RTM v Bonne Terre Limited - Cookie Consent Appeal
Summary
The Court of Appeal allowed SBG's appeal against Collins Rice J's decision that RTM had not given legally operative consent for cookies, data processing, and direct marketing. The trial judge had found consent invalid based on RTM's gambling addiction and reduced autonomy affecting his subjective state of mind. The Court of Appeal (Warby LJ) held this approach was legally wrong: consent is an entirely objective test. A data controller need not prove what was in the data subject's mind; it must only show an identifiable communication (such as ticking a box) that objectively signifies agreement, assessed against the four statutory criteria (freely given, specific, informed, unambiguous). The ICO intervened supporting SBG's position.
“To prove this, a data controller must show that the data subject made a statement or took some other clear affirmative action amounting to an "indication" of their wishes with respect to the processing or direct marketing in question that "signifies agreement" to the relevant activity of the data controller.”
Data controllers relying on consent as their lawful basis for cookies, marketing, or data processing should note this ruling confirms the test is objective and does not require proof of the data subject's actual mental state or vulnerability. Controllers should ensure their consent mechanisms produce an identifiable affirmative indication (e.g. an explicit opt-in action) and can demonstrate that indication met the four statutory criteria in its full context. While subjective vulnerability arguments by individuals are now foreclosed, controllers should still be able to evidence the objective quality of the consent interaction. The ICO's support for SBG's position signals regulatory alignment with this interpretation.
What changed
The Court of Appeal reversed the trial judge's finding that RTM lacked valid consent because his gambling addiction impaired his subjective consent and autonomous decision-making. The appellate court held that consent for data processing and direct marketing under GDPR Article 4(11), PECR, and the DPA 1998 is an entirely objective concept. A data controller must prove that the data subject made an identifiable statement or clear affirmative action signifying agreement, and that this indication met each of the four statutory criteria. Critically, the controller does not need to prove the data subject's actual mental state or explore vulnerabilities affecting autonomy. The court also noted procedural unfairness as SBG had no opportunity to address the judge's novel legal analysis before the draft judgment was circulated. The ICO, which intervened, agreed that the test is objective. Any organisation relying on consent as the lawful basis for cookies, personal data processing, or direct marketing communications should note this ruling clarifies the evidential standard required.
Archived snapshot
Apr 23, 2026: GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
RTM v Bonne Terre Limited & Anor
[2026] EWCA Civ 488
LORD JUSTICE WARBY:
Introduction and summary
- The main question raised by this appeal is what must be proved to establish that consent was given for the placement of cookies, the processing of personal data, and the sending of unsolicited direct marketing communications? More specifically, the issue is whether the concept of consent for these purposes has a subjective aspect.
- The answer turns on the true interpretation of provisions about consent contained in the Data Protection Act 1998 (the DPA 1998) and its parent Directive 95/46/EC (the DP Directive), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and its parent Directive 2002/58/EC (the PEC Directive), and the General Data Protection Regulation 2016/679 (GDPR). However, as is common ground, consent has the same meaning in all these provisions.
- Consent is defined in Article 4(11) of the GDPR:
“For the purposes of this Regulation
...
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Article 7 of the GDPR provides that it is for the data controller to prove that these criteria are met. The standard is the balance of probabilities. This all reflects the law as it had developed under the DP Directive and the DPA 1998.
- The background facts are these. The appellants (SBG) operate an online betting and gaming business under the trading name “Sky Betting and Gaming”. The respondent (RTM) was a problem gambler, which is why he has been anonymised in these proceedings. By early 2019 he had overcome his problem. This case is concerned with events in a two year period before that (the relevant period). During the relevant period SBG placed cookies on RTM’s devices or his browser, processed his personal data, and sent him targeted direct marketing; and RTM used SBG’s services and lost sums of money. RTM later sued SBG for compensation and declarations, contending that he was a gambling addict; that SBG had acted unlawfully in its placement of cookies, its processing of his personal data, and its direct marketing communications; that this caused him to gamble more and to lose more than he would otherwise have done; and that he had thereby suffered financial loss and distress.
- At the trial, Collins Rice J, DBE (the judge) ruled that liability and remedies should be decided separately. She determined that the question at the heart of the issue of liability was whether RTM had given legally operative consent to the activities of which he complained. She held that he had not done so, and that all of SBG’s activities over the relevant period were therefore unlawful. SBG now appeals. The Information Commissioner (ICO) has intervened to assist the court.
- The judge’s approach to the issue of consent was as follows. She reviewed the legislative provisions I have mentioned, some decisions of the Court of Justice of the European Union (CJEU) and a decision of the Upper Tribunal, Administrative Appeals Chamber (UT), to which I shall come. She concluded that consent, in this context, was a “rather complex” idea with “three distinct strands” or criteria: (1) good quality subjective consent, depending on the individual’s actual state of mind; or (2) absent that, a fully autonomous choice by the individual about the grant of consent; and (3) some minimum evidential standards for proof of consent.
- As to the facts, the judge accepted that RTM had taken deliberate actions that indicated consent, but held that none of the three criteria she had identified was met. Accepting RTM’s evidence about the impact on him of his gambling problem, she found that he “lacked subjective consent”; that “the autonomous quality of his consenting behaviour was impaired to a real degree”; and that on the evidence “the quality of this Claimant’s consenting was rather lower than the standard required”, and “insufficiently freely given”, the reasons being “his gambling condition and his associated vulnerability and compromised autonomy”.
- This basis for finding in RTM’s favour was not one that he had put forward. It was not the subject of any real debate at the trial. SBG’s first ground of appeal is that it was procedurally wrong and unfair to decide the case on this basis. SBG’s second ground of appeal is that the judge’s analysis is legally wrong. The ICO agrees with that. SBG and the ICO both submit that the test for consent is essentially objective. They do however accept that a gambling problem or similar vulnerability on the part of a data subject may be relevant if the data controller knows or ought to know of the vulnerability. This too is a new legal analysis, not advanced by any party at the trial. RTM did not adopt it. His case is that, on a proper analysis of the law and the judgment, the judge’s overall conclusion in RTM’s favour is sufficiently supported by proper findings of objective fact.
- I have reached the following main conclusions:
(1) The question in all cases is whether the data subject has “given” consent to the processing or other activity. To prove this, a data controller must show that the data subject made a statement or took some other clear affirmative action amounting to an “indication” of their wishes with respect to the processing or direct marketing in question that “signifies agreement” to the relevant activity of the data controller. These are purely objective questions about the quality and significance of some identifiable communication by the data subject to the data controller. Typically, this will be by ticking a box or some similar act.
(2) The data controller must also prove to the necessary standard that the data subject’s “indication” met each of the four criteria prescribed by the legislation, namely that it was (i) freely given, (ii) specific, (iii) informed, and (iv) unambiguous. Each of these criteria is also objective in nature. A decision on whether the four criteria were probably satisfied will require an assessment of the data subject’s “indication” in its context including, in particular, the communications between the data subject and the data controller, and the structural character of the relationship between them.
(3) To prove consent, the data controller does not have to prove what was actually in the mind of the individual data subject at the time of the “indication”. It is neither necessary nor relevant for this purpose to explore whether the individual data subject was vulnerable, with an impaired ability to make fully autonomous decisions.
(4) It follows that I disagree with the judge’s legal analysis. I do not accept RTM’s submission that the judgment contains findings of objective fact that are sufficient to support the judge’s overall conclusion. I therefore conclude that the judge’s decision on liability is vitiated by error of law. The fact that SBG did not have a reasonable opportunity to address the judge’s legal analysis before the judgment was circulated in draft is a further reason why the decision cannot stand. I would allow the appeal on these two grounds.
(5) I am not persuaded by the submissions of SBG and the ICO, that the actual or constructive knowledge of the data controller about the personal circumstances or state of mind of the data subject has a bearing on whether consent is established. In my view, RTM was correct not to adopt that line of argument. I do not think it consistent with the language of the legislation or coherent to treat the data controller’s state of mind, actual or constructive, as a criterion for whether the data subject has given consent. For these reasons I would reject the suggestion made in SBG’s written submissions, that the issue of consent should be remitted to the High Court in order for findings of fact to be made on those further issues.
- SBG advances three other grounds of appeal. For the reasons given later, I would allow the appeal on those further grounds also, and invite submissions from the parties on what issues need to be remitted to the High Court and on other consequential orders.
The law
Legislation
- Data protection law regulates the “processing” by “data controllers” of “personal data”, which means data which relate to a living individual, or “data subject”. PECR regulates the use of electronic communications. It uses the terms “person”, “subscriber” and “user” rather than “data subject” and “data controller”. Although those terms do not mean exactly the same thing it is possible in this judgment, for simplicity, to treat them as interchangeable.
- For the first part of the relevant period domestic data protection law was set out in the DPA 1998. For the latter part, from 25 May 2018, the applicable law was contained in the GDPR. The regimes are not identical. But there are few differences that are material in this case. So I shall identify the key features that are relevant for present purposes mainly by reference to the GDPR, with some references to the predecessor regime.
