[co-author: Mateusz Wojcik]
In RTM v (1) Bonne Terre Limited (2) Hestview Limited,1 the English High Court found the Defendants, operating as Sky Bet (SBG), liable for breaches of data protection law. The claim raises important points of law for all organisations utilising cookies to target customers, particularly those in the gambling industry.
Background
The case revolved around validity of consent, with the Claimant (RTM), a reformed gambling addict, pursuing SBG for breaches of the General Data Protection Regulation2 (GDPR), the Privacy and Electronic Communications Regulations 2003 (PECR), and in the tort of misuse of private information. RTM alleged that SBG had harvested his personal data, collected via cookies placed on the devices he utilised to access his SBG account and gamble, to undertake profiling analytics and algorithmic predictions, to deploy personalised marketing encouraging him to gamble. There was little dispute that the marketing was successful, and RTM gambled (and lost) significant sums over a 9-year period.
RTM claimed that the marketing activities were carried out without his lawful consent, and that SBG’s actions had a detrimental impact on his gambling behaviour, causing him to continue gambling when he wished to stop.
Legal issues
Organisations must have a valid lawful basis to process personal data. Under English law, and much of Europe, there are six potential bases3: consent, contract, legal obligation, vital interests, public task, and legitimate interests. In RTM’s case, he had given his consent to receive marketing information. The primary issue for the Court was whether SBG had obtained valid consent from RTM for the use of cookies and the sending of email direct marketing. In assessing the validity of RTM’s consent, the court scrutinised the mechanisms through which consent had been obtained and the adequacy of the information provided to RTM.
Impact of RTM’s gambling addiction
The court considered the effect of RTM’s gambling addiction with respect to his ability to provide his valid consent. RTM argued that his addiction meant that he had not given valid consent, and that that the processing of his personal data (and marketing) was unlawful. RTM argued that this had exacerbated his gambling issues.
Judgment
Whilst RTM had selected “Accept” when faced with a cookie banner), this consent “proceeded directly from a damaged and defective condition of personal autonomy (ie, the Claimant’s gambling addiction)”4. That action was considered to have not met the high threshold for valid consent under the data protection legislation. SBG’s collection and processing of RTM’s personal data via cookies for profiling and marketing therefore had no lawful basis. The Judge emphasised the following points:
- Subjective state of mind: the subjective quality of RTM’s consent was “limited to clicking the buttons he was presented with”, and he was, therefore, unable to know “his online behaviour was being fed into modelling in order to create and enhance direct marketing to him”. RTM’s behaviour lacked subjective consent.
- Autonomy: The autonomous quality of RTM’s consent was impaired to a real degree by his gambling problem and associated vulnerability.
RTM therefore succeeded on liability: SBG had processed his personal data unlawfully. As to the damages that flow from that finding of liability, remedy was deferred. RTM will likely seek all his losses, however, the Judge noted5: “It is only the matters for which SBG has been adjudged to be legally liable, in the period in question, and which are demonstrably causative of identifiable and quantifiable loss or harm, for which financial compensation can be expected.”
Comment
Judgment follows the UK Information Commissioner’s Office issuing a reprimand to SBG in September 2024 for unlawfully processing gamblers’ data through advertising cookies without their consent6 (see here), and comes at a time of heightened focus on organisations’ use of personal data, particularly in the gambling sector. Whilst Collins Rice J noted that their finding was fact specific, it is likely that this case will be considered by claimant firms and funders and may result in “copy-cat” claims, either on an individual basis or by way of mass claim or class action litigation. It may also generate an increase in data subject access requests being made to gambling operators7.
The court’s decision underscores the importance of obtaining “free, specific and informed”, active and unambiguous consent for data processing activities, especially in context where a data subject’s consenting behaviour is expected to require a relatively high quality. This is especially so in the context whereby a data subject’s consenting behaviour is expected to require a relatively high quality. The judgment also highlights the need for companies to strictly adhere to the expectations drawn out by data protection laws and to ensure that their consent mechanisms are both clear and legally compliant. The judgment notes that, to do so, companies’ systems should8:
- “factor in decision points about consent which maximise the probability that everyone’s decision at these points is fully autonomously undertaken”; and/or
- “ensure that good quality, accessible, relevant and accurate information is provided about the consents engaged”; and/or
- “focus individuals’ minds soberly and separately on the privacy consenting decision (…) rather than distracting them with all the attractions conditional on that decision”.
This case serves as a crucial reminder of the legal obligations surrounding data protection and the significant consequences of failing to obtain valid consent, where that is the lawful basis relied upon.
1 (2025) EWHC 111 (KB)
2 The Claimant’s gambling activity spanned both the Data Protection Act 1998 and the introduction of the GDPR, and Data Protection Act 2018. For the purposes of this article no distinction is drawn between the applicable regimes as it is not material to the decision reached.
3 Article 6 GDPR/UK GDPR.
4 Paragraph 204 of the Judgment.
5 Paragraph 212 of the Judgment.
6 The reprimand was unrelated to the facts of this case.
7 RTM had made a data subject access request of SBG, which led to RTM identifying the root cause of the marketing emails being significant volumes of personal data that SBG had gathered on him through the use of cookies.
8 Paragraph 151 of the Judgment.
[View source.]
https://www.jdsupra.com/legalnews/uk-gambling-operator-held-liable-for-1447147/
