The Court of Appeal has handed down its much anticipated judgment in RTM v Bonne Terre Limited [2026] EWCA Civ 488, overturning the High Court's ruling in January 2025 that consent obtained by Sky Betting and Gaming (SBG) from RTM (a reformed gambling addict) for the use of cookies and direct marketing activities was invalid under UK data protection law, including the UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR).  

In what will come as a relief to SBG and data controllers across the UK, the decision clarifies a fundamental question about the nature of consent under UK data protection law: the test is objective, not subjective. However, the Court's obiter remarks may have opened the door to a different line of argument that organisations should be watching closely. 

Background: High Court proceedings

RTM sued SBG for financial loss that he suffered as a result of SBG's non-compliance with consent requirements, arguing that, due to his gambling addiction, he had never validly consented to the placement of cookies on his devices, the processing of his personal data, or the receipt of targeted direct marketing.

He contended that his gambling addiction meant his decision-making was materially compromised, and that as a result his consent was not "freely given" as required by data protection law. 

At first instance, Collins Rice J agreed. She devised a three-part test for consent, focusing on a subjective element that examined RTM's actual state of mind, the "autonomous quality" of his decision making, and certain evidential standards [54]-[81]. She found that RTM's gambling condition compromised his autonomy to such a degree that his consent did not meet the "relatively high" standard required by data protection law. 

The High Court's approach was novel and, if upheld, had potential for far reaching consequences for data controllers across the UK. If consent required proof of genuine subjective agreement or truly autonomous decision making, no data controller could ever guarantee compliance, leaving organisations questioning the robustness of their consent mechanisms and exposed to legal risk from any individual whose subjective state of mind might later be called into question.

The Court of Appeal's ruling: consent is an objective test

The standard of consent

The Court of Appeal unanimously allowed SBG's appeal. Lord Justice Warby, giving the lead judgment, held that the test for consent is essentially objective. Consent is constituted by an action (a "clear affirmative act" such as ticking a box), not by the data subject's subjective state of mind [54]. The right to data protection, the Court emphasised, "is not an absolute right" and must be balanced against other fundamental rights, including the "freedom to conduct a business" [67]. The balance struck must be "pragmatic" and "workable", and the Court should not interpret the legislation in a way that has consequences that are "impractical" and which the legislature is "unlikely to have intended" [67].

To establish consent, a data controller must show that the data subject made a statement or took a clear affirmative action amounting to an "indication" of their wishes that "signifies agreement" to the relevant activity. It must then show that indication was freely given, specific, informed, and unambiguous. Crucially, each of these four criteria is also objective in nature, assessed by reference to the communications between the parties and the structural character of their relationship, not by reference to the individual's inner thoughts. 

The Court found the High Court judge's three-part subjective test to be legally wrong, novel and ultimately unworkable. If consent required proof of genuine subjective agreement or truly autonomous decision making, no data controller could ever guarantee compliance – an outcome the legislature could not have intended [70]. Significantly, the Court stressed that "legal and practical certainty" is an express objective of the GDPR (Recital 7), and the judge's analysis would have favoured data subject control at the expense of that certainty [71].

The relevance of vulnerability - the fairness principle to the rescue?

Does this mean that data controllers can completely disregard any vulnerability on the part of the data subject? From a consent perspective, almost: the Court considered, and rejected, an argument advanced by SBG and the ICO (who intervened in the proceedings) that the objective test for consent should be qualified by a data controller's actual or constructive knowledge of an individual data subject's vulnerability [82]. However, the Court did note obiter that if a data subject "makes it known to the data controller that he suffers some affliction that casts real doubt on his ability to make free choices, any indication of his wishes might not count as "unambiguous"" [83]. Such a qualification based on the data controller's knowledge would reintroduce subjective complexity through the back door and was impractical. 

However, Lord Justice Warby remarked obiter that the fairness principle should not be forgotten, saying that "it might be argued that the processing of personal data would not be 'fair' if undertaken at a time when the data controller knew or should have known that the data subject was suffering from some disability or external factor that overbore their will or compromised their ability to choose." The Judge also noted that any code of practice issued by the Gambling Commission aimed at protecting "vulnerable persons" from harm or exploitation may be relevant in future cases. 

This is significant. While the Court closed the door on a subjective reading of consent, it may have opened a window through the fairness principle under Article 5(1)(a) GDPR. A fairness-based challenge would not require rewriting the definition of consent. It would instead focus on whether the data controller's processing was conducted "fairly" in circumstances where it knew, or ought to have known, of a data subject's vulnerability. 

In addition, the remarks about actual (but not constructive) knowledge of an affliction undermining the "unambiguous" quality of consent could also give claimants a route back into the consent framework itself, but the reading of this case is clear – this will be assessed through an objective lens and clearly requires the controller to have been put on notice of a data subject's condition.

What does this mean in practice?

For gambling operators and others processing vulnerable persons data: The decision provides reassurance that consent mechanisms will be assessed through an objective lens and, if designed well, will be sufficient to demonstrate lawful consent. Organisations do not need to investigate the subjective mental state of each individual data subject that interacts with their consent mechanisms. This objective standard applies consistently across all sectors, not just gambling, and will guide assessments of consent in other contexts involving other compulsions or vulnerabilities such as alcohol, social media or online shopping.

However, the comfort is not absolute. The Court's comments on fairness signal that where an operator knows or has reason to know a customer is vulnerable, for example, through behavioural indicators of problem gambling, continuing to process that individual's data for marketing purposes could be challenged as unfair processing, even if consent was technically obtained. 

For data controllers more broadly: Organisations should ensure their consent mechanisms are robust and well documented but should also be alive to the possibility that fairness arguments may be raised where they hold information suggesting a user is particularly vulnerable. This is a different legal basis for a claim and one that future claimants across sectors may explore. 

Whatever your sector, now would be a good time to:

1. Review consent mechanisms. Ensure that consent flows involve clear affirmative actions, that information provided is accessible and specific, and that consent is not bundled with other terms. The Court confirmed that these objective features are what matter.
2. Assess fairness obligations separately. Do not treat a valid consent as the end of the compliance story. Where your organisation holds data suggesting a customer may be vulnerable, consider whether continued processing, particularly for marketing, could be challenged as unfair under Article 5(1)(a) GDPR. The fairness argument the Court flagged turns on the data controller's actual or constructive knowledge. Organisations that identify vulnerability indicators should document their response. Doing nothing with that knowledge could prove problematic. 

And finally: Watch this space. The case has been remitted to the High Court, and RTM's separate claims regarding unfair processing and other data protection principles remain to be decided [98]. Those claims could provide further judicial guidance on where the line falls between valid consent and unfair processing.