- Article 5 of the GDPR sets out the data protection principles. The first is that “personal data shall be (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)” (cf. DPA 1998, Schedule 1 Part I para 1). Article 6(1) of the GDPR provides that processing “shall be lawful only if and to the extent that” it meets at least one of six listed criteria. These are commonly known as “lawful bases” for processing. The first lawful basis is that “(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes” (cf. DPA 1998, Schedule 2 para 1). The sixth lawful basis is that “(f) processing is necessary for the purposes of the legitimate interests pursued by the controller. ...” (cf DPA 1998, Schedule 2 para 6(1)).
- Consent is defined in Article 4(11) of the GDPR, which I have quoted in full at [3] above. The wording is materially identical to that of the predecessor regime, with the addition of the words “statement or a clear affirmative action”: cf Articles 2(h) and 7(a) of the Directive. Those additional words have no significance on the facts of this case.
- Article 7 of the GDPR contains further provision about “Conditions for consent”. Article 7(1) provides that “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” Articles 7(2) and (3) require clarity in requests for written consent and provide for a right to withdraw at any time. Article 7(4) provides that “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
- Article 82 of the GDPR provides for compensation to be recoverable for material and non-material damage caused by an infringement of the Regulation (cf. s 13 DPA 1998). By Article 82(2), “any controller involved in processing shall be liable for the damage caused....”. Article 82(3) provides an exemption from such liability for a data controller that “proves that it is not in any way responsible for the event giving rise to the damage.”
- The recitals to the GDPR are a contextual aid to interpretation. Three of them refer to consent. So far as relevant, they state as follows:
(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. ...
...
(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. ... Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
- PECR was enacted some five years after the DPA 1998. It was in force throughout the relevant period and remains in force. Regulations 6 and 22 prohibit the use of cookies and the sending of direct marketing emails without consent.
- Regulation 6 prohibits a person from storing, or gaining access to information stored, in “the terminal equipment of a subscriber or user” unless that person “(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and (b) has given his or her consent.” Regulation 22 regulates “the transmission of unsolicited communications by means of electronic mail to individual subscribers”. Regulation 22(2) provides that (except in certain circumstances, not relevant to the present case) a person must not make or instigate such a transmission “for the purposes of direct marketing by means of electronic mail” unless the recipient “has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.”
- Regulation 2 of PECR at all material times provided for the term “consent” to have the meaning given to it by the applicable data protection legislation (cf Article 2(f) of the PEC Directive).
- Regulation 30 of PECR provides that a person who suffers damage by reason of a contravention of PECR shall be entitled to bring proceedings for compensation. Regulation 30(2) provides that in any such proceedings “it shall be a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the relevant requirement”. A similar defence was provided for domestically by DPA 1998, s 13(3). There is no such defence in the GDPR or the post-GDPR domestic data protection regime.
- The judge also referred to the Gambling Act 2005. This governs online betting and gaming and establishes a licensing scheme overseen by the Gambling Commission, which has a duty to issue codes of practice “about the manner in which facilities for gambling are provided”. The judge noted that the statutory “licensing objectives”, and the purposes to be pursued by the codes of practice, include “ensuring that gambling is conducted in a fair and open way” and “protecting children and other vulnerable persons from being harmed or exploited by gambling”. Section 24(9)(b) of the 2005 Act requires a court to take a gambling code of practice into account in any case in which it appears to be relevant. I shall come back to the relevance of this regime.
Case law
- There are three decisions of the CJEU and two domestic cases that need to be considered. The CJEU cases are Verbraucherzentralen Bundesverband e.V. v Planet 49 GmbH (Case C-673/17) [2020] 1 CMLR 25 (Planet 49), Orange Romania SA v ANSPDCP (Case C-61/19) (Orange Romania), and Meta Platforms Inc v Bundeskartellamt (Case C-252/21) [2023] 5 CMLR 22 (Meta Platforms). All of these were decided before IP Completion Day, and all were referred to by the judge. The domestic cases are the decision of the UT in Leave.EU v Information Commissioner [2021] UKUT 26 (AAC) (Leave.EU), to which the judge referred, and the Court of Appeal decision in Cooper v National Crime Agency [2019] EWCA Civ 16 (Cooper), to which the judge did not refer, it not having been cited to her.
- Planet 49 was about an online lottery which used a pre-ticked box to obtain consent to the use of cookies to enable evaluation of participants’ online behaviour, and the provision of advertising based on their interests. Participants had to untick the box to opt out. If they did not, and participated in the lottery, they would be taken to have given consent to the use of cookies. The Grand Chamber held that these arrangements did not meet the legislative requirements for consent. The law required active consent, and failure to untick the box was passive behaviour that did not amount to an “indication” of the data subject’s wishes in respect of the use of their data. This was not “affirmative action” as required by the GDPR. The failure to untick the box was not “unambiguous” as to the data subject’s intentions, or “specific” to the purpose in question. The information provided by the service provider was not clear or detailed enough to ensure that any consent was “well informed”. To meet that requirement, the information had to be “clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed”: [74].
- Orange Romania was about the collection and storage of customers’ identity documents in connection with contracts for the provision of telecommunications services. The customers signed contracts with clauses stating that they had been provided with all the information necessary to enable “unvitiated, express, free and specific consent” to the contract, and that they had been informed of and consented to various kinds of processing of their personal data, including storage of identity documents. There was a box to be ticked, and the company’s procedures required refusal of consent to be set out in a specific form, signed by the customer, but the company entered into contracts where the box was not ticked and no form was signed and in some instances the box was ticked by the company’s own staff. The CJEU reiterated the principles identified in Planet 49 and held that a contract containing clauses of the kind in question was “not such as to demonstrate that that person has validly given his or her consent” where the box had been ticked before the contract was signed; or the terms of the contract were capable of misleading the data subject “as to the possibility of concluding the contract in question even if he or she refuses to consent to the processing of his or her data”; or where “the freedom to choose to object ... is unduly affected by that controller in requiring that the data subject, in order to refuse consent, must complete an additional form setting out that refusal”: [52].
- Meta Platforms was a Grand Chamber decision relating to decisions of the German competition authority, the Federal Cartel Office, about the social media network Facebook, and whether its operations complied with the GDPR. Among the many issues addressed by the court was the link if any, between the fact that an online social network operator held a dominant position in the market and the giving of consent by users of the network. The Grand Chamber held, at [147]-[149], that such a dominant market position “does not, as such, prevent the users ... from validly giving their consent ... within the meaning of Article 4(11) of the GDPR” but “must be taken into consideration in assessing whether the user ... has validly and, in particular, freely given consent”. That was because “that circumstance is liable to affect the freedom of choice of that user ...” and “the existence of such a dominant position may create a clear imbalance, within the meaning of recital 43 of the GDPR, between the data subject and the controller, that imbalance favouring, inter alia, the imposition of conditions that are not strictly necessary for the performance of the contract, which must be taken into account under Article 7(4)...”.
- In Leave.EU an organisation that published a pro-Brexit newsletter had elicited subscribers’ consent “to receive information that Leave.EU felt might interest them”. One issue was whether this amounted to “specific and informed” consent to the provision of unsolicited direct marketing promoting GoSkippy insurance products. The First-tier Tribunal held that it did not. The UT dismissed an appeal. The UT rejected an attempt to distinguish Planet 49 as a case concerned with consent to the installation of cookies, describing consent as “a generic concept within the arena of data protection”: [50]. The UT observed that Planet 49 and Orange Romania were high authority which “set a relatively high bar to be met for a valid consent”: [51]. The criteria for “specific, informed” consent established by those authorities were not met. “There was no indication that subscribers were doing anything other than signing up for a Brexit newsletter”: [56]. The UT did not refer to Cooper, which does not appear to have been cited to it.
- Cooper arose from the claimant’s dismissal from his post at the Serious Organised Crime Agency (SOCA) over his off-duty behaviour outside a pub in Hove. The claimant alleged that SOCA had processed sensitive personal data relating to that incident in breach of the DPA 1998. The Court of Appeal upheld the decision of the Central London County Court to dismiss the claim on the basis, among others, that by clause 24.2 of his contract of employment the claimant had given consent to the processing complained of. At [101]-[102], Sales LJ (with whom Baker LJ and Sir Geoffrey Vos, C agreed) rejected a submission that the ICO’s guidance meant that if there was any ambiguity about whether consent had been given it must be resolved by finding that it had not, saying this:
The data controller needs to know what its obligations are under the DPA, so the notion of consent in condition 1 is an objective one, which depends on the outward manifestation of consent by the data subject. ... In any event, in the present case, I do not consider that there is any ambiguity or genuine uncertainty about the meaning of clause 24.2, when the full context is taken into account.
