RTM v Bonne Terre Limited & Anor

The claimant, a private individual who described himself as a recovering online gambling addict, brought claims under data protection law (the Data Protection Act 1998 and the GDPR applicable to the period) and PECR and a claim in misuse of private information arising from the defendant online gambling operator's use of customer data. The court treated the central legal issue as whether the defendant had a lawful basis for the impugned processing used to deliver personalised, targeted direct marketing to the claimant.

The judge applied the statutory and regulatory framework (including the Gambling Act 2005 licensing objectives and codes of practice, the data protection principles and PECR Regulation 6 and Regulation 22) and the authorities on consent and privacy. Consent was held to require a relatively high quality (free, specific, informed and active) and the controller bears the evidential burden. The claimant's gambling history and evidence showed impaired autonomy and decision-making when engaging with the site, the cookie banners and the privacy/marketing preference steps.

On the facts the court found that the claimant had not given operative consent to (a) the use of cookies for the purposes of personalised direct marketing and (b) receiving targeted direct marketing by email. The profiling and propensity modelling used to personalise marketing was parasitic on those unlawful elements and therefore not independently lawful. The judge did not need to decide subsidiary issues (for example special category health data or other principle breaches) because the processing lacked a lawful basis.

Background and parties: The claimant was an online customer of the defendants operating under the Sky Betting & Gaming brand. He alleged the defendants harvested and profiled extensive transactional and behavioural data and used it, including by cookies and algorithmic profiling, to deliver personalised direct marketing which fed his compulsive gambling and caused harm. The defendants maintained they complied with their legal obligations, relied on consents and, for some in-house processing, on legitimate interests, and operated a separate safer gambling control framework including a suppression mechanism.

Nature of the claim and relief sought: This was a first instance claim seeking remedies under the Data Protection Act 1998 (and the GDPR obligations applicable from May 2018), PECR (cookies and direct marketing) and misuse of private information. The claimant sought compensation and other relief for unlawful processing, lack of transparency and misuse of private information arising from profiling and targeted marketing.

Issues framed:

• Whether the defendants obtained legally effective consent to use cookies and to send direct marketing to the claimant (PECR and data protection);
• Whether profiling and automated processing used for personalised marketing had a lawful basis (consent, contractual necessity, legitimate interests);
• Whether special-category (health) data issues, purpose limitation, data minimisation and retention principles were contravened;
• Whether the tort of misuse of private information added independent relief.

Evidence and factual findings: The judge received contemporaneous records and witness evidence about the defendants' data architecture: extensive transactional raw data, feature stores, propensity modelling used separately for marketing and for safer-gambling controls, and a single suppression link between the two. The claimant's uncontested gambling history showed compulsive, unaffordable and secretive gambling; he was found to be highly vulnerable and to have impaired autonomy in decisions relating to gambling. The court accepted that the defendants' consent mechanisms improved in the GDPR refresh of spring 2018, but found historical evidence that the claimant either clicked through cookie and privacy prompts without reading them or, to the extent he engaged, did so in the haze of compulsive gambling.

Court's reasoning and conclusion: Applying the statutory tests and the authorities (notably Planet49 and subsequent CJEU/tribunal decisions on consent), the judge explained consent must be demonstrably free, specific, informed and the controller must be able to show it. Context matters: personalised marketing to online gamblers raises particular risks because some customers will have compromised autonomy. On the balance of probabilities the court found the claimant lacked operative subjective consent and that his acts in clicking through were not sufficiently autonomous given his documented vulnerability. Consequently the use of cookies for personalised marketing and the direct targeted marketing to him were unlawful processing. Profiling for marketing was parasitic on that unlawful processing. The court therefore gave judgment for the claimant on those liabilities and deferred remedy for later submissions. The judge declined to make further findings on subsidiary data protection heads and on misuse of private information as unnecessary given the central holding.

First instance: judgment was given for the claimant on the key issues. The court held that the defendant’s use of cookies to obtain data for personalised direct marketing and its targeted direct marketing emails to the claimant were not lawful because the claimant had not given operative consent of the quality required by data protection law. The profiling used for marketing was therefore not independently lawful. The rationale was that consent must be free, specific, informed and active, the controller bears the evidential burden, and the claimant’s impaired autonomy as a problem gambler meant his consenting behaviour fell below the required standard.