In RTM v Bonne Terre, a compulsive gambler (RTM) sought compensation from an online betting company.
The company sent RTM targeted advertising, relying on the lawful basis of consent.
They had a process in place to secure consent for targeted advertising, and RTM had completed that process. In the company’s eyes, this meant that they had fulfilled their legal obligations.
RTM saw things differently. He pursued a claim against the company in the High Court. The essence of RTM’s argument was this:
Despite the fact he had completed the company’s consent process and ticked the relevant boxes, his gambling addiction rendered him incapable of consenting to targeted ads for online betting.
The High Court sided with RTM. At the risk of oversimplifying, their reason for doing so was that RTM “lacked subjective consent.”
This posed a problem for businesses processing personal data relying on the lawful basis of consent (particularly those whose customers might plausibly describe themselves as addicts). It suggested that there would be some situations where (as the High Court put it) “even the best processes and the most robust evidential provisions” would not be sufficient to establish consent as a lawful basis.
This problem has been resolved for the foreseeable future, as the Court of Appeal overturned the High Court decision in a ruling on 23 April 2026. They found that the High Court “took the wrong approach in law to the core issue of what amounts to legally valid consent” under UK data protection and ePrivacy law.
In a comprehensive and painstaking judgment, Lord Justice Warby commented that he did “not consider it likely that the legislature intended to create a regime for consent with which it would be impossible for data controllers to comply.”
Unless RTM attempts an appeal to The Supreme Court, The Court of Appeal ruling confirms that:
- Establishing whether a data subject has consented to data processing does not require the data controller “to prove what was actually in the mind of the individual data subject at the time”.
- There is “an objective test for consent” under UK data protection and ePrivacy law.
Comment
The definition of consent, as set out in the UK GDPR says that it “means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
While this case went the way of the data controller, it is a reminder of the potential complications associated with consent as a legal basis for data processing. It is always worth giving some thought to the most appropriate legal basis for your data processing. When you do choose to rely on consent, it is important to approach the task of obtaining and proving consent with care to ensure legal compliance.
Our content explained
Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.