RTM v Bonne Terre: Objectively sound direct marketing

On 21 April 2026, the U.K. Court of Appeal (Civil Division) handed down a welcome judgment in RTM v Bonne Terre Ltd [2026] EWCA Civ 488, and confirmed that the test for consent, in the context of data protection and ePrivacy law, is an objective one. The court confirmed that consent validity is not assessed on the basis of subjective elements, like an individual's state of mind or potential vulnerability at the time of giving consent. Instead, and consistent with prior case law, consent must be assessed on an objective, uniform basis across different fact patterns and contexts. 

Background 

The case concerns RTM, a problem gambler who overcame this problem by 2019, and the two-year period prior to his overcoming this issue by 2019. RTM stated that during this period, Sky Betting and Gaming placed cookies on his devices or browsers, processed his personal data, and sent him targeted direct marketing. RTM sued SBG, contending that SBG had acted unlawfully when doing those things, causing him to gamble more and lose more money than he otherwise would have, and accordingly that he had suffered financial loss and distress. 

Initial High Court judgment

The initial High Court judgment (RTM v Bonne Terre Ltd [2025] EWHC 111 (KB))held that the question was whether RTM had given "legally operative consent;" that he had not done so, and SBG's activities over the relevant period were therefore unlawful. The judge devised a novel, three-strand test based on relevant EU and U.K. case law, which comprised: "(1) good quality subjective consent, depending on the individual's actual state of mind; or (2) absent that, a fully autonomous choice by the individual about the grant of consent; and (3) some minimum evidential standards for proof of consent."

This subjective approach departed from the test for consent set out in data protection law at the time, i.e. that consent must be freely given, specific, informed, unambiguous and indicated by some clear, affirmative action. 

The judge considered that RTM's gambling addiction "diminished" and "impaired" his ability to freely give consent. This leads to clear evidentiary issues for organizations collecting consent, as organizations would not know nor be able to demonstrate an individual's ability to give consent, even where every other element for valid consent is clearly met. As the Court of Appeal judgment goes on to state, if the test for valid consent is subjective, then "even the best processes will leave the (controller) exposed to legal risk."

SBG appealed on several grounds, including that the test for consent in the initial judgment was legally wrong. This article focuses on that appeal ground. The U.K. Information Commissioner intervened to assist on the interpretation of consent.

Court of Appeal judgment 

The Court of Appeal allowed the appeal on all five grounds and set aside the first-instance judgment in favor of RTM. In particular, the Court of Appeal was asked to determine what must be proved to establish that consent was given for cookies and for sending direct marketing — including whether the concept of consent has a subjective aspect.

While the High Court departed from the objective, action-focused approach intended in the law. The Court of Appeal recognized the myriad issues with the High Court approach, and confirmed that consent follows the objective test set out in data protection law — during the relevant period, the Data Protection Act 1998, and the General Data Protection Regulation 2016/679 and Data Protection Act 2018, noting this has not materially changed under the U.K. General Data Protection Regulation post-Brexit.  

The Court of Appeals held that, to prove that an individual has "given" consent, a controller must show that the individual made a statement or took a clear affirmative action indicating their agreement to the relevant processing, highlighting that these are "purely objective questions … typically ticking a box or a similar act."  

A controller must also demonstrate this statement or action is freely given, specific, informed, and unambiguous — each objectively based on the communications between the individual and the controller, e.g. ticking any boxes to opt-in to direct marketing, or withdrawing consent by clicking "unsubscribe" in any direct marketing messages, and the structural relationship between them. 

This objective standard reasonably takes into account any structural imbalances of power which could impact whether consent is freely given — for example, where the controller is an employer or public authority — and does not require a controller to guess at the specific circumstances or characteristics of individuals which may arguably lead to some imbalance of power, or otherwise suggest that consent was not freely given. 

This objective test does not need to be qualified by a controller's "actual or constructive knowledge of an individual's gambling disorder or similar condition," as contemplated by both SBG and the Information Commissioner's Office. Controllers cannot be expected to know an individual's state of mind when consenting, nor if a particular individual was vulnerable, for example, due to a gambling or other addiction, and therefore the consent was not freely given or was generally unfair.

The judgment concludes that the case must be remitted to the High Court, noting that RTM still has live claims that SBG's processing was unfair and infringed other data protection principles. 

Further commentary

This judgment will be a relief not just for gambling operators but for any business which engages in direct marketing: it is now possible for businesses once again to rely with certainty on marketing consents which have been objectively given by data subjects. 

It is worth noting that both SBG and the ICO noted that there could be contexts where a data controller might reasonably be aware of circumstances which would make the processing unfair. The judgment noted that such issues might, in theory, be a breach of the Gambling Commission's Licence Conditions and Codes of Practice, which aim to protect vulnerable persons from harm or exploitation, although it did not suggest that was the case here. British-licensed gambling operators sending direct marketing must comply with the LCCP's specific rules on direct marketing under Social Responsibility Code 3.5, 5.1.11 and 5.1.12, which already impose much stricter obligations on them than businesses in other sectors, in addition to broader LCCP obligations to protect vulnerable customers, for example, Social Responsibility Code 3.4.3, and the general data protection and ePrivacy regimes.