Since our last article discussing the reprimand issued by the ICO to Sky Betting and Gaming for its unlawful processing and sharing of consumer data with third parties, Sky Betting and Gaming has come under fire again:

Sky Betting and Gaming – which operates the Sky Bet, Sky Casino, and Sky Vegas platforms – is in the limelight again in relation to its use of personalised, targeted direct marketing to an individual. This time it is in the context of ‘consenting behaviour’. In this article, we discuss the High Court’s recent judgment in RTM v Bonne Terre Ltd [2025] EWHC 111 (KB) and its relevance to businesses.

The recent case: RTM v Bonne Terre Ltd

On 23 January 2025, the High Court handed down its judgment in respect of a claim brought by an individual (RTM) against Bonne Terre Ltd, which operates as Sky Betting and Gaming (SBG).

Background and context

RTM used SBG’s gambling products over several years. He brought a privacy claim in relation to data protection and the misuse of his private information by SBG, alleging that SBG gathered and used extensive information, generated by his use of SBG’s platforms, unlawfully. RTM claimed SBG used cookies to harvest his transactional data and produce aggressive targeted and personalised marketing, and that he had not consented to direct marketing emails nor been given a compliant way of avoiding them.

SBG claimed that it had complied with all its legal obligations in respect of data protection, and that RTM consented to the use of his personal data.

The High Court judgment

The High Court found in favour of RTM. A Summary of the relevant parts of the judgment are set out below.

1.     Consent

SBG was required by the UK General Data Protection Regulations (UK GDPR) to ensure that individuals were provided with clear and comprehensive information about the purposes of use of personal information obtained using cookies. SBG was also required to ensure that any individual had given consent before it could obtain personal information from them.

2.     Nature of consent

(a)   A data subject’s ‘consenting behaviour’ must be of a relatively high quality. This is context-specific, but the individual’s subjective state of mind as to what they thought about, understood, and desired, and their autonomous choice about consent, must be considered. In addition, the evidential basis on which the data controller (in this case, SBG) relied in proceeding on the basis of the data subject’s consent is a relevant factor.

(b)   RTM was sustaining harm from gambling and was highly vulnerable in relation to his gambling behaviour. He had not considered the issue of cookies and had instead clicked through the relevant material (such as privacy notices) in order to start gambling quickly.

(c)   As RTM had not read the relevant material, he had limited insight into the fact that his online behaviour was being fed into a model by SBG to create and enhance direct marketing tailored to him.

Factual context

(a)   In 2018, SBG introduced consent mechanisms which were sufficient to provide a strong evidential basis that specific, autonomous consent had probably been given by users (when they clicked the relevant boxes on the website). However, data controllers must be able to demonstrate the existence of the consent it relies on in a particular case.

(b)   RTM’s engagement with the consent processes (which SBG relied on) could not be described as ‘free’, ‘specific’, and ‘informed’. Because of RTM’s gambling problem and associated vulnerability, the autonomous quality of his consenting behaviour was impaired and therefore lower than the standard required for the processing of personal data for the purposes of direct personalised marketing. SBG’s use of cookies to generate direct personalised marketing to RTM was, therefore, not considered to be ‘lawful processing’.

Summary and conclusions

It is worth noting that the specific context of this case was the use of personal data in relation to online gambling and problem gamblers. However, it highlights some important points that businesses should be aware of when it comes to processing personal data, particularly in terms of ‘consenting behaviour’.

Data controllers must:

1. Ensure that data subjects are provided with clear and comprehensive information about the purposes of the use of their personal data; and
2. Ensure that a data subject has given consent, before obtaining personal information from them.
3. A data subject’s ‘consenting behaviour’ must be of a relatively high quality.
4. A data controller will not always be able to rely on generic probabilities or risk control mechanisms. Instead, it must be able to demonstrate that the appropriate consent had been given in the particular case.
5. There is a risk that a data subject has not provided the required consent, even where they have legal capacity and have, for example, knowingly clicked the relevant buttons (as was the case with RTM). This risk in such cases lies with the data controller.

Should you have any queries in relation to data protection (including the UK GDPR) and/or your business’s obligations as a ‘data controller’, do not hesitate to contact our Commercial team who would be happy to assist.