In RTM v Bonne Terre Ltd and Another [2025] EWHC 111 (KB), the High Court examined the validity of consent in data protection law, particularly regarding the use of personal data for targeted marketing.

Background

The claimant, RTM, a reformed gambling addict, brought a claim against Bonne Terre Ltd, which operates as Sky Betting & Gaming (SBG). RTM alleged that SBG unlawfully processed his personal data for profiling and direct marketing by collecting and misusing data generated through his use of SBG’s platforms. He claimed that SBG used cookies to harvest his transactional data, enabling aggressive, targeted marketing. Furthermore, he asserted that he had neither consented to direct marketing emails nor been provided with a compliant way to opt out.

Key Findings

The court assessed consent under the Data Protection Act 2018, UK GDPR, and the Privacy and Electronic Communications Regulations 2003 (PECR). It ruled that SBG had failed to obtain valid consent from RTM for the use of cookies and for sending direct marketing emails. The judgment reinforced that consent must be:

1. Subjective – Reflecting the individual’s genuine state of mind.
2. Autonomous – Given freely, without undue influence or coercion.
3. Evidential – Capable of being demonstrated and documented.

The court noted that a data subject’s ‘consenting behaviour’ must be of a high quality, considering their understanding, intent, and freedom of choice. Additionally, the evidential basis on which a data controller relies to demonstrate consent is a crucial factor.

Notably, the court found that RTM’s compulsive gambling behaviour impaired his ability to provide autonomous consent, rendering any consent obtained by SBG invalid.

Implications for Organisations

This ruling underscores the need for organisations to ensure consent is freely given, properly documented, and considers the individual’s circumstances. Businesses engaging in targeted marketing must be especially cautious when obtaining and relying on consent.

Key Takeaways for Data Controllers

• Ensure that data subjects receive clear and comprehensive information about how their personal data will be used.
• Obtain explicit consent before processing personal data, particularly for marketing purposes.
• Recognise that a data subject’s ‘consenting behaviour’ must be of a high quality and not assumed based on standard actions (e.g., pre-ticked boxes).
• Consent must be demonstrable – data controllers cannot solely rely on generalised risk controls but must provide case-specific evidence.
• Even where a data subject has legal capacity and appears to have knowingly consented (e.g., by clicking consent boxes), this does not automatically guarantee valid consent. The risk of invalid consent ultimately lies with the data controller.

If you have any questions regarding your data protection processes or would like to discuss how this ruling may affect your business, please contact our commercial team.