ARTICLE
25 May 2026

Court Of Appeal Confirms Objective Test For Consent Under Data Protection Legislation

KL
Herbert Smith Freehills Kramer LLP

Contributor

Herbert Smith Freehills Kramer LLP logo
Herbert Smith Freehills Kramer is a world-leading global law firm, where our ambition is to help you achieve your goals. Exceptional client service and the pursuit of excellence are at our core. We invest in and care about our client relationships, which is why so many are longstanding. We enjoy breaking new ground, as we have for over 170 years. As a fully integrated transatlantic and transpacific firm, we are where you need us to be. Our footprint is extensive and committed across the world’s largest markets, key financial centres and major growth hubs. At our best tackling complexity and navigating change, we work alongside you on demanding litigation, exacting regulatory work and complex public and private market transactions. We are recognised as leading in these areas. We are immersed in the sectors and challenges that impact you. We are recognised as standing apart in energy, infrastructure and resources. And we’re focused on areas of growth that affect every business across the world.
Explore Firm Details
The decision provides helpful clarity on what a data controller must prove to establish that “consent” has been obtained for the purposes of data protection and ePrivacy law.
United Kingdom Privacy
Miriam Everett,Angela Liu,Tracey Lattimer
+2 Authors
 Your Author LinkedIn Connections
Miriam Everett’s articles from Herbert Smith Freehills Kramer LLP are most popular:
  • within Privacy topic(s)
  • with Senior Company Executives, HR and Finance and Tax Executives
  • in United States
  • with readers working within the Healthcare and Construction & Engineering industries

The Court of Appeal has confirmed that the concept of consent under data protection is to be assessed objectively without any reference to the actual state of mind of the data subject:: RTM v Bonne Terre [2026] EWCA Civ 488. 

The Court of Appeal held that the High Court had erred in law by concluding that the concept of consent contains a subjective element which depends on the individual's actual state of mind. The Court of Appeal held that, in order to establish whether a data subject has given consent to processing or some other activity, a data controller must show: (a) that the data subject took some clear affirmative action amounting to an “indication” of their wishes that “signifies agreement” to the relevant activity (e.g. by ticking a box); and (b) that such indication meets each of the four criteria prescribed by the legislation, namely that it was freely given, specific, informed, and unambiguous (each of which involves an objective test). The data controller does not have to prove what was actually in the mind of the individual data subject at the time.

At first instance, the judge acknowledged that her decision would create “an ultimately ineradicable risk” for companies who process data of vulnerable individuals. The Court of Appeal's decision confirms that such a risk is not what privacy law demands, and importantly restores legal and practical certainty for data controllers as to their reliance on user consent to cookies, direct electronic marketing and other data processing activities.

Background

The appellant (SBG) operated an online betting and gaming business. The respondent (RTM) was an individual who used SBG’s platform and who suffered from a gambling disorder. RTM alleged that SBG unlawfully gathered data relating to him, including via cookies, and then processed it to analyse and profile him and send him targeted direct marketing, which in turn exacerbated his compulsive gambling and caused him loss and distress. RTM alleged that these activities were carried out without his consent, which he could not recall having provided, and without any other lawful basis. The Information Commissioner’s Office (ICO) intervened in support of the appeal.

Under the UK General Data Protection Regulation, personal data must be processed lawfully, meaning that controllers must rely on one of a number of lawful bases for each processing activity undertaken. One such lawful basis is where the data subject has consented to the specific processing in question. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) also prohibit the use of cookies and the sending of direct marketing emails without consent. “Consent” is defined in Article 4(11) of the UK GDPR as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

At first instance, the High Court held that the definition of “consent” contains three distinct strands: (a) good quality subjective consent, depending on the individual’s actual state of mind, ie what they actually thought about, understood, and desired; or (b) absent that, a fully autonomous choice by the individual about the grant of consent; and (c) some minimum evidential standards for proof of consent. 

Applying this test to the facts, the court concluded that RTM was a vulnerable individual who did not apply his mind to what he was consenting to and whose decision-making about matters to do with gambling was materially compromised. Consequently, when evaluated in the round, RTM's consenting behaviour relied on by SBG was not of the necessary quality required for lawful processing.

SBG appealed on a number of grounds, including that the court took the wrong approach in law to the core issue of what amounts to legally valid consent.

Decision

The Court of Appeal allowed the appeal on all grounds. Warby LJ gave the lead judgment, with which Dame Victoria Sharp and Lewison LJ agreed. 

On the core issue of the correct legal test for consent, the Court of Appeal noted that this was a question of construing the relevant legal provisions. The court must look for an interpretation that reflects the legislative language, read as a whole and in context; that takes account of its identifiable purposes; and that does not have consequences that are unworkable or otherwise unlikely to have been intended. The interpretation must also be autonomous in two respects: (a) it cannot be tied to the legal notions or provisions of an individual state but must have equal effect throughout the jurisdictions in which it applies; and (b) it cannot be one that depends on the circumstances of a particular case or category of case.

As to the specific legislative language under consideration, the Court of Appeal observed that it identifies “consent” as something constituted by an action, not a subjective state of mind. The first lawful basis for processing is that the data subject has "given their consent", and that requires a "clear affirmative act” — ie an indication or communication.

Moreover, the four specified criteria for valid consent focus on objectively ascertainable qualities or characteristics of that indication or communication: “specific” and “unambiguous” depend on the nature and quality of the indication itself; “informed” depends on the nature and quality of prior communications from the data controller to the data subject; and “freely given” turns on the actions of the parties considered in the context of the relationship between them.

The Court of Appeal considered that such an interpretation was supported by several CJEU authorities, as well as by guidance issued by the European Data Protection Board and its predecessor, the Article 29 Working Party.

The Court of Appeal also considered that the subjective test put forward by the High Court would not strike a proportionate balance between the right to protection of personal data and the right to commercial freedom. A subjective test would prevent data controllers such as SBG from ever being able to demonstrate compliance with the consent requirements since there would always be the possibility that an individual, such as RTM, suffers from an a gambling addiction of which the data controller does not and cannot know, which impairs their ability to give subjective consent or compromises their genuine autonomy or both. Such consequences would not be confined to the gambling industry but could expose other commercial entities in different sectors to similar legal risk. In the Court of Appeal's view, the legislature could not have intended to create a regime for consent with which it would be impossible for data controllers to comply, and to expose them to such legal risk.

The Court of Appeal therefore allowed the appeal on this ground, concluding that the High Court's decision was wrong because of a legally mistaken approach to the issue of what needs to be proved to establish that the data subject "gave consent" with the specified characteristics.

The Court of Appeal also allowed the appeal on all other grounds and remitted the case to the High Court.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Miriam Everett
Miriam Everett
Photo of Angela Liu
Angela Liu
Photo of Claire Wiseman
Claire Wiseman
Photo of Tracey Lattimer
Tracey Lattimer
Photo of Dasha Nastasiy
Dasha Nastasiy
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More