High Court rules against Sky Betting’s targeted marketing

The question

What constitutes valid consent under UK data protection law, particularly in the context of targeted marketing to vulnerable individuals?

The key takeaway

The High Court’s decision emphasises that organisations must take into account a data subject’s circumstances and vulnerabilities when seeking consent to process personal data for marketing purposes.

The background

In January 2025, the High Court handed down a judgment in the case of RTM v Bonne Terre Ltd & Hestview Ltd [2025] EWHC 111 (KB). The claimant, a reformed problem gambler, alleged that Sky Betting & Gaming (SBG) had violated UK data protection laws by collecting his data without proper consent and using it for unlawful targeted marketing between 2017 and 2019.

The development

The court ruled in favour of the claimant, holding that SBG’s use of cookies for the purposes of marketing to the problem gambler and SBG’s direct marketing to the problem gambler were not lawful processing under data protection laws. The court emphasised that consent for problem gamblers under UK data protection law must be “free, unambiguous, informed, specific, or distinct from the uncontrolled craving to gamble.” Given the claimant’s vulnerable state, the court found that his ability to provide genuine consent was impaired and that additional safeguards should have been implemented.

In reaching its decision, the court also made broader observations about the online gambling industry, noting that there is an inherent risk that consent obtained from problem gamblers may not meet legal standards due to their addiction. This could have wider implications for other industries associated with addictive behaviour, such as online gaming and social media.

It is important to note that SBG is currently considering an appeal.

Why is this important?

This ruling should be considered in light of previous guidance the ICO has produced around direct marketing. In its Direct Marketing Code, the ICO states that direct marketing based on automated profiling could fall within the prohibition under Article 22 of the GDPR if it targets “known problem gamblers with adverts for betting websites” and therefore would require explicit consent. The ruling, however, serves as a reminder that it may not ever be possible to obtain valid consent (explicit or otherwise) from certain data subjects when you take into account the circumstances of the data subject’s consenting behaviour and their vulnerabilities.

Any practical tips?

Organisations must consider the nature of their data subjects and whether there are any circumstances that could prevent them from being able to provide valid consent under the law. These could be due to addictive behaviour or other vulnerabilities known about in the particular industry. In this case, organisations should consider implementing systems that can identify such individuals at which point the organisations should consider whether the individual should be excluded entirely from direct marketing.

Spring 2025