Gambling with Consent: Free, Specific, and Informed Consent in Data Protection Law
5 March 2025
Background
In RTM v Bonne Terre Ltd [2025] EWHC 111 (KB), the High Court considered claims brought in data protection and the tort of misuse of private information. The Claimant described himself as a “recovering online gambling addict” [1]. He sought damages for harm, distress and financial loss, and a declaration that his rights under data protection legislation had been infringed, from the Defendant, who operate Sky Betting and Gaming (SBG). The relevant period of the Claimant’s gambling for the claim against SBG (restricted by limitation periods) was 2017 until the end of 2018 or the start of 2019 [15].
The Claimant’s case was that SBG harvested his data using cookies without his consent. SBG the processed his personal data for marketing purposes without lawful basis, and targeted him through direct marketing emails (also without his consent) sent on average twice a day [68]. Consequently, he alleged he suffered substantial losses.
Despite the claim having started in an almost inquisitorial fashion, with the Claimant undertaking a broad investigation into gambling laws when recovering from his addiction, the narrow issue at trial was “what, if anything, [the Claimant] consented to in the marketing part of the operation” [77].
Legal Framework
Collins Rice J began by setting out the relevant statutory framework. In RTM, this was the Data Protection Act 1998 (DPA) until 24 May 2018 and the General Data Protection Regulation (GDPR), codified in the Data Protection Act 2018, thereafter [15]. Also applicable was the Privacy and Electronic Regulations 2003 (PECR) [47]. PECR Regs. 6 and 22 require data subject consent to cookies and direct marketing respectively.
Collins Rice J recognised that, at a high level, data law strikes a complex balance between “the freedom and flourishing of public life and modern business and trade… and, on the other hand, the rights of individuals to privacy, ultimately derived from Art. 8 ECHR” [100].
At a more forensic level, Schedule 2 of the DPA states that, for a data controller to process data lawfully, they must ensure that the data subject has given his consent to the processing or that it is otherwise necessary. Similarly, the relevant requirement in Article 6 of the GDPR is that the “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” The same standard applies under the PECR.
A Claimant has a statutory right to bring a private law claim where their data has been processed unlawfully under s.13 DPA and Art. 82 GDPR. They also have a right to bring a claim for non-compliance with PECR under Reg. 30 [32]-[35], [50].
In relation to the quality of consent, the legislation and authorities set a relatively high threshold. Art. 4(11) GDPR, as well as the CJEU authorities, Planet 49 [2020] 1 CMLR 25 and Orange Romania (EU:C:2020:901), and the domestic interpretation of them in Leave.EU v Information Commissioner [2021] UKUT 26 (AAC) “set a relatively high bar to be met for a valid consent” [145].
Unpacking the authorities, Collins Rice J stated [147]:
