Consent under the spotlight: why the Court of Appeal has just made life (slightly) easier for data controllers

Kevin Modiri

If you work in digital marketing, online platforms or any business that relies on cookies and user data, the recent Court of Appeal decision in RTM v Bonne Terre Ltd is one you cannot afford to ignore.

At first glance, this looked like a difficult case for data controllers: a vulnerable individual, a history of problem gambling and targeted marketing that allegedly exacerbated harm. The High Court found against the operator in the first instance on the basis that the claimant’s consent wasn’t of sufficiently good quality, subjective consent.

But the Court of Appeal has now stepped in and its judgment is both reassuring and instructive for organisations grappling with GDPR and PECR compliance.

Let’s unpack what actually matters.

The core issue: what is “consent”, really?

The central question was deceptively simple:

Do you need to prove what a user actually thought when they clicked “accept”?

The High Court effectively said yes, introducing a layered test that looked at:

  • the user’s subjective state of mind;
  • whether their decision was truly autonomous; and
  • whether there was sufficient evidence of consent.

That approach created a serious problem: how can any business realistically assess what is going on inside a user’s head?

The Court of Appeal rejected that approach in clear terms.

Consent under the spotlight: why the Court of Appeal has just made life (slightly) easier for data controllers

The Court held that consent is about what the user does, not what they secretly think.

In practical terms:

  • Did the user take a clear affirmative action (e.g. ticking a box)?
  • Was that action freely given, specific, informed and unambiguous?
  • Can the organisation prove it?

That’s it.

There is no requirement to prove:

  • the user’s internal mindset; or
  • whether they were psychologically “fully autonomous” at the time.

This is a crucial clarification.

Why this matters for your business

The High Court’s approach, if left standing, would have created an almost impossible standard.

Imagine this scenario:

  • A user clicks “accept cookies”;
  • Later, they argue they were distracted, vulnerable or not thinking clearly; and as a result
  • Your entire consent framework is suddenly called into question.

The Court of Appeal recognised the danger:

A system that depends on analysing each individual’s mental state would be unworkable and create unacceptable legal uncertainty.

In other words, compliance must be achievable in the real world. The judge in the Court of Appeal found that there was no evidence in the legislation or in case law to there being a subjective test in respect of consent.

But don’t relax just yet…

This is not a free pass.

The judgment reinforces that:

  • Consent must still meet a high standard;
  • The burden of proof remains firmly on the data controller; and
  • Poorly designed systems will still fail.

Think:

  • pre-ticked boxes
  • vague marketing opt-ins
  • bundled or hidden consent

The Court repeatedly emphasised that consent must be:

  • clear;
  • separate;
  • specific to the activity that the data subject is consenting to; and
  • properly explained.

What about vulnerable users?

One of the more interesting aspects of the case was the claimant’s gambling addiction.

The High Court treated this as central, essentially saying it undermined consent entirely.

The Court of Appeal disagreed.

It held that:

  • individual vulnerability does not automatically invalidate consent; and
  • the test remains objective, not personalised.

That said, vulnerability isn’t irrelevant in every context. It may still feature in:

  • fairness assessments;
  • regulatory scrutiny;
  • sector-specific obligations (e.g. gambling, health, finance); and
  • obligations pursuant to other legislation, such as the Equality Act.

But it is not part of the legal definition of consent itself.

Key takeaway: design, don’t guess

If there’s one practical lesson from this case, it’s this:

You don’t need to read minds, you need to design better systems.

Focus on:

  • clear consent journeys;
  • genuine choice (opt-in, not opt-out);
  • accessible information; and
  • audit trails and evidence.

If your systems are robust, the law is now firmly on your side.

How can we help?Contentious Probate Case Management

Kevin Modiri is a Partner in our expert Dispute Resolution team, specialising in civil disputes, insolvency, inheritance disputes, data breach claims and defamation claims.

If you want to discuss GDPR consent or something similar, please do not hesitate to contact Kevin or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.

Contact us
This article is for information only and does not constitute legal/financial advice. Please contact us for advice tailored to your specific position. Some of the content presented on our website has been generated with the assistance of Artificial Intelligence (AI). We ensure that all AI-generated content meets our high standards for accuracy and relevance.

If this article relates to a specific case/cases, please note that the facts of this case/cases are correct at the time of writing.
Contact us today

We're here to help.

Call us on 0800 024 1976

Main Contact Form

Used on contact page

  • Email us