RTM’s claims and the issues in the case
- RTM’s case is that SBG gathered data relating to him, including by the use of cookies, and then processed it to analyse and profile him, and to generate personalised and targeted direct marketing which fed his compulsive gambling behaviour, causing the further gambling and the consequent harm that I have mentioned. RTM contends that these activities were undertaken in ways that were contrary to PECR, and also contravened the DPA and GDPR, because SBG did not obtain his consent as defined in the legislation and had no other lawful basis for processing his personal data. RTM also alleges that SBG’s processing of his personal data infringed his data protection rights because it was neither transparent nor fair, and because it contravened the data protection principles known as “purpose limitation”, “data minimisation” and “storage retention”. In addition, RTM contends that the data collected revealed a gambling addiction or at least problem gambling with mental health implications, and to that extent were “special category” data, the processing of which is subject to additional conditions, which were not satisfied here.
- It is unnecessary to say any more about most of these claims. It is however essential to set out the nature of RTM’s case, and SBG’s defence, on the key issue of consent. It will also be helpful to outline the rival cases about fairness.
Consent
- RTM pleaded that he “did not consent to [SBG’s] marketing and/or there was no valid consent given within the meaning of Article 4(11) and Article 7 GDPR/UK GDPR and Schedule 2, paragraph 1, DPA 1998”. In support of this plea RTM relied on a detailed critique of the way in which SBG constructed a user profile of him (paragraph 26 of the RAPoC). This alleged that SBG had observed and recorded his actions on its sites, used cookies to track his browsing and email activity, shared such information with other websites and organisations, and thereby built up a detailed profile of him. RTM pleaded that he “did not give his consent to the placement and use of cookies” because the SBG websites displayed only an “accept and close” dialogue box in relation to the cookies, allowing no opportunity for rejection or active behaviour to give consent. He alleged that he had opted out from receipt of direct marketing communications from SBG when he opened his account and “never subsequently opted in to receive marketing communications”, but that he had regularly been sent direct marketing, nevertheless.
- SBG accepted that it undertook the activities regulated by Articles 6 and 22 of PECR, that it was a data controller in respect of personal data of which RTM was the data subject, and that the activities of which he complained involved or included the “processing” of those data. SBG’s case was that it had “always adopted an approach whereby customers (including [RTM]) have always been able to exercise a choice as to whether or not to participate in SBG’s marketing”. It was said that “the claimant’s consent was obtained for the use of cookies, in accordance with the prevailing norms ... at the relevant time”. The lawful basis for direct marketing and marketing profiling was said to be “consent”. SBG also contended that its legitimate interests provided another lawful basis for profiling.
- In his Reply, RTM complained that SBG had failed to particularise how consent was in practice obtained from a user, what information was provided to a user when seeking consent, “the method or modality through which purported consent was obtained” from him, and how he consented to marketing profiling. His case was that he believed he had set his marketing preferences to “off”, that he could not recall providing his consent, and that SBG’s case was “too vague and unparticularised to enable the court to assess whether consent met the applicable legal standards.”
Fairness
- RTM made two complaints of unfairness. Both relied on the content of SBG’s privacy notices. First, it was said that as the privacy notices always stated that the lawful basis for SBG’s marketing and profiling was consent, any processing in the absence of consent would be unfair. Secondly, processing was said to be unfair because the privacy notices did not make SBG’s multiple purposes clear.
The judge’s analysis
- The judge approached the issue of consent in stages, addressing in turn “Consent – the evidential background” and then “The standards for legally operative consent”, before applying her legal analysis to the facts about RTM’s “consenting behaviour” as she found them to be.
The evidential background
- The relevant period fell into two parts, because in March 2018 SBG conducted a “GDPR refresh” of its practices which called for customers to engage in “re-consent”. The judge addressed these separately.
- In relation to the first part of the relevant period, the judge (at [109]-[124]) set out extracts from SBG’s documentation and recorded the following:
(1) Upon activating his SBG account in April 2017 RTM had encountered a cookie banner stating that “by visiting or using” the website he consented to the use of cookies; and that he had clicked on an “accept and close” button to indicate his consent. The banner contained a hyperlink allowing customers to view SBG’s cookies policy. RTM said he had not clicked on that hyperlink. There was no evidence that he had.
(2) There was a dispute about consent to direct marketing. SBG’s privacy notice told customers that “unless you’ve asked us not to” it would send them direct marketing communications and use information it held about them to provide them with tailored advertising. A section headed “your preferences” enabled customers to choose not to receive direct marketing by adjusting their preferences via their SBG account or in other ways. RTM did not receive direct marketing from the time he activated his SBG account in April 2017. That was either because he opted out or because he did not opt in. But on 28 July 2017 SBG began to send RTM direct marketing, and it continued to do so thereafter without objection from RTM.
(3) SBG’s case was that this was because RTM had opted in on 26 July 2017 by changing his marketing preferences. SBG relied on a customer spreadsheet record that was said to record a marketing opt-in. RTM did not recall opting in and disputed the adequacy of SBG’s evidence. The judge found that it was “plain that SBG recorded, and activated, a change in the Claimant’s consent to direct marketing at this time”; that it was “improbable” that this resulted from a spontaneous and isolated systems malfunction; and that “it may well be more probable than not that the commencement of direct marketing was a response to something the Claimant did”. But at [124] the judge said there was a “paucity of evidence” as to what that something was, which led her to “hesitate … to accept that I must proceed on an assumption that all possibilities other than proactive choice are eliminable.” Exactly what RTM did was “largely a matter of speculation”.
- In relation to the second part of the relevant period, the judge (at [125]-[134]) described SBG’s “re-consent” process – setting out extensive extracts from the documentation – and summarised the evidence about RTM’s response to it.
(1) Customers had to scroll through a new set of terms and conditions and tick two boxes to indicate that these had been read and understood, and that they had been accepted. SBG’s records indicated that on 6 April 2018, RTM ticked both boxes. His evidence was that he had no recollection of doing so.
(2) Ticking these boxes at the end of the terms and conditions brought up a revised privacy and cookies notice which customers, again, had to scroll through before ticking two boxes to indicate that they had read, understood and accepted what was said. SBG’s records indicated that RTM ticked both boxes. His evidence was that he did not read the policy and if he did anything he would have ticked the boxes to make the material go away.
(3) The final step was to present customers with a choice about direct marketing. This was presented differently according to whether the customer was already opted in or opted out. As SBG had recorded RTM as an already opted-in customer, he was given a choice to opt out or to “continue with my current preferences”. SBG’s records indicated that he had taken the latter option. RTM’s evidence was that he had no memory of any of this.
The law on consent
- At [135]-[154], under the heading “The standards for legally operative consent”, the judge took “a closer look” at what the legislation and the cases said about “the nature of the requirement for consent in the PECR and data protection regimes”. She noted that there was no material difference between the two regimes in this respect. She set out Article 2(h) of the DP Directive, Articles 4(11) and 7 and Recital 43 of the GDPR. She referred to Planet 49, Orange Romania, Meta Platforms and Leave.EU. She went on to draw from these materials the three-part test to which I have referred in paragraph [6] of this judgment.
- The judge’s reasoning is refined. It is necessary to set it out fully.
- The relevant legislation, and these authorities I was shown on the quality of consent required to render data processing lawful, need some unpacking. The language of and relating to the legislation, and the rhetoric of the judgments, is in terms which suggest a bar which is indeed ‘relatively high’ – consent must be free, specific and informed, it must be separate from the activity to which it stands as a threshold requirement, it must be active and unambiguous. This qualifying language is referable to the origins of data protection law in Art.8 ECHR and its underlying understanding of privacy as implying individual autonomy, including the genuinely autonomous control of personal data. But there are three distinct strands perceptible in this rather complex idea.
- First, there is the subjective element of the individual’s state of mind – what they actually thought about, understood and desired. This actual and high quality, individuated, consent has a palpable presence in the authorities as at least an aspirational standard. But on closer examination it may be that this element alone is not after all set at a particularly high minimum requirement in data protection law, and does not need to be, because it has to be understood alongside the second element – what might be described as the autonomous choice of the individual about consent. The authorities do not speak in entirely subjective terms in setting their ‘relatively high’ standard. They do speak about consent being specific, which implies some basic threshold of subjective understanding that consent is being given, and to what it is being given. But they also speak about individuals being ‘in a position’ to be able to determine the consequences of giving or withholding consent, including by being well-informed – that is, ‘provided with’ full and clear information. These expressions emphasise less an individual’s subjective state of mind, and more the external circumstances of their choices.
- The requirements for consent in data protection law have deep roots in the protection of the autonomy of the individual. That extends not only to the subject matter of the consent – the freedom to choose or not to choose to have one’s personal data processed in certain ways and with certain consequences, with specificity about what those are – but also to the process of consenting itself. If an individual makes a fully autonomous choice to limit the quality of their own consent – for example by choosing not to engage with information which is readily available and accessible – and so executes a permission which is subjectively ill-informed and misunderstood, there is no inevitable compromise of their autonomy in attaching legal effect to that choice.
