For roughly fifteen months, every UK marketer, gambling operator, and cookie-banner reviewer who paid attention to the RTM v Bonne Terre litigation has been quietly bracing for a problem that data protection law was never designed to solve: how do you get consent from someone whose state of mind you cannot see? On 21 April 2026, the Court of Appeal (Civil Division) finally answered that question — and the answer is that you do not have to. In RTM v Bonne Terre Ltd [2026] EWCA Civ 488, the court overturned a High Court judgment that had redrawn the consent test around the inner life of the data subject, and put the law back where the GDPR, the Data Protection Act 2018, and PECR have always located it: in what the controller and the individual actually said and did.
This is one of the most consequential UK consent rulings since Lloyd v Google, and it deserves a careful read. Below we unpack the dispute, why the High Court’s “subjective” framing was so destabilising, what the Court of Appeal actually held, and the practical compliance posture that should follow.
The Short Version
- The Court of Appeal confirmed that consent under UK data protection and ePrivacy law is assessed objectively — by reference to the communications between the controller and the individual, not the individual’s hidden mental state.
- The High Court’s three-strand test — which had injected a “subjective consent” element tied to a person’s psychological condition or vulnerability — was rejected.
- Controllers prove consent by showing a statement or clear affirmative action (typically a tick box or equivalent), in circumstances where consent was freely given, specific, informed, and unambiguous.
- A controller does not need to know — and is not expected to detect — whether a particular individual is suffering from an addiction, disorder, or other private vulnerability, in order to rely on their consent.
- Other fairness, lawfulness, and sector-specific obligations (notably the Gambling Commission’s LCCP) still apply. The case was remitted to the High Court so RTM’s surviving claims around fairness and other DP principles can be tried.
A Two-Year Window and a Difficult Set of Facts
The claimant, anonymised as RTM, was a customer of Sky Betting and Gaming (the trading name of Bonne Terre Ltd and an associated company). RTM described himself as a problem gambler during a roughly two-year period leading up to 2019, after which he says he overcame the addiction. His claim concerned that earlier window: SBG, he alleged, had set cookies on his devices, processed his personal data, and sent him targeted direct marketing — and had done all of this without lawful consent.
His theory of harm was that those marketing communications and personalized experiences contributed to his continuing to gamble, and to gamble more heavily, than he otherwise would have. He sought damages for financial loss and distress.
This is a sympathetic set of facts. It is also, legally, an unusually demanding one — because to succeed, RTM had to argue that the consents he had clicked through during that period were not, in law, consents at all.
The High Court Decision That Set Off the Alarm Bells
In RTM v Bonne Terre Ltd [2025] EWHC 111 (KB), the High Court held that the proper question was whether RTM had given “legally operative consent” — and that he had not. To get there, the trial judge constructed a three-strand test, drawing selectively from EU and UK case law:
- “Good quality subjective consent,” depending on the individual’s actual state of mind;
- Failing that, a “fully autonomous choice” by the individual to grant consent;
- Some minimum evidential standards for proof of consent.
The judge concluded that RTM’s gambling addiction had “diminished” and “impaired” his ability to give consent freely, so the first strand failed; and that, given his condition, he had not made a fully autonomous choice, so the second strand failed too. The downstream consequence was that SBG’s cookie-setting, profiling, and direct marketing during the period were unlawful.
For practitioners, the unsettling part was not the outcome on RTM’s individual facts — it was the test. The High Court’s framing meant that whether a consent was valid depended, in part, on facts the controller could never see: the data subject’s mental state, the depth of any addiction or disorder, and whether their decision to click “agree” was truly autonomous in some philosophically demanding sense. As the Court of Appeal would later put it, on that approach “even the best processes will leave the [controller] exposed to legal risk.”
That is the precise opposite of what the GDPR and PECR are built to do. The statutory consent definition — freely given, specific, informed, unambiguous, and signalled by a statement or clear affirmative action — was deliberately drafted so that controllers can engineer compliant flows and produce records that prove compliance. A standard that turns on the subject’s hidden psychology cannot be engineered around. It can only be litigated.
SBG appealed. The Information Commissioner intervened to assist the court on the proper interpretation of consent.
The Court of Appeal Judgment: Consent Is What You Can See
The Court of Appeal allowed SBG’s appeal on all five grounds and set aside the first-instance judgment. The most important ground — and the one that matters for everyone outside the courtroom — was the consent test itself.
The court held that to prove an individual has “given” consent, a controller must establish two objectively assessable things.
First, a statement or clear affirmative action. This, the court said, is a “purely objective question” — typically a tick of a box, or an equivalent unambiguous act. Either the individual did the thing, or they did not. There is no inquiry into whether they meant it in some deeper sense.
Second, that the action was freely given, specific, informed, and unambiguous — each of these elements assessed objectively, by reference to the communications between the controller and the individual and the structural relationship between them. Examples the court highlighted include the wording and design of opt-in tick boxes, and the availability and operation of withdrawal mechanisms such as “unsubscribe” links in marketing messages.
