Who: The Court of Appeal
Where: United Kingdom
When: 21 April 2026
Law stated as at: 14 May 2026
What happened
Every day, millions of users click “accept” on cookie banners and marketing opt-ins to consent to the processing of their personal data. But what happens when a user later claims that, because of a particular vulnerability, that consent is not valid? And what does that mean for the businesses that relied on that click? The Court of Appeal’s decision in RTM v Bonne Terre Ltd [2026] confronts precisely these questions, delivering a ruling on the test for establishing consent under the UK General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR).
Former problem gambler challenges validity of consent
The claimant, RTM, described himself as a reformed problem gambler. Before overcoming his addiction, he had used Sky Betting and Gaming (SBG)’s online platform. When activating his account, he had clicked “accept and close” on a cookie banner. SBG had then placed cookies on RTM’s devices and browsers, processed his personal data and sent him targeted direct marketing material. RTM argued that these activities had fed his compulsive gambling and caused him to suffer significant financial loss. RTM issued proceedings against SBG, claiming that his consent to the processing of his personal data was never legally valid.
The High Court agreed. Analysing the concept of consent, it identified three elements to be considered: the subjective state of mind of the data subject; the degree of autonomy of the individual in relation to the grant of consent; and minimum evidential standards to be met by the data controller. The High Court held that none of these three criteria were met: RTM “lacked subjective consent”; his gambling behaviour impaired his autonomy in granting consent “to a real degree”; and the quality of his consenting was lower than the standard required. Overall, his gambling condition, associated vulnerability and compromised autonomy, was such that his consent had not been “freely given”. SBG appealed.
Objective or subjective?
The central question before the Court of Appeal was what must be proved to establish that consent was given for the placement of cookies, the processing of personal data and the sending of unsolicited direct marketing communications. In particular, the court considered whether the concept of consent, as a whole, has a subjective aspect.
Court of Appeal draws the line
The Court of Appeal allowed the appeal and remitted the case to the High Court.
The Court of Appeal found that the criteria to be met for consent to be valid are all objective in nature and that consent is constituted by an act, not a state of mind. After all, the first lawful basis for processing is that the data subject has “given” their consent. Therefore, the data subject must have taken some clear affirmative action.
Further, as the legislation states, consent means an “indication” of the data subject’s wishes that “signifies agreement” to that processing. In the Court of Appeal’s view, this shows that consent is defined as an outward signal of the data subject’s inner sentiments and without that outward signal, whatever the state of mind of the data subject, consent cannot be established. The question of whether consent has been “given” is therefore purely objective.
The Court of Appeal also noted that, under the GDPR, the indication of consent must also be “freely given, specific, informed and unambiguous”. It said that these are also all objective in nature and whether they are satisfied is assessed by reference to the data subject’s “indication” of consent and its context, including communications between the data subject and the data controller and the structural character of the relationship between them. Therefore, the Court of Appeal said, nowhere in the legislation or case law does it state that to prove consent, the data controller must show what was in the mind of the data subject at the time. The law also does not provide that the data controller must consider whether the data subject was vulnerable such that they were unable to make a fully autonomous decision.
The Court of Appeal also rejected arguments advanced by both SBG and the Information Commissioner’s Office that the data controller’s actual or constructive knowledge of a user’s personal circumstances or state of mind is relevant to whether consent is established. Such an approach was not consistent with the language of the legislation.
Having rejected the High Court’s notion that there is a subjective element to the question of consent, the Court of Appeal also noted that the effect of the first-instance judgment would be that a data controller, such as SBG, could never guarantee compliance: there would always be the possibility that a user suffered from a gambling addiction or other vulnerability (unknown to the data controller) which impaired the user’s ability to give consent. These consequences could, in fact, extend well beyond gambling to other sectors, such as the sale of alcohol, and the legislature was unlikely to have intended such a result.
The Court of Appeal also observed that the High Court’s introduction of a subjective test for the issue of consent was legally novel and its precise nature elusive. To hold that decisions deliberately made by an individual with capacity may be vitiated for lack of consent was not consistent with the general principle that unwise or even irrational decisions made by individuals with capacity are considered legally binding.
Why this matters
This ruling provides legal certainty for businesses that rely on consent-based processing of personal data. The Court of Appeal has confirmed that the test for consent is a purely objective one. This means that where a controller has implemented a compliant consent mechanism and obtained a clear affirmative act from an individual with capacity, that consent should be valid, regardless of the individual’s undisclosed subjective state of mind or particular vulnerability at the time.
The implications of this judgment extend well beyond the gambling sector. Any industry in which users may be considered vulnerable, such as alcohol, financial services, social media and online retail, would have been exposed to similar challenges had the subjective test for consent under data protection laws stood.
However, controllers operating in sectors with vulnerable users may still face regulatory scrutiny under other legal and regulatory frameworks, including gambling licence requirements and broader consumer protection legislation.