- The balance between these first two elements which is struck in the authorities appears to set a relatively low threshold for the presence of good-quality subjective consent but a relatively high threshold for establishing that any deficiency of subjective consent is itself autonomously chosen. That is unsurprising; it is a position which is both principled and pragmatic. It is principled because it respects the personal autonomy which it is the purpose of these consent provisions to safeguard. Some processing of personal data is sufficiently invasive (cookies are a form of surveillance of personal activity) or intrusive (direct marketing imposes itself on personal attention) to be unlawful without an individual’s autonomous submission to the compromises of personal autonomy which they intrinsically involve. But individuals’ freedom to make that autonomous submission, and decide how to make it, must itself be respected.
- And it is pragmatic because the balance it strikes between commercial freedom and individual privacy has to be a workable one. Commercial freedom is a collective good. Businesses cannot operate the data systems on which they rely, to provide the goods and services we want at a cost we can tolerate, at the level of inquiring into every individual customer’s subjective state of mind. But they can ensure that their systems factor in decision points about consent which maximise the probability that everyone’s decision at these points is fully autonomously undertaken. They can ensure that good quality, accessible, relevant and accurate information is provided about the consents engaged, they can take steps to guide the decision-making processes towards or through that information, and they can take steps to focus individuals’ minds soberly and separately on the privacy consenting decision in its own right rather than distracting them with all the attractions conditional on that decision.
- That takes us to the third strand – the evidential element. If the authorities set only a modest standard for subjective consent, but a relatively high standard for the quality and autonomy of decisions about consent, they further provide some minimum evidential standards for establishing it. Not unticking a box will not do: it is too evidentially ambiguous, because it is entirely consistent with both a complete lack of subjective consent and a complete lack of any autonomous choice having been exercised – the individual may simply not have noticed the box at all. But a positive and separate act of ticking a box which cannot be reached without scrolling through relevant text, and which is separate from a confirmation that the text has been read, is a piece of evidence which makes it ‘far more probable’ that an individual’s decision about consent will be of the relevant quality. The authorities do not say it constitutes that consent. And of course it is evidence which is still consistent with a complete lack of subjective consent. It does nevertheless have a number of features capable of evidencing an autonomous exercise of choice about consent, including the autonomous choice, either way, about taking advantage of the information resources made available. It cannot, however, guarantee any quality of autonomy. The boxes might, for example, have been ticked by a third party, or by an individual under a temporary or permanent incapacity, or under a positive misapprehension, or indeed in any number of circumstances in which no fully autonomous decision by the data subject has been taken.
- And the authorities do emphasise the fact-sensitivity of the requirement for consent – in all its aspects. Where consent is disputed, the relevant factual matrix is likely to include all three elements: an individual’s subjective consent, the quality of autonomy in any decisions they made about consent, and the evidential basis on which a data controller relied in proceeding on the basis of consent.
- I cannot ignore either what is said in the authorities about the potential significance of marketing to online gambling customers, where that appears as part of the factual matrix of consent in any disputed case. …
(The emphases in these passages and others I shall quote later are those of the judge).
The legal analysis applied to the facts
- At [155]-[200], the judge proceeded to apply her three-part test to the facts. She began with a section headed, “The subjective quality of the Claimant’s consents”. She accepted RTM’s evidence “of his subjective experience of gambling and of its effects on him and his wellbeing”. When he gave signs of consenting to cookies he had “not in fact given his mind to the issue at all”. As for direct marketing, it was more likely than not that he did something to trigger this, but his engagement with the issue may have been “to the minimum degree necessary to get on with gambling” and the judge could not make speculative assumptions.
- Overall, the judge held that RTM was a vulnerable individual. She found that “the subjective quality of the Claimant’s consents” was that (1) his consent to the use of cookies was “limited to clicking the buttons he was presented with … without giving his mind to the matter…”; (2) “not having read the material, he had limited, if any, insight into the system” by which his online behaviour was being fed into modelling so as to target marketing at him; and (3) his engagement with and responsiveness to direct marketing were “intimately bound up with his own problematic gambling behaviour and partook of its qualities.”
- The next section of the judgment addressed “The autonomous quality of the Claimant’s decisions about consent”. The judge rejected a submission that RTM’s conduct in ticking all the boxes he was provided with whilst failing to read any of the privacy notices was fatal to his claim. She held that “the context in which the boxes were ticked – both immediate and wider – is part of the relevant factual matrix within which I have to judge the autonomous quality of the Claimant’s decisions about signifying consent.” The judge dealt with the relevant period in two parts.
- In relation to the first part of the period, the judge held that SBG’s “positive, non-ignorable box-ticking exercise” was “baseline Planet 49 qualifying evidence”. However, the privacy notice lacked clear separation between consent to cookies and engagement with SBG’s services; the privacy policy had “limitations”; it was “an entirely ignorable part” of the process. She held that “as a matter of evidence of autonomous choice having been made by the Claimant, the first part of the relevant period is not unambiguous”, because the process was “consistent with the claimant being unaware of … the substance of the privacy terms and conditions”. The privacy information available provided “limited support for conscious, autonomous decision-making”.
- The judge held that the GDPR refresh represented “a distinct upgrade in the quality of the decision-making context it provided”. The privacy notice had “many good qualities”. There were some “evidential weaknesses” in the cookie consent process. Nevertheless:
178 …. The engineering of the consent mechanisms in the GDPR refresh was sufficient to provide a reasonably robust evidential basis for SBG to rely on its being probable that, where the relevant boxes had been ticked, a specific autonomous choice had been taken about consenting – either to give fully subjective consent or to choose to forego fully subjective consent in the knowledge of the nature and consequence of that choice and proceed on that basis. Customers had been provided with clear, accessible and relevant information, made available to them and drawn to their attention on a literally line by line basis as they scrolled through. They had been taken to separate decision points …
- The judge held, however, that this was not enough. At [179]-[181] she said that whilst “the authorities … address the relationship between a consenting process … and the probability that a data subject has autonomously consented” a data controller choosing to process data in a way that demands consent “cannot ultimately rely absolutely on generic probabilities”. If challenged, the data controller had to “be able to demonstrate the consenting it relies on in a particular case.” In the “overwhelming majority of cases” where the data controller “equipped” data subjects to make autonomous choices there would be no challenge. But
181 … all of that is consistent with an ineradicable minimum of cases where the best processes and the most robust evidential provisions do not, in fact, establish the necessary presence of autonomous decision-making, because there is specific evidence to the contrary. There is an irreducible minimum risk that, even where an individual data subject with legal capacity has clicked on the buttons, they have not done so as part of an autonomous decision-making process such as privacy law demands.
- At [182]-[185], the judge accepted RTM’s submission that the court needed to look beyond “the risks in the system and the general probabilities” and “focus on him as an individual”. She accepted his evidence that “his decision-making about matters to do with gambling was materially compromised throughout the relevant period”. She identified the question on which the case might turn as whether the evidence made it more probable than not that the “absence of consent of the relevant quality” was “the product of sufficiently autonomous decision-making” by RTM. That had to be considered in the full relevant factual matrix, which involved “revisiting SBG’s business model and what the authorities say about marketing to gamblers.”
- A section followed under the heading “Marketing gambling to problem gamblers”. Between paragraphs [186] and [200], the judge examined the “special issues” raised by the direct marketing of gambling to online gamblers and their relevance to the issues before her. She noted the existence of a small minority of online gamblers for whom such marketing “can … fairly be described as dangerous”. She referred to relevant regulatory standards and controls, and to SBG’s own policies. She took into account - as part of the “overall factual matrix” - the “regulatory recognition of the position of vulnerable individuals within the industry”, and the “fact that SBG was demonstrably carrying a substantial risk of marketing gambling to problem gamblers…”. She held that this was “not just an ethical or regulatory but a legal risk”. That was because of the legal onus on the data controller in every case to demonstrate “subjective consent of … quality” or “autonomous decision-making of the ‘relatively high standard’ envisaged by data protection law.” This could not always be guaranteed by systems; there was “an ultimately ineradicable risk in relying on them.”
- At [199] the judge referred to what Recital 43 to the GDPR says about when consent is “freely given”. The judge took into account, as “part of the relevant factual matrix for the consenting behaviour in this case”, that where gambling is sold to someone “whose autonomous ability to resist that selling is substantially diminished” there is “an obvious and fundamental” and “clear imbalance” between the parties.
- The final section of the judgment was headed “Summary and Conclusions”. I have quoted parts of this at [7] above. It is appropriate to set it out more fully here:-
- My analysis is as follows. The relevant legislation and authorities, both European and domestic, indicate that in order to provide a lawful basis for direct marketing, and for the underlying use of cookies for that purpose, a data subject’s consenting behaviour has to be of a ‘relatively high’ quality. That quality is expressed by reference to individual qualities such as ‘free’, ‘active’, ‘informed’, ‘unambiguous’, and ‘specific’ or ‘distinct’. What that means in practice is highly context-specific.
