The Court of Appeal has rejected attempts to introduce subjectivity into the test for consent under GDPR and PECR, reinforcing the predictability and operability of consent mechanisms. This article overviews the Court of Appeal's reasoning and the key takeaways for businesses.

High Court background and judgment

The claim in RTM v Bonne Terre Ltd and Hestview Ltd [2026] EWCA Civ 488 arose from allegations that Sky Betting & Gaming (SBG) unlawfully processed personal data, deployed cookies, and sent personalised direct marketing to an individual claimant (RTM), contrary to the GDPR (GDPR) and the Privacy and Electronic Communications Regulations 2003 (PECR).

At first instance, the High Court found in favour of RTM. Central to its reasoning was a novel, three‑limbed approach to consent which incorporated: (i) the claimant’s subjective mental state, (ii) issues of autonomy (including impairment caused by gambling addiction), and (iii) the evidential quality of the data controller’s processes.

Applying that framework, the court held that RTM’s gambling addiction undermined his ability to provide valid consent. As a result, the consent relied upon by SBG, relevant to cookies, data processing and direct marketing, was deemed invalid. The judgment represented a significant departure from previous interpretations of consent under the GDPR, introducing a subjective and individualised assessment of whether consent was “freely given”.

The decision generated considerable uncertainty for data controllers, particularly those operating in regulated or “vulnerability‑sensitive” sectors (such as gambling, financial services, and online platforms), as it suggested that consent might be retrospectively challenged based on a data subject’s personal circumstances and psychological vulnerabilities.

The UK's Information Commissioner (ICO) intervened in the appeal in favour of an objective test for consent.

The Court of Appeal decision (21 April 2026)

The Court of Appeal allowed SBG’s appeal in full (and remitted the case to the High Court to address outstanding factual issues).

Procedural unfairness

The Court of Appeal first held that the High Court had acted procedurally unfairly by deciding the case on the basis of a subjective test for consent that had not been pleaded or argued by the parties. The introduction of a three‑part “subjective consent” analysis, devised entirely by the judge, deprived SBG of a fair opportunity to respond, contrary to fundamental procedural principles.

The correct legal test: consent is objective

The central and most significant aspect of the judgment concerns the nature of consent under GDPR and PECR. The Court of Appeal held that:

• Consent is constituted by a clear affirmative action amounting to an indication of wishes (e.g. ticking a box), and a controller does not have to prove what was actually in the data subject’s mind at the time – i.e. the test for consent is objective in nature.
• The four GDPR criteria for consent (freely given, specific, informed, unambiguous) are objective standards, assessed by reference to communications and the relationship between the parties.
• It is neither necessary nor relevant to enquire into individual vulnerability, impaired autonomy, or subjective understanding.

In rejecting the High Court’s approach, the Court of Appeal emphasised that introducing subjectivity would generate unacceptable uncertainty and undermine the GDPR’s objective of legal and practical certainty for economic operators.

The Court of Appeal also rejected attempts (including from the ICO) to qualify the test by reference to whether a controller knew or ought to have known of a data subject’s vulnerability, on the basis that this is not consistent with the language of the legislation and that such a qualification would reintroduce subjectivity and render the test unworkable.

Marketing opt‑in evidence

The Court of Appeal further found that the High Court had erred in concluding that RTM had not opted into direct marketing. On the evidence as found, the most likely explanation was that RTM had in fact ticked an opt‑in box. Absolute certainty as to the precise mechanism was not required.

Cookies and personalised marketing

The Court of Appeal rejected the High Court’s finding that cookies enabled the personalised marketing at the heart of RTM's claim. There was no evidential basis linking RTM's cookie‑derived data to the emails, calls, or website offers RTM received.

Legitimate interests

Finally, the Court of Appeal held that the High Court had erred in concluding that SBG could not rely on legitimate interests for certain profiling activities. That finding was predicated on the flawed consent analysis and mischaracterised SBG’s concessions. SBG had only accepted that legitimate interests could not be relied upon if it knew the customer was a problem gambler, which was not found on the facts.

Key takeaways

The Court of Appeal’s decision provides significant clarification and comfort for data controllers, particularly those operating in highly regulated or consumer‑facing sectors:

Reaffirmation of an objective consent standard

• Controllers are not required to assess (or investigate) the subjective mental state of individual users.
• Valid consent hinges on the design and delivery of consent mechanisms, rather than retrospective assessments of a user's psychological state.

Reduced exposure to hindsight challenges

• The judgment materially limits the ability of claimants to challenge consent on the basis of personal vulnerability or impaired autonomy.
• This is particularly relevant in sectors where users may display potentially compulsive or addictive behaviours (e.g. gambling, social media, e‑commerce).

Increased emphasis on process and documentation

• While the test is objective, controllers must still ensure that consent mechanisms are robust: clear disclosures, properly structured opt‑ins, and appropriately recorded evidence of user choices.

Conclusion

The Court of Appeal’s judgment represents an authoritative restatement of the law on consent, firmly rejecting attempts to introduce subjectivity into the GDPR framework. By restoring an objective standard, the Court of Appeal has reinforced both the predictability and operability of the consent regime and highlighted already established precedents deriving from the Court of Justice of the European Union (CJEU), such as Verbraucherzentralen Bundesverband eV v Planet 49 GmbH (Case C-673/17) (Planet 49), Orange Romania SA v ANSPDCP (Case C-61/19) (Orange Romania) and Meta Platforms Inc v Bundeskartellamt (Case C-252/21) (Meta Platforms), which were all cited in the Court of Appeal's judgment.

No permission for appeal to the Supreme Court has been filed at this time.

It is worth noting the Court of Appeal recognised that known vulnerabilities of the data subject (such as a gambling addiction) might be relevant through the lens of other data protection principles, such as that of fairness (Article 5(1)(a) of the GDPR) or other sector-specific regulations or codes (for example, the Gambling Commission's codes of conduct). However, the Court of Appeal rejected the general idea that data protection law must step in to address any shortcomings in the ability of regulatory or commercial measures to safeguard problem gamblers, considering that the concept of consent should not be shaped and moulded with a view to filling this gap.