5 March 2025 by Matthew Leitch

Background

In RTM v Bonne Terre Ltd [2025] EWHC 111 (KB), the High Court considered claims brought in data protection and the tort of misuse of private information. The Claimant described himself as a “recovering online gambling addict” [1]. He sought damages for harm, distress and financial loss, and a declaration that his rights under data protection legislation had been infringed, from the Defendant, who operate Sky Betting and Gaming (SBG). The relevant period of the Claimant’s gambling for the claim against SBG (restricted by limitation periods) was 2017 until the end of 2018 or the start of 2019 [15].

The Claimant’s case was that SBG harvested his data using cookies without his consent. SBG the processed his personal data for marketing purposes without lawful basis, and targeted him through direct marketing emails (also without his consent) sent on average twice a day [68]. Consequently, he alleged he suffered substantial losses.

Despite the claim having started in an almost inquisitorial fashion, with the Claimant undertaking a broad investigation into gambling laws when recovering from his addiction, the narrow issue at trial was “what, if anything, [the Claimant] consented to in the marketing part of the operation” [77].

Legal Framework

Collins Rice J began by setting out the relevant statutory framework. In RTM, this was the Data Protection Act 1998 (DPA) until 24 May 2018 and the General Data Protection Regulation (GDPR), codified in the Data Protection Act 2018, thereafter [15]. Also applicable was the Privacy and Electronic Regulations 2003 (PECR) [47]. PECR Regs. 6 and 22 require data subject consent to cookies and direct marketing respectively.

Collins Rice J recognised that, at a high level, data law strikes a complex balance between “the freedom and flourishing of public life and modern business and trade… and, on the other hand, the rights of individuals to privacy, ultimately derived from Art. 8 ECHR” [100].

At a more forensic level, Schedule 2 of the DPA states that, for a data controller to process data lawfully, they must ensure that the data subject has given his consent to the processing or that it is otherwise necessary. Similarly, the relevant requirement in Article 6 of the GDPR is that the “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” The same standard applies under the PECR.

A Claimant has a statutory right to bring a private law claim where their data has been processed unlawfully under s.13 DPA and Art. 82 GDPR. They also have a right to bring a claim for non-compliance with PECR under Reg. 30 [32]-[35], [50].

In relation to the quality of consent, the legislation and authorities set a relatively high threshold. Art. 4(11) GDPR, as well as the CJEU authorities, Planet 49 [2020] 1 CMLR 25 and Orange Romania (EU:C:2020:901), and the domestic interpretation of them in Leave.EU v Information Commissioner [2021] UKUT 26 (AAC) “set a relatively high bar to be met for a valid consent” [145].

Unpacking the authorities, Collins Rice J stated [147]:

“the language of and relating to the legislation, and the rhetoric of the judgments, is in terms which suggest a bar which is indeed ‘relatively high’ – consent must be free, specific and informed, it must be separate from the activity to which it stands as a threshold requirement, it must be active and unambiguous. This qualifying language is referable to the origins of data protection law in A8 ECHR and its underlying understanding of privacy as implying individual autonomy, including the genuinely autonomous control of personal data. But there are three distinct strands perceptible in this rather complex idea.”

Within the “relatively high” threshold for consent, the High Court outlined three applicable strands [147].

• First, the subjective quality of the Claimant’s consents [148].
• Secondly, the autonomous quality of the Claimant’s decisions about consent [148]-[151].
• Thirdly, the evidential element – the extent to which the Defendant (who bears the burden of proof) can demonstrate the Claimant’s consent [152].

In considering these strands, Collins Rice J emphasised that the court’s analysis is highly fact-specific and context dependent [153].

Judgment

Collins Rice J allowed the claim.

First, she held that the Claimant lacked subjective consent. In the relevant period, the Claimant clicked on ‘accept and close’ and GDPR refresh buttons without thinking about what he was doing. He did not read the related terms. Therefore, he did not understand that his data was being used by SBG to target direct marketing at him. He may well simply have been “so preoccupied with his compulsion that he engaged with the issue to the minimum degree necessary to get on with gambling”, though the absence of specific evidence of what he had done made this difficult to determine.

Also relevant was the Claimant’s impulsivity and problem gambling. Whilst this did not affect his capacity, it did diminish the subjective quality of his consents. [155]-[167]. As Collins Rice J strikingly put it (at [167]):

“[the Claimant’s] online behaviour was being fed into modelling in order to create and enhance direct marketing to him tailored accordingly… his entertainment of, engagement with and responsiveness to direct marketing were themselves intimately bound up with his own problematic gambling behaviour, and partook of its qualities.”

Secondly, the autonomous nature of the Claimant’s consents was impaired to a real degree [203].  It is important to note that this was a claim in data protection (not negligence). Therefore, when analysing the autonomy of the Claimant’s consents, any defence of contributory negligence did not arise, although the Claimant’s decision not to engage with the information provided by the Defendant was relevant to the contextual analysis [169]. Nevertheless, considering the Claimant’s vulnerability, the court held that the Claimant’s consent was not sufficiently free. In the context of problem gambling, and the Defendant’s obligation to demonstrate the Claimant’s consents, SBG’s systems during the relevant period were insufficient [195]-[197], [204].  

Therefore, Collins Rice J held that the use of cookies for direct marketing without the Claimant’s legally valid consent, and the subsequent direct marketing, amounted to unlawful data processing [205].

In relation to the claim in misuse of private information, Collins Rice J explained that [208]:

“data protection law is at root a detailed statutory articulation of the balance the law strikes between individual privacy and the commercial freedoms to operate personal data dependent on businesses. It would be unexpected to find that starting at the higher level of generality would lead to a different place from starting at the more detailed level the statutory code has provided, as I have done.”

The question of what remedy should follow, and how any damages should be quantified, was left to be determined at a further hearing if not agreed between the parties [212].

Comment