- There are measures indicated by and under the relevant statutory regimes to assist data controllers in the online gambling sector to obtain, and evidence, consenting behaviour of the necessary quality. The sector is such, however, as to carry a real rather than theoretical risk that, occasionally, those measures will not in fact succeed in producing consenting behaviour of the necessary quality, and that the evidence of it will not be reliable. That is because it carries a known and ultimately ineradicable risk that the autonomy of the consenting behaviour in question is vitiated to some degree by problem gambling, so falls short of the relatively high quality required in law. It will be consenting behaviour which is too overborne, passive, unfocused and ambiguous, and too bound up with the craving or compulsion to access gambling, to which the consenting is experienced as a condition to be overcome, to meet the necessary legal standard.
- In any individual case of challenge, a court needs to consider, on the evidence, and in its full context, whether or not the consenting behaviour relied on is of the necessary quality. That is clearly a highly evaluative matter. I have only the present case before me. I have accepted the Claimant’s evidence of the nature and extent of his decision making, and looked at all the evidence of the nature and context of his consenting behaviour towards SBG. I have found he lacked subjective consent. I am also satisfied that the autonomous quality of his consenting behaviour was impaired to a real degree. I have no doubt at the same time it is possible to imagine even worse cases of problem gambling, and even worse cases of impaired consent. Nevertheless the standard looked for is relatively elevated. On balance – and it may be a fine balance – my conclusion is that, on the particular evidence and facts of this case, the quality of this Claimant’s consenting was rather lower than the standard required where processing personal data for the purposes of direct personalised marketing is concerned, throughout the relevant period, because of his gambling problem and his associated vulnerability and compromised autonomy.
- It was insufficiently freely given, in particular. The Claimant’s consenting behaviours proceeded directly from a damaged and defective condition of personal autonomy with which the acts of consenting were inextricably and intimately bound up. The circumstances of his consenting behaviour are not recognisable as amounting to free, unambiguous, informed, specific, or distinct from the uncontrolled craving to gamble. Standards of consent set in data protection law are not insensitive to that sort of context. On the contrary, they can be recognised as requiring a ‘relatively high’ and context-specific standard of consent precisely because of the need for it to be especially incontrovertible before it can be relied on, when the processing of personal data not only invades privacy and compromises autonomy but proceeds from compromised autonomy of the very same nature.
- It follows that I am required to hold that, in this particular case, (a) SBG’s use of cookies for the purposes of personalised direct marketing to the Claimant and (b) SBG’s direct marketing to the Claimant were not lawful processing. In those circumstances, I do not need to give distinct consideration to the question of the distinct lawful basis for profiling the Claimant for the purposes of direct marketing. The profiling was parasitic on the obtaining of the data and the ultimate delivery of the marketing, and had no other standalone purpose so far as he was concerned; it necessarily discloses no distinct basis for lawful processing.
The appeal: grounds 1 and 2
- SBG’s first two grounds of appeal are that the judge’s decision was wrong because:-
(1) The judge erred in deciding the issue of whether RTM had validly consented to receive direct marketing from SBG based on a case which RTM himself never put before the court. RTM had never claimed that his (alleged) status as a gambling addict meant that his consent to direct marketing was legally ineffective. It was impermissible to proceed on the basis that the gambling addiction was not only relevant to but determinative of the consent issue.
(2) The judge took the wrong approach in law to the core issue of what amounts to legally valid consent for the purposes of PECR and the data protection legislation. The judge’s focus on the impact of RTM’s problem gambling on his decision-making ability cannot be reconciled with legal principle and leads to extreme results which the legislators cannot have intended. The judge’s approach suggests that it is impossible for online gambling service providers and others to design systems that are comprehensively compliant with the data protection legislation and PECR.
- It is convenient to take these issues in the reverse order.
Ground 2: the correct approach to consent
- This is a question of construing the relevant legislative provisions. The court must look for an interpretation that reflects the legislative language, read as a whole and in context; that takes account of its identifiable purposes; and that does not have consequences that are unworkable or otherwise unlikely to have been intended. The interpretation must be autonomous in two senses. First, it must be autonomous in the sense – conventional in this context – that it is not tied to the legal notions or legal provisions of an individual state but has equal effect throughout the jurisdictions in which it applies: SM v Entry Clearance Officer, UK Visa Section (Case C-129/18), [2019] 3 C.M.L.R. 16 [50]; Planet 49 [47]. Secondly, the interpretation cannot be one that depends on the circumstances of a particular case or category of case. The application of the concept of consent may depend on the context. For instance, a statement that would be “unambiguous” when made to an adult audience might not have that quality when made to children. But the concept of consent must be uniform for all purposes, regardless of the particular factual matrix of the individual case, or the business or other context in which the question is raised.
The language of the legislation
- There are two general observations to be made about the legislative language under consideration. The first is that it identifies consent as something constituted by an action, not a subjective state of mind. The first lawful basis for processing is that the data subject has “given their consent”. Recital 32 tells us that consent “should be given by a clear affirmative act”. And the definitions go further, telling us that consent of the data subject “means … any … indication of the data subject’s wishes … which … signifies agreement …” The words I have emphasised highlight that consent is defined as an outward signal of the data subject’s inner sentiments. This, I would say, is plain from the language of Article 2(h) of the DP Directive. But the words added to the definition of consent in Article 4(11) of the GDPR underscore the point. So, consent for this purpose is an indication or communication of a specified kind. By the same token, without an “indication” of that kind consent cannot be established, whatever may be the actual state of mind of the data subject. So far there is nothing that calls for or even permits an enquiry into the data subject’s actual wishes, or the inner workings of the data subject’s mind. To this extent I disagree with paragraph [152] of the judgment below. The legislation does say that an action “constitutes consent”.
- It is not enough, of course, that there is an indication of wishes that signifies agreement. To qualify, the indication must also meet each of the four specified criteria: it must be freely given, specific, informed and unambiguous. But my second general observation is that these four criteria all involve and - I would say - focus on objectively ascertainable qualities or characteristics of the communications between the parties. Putting “freely given” to one side for the moment, on the face of the legislative language a decision on whether an indication is “specific” and “unambiguous” should depend on the nature and quality of the indication itself; a decision on whether it is “informed” should depend on the nature and quality of the prior communications from the data controller to the data subject. All these terms direct attention to aspects of the relationship between the parties. None of them directs attention to the actual state of mind of the data subject. The application of orthodox interpretative principles would seem to dictate a similar approach to the further question of whether an indication is “freely given”: the answer should turn on the actions of the parties considered in the context of the relationship between them rather than on individual, subjective, considerations.
The case law
- In my judgment, the CJEU case law supports this approach. In Planet 49, the CJEU held that “the wording of [Article 5(3) of the PEC Directive] ‘given his or her consent’ does … lend itself to a literal interpretation according to which action is required on the part of the user”: Planet 49 [49]. The court went on to hold that the requirement that consent be given “unambiguously” can only be satisfied by “active behaviour on the part of the data subject”: ibid., [54]. Significantly, the CJEU added: “In that regard, it would appear impossible in practice to ascertain objectively whether a website user had actually given his or her consent … by not deselecting a pre-ticked checkbox…”, rather than actively selecting and ticking a box: ibid., [55]. (The emphasis in all these quotations is mine).
- Similarly, the CJEU has held that “the indication of the data subject’s wishes … must be ‘specific’ in the sense that it must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subject’s wishes for other purposes”; so, ticking a box to take part in the lottery was not enough to show that the user “validly gave his or her consent to the storage of cookies”: Planet 49, [58]-[59].
- The requirement that consent be “informed” requires that the user has “been provided with clear and comprehensive information... about the purposes of the processing …” which is “clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed”: Planet 49 [46], [74]. Again, the focus here is on the data controller providing information with particular qualities which will “enable” the data subject to understand the purposes for which their data are to be processed. The words I have emphasised refer to and highlight what the judge at [148] described as “external circumstances” as opposed to the data subject’s state of mind.
- There is nothing in the later CJEU cases to cast doubt on any of these points. To the contrary, the reasoning of the Grand Chamber in Planet 49 was followed and applied by the Second Chamber in Orange Romania, which added (at [39]-[40]) that for consent to be “specific”, the “request for consent is to be presented in a manner which is clearly distinguishable from other matters” and “using clear and plain language, allowing the data subject to be aware of” what was to be done by whom and for what purposes. All of this, again, emphasises what the actions of the data controller have enabled a data subject to do rather than the actual state of mind of an individual data subject. These issues did not arise for determination in Meta Platforms.
- The legislative requirement for consent to be “freely given” was not raised and therefore not considered in Planet 49 (see paragraph [64]). It did arise for consideration in the later cases. In both, the court adopted what I would interpret as an objective approach. In Orange Romania the context was contractual terms which, it was suggested, may have led data subjects to think that they could only enter into a telecoms contract if they also consented to the processing of their identity documents. The court held that “in order to ensure that the data subject enjoys genuine freedom of choice, the contractual terms must not mislead him or her … Without information of that kind, the data subject’s consent … cannot be regarded as having been given freely …”: [41]. The company’s policy of requiring a separate declaration that they did not consent to collection or storage of their identity documents was, said the Court, “liable to affect unduly the freedom to choose”: [50]. In Meta Platforms the Grand Chamber also referred to the power imbalance between the parties as a circumstance “liable to affect … freedom”: see [26] above.
