The Court of Appeal has handed down a landmark ruling on the legal meaning of consent under data protection law and PECR, overturning a High Court judgment that had introduced a subjective, individualised test and left serious questions about whether any data controller could reliably demonstrate valid consent.
The case, RTM v Bonne Terre Limited and Hestview Limited [2026] EWCA Civ 488, concerned Sky Betting and Gaming (SBG), which operates online gambling services. The respondent, anonymised as RTM, was a problem gambler who claimed that SBG had unlawfully placed cookies on his devices, processed his personal data, and sent him targeted direct marketing during a two-year period prior to 2019. He argued that he had not given valid consent to any of these activities.
At first instance, Mrs Justice Collins Rice found in RTM's favour. She held that consent comprised three distinct strands: the individual's actual subjective state of mind; the autonomous quality of their decision-making; and minimum evidential standards. Applying this framework, she found that RTM's gambling disorder had so compromised his autonomy that his apparent acts of consent - ticking boxes, clicking banners, adjusting preferences - were insufficiently freely given to be legally operative.
SBG appealed, with the Information Commissioner intervening in support of SBG's position that the correct test for consent is essentially objective.
Lord Justice Warby, with whom Lord Justice Lewison and Dame Victoria Sharp agreed, allowed the appeal on all five grounds.
The court held that the question in every case is whether the data subject has “given” consent - an objective inquiry into whether they made a statement or took a clear affirmative action that constitutes an "indication" of their wishes signifying agreement.
The four criteria prescribed by UK GDPR Article 4(11) – that consent is freely given, specific, informed, and unambiguous - are each also objective in character. A data controller is not required to prove what was actually in the data subject's mind, and the data subject's vulnerability or impaired autonomy is not a relevant consideration in determining whether consent was given.
The court held that the High Court’s three-part test, though carefully reasoned, was wrong in law. Applying it would mean that no data controller could ever be certain of having obtained valid consent, because any individual data subject might later establish that some unknown personal condition had undermined their subjective willingness or autonomous decision-making at the time. Lord Justice Warby observed that such a regime would "create considerable legal and practical uncertainty for economic operators" and "for at least some public authorities”.
Lord Justice Warby confirmed that a data controller can "engineer" its systems so as to be able to demonstrate that, considered objectively and as a matter of general probability, a data subject's indication of their wishes is freely given, specific, informed and unambiguous. If a public body does legitimately rely on consent (for example in relation to optional services, research participation, or marketing communications where genuine choice exists) the obligation is to design those consent mechanisms properly, not to conduct post-hoc psychological assessment of individual data subjects.
The court endorsed, as the baseline evidential standard, the Planet 49 principle: a positive, separate act of ticking a box that cannot be reached without engaging with relevant information is meaningfully different from passive acceptance or failure to opt out. Pre-ticked boxes, bundled consents, and mechanisms that do not allow genuine refusal remain unlawful.
But a well-engineered consent process, clearly distinguishing consent to data processing from other transactional steps, and using plain language appropriate to the audience, will in principle satisfy the objective requirements even if a particular individual later claims they did not read the notice.
The court allowed the appeal on all five grounds, including the finding that SBG's use of cookies had been parasitic on valid consent for direct marketing, and that the profiling was improperly characterised as necessarily unlawful. RTM's remaining claims - that processing was unfair and infringed other data protection principles - are to be remitted to the High Court.
Although RTM v Bonne Terre arose from commercial data processing in the gambling sector, it addresses consent as a generic concept that has uniform meaning across PECR and the data protection framework. Several aspects of the judgment are directly relevant to public authorities.
The court's analysis confirmed and clarified the effect of Recital 43 (https://gdpr-info.eu/recitals/) to the UK GDPR, which states that where the controller is a public authority there is often a clear imbalance of power in the relationship with the data subject, making it unlikely that consent was freely given. The court quoted the European Data Protection Board’s (EDPB) Guidelines on consent, which state that "it is unlikely that public authorities can rely on consent for processing as whenever the controller is a public authority, there is often a clear imbalance of power."
The ICO's own guidance, also cited, advises that consent "will not be the appropriate basis for processing" where the controller is "in a position of power over the individual, for example, if you are a public authority or an employer processing employee data."
The Court of Appeal confirmed that this imbalance is to be assessed structurally, by reference to the status of the parties and the general characteristics of the relationship rather than the individualised, case-by-case basis that the High Court had adopted. Recital 43 operates as a structural presumption, not a flexible sliding scale to be calibrated to the circumstances of particular data subjects.
ICO guidance discourages public authorities from relying on consent as their primary lawful basis for processing, and underlines that doing so will be difficult to justify unless the data subject genuinely has a free and uncoerced choice that carries no adverse consequence if refused. Where a public body acts as a provider of services for which there is no meaningful alternative, such as social care assessments, benefits processing or regulatory licensing, consent is unlikely to be freely given in any scenario, and another lawful basis will be required.
An ICO spokesperson said: “We welcome the Court’s confirmation that, when deciding whether consent is a valid legal basis for processing personal information, all elements of consent must be considered objectively. Consent must be specific, informed, freely given and clearly show a person’s wishes. Organisations must also consider whether their processing is fair, including taking account of any individual vulnerability.”

