Cookies: Consent, vulnerability – is the test subjective or objective?
24 April 2026
RTM v Bonne Terre Ltd & Hestview Ltd EWCA Civ 488 (21 April 2026)
This case concerned an online gambling operator’s use of cookies, personal data processing, and direct marketing in relation to a vulnerable gambler anonymised as RTM. The central holding by the Court of Appeal is that consent is assessed objectively by reference to the data subject’s outward indication, not by inquiry into their subjective state of mind or vulnerability.
First Instance
The judge approached the issue of consent in stages, addressing in turn “Consent – the evidential background” and then “The standards for legally operative consent”, before applying her legal analysis to the facts about RTM’s “consenting behaviour” as she found them to be. She found that RTM had not given legally operative consent because his gambling problem impaired his autonomy and subjective consent. She reviewed all the legislative provisions relevant to data protection, some decisions of the Court of Justice of the European Union (CJEU) and a decision of the Upper Tribunal, Administrative Appeals Chamber (UT) and concluded that consent, in this context, was a “rather complex” idea with “three distinct strands” or criteria: (1) good quality subjective consent, depending on the individual’s actual state of mind; or (2) absent that, a fully autonomous choice by the individual about the grant of consent; and (3) some minimum evidential standards for proof of consent.
As to the facts, the judge accepted that RTM had taken deliberate actions that indicated consent, but held that none of the three criteria she had identified had been met. Accepting RTM’s evidence about the impact on him of his gambling problem, she found that he “lacked subjective consent”; that “the autonomous quality of his consenting behaviour was impaired to a real degree”; and that on the evidence “the quality of this Claimant’s consenting was rather lower than the standard required”, and “insufficiently freely given”, the reasons being “his gambling condition and his associated vulnerability and compromised autonomy”.
The central question on appeal was what must be proved to show that consent was given for cookies and data processing. The appellants and the ICO (intervening) both accepted that a gambling problem or similar vulnerability on the part of a data subject may be relevant if the data controller knew or ought to have known of the vulnerability.
Court of Appeal
The judgment works through Article 4(11) GDPR, Article 7 GDPR, PECR regulations 6 and 22, and the predecessor DPA 1998/DP Directive regime. The court treated “consent” as having the same meaning across those instruments. It also noted the importance of Article 7(4) GDPR and recitals 32, 42, and 43, especially on freedom of choice and imbalance.
The Court of Appeal also relied on these authorities: Verbraucherzentralen Bundesverband e.V. v Planet 49 GmbH (Case C-673/17) [2020] 1 CMLR 25 (Planet 49), Orange Romania SA v ANSPDCP (Case C-61/19), and Meta Platforms Inc v Bundeskartellamt (Case C-252/21) [2023] 5 CMLR 22. The domestic cases are the decision of the UT in Leave.EU v Information Commissioner [2021] UKUT 26 (AAC) (Leave.EU), to which the first instance judge referred, and the Court of Appeal decision in Cooper v National Crime Agency [2019] EWCA Civ 16 (Cooper), to which the judge below did not refer, it not having been cited to her.
Those authorities were used to show that consent requires an active, contextual, outward manifestation of agreement, and that a pre-ticked box or passive acquiescence is not enough.
Warby LJ, giving the leading judgment, framed the issue as whether consent has a subjective aspect. He answered no: the question is whether the individual made a statement or clear affirmative action amounting to an indication of agreement, and whether that indication was freely given, specific, informed, and unambiguous.
The Court concluded, unanimously, that the data controller must show that the data subject had made an indication that signified agreement to the relevant activity of the data controller. This was a purely objective question about the quality and significance of some identifiable communication by the data subject to the data controller (such as ticking a box).
The judgment below was overturned because the Court of Appeal found that the relevant legislation did not require proof of the subject’s actual state of mind, nor an inquiry into whether vulnerability impaired his autonomy. The CA also rejected the suggested alternative route, advanced by SBG and the ICO, that the controller’s knowledge of vulnerability might matter to whether consent was given.
Comment
This is an important judgment for cookie compliance, direct marketing, and any online consent architecture. It makes clear that the legal focus is on the quality of the user’s interaction with the marketing and the context in which consent is obtained, not on a later inquiry into the individual’s internal psychology. For businesses, the decision strengthens the centrality of well-designed consent flows, clear disclosures, and records of affirmative action that can be properly audited.
The most significant point is the court’s insistence that “consent” is not a free-standing inquiry into autonomy in the abstract. Rather, autonomy operates through objective legal requirements: a clear affirmative indication, specific to the relevant processing, supported by adequate information, and not vitiated by structural pressure or obscurity in the controller’s design. That is why the court was unwilling to let a claimant’s vulnerability, even if real and serious, substitute for proof that the controller had failed to obtain consent in the legally required sense. In Warby LJ’s words:
“consent is defined as an outward signal of the data subject’s inner sentiments. This, I would say, is plain from the language of Article 2(h) of the DP Directive. But the words added to the definition of consent in Article 4(11) of the GDPR underscore the point. So, consent for this purpose is an indication or communication of a specified kind. By the same token, without an “indication” of that kind consent cannot be established, whatever may be the actual state of mind of the data subject. So far there is nothing that calls for or even permits an enquiry into the data subject’s actual wishes, or the inner workings of the data subject’s mind.”
In his view, both the legislation and the European authorities indicate an objective test for consent.
The judgment is also noteworthy for its treatment of freedom and imbalance between controller and subject. The court did not deny that vulnerability can matter in some settings, but it declined to convert vulnerability into a subjective consent test. Instead, the analysis remains anchored to the controller’s processes and the objective circumstances of the communication, with Article 7(4) and recital 43 of the GDPR doing the necessary work where there is a clear imbalance or conditionality.
There was another reason why the judgment at first instance was overturned. The first instance judge’s conclusion rested on a line of reasoning that had not been fairly ventilated at trial, and the Court of Appeal treated that as an independent reason why the decision could not stand. In a case where liability turned on detailed facts about click-through journeys, account settings, and consent records, that fairness point is not merely procedural tidiness; it goes to whether a defendant had a proper chance to meet the case.
In essence, the likely practical effect of this case is to narrow significantly the route by which claimants can attack consent-based compliance by relying on their own undisclosed state of mind. Warby LJ highlights the “uncertainty that would result includes, critically in my view, the unsatisfactory and ultimately opaque nature of the test for legally effective consent which the [first instance] judge applied.”
For civil claims, the practical effect is that consent must be proved by an objective outward indication, not by a claimant’s later evidence that they did not really understand, intend, or internally choose to consent. That strengthens the position of defendants who can show a clear affirmative consent mechanism, and weakens arguments that rely on subjective vulnerability alone.
The judgment pushes consent analysis back to orthodox GDPR principles and those of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR): what was presented, what action was taken, and whether that action amounted to a free, specific, informed, and unambiguous indication of agreement. In other words, the evidential burden stays focused on the controller’s process and the claimant’s external conduct, not on a retrospective inquiry into private mental state.
The message for practitioners is that consent disputes should be pleaded and proved in the conventional GDPR/PECR way: what was shown to the user, what action did the user take, what information was provided, and how clear was the transactional context. If the claimant’s argument depends on vulnerability or impaired autonomy, it will need to be translated into an objective legal defect in the consent mechanism, not left as a bare psychological proposition. That makes documentation and contemporaneous system records even more central to the preparation of a claim.