- For these reasons, I read both the legislation and the European authorities as indicating an objective test for consent. At one point in her judgment, the judge appears to have reached the same conclusion. At [179] she said that the authorities “only go so far as to address the relationship between a consenting process (and its associated information provision) and the probability that a data subject has autonomously consented”. I have not been able to detect in the authorities the requirement for high-quality, individuated subjective consent to which the judge referred at [148] and elsewhere. Subjective consent is not mentioned, nor is there reference to autonomous decision-making about consent, in the European authorities.
- As for the domestic authorities, Leave.EU is a case in which the UT took the standards identified in the CJEU authorities and applied them to the somewhat stark factual situation before it; the UT’s reference to a “relatively high bar” for valid consent was no more than a description of the principles I have summarised above. And in Cooper, to which the judge was not referred, this court expressly held that the notion of consent is “an objective one, which depends on the outward manifestation of consent by the data subject”. It is fair to say, as Mr Knight has pointed out on behalf of RTM, that the ratio decidendi of this aspect of Cooper is that consent was given unambiguously by contract. It does not appear that the issue now before us was argued. The decision may not be binding authority on that issue. But in my judgment the court’s analysis was correct. It is also consistent with authoritative guidance and with the stated purposes of the legislation.
The guidance
- The EU data protection legislation establishes bodies with the remit of ensuring consistent application of the law. Under the DP Directive this body was known as the Article 29 Working Party (WP29). Under the GDPR it is the European Data Protection Board (EDPB). These bodies are comprised of representatives from the supervisory authorities of the EU jurisdictions. Their responsibilities include the issue of guidelines, which are an aid to construction. Domestic law confers similar responsibilities on the ICO. This material did not feature in the judgment below. We have however been referred to a number of passages from the guidelines.
- Generally, the guidelines address separately the individual components of the legislative definition, examining what is meant by “informed”, “specific”, “unambiguous” and “freely given”. The following passages, concerned with that last requirement, are in my opinion the most helpful for present purposes.
(1) “... consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences (eg substantial extra costs) if he/she does not consent.”: WP29 Guidelines 10 April 2018, ⁋3.1.1.
(2) “Generally, consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered ... The element ‘free’ implies real choice and control for data subjects.”: EDPB Guidelines 05/2020 on consent under [the GDPR] version 1.1, ⁋⁋3, 13.
(3) “Recital 43 clearly indicates that it is unlikely that public authorities can rely on consent for processing as whenever the controller is a public authority, there is often a clear imbalance of power in the relationship between the controller and the data subject.... Imbalances of power ... may also occur in other situations ... Consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will”: EDPB Guidelines (above) ⁋⁋16, 24.
(4) “When is consent inappropriate? ... if for any reason you cannot offer people a genuine choice over how you use their data, consent will not be the appropriate basis for processing. This may be the case if, for example ... you are in a position of power over the individual – for example, if you are a public authority or an employer processing employee data”: the ICO’s guidance on Consent v 1.0.36, 17 October 2022, p11.
(5) “What is ‘freely given’? Consent means giving people genuine choice and control over how you use their data. If the individual has no real choice, consent is not freely given and it will be invalid ...”: the ICO’s Guidance (above) p 21.
(6) “What do you mean by power ‘imbalance’? Power imbalance refers to the nature of the relationship between an organisation and the people whose personal information they are processing. ... Where there is a clear power imbalance, people may not have a realistic choice about consenting to personalised advertising to access a product or service ... A clear power imbalance can arise from a variety of different factors that affect the relationship between you and the people whose personal information you process ... Some groups of people may be in a more vulnerable position ... ”: the ICO’s guidance on Consent or Pay, v 1.0.4, 21 January 2025, pp 19-20.
- These passages indicate that whether consent is freely given within the meaning of the legislation depends on objectively ascertainable features of the relative positions of the data controller and data subject, and the dealings between them. Data controllers are responsible for offering data subjects a choice that is not deceptive and which can be exercised freely without compulsion, oppression, or pressure arising from the nature of the relationship between them. The “nature” of the relationship is defined for this purpose by the status of the parties, or the general characteristics of a group to which they belong, rather than the specific circumstances or attributes of individual persons. There is no reference in the guidance to subjective consent or to autonomous decision-making. There are some words here, and in some other passages to which Mr Knight referred us, that are consistent with consent having a subjective aspect. That may be because the issue we are considering was not at the forefront of the authors’ minds. I am satisfied that the thrust of the guidance is firmly in favour of an objective approach.
Purposes and Recitals
- A data controller can “engineer” its systems in such a way that it will be able to demonstrate that, considered objectively and as a matter of general probability, any data subject’s “indication” that they wish their data to be processed for certain purposes is one that is freely given, specific, informed and unambiguous. If the test for consent is subjective or requires proof that the individual data subject made an autonomous decision not to give subjective consent, even the best processes will leave the data controller exposed to legal risk. The judge recognised these points at [178], when assessing the mechanisms put in place by SBG in its GDPR refresh, and at [181], when she identified the “irreducible minimum risk” which, in her judgment, “the law places … on the data controller.” The judge reasoned that this is what privacy law demands. I disagree.
- There is no doubt that one aim of the data protection regime is to protect the fundamental rights of natural persons, among them the right to data protection guaranteed by Article 8 of the EU Charter of Fundamental Rights. Recitals (1), (2) and (4) to the GDPR make this clear. But Recital (4) explains that “The right to protection of personal data is not an absolute right; it must be considered in relation to its function in society and balanced against other fundamental rights ….” which include “freedom to conduct a business”. The balance is to be struck “in accordance with the principle of proportionality”. So, as the judge said at various points in her judgment, the legal regime is one that seeks to strike a balance between commercial freedom and individual rights. But as she also noted at [151] the balance struck must be a “pragmatic” and “workable” one. The court should not interpret the legislation in a way that has consequences that are impractical and which the legislature is unlikely to have intended.
- An inevitable corollary of the judge’s analysis is, as she rightly saw, that a data controller such as SBG could not guarantee its ability to “demonstrate” conformity with the consent requirements of data protection law and PECR. No system for obtaining consent could achieve that. There would always be the possibility that an individual user, such as RTM, suffers from a gambling addiction, of which the data controller does not and cannot know, which impairs the user’s ability to give subjective consent or compromises his genuine autonomy or both. In any such case the data controller’s conduct would be contrary to PECR. Absent another lawful basis, the data controller’s processing would also be unlawful. Compensation would probably be recoverable.
- The consequences would not be confined to the gambling industry but would go further. Other commercial entities, operating in quite different sectors, would be exposed to similar legal risk. Perhaps the most obvious examples are those sectors in which compulsions and addictions are a known feature, such as the sale of alcohol. I do not, however, see the presence or absence of addiction as affording a principled boundary to the subjective approach. Subjective consent or true autonomy might on a given occasion be absent because of other vulnerabilities, or other conditions or circumstances, unknowable by the data controller, that disable the individual data subject from making a free choice. Examples given during argument on this appeal included a third party blackmailing the data subject, putting a gun to their head, or subjecting them to other coercive and controlling behaviour.
- I do not consider it likely that the legislature intended to create a regime for consent with which it would be impossible for data controllers to comply, and to expose them to this legal risk. Such a regime would provide a strong incentive for data controllers to invest in enhancing their systems. In the specific context of protecting problem gamblers, that might be seen as desirable. But as I have noted, a data controller such as SBG could never be sure of achieving subjective consent or a truly autonomous choice to agree regardless. Moreover, as the test must be uniform for all purposes governed by PECR and data protection law, it is hard to see this as a proportionate balance to strike.
Legal and practical certainty
- Recital (7) to the GDPR identifies two objectives for the new data protection framework: “Natural persons should have control of their own personal data” and “Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.” The judge’s analysis would favour the first of these aims at the expense of the second. It would create considerable legal and practical uncertainty for economic operators. It would also create uncertainty for at least some public authorities (Recital 43 does not say or mean that all operations of public authorities involve a clear imbalance of power: see ⁋14 of the EDPB Guidelines, above.)
- The uncertainty that would result includes, critically in my view, the unsatisfactory and ultimately opaque nature of the test for legally effective consent which the judge applied. For SBG, Ms Proops KC submitted that, upon close examination, the judge’s three-stranded test collapses into a single subjective test. I think that is correct. The second strand, although labelled autonomy, is a subjective test of a different kind. The question raised by the third strand is, in substance, whether the evidence establishes the probable existence of subjective consent of the first or the second kind.
