The Date (Use and Access) Act 2025.
Organisations do not need to carry out assessments of users’ internal decision-making to deliver valid consent. However, it is important to note that actual or constructive knowledge of an individual’s state of mind may be relevant outside the mechanism of consent in other parts of the data protection framework such as fairness. Organisations should remain focussed on getting the mechanism right so that there are clear choices and records of opt-in within the context of the sectors they operate.
If you have any queries about data protection law and how it might impact your business, want support with updating your data protection and privacy documentation or would like a tailored training session, please contact our Commercial, IP & Technology Team at: [email protected] or visit our group page.