Crucially, the objective test still has room for context. Whether consent is “freely given” can take into account structural imbalances of power — for instance, where the controller is the individual’s employer, or a public authority, or holds a dominant market position. Those are factors visible from the outside. What the test does not require is that the controller anticipate, detect, or factor in personal vulnerabilities — a private addiction, a mental health condition, or any other internal state — that the controller has no realistic way of knowing.
Both SBG and the ICO had floated a possible middle path: that the test could be qualified where the controller had “actual or constructive knowledge” of, for example, a gambling disorder. The Court of Appeal declined that invitation. Importing such a qualifier would reintroduce, through the back door, the very uncertainty the objective test exists to remove. Controllers are not equipped to assess individual mental capacity or vulnerability at the point of consent, and the law does not ask them to.
The court was careful to note that this is not a free pass. RTM’s case is being remitted to the High Court because he still has live arguments that SBG’s processing breached other data protection principles — fairness, in particular — and may have run up against sector-specific rules. Those are different questions, with different evidence, and they are not foreclosed by today’s ruling on consent.
Why This Matters Beyond Gambling
It would be a mistake to read RTM as a gambling-sector case. The consent test the Court of Appeal restored is the same test that governs:
- Cookie banners and any non-essential tracking under PECR, including analytics, advertising, and personalization pixels.
- Email and SMS direct marketing under PECR Regulations 22 and 23, where soft opt-in does not apply.
- Special category processing under Article 9(2)(a) of the UK GDPR.
- International transfer consents under Article 49(1)(a).
- Any other use case where consent is the lawful basis being relied on.
If the High Court’s subjective overlay had survived, every one of those workflows would have inherited a new, unknowable failure mode. A perfectly designed cookie banner, ticked by a perfectly informed user, could still have been struck down years later on the basis that the user had been in a state — depression, mania, intoxication, addiction, distress — that “impaired” their autonomy. There is no consent management platform on the market that can audit for that. The Court of Appeal’s ruling means none has to.
What Compliance Teams Should Actually Do
The instinct after a favourable appellate judgment is to relax. That would be the wrong reading here. RTM restores the legal test to its pre-existing form; it does not raise the bar, but it also does not lower it. The practical work is the same work the regulators and the case law have been pointing to all along — and the facts of this case are a useful prompt to check whether it is really being done.
A short, honest checklist:
- Audit the affirmative action. Pre-ticked boxes, “by continuing you consent” banners, and bundled “accept all” mechanics are still not consent. The Court of Appeal’s reaffirmation of the objective test makes the affirmative-action requirement more important, not less, because it is now explicitly the load-bearing element.
- Check the granularity. “Specific” means specific. A single tick that authorizes cookies, marketing emails, third-party data sharing, and profiling is not specific consent — it is one consent doing four jobs poorly.
- Make withdrawal genuinely as easy as giving. Unsubscribe links must work, preference centers must reflect actual changes, and cookie controls must allow withdrawal with the same friction as the original opt-in. The Court of Appeal explicitly cited the unsubscribe mechanism as part of the objective evidence of valid consent — which means a broken one is part of the objective evidence against it.
- Document the record. The court emphasized “minimum evidential standards.” Consent logs should capture what was shown, when, on which version of the notice, and what action the user took. If you cannot reconstruct the exact prompt a user saw on the date they consented, you do not have a defensible record.
- Map structural imbalances. Employment, public authority, and dominant-position contexts genuinely do affect “freely given.” If you operate in any of those, consider whether consent is the right basis at all, or whether another lawful basis (or a redesign of the choice architecture) is more honest.
- Treat fairness as a separate problem. RTM is being sent back to the High Court precisely because consent is not the only principle in play. Fairness, transparency, purpose limitation, and data minimisation are independent obligations. A valid consent does not insulate unfair processing.
The Sector-Specific Postscript
For UK-licensed gambling operators specifically, none of this should be read as the all-clear. The Gambling Commission’s Licence Conditions and Codes of Practice impose marketing and customer-protection duties that are stricter, in many cases, than general data protection law — including Social Responsibility Code provisions 3.4.3, 3.5, 5.1.11 and 5.1.12, which directly govern the protection of vulnerable customers and the conduct of direct marketing. The Court of Appeal flagged, without deciding, that processing which clears the consent hurdle could still fall foul of those rules, and of broader fairness obligations under data protection law itself.
For everyone else — retailers, publishers, ad-tech platforms, SaaS vendors, charities — the takeaway is cleaner. If your consent flows are genuinely freely given, specific, informed, unambiguous, and supported by clear affirmative action, with proper records and a working withdrawal path, you can rely on them. That is what the law was always meant to require, and as of last week, that is what it requires again.
Consent Test From The High Court
The High Court’s subjective consent test was an attempt to do something humane — to protect a vulnerable individual from harms that the marketing he received plausibly contributed to. The Court of Appeal’s correction is not a rejection of that humane impulse; it is a recognition that the consent doctrine is the wrong instrument to carry it. Vulnerability protection in the UK lives in the LCCP, in the fairness principle, in the Consumer Duty, in mental capacity law, and in sector-specific codes. Consent lives in tick boxes, banners, and the records that show what a person was shown and what they did about it. RTM v Bonne Terre puts each of those things back in its proper place — and gives compliance teams a stable target to aim at again.