- I also accept Ms Proops’ further submissions, that the test applied below is novel and its precise nature elusive. The judge accepted that RTM possessed legal capacity to consent. She found that he performed deliberate acts which indicated a wish to do so and – as I read the judgment – that he did in fact subjectively desire to consent, so that he could continue gambling. She accepted that RTM “wanted the direct marketing material – even perhaps craved it”. And yet she found there was no “freely given” consent and hence none that was legally effective. That conclusion did not flow from any finding of deception, oppression, or the like on the part of SBG. It was based on RTM’s state of mind, variously described as involving compromised or impaired decision-making and autonomy.
- The principle that decisions deliberately made by a capacitous individual may nonetheless be vitiated for lack of consent is legally novel. In general, unwise or even irrational decisions made by individuals with capacity are considered legally binding. The contours of this novel principle are not clear to me. The suggestion appears to be that, in the present context, consent may be lacking where the data subject “does not turn his mind to” the issue, or where there are deficiencies in the “rationality of ... decision-making”. That would seem to cut across established rules, and to my mind lacks appropriate precision. Reference to the “quality” of RTM’s consent, and findings that it was “vitiated to some degree” and “insufficiently freely given”, imply the existence of some kind of scale. There is a finding that consent in this case fell short. But neither the units of measurement nor the threshold can be clearly identified.
- It appears that, in assessing the quality of RTM’s consent, the judge took account of her findings about the quality of SBG’s consenting mechanisms; but this seems to have been a multi-factorial approach. The findings do not include any clear conclusion that the consent given fell short of any of the other specified criteria - save perhaps for what was said about consent to cookies in the first part of the relevant period. It appears to me that the judge’s approach brought together the four criteria as strands of a single overarching evaluative test. I would readily accept that they are inter-related, but in my judgment the legislative language and the authorities show that they are distinct criteria to be assessed and evaluated individually.
The regulation of online gambling
- The judge identified “SBG’s business model and what the authorities say about marketing to gamblers” as a relevant part of the factual matrix in which she had to determine whether RTM gave consent that was legally effective. At a general level, I agree with that. The authorities indicate that the purposes for which consent is sought, how that is done, and the context in which it is done, must all feed into an assessment of whether, considered objectively, the resulting indication of the data subject’s wishes probably was freely given, informed, specific and unambiguous. The regulatory environment in which the data controller is operating, the kinds of people with whom the data controller is dealing, and the risks of the particular kind of business, are aspects of the factual picture that may be relevant for these reasons. They could, for instance, dictate the use of especially simple and clear language. Beyond this, however, I do not agree with the judge’s approach to this part of the case.
- At the risk of failing to do justice to the judge’s reasoning, I would summarise it as follows. There was a clear and obvious risk that SBG would market gambling services to individuals who, because of a diagnosed gambling addiction or other related condition, would be vulnerable to gambling-related harm and could not give “consenting … of the standard required”. That risk could be addressed through regulatory measures imposed by the Gambling Commission and by the ICO, and via SBG’s own systems, policies, and processes; but none of these was effective to eliminate, or even capable of eliminating the risk and amounting to “a complete insurance policy”. SBG was well-equipped to minimise the risk and had a “reasonable care” defence available to it under PECR 30(2). Having regard to the provisions of Recital 43, there was a “clear imbalance” between SBG and RTM, who was a problem gambler with a “need” for SBG’s services, and marketing was not a “necessary” part of providing online gambling services. Taking all these matters into account, the conclusion was that consent of the necessary quality had not been obtained.
- I have a number of reservations about this approach.
(1) The judge’s starting point was a finding that there are inescapable shortcomings in the ability of regulatory or commercial measures to safeguard problem gamblers. That may be so. It does not follow, however, that data protection law must step in. I can certainly see the force of SBG’s contention that the concept of consent should not be shaped and moulded with a view to filling this gap, thereby affording the customer the “complete insurance policy” to which the judge referred. That would involve trespass into a field that properly belongs to the legislature.
(2) I do not believe that Regulation 30(2) of PECR has any bearing on the question at issue. First, Regulation 30(2) provides a defence to compensation but no answer to liability. Secondly, Regulation 30(2), like s 13(3) of the DPA 1998, is a purely domestic provision. Neither has any equivalent in its parent Directive. There is no such defence in the GDPR; Article 82 is quite different and far more limited, on any view. The meaning given to consent in EU data protection law cannot be determined by individual domestic provisions; it must be autonomous. Indeed, the concept must have the same meaning in domestic data protection law which gives effect to EU legislation, or is intended to do so. So the fact that SBG might have a reasonable care defence to a compensation claim under the DPA 1998 or PECR could not affect the answer to the question we are considering.
(3) The judge’s approach to Recital (43) of the GDPR was, in my opinion, flawed. She did not directly apply the language of the recital but used elements of it as factors in her reasoning. On the issue of “clear imbalance” she took an individualised, case-specific approach, reliant on the circumstances of RTM. As I have indicated, I do not agree with that interpretation of the legislation. The judge did not find, and I do not believe, that there was a “clear imbalance” in the structural relationship between SBG and its customers generally. As for the second part of Recital (43), I am not persuaded that this - or the related provisions of Article 7(4) - can be applied to the facts as found in this case. SBG accepts that its methods of obtaining consent to cookies in the first part of the relevant period were inadequate. But this was not a case in which the performance of a contract for gambling services was made “dependent on” consent to marketing.
RTM’s analysis of the judgment
- For RTM, Mr Knight submitted that the judge was not wrong to identify subjective aspects within the test for consent. He characterised the approach of SBG and ICO as “reductive”, “compartmentalised”, and insufficiently nuanced. He pointed to some passages in the Guidelines to support a contention that subjective considerations can play a part. For the reasons already given, I have taken a different view.
- Anyway, in the end, Mr Knight did not seek to support the judge’s decision on the basis of the three-stranded legal test I have so far been addressing. He submitted that the judge’s reasoning did not rest exclusively on that analysis. Her approach, he said, was a holistic one that “treats subjective and objective consent as alternative bases for consent”, subjective consent being an aspirational standard which can suffice but is not necessary. Mr Knight argued that the judge did apply an objective framework and that her findings, read as a whole, were fatal to SBG’s appeal. He referred in particular to paragraphs [148], [150], [152] and the judge’s detailed analysis of SBG’s policies and practices.
- This was an elegant and skilful argument, to which I would wish to pay tribute. It was not, however, enough to persuade me that the judge’s decision can be upheld. Having reviewed the judgment under appeal with the utmost care, I find myself unable to locate findings of objective fact sufficient to support the overall conclusion at which the court arrived. On the contrary, the judge did not see a need to reach hard-edged conclusions on whether RTM’s indications of his wishes satisfied each of the individual legislative criteria, and she did not do so.
The relevance of the data controller’s state of mind
- SBG and the ICO each submitted that the objective test for consent for which they contended need not involve an “absolutist” approach. It could and should be qualified by reference to the data controller’s actual or constructive knowledge of an individual data subject’s gambling disorder or similar condition. It was submitted that if the data controller knew or ought to know that a data subject was vulnerable due to gambling addiction or the like that could create the “clear imbalance of power” referred to in Recital 43, thus making it “unlikely” (absent further enquiries) that the data controller would be able to demonstrate that consent was freely given. This is an argument that was not addressed below. As I have noted, it has not been adopted by Mr Knight on behalf of RTM. I have not been able to accept it, for multiple reasons.
(1) This analysis adopts the individualised approach to the “clear imbalance of power” criterion with which I have already expressed my disagreement.
(2) Relatedly, this argument places a lot of weight on the notion that an imbalance of power is “clear” if it is manifest to the data controller in the context of the specific relationship with an individual data subject. I do not think that is what the objective approach requires.
(3) Any such qualification would significantly undermine the objective approach. It would also be impractical. This approach would involve the introduction of not just one but two subjective tests. The court or other decision-maker considering whether the necessary consent was present would need to determine (a) whether the data subject (i) had a gambling disorder or other condition that (ii) materially impaired their ability to give consent, and (b) whether the data controller knew this to be so. This is a complex set of questions.
(4) The burden of proof would mean that – at least if the data subject raised the issue – the data controller would bear the onus of establishing negatives: that the data subject’s decision-making ability was not impaired or, if it was, that the data controller neither knew nor ought to have known this was the case.
(5) This approach would seem to carry with it most if not all of the problems of legal and practical uncertainty to which I have referred above.
(6) The legislative context tends to count against this analysis. Besides the points already made, there is Article 8 of the GDPR. This makes specific provision for the marketing of information society services to children. For those under 16, or such lower age as is specified in domestic legislation, a data controller can rely on consent as a lawful basis for such marketing “only if consent is given or authorised by the holder of parental responsibility” and the data controller must “make reasonable efforts to verify” that this has been done. The implication is that such efforts would not otherwise be required.
(7) Finally, I am not convinced that the suggested departure from the objective approach is necessary or warranted in order to address the concerns that evidently underlie this aspect of the submissions for SBG and the ICO.
