On 21 April 2026, the Court of Appeal in RTM v Bonne Terre Ltd & Anor ([2026] EWCA Civ 488) clarified the standard for consent under UK data protection law, overturning a previous High Court ruling that had applied a subjective test for valid consent.
The case concerned a former customer of Sky Betting & Gaming, anonymised as RTM, who alleged that the company had unlawfully processed his personal data and sent him targeted gambling marketing without valid consent while he suffered from a gambling addiction. The High Court had found that, despite the fact that RTM appeared to have consented, his addiction meant he had not truly "given his mind to the issue at all," and so had not provided valid consent under the UK General Data Protection Regulation (“UK GDPR”) and the Privacy and Electronic Communications Regulations (“PECR”).
The Court of Appeal, led by Lord Justice Warby, held that the standard for demonstrating consent is objective, not subjective. Controllers are simply required to show that the data subject gave a clear, affirmative indication of agreement to direct marketing (e.g. by ticking a box). Controllers do not need to prove the actual state of mind of the individual at the time of consent, nor do they need to investigate vulnerabilities unknown to them that could impair the ability of such individual to give consent that meets the requirements under UK GDPR (i.e. that it must be freely-given, specific, informed and unambiguous). The Court found no support in EU or UK law for a subjective approach and warned that such a standard would make it impossible for controllers to guarantee compliance.
The ruling brings welcome clarity for organisations obtaining consent at scale, confirming that consent is assessed by the quality of the indication and the context provided by the controller, not by the internal state of the data subject. While the judgment does not lower the bar for valid consent, it ensures that controllers are not exposed to insurmountable legal risk due to individual vulnerabilities unknown to them, provided their processes ensure that consent meets the specified criteria.
Overall, the Court of Appeal’s decision is a pragmatic and balanced clarification: it preserves the integrity of consent while ensuring that individuals retain meaningful control over their data, and avoids subjecting organisations to unworkable standards. This approach supports both privacy rights and the practical realities of modern data processing.
With thanks to Anastasios Proios Doukas for his contribution to this article.