- If the concerns I have mentioned were not clear in the written submissions, they became plain at the hearing. They are, in summary, to ensure that the regime is interpreted and applied in a way that affords the rights of vulnerable gamblers, and those of data subjects generally, the greatest degree of protection consistent with the competing commercial imperatives recognised in the Recitals to the GDPR. Those are legitimate aims. But I do not consider them sufficient to justify an interpretative approach that is unsatisfactory for the reasons I have given. And I think it likely in any event that these concerns could be accommodated in other ways. RTM has not put his case this way but, for instance, if the data subject makes it known to the data controller that he suffers from some affliction that casts real doubt on his ability to make free choices, any indication of his wishes might not count as “unambiguous”. Or it might be argued that the processing of personal data would not be “fair” if undertaken at a time when the data controller knew or should have known that the data subject was suffering from some disability or external factor that overbore their will or compromised their ability to choose. If such an issue arose, the court could consider whether there was a breach of a code of conduct promulgated by the Gambling Commission for the purpose of protecting “vulnerable persons” from harm or exploitation.
Conclusion on Ground 2
- For all these reasons I would allow the appeal on ground 2. In short, the judge’s decision that RTM did not give consent to the provision of marketing and the processing of his data by SBG was wrong because of a legally mistaken approach to the issue of what needs to be proved to establish that the data subject “gave consent” with the specified characteristics.
Ground 1: Procedural fairness
- The conclusions I have just identified make this issue academic in one sense: the appeal against the judge’s decision on consent must succeed. I shall nonetheless set out briefly my conclusions and reasoning on ground 1, because the issue is distinct, we heard full argument upon it, and the outcome could have an impact on disposal or at least on costs. My conclusion is that the judge erred in deciding the case on the basis that she did, because SBG had not had an adequate chance to address that way of viewing the issues.
- Several decisions on this issue have been cited to us. They include Satyam Enterprises Ltd v Burton [2021] EWCA Civ 287 [36] and Al-Medenni v Mars UK Ltd [2005] EWCA Civ 1041 [21]. For present purposes it is not necessary to undertake any elaborate analysis of the jurisprudence. It is enough to say that an issue ought not to be decided against a party unless they have had a fair opportunity to address the court’s reasons for reaching that decision. Whether that has been done will be an intensely fact-specific question.
- In this case, the decisive analysis involved the application of the three-part subjective test. That was no part of RTM’s case, which I have outlined above. Nor, with respect to the argument advanced by Ms MacLeod (who addressed us for RTM on this part of the case), did SBG’s case raise the issue of whether RTM gave subjective consent. The furthest SBG went in the direction of raising RTM’s state of mind as an issue was by cross-examining him and advancing submissions in closing to the effect that he “wanted” the direct marketing that SBG provided. But this was aimed at rebutting RTM’s factual case that, whatever SBG’s records might suggest, he had done nothing to indicate his consent to such marketing. SBG did not advocate a subjective test of consent. The three-part subjective analysis was entirely of the judge’s own devising.
- There is nothing inherently wrong with that. But this approach to the issues was only alluded to in part, and then only briefly and belatedly, in the course of the trial. Towards the end of the closing submissions for SBG the judge asked Counsel, “Can the ‘consent’ of a compulsive gambler to the marketing to him of gambling opportunities be freely given?”. Counsel replied that for an operator such as SBG the starting point had to be that, in the absence of a positive reason to think otherwise, the data subject’s ability to give consent was not in doubt. The judge’s response came in paragraph [194] of her judgment, where she held that the issue of whether the data subject had provided subjective consent of the “relatively high quality” required would always be potentially in issue, and that it was for the data controller to demonstrate its presence. I would accept SBG’s submission that it was not given a sufficient opportunity to address those points, and related propositions that featured in the decisive reasoning of the judge.
Ground 3: consent to direct marketing
- SBG’s third ground of appeal raises two issues about whether on 26 July 2017 RTM gave consent to receiving direct marketing communications. The first issue is whether the judge found that he did or that he did not give such consent. If the judge found that he did, this ground falls away. If the judge found that “factual consent” was lacking, the second issue arises: was that a conclusion that was open to the court on the evidence, applying the relevant standard of proof? SBG’s case is that this conclusion was not open to the court, and it points to the word “eliminable” in the judge’s paragraph [124] in support of a submission that she applied an elevated standard of proof.
- I am not sure the two issues I have mentioned are entirely separate. At any rate, my conclusion is that on a proper application of the law it follows from the judge’s factual findings that RTM did give “factual consent” in the way alleged by SBG. I have set out or summarised the judge’s reasoning at [38] and [42] above. She found as a fact that RTM gave SBG an indication of his wishes that signified his agreement to direct marketing. She could not definitively state how he gave that indication. But certainty was not required. The answer was not speculative. On the evidence the obvious, or at least the most likely, way in which RTM indicated his wishes was by ticking a box to opt in. The evidence and argument disclosed no other way in which he might have done so. The judge should have found that this is what he did.
Grounds 4 and 5: cookies, profiling and causation
- SBG’s Grounds 4 and 5 are both concerned with paragraph [205] of the judgment, which I have quoted at paragraph [50] above.
- By Ground 4, SBG contends that it was not open to the Court to find that it used cookies to enable it to send RTM personalised direct marketing communications. The effect of the relevant evidence was that SBG did not use cookies or cookie-derived data to create or deliver the particular personalised direct marketing communications which it sent to RTM and about which he complains.
- By Ground 5, SBG contends that the judge was wrong to conclude that its profiling of RTM for direct marketing purposes was necessarily unlawful. It is said that those findings were parasitic on the court’s erroneous conclusions on the issue of consent (Grounds 1 and 2), on the relevance of cookie placement to the personalisation of direct marketing (Ground 4), and on a misunderstanding of the concession made by SBG as to the circumstances in which it could rely on legitimate interests as a lawful basis for profiling its users for marketing purposes.
- I would uphold both these grounds of appeal. The evidence adduced by SBG was that it used information from cookies to provide users with personalised forms of social media and digital display marketing on third-party websites and social media platforms, but that these were not methods of “direct marketing”. In any event, RTM did not complain of marketing of this kind. His complaints about marketing related to “direct marketing communications by email and telephone” (RAPoC paragraph 27.1) and “targeted special offers through direct marketing and on the [SBG] websites” (paragraph 27.2). The submissions at trial were to similar effect. There was no evidence that information derived from cookies was used for these purposes. The evidence was that SBG’s user profiles were constructed in other ways, mainly based on data derived from the user’s transactions.
- The finding that SBG’s profiling for direct marketing was unlawful was, as Ms Proops submitted, parasitic on other conclusions, which I have found to be erroneous. For what it is worth, I also agree that paragraphs [200] and [205] mis-stated the concession made by SBG. What Mr Hopkins had accepted was that a company providing gambling services could not rely on its own “legitimate interests” as a lawful basis for marketing to someone who was a problem gambler if it had “grounds to know that to be the case.” The judge made no finding that SBG had such grounds.
Conclusions
- I would allow the appeal on all five grounds and set aside the judge’s decision and order entering judgment on liability in favour of RTM. On any view, the case must be remitted to the High Court. I do think, however, that the scope of the remission required will need to be the subject of further submissions.
- Generally, the role of this court is to review the decisions of others, not to make findings of fact. And it would be wrong for us to reach a different decision on the issue of whether consent was given without affording both sides a chance to make relevant submissions. But we have had very full documentation and two full days of argument on this appeal. If the other members of the court agree, we have now identified the legal test for consent. RTM’s gambling addiction, and what if anything SBG knew or should have known about it, are not relevant for that purpose. I think it arguable that we could, using the judge’s findings and the undisputed facts, decide the issues with which SBG’s grounds 2, 3, 4 and 5 are concerned.
- It cannot be said that decisions on those issues would bring the case to an end. Even if SBG were to prevail on all of them, RTM still has claims that SBG’s processing of his data was unfair, and infringed other data protection principles, that remain to be resolved. But it might be said that the overriding objective is in favour of us deciding such issues as we fairly can.
- The draft of this judgment that was circulated to the parties addressed two issues which I then thought fell into that category, and set out my then views upon them. The two issues are (1) whether, if the judge’s legal analysis is put to one side and the issue is approached objectively, it is more likely than not that the indication of wishes that RTM gave on 26 July 2017 was “informed, specific, unambiguous and freely given”; and (2) whether paragraph [178] of the judgment should be viewed as a finding that, objectively viewed, it was probable that SBG’s practices following the GDPR refresh would mean that indications of consent given by data subjects were legally effective. In the light of the parties’ submissions since circulation of the draft I shall reserve my judgment on these points, and which court should decide them, until after further argument.
LORD JUSTICE LEWISON:
- I agree.
DAME VICTORIA SHARP, P:
- I also agree.
About this page
Source document text, dates, docket IDs, and authority are extracted directly from EWCA Civ.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.