The claim
The judgment concerns SBG’s reliance on the lawful basis of consent to process personal data as required under the UK Data Protection Act 1998, the GDPR and for the purposes of using cookies, under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
Specifically, SBG relied on consent to collect RTM’s personal data through the use of cookies for the purposes of profiling him and subsequently targeting him with personalised direct marketing. RTM, a recovering gambling addict, claimed that, during a period from early 2017 to the end of 2018 (both before and after GDPR entered into force), SBG had not obtained his valid consent and had therefore unlawfully processed his personal data.
SBG acknowledged that it used cookies in order to collect personal data about customer engagement with its services (and marketing efforts). SBG also confirmed that it processed extensive amounts of personal data including to profile individuals and to carry out personalised direct marketing. However, it asserted that valid consent had been provided by RTM through use of the SBG consent mechanisms (various accept and tick boxes alongside privacy policy and cookies information). SBG made reference to its cookie acceptance and direct marketing records noting this engagement, though RTM had no recollection of the same.
Scenario specific analysis
The Judge was at pains to point out that she was considering a very fact specific scenario, single data subject at a single phase of time. As such her critique of policies and consent mechanisms were made in that context and she was not concerned with “broader questions about best practice at the time, or with the wisdom of relying on this evidential base in general for the presence of the consents in turn relied on for the lawfulness of the processing undertaken”. This may go some way to explaining the lengthy and complex nature of the judgment.The decision
In summary, the Judge found that, despite SBG records suggesting that consent had been provided by RTM, with the various tick boxes having been ticked, in this particular context, valid consent had not in fact been given and the personal data processing was therefore unlawful.
GDPR standard of consent
The Judge set out the definition of consent as articulated under the GDPR ie consent is freely given, unambiguous, specific and informed indication of a data subject’s wishes which, by clear affirmative action, signifies agreement to personal data processing.
The further conditions for valid consent were also flagged (eg controller can demonstrate consent; request for consent should be distinguishable, intelligible and clear; consent must be as easy to withdraw as it is to give; and service provision should not be conditional upon consent to process personal data where that processing is not necessary for contract performance).
Valid consent?
However, in considering the context in which RTM had given consent and whether it was valid, the Judge viewed the quality and “relatively high bar” of consent through three strands. She looked at:
- The subjective element of the individual’s state of mind (what did they actually understand and desire),
- The autonomous nature of the consent (whether the individual was in a position to autonomously choose to engage with the consent process and decide whether to consent eg through having sufficient accurate and relevant information), and
- The evidential standard (how consent is obtained so as to demonstrate consent and mitigate against ambiguity).
We touch on some of the issues considered.
Inability to provide “subjective consent”
In this case, the Judge determined that the vulnerable state of RTM (suffering gambling harms at the time) meant that he had not focused on the cookie consent options he was presented with - he just wanted to gamble and therefore did not take note of the information provided and simply clicked through to ensure rapid access.
With regards to his understanding of SBG’s direct marketing approach, although SBG claimed that it should have been obvious to RTM that the marketing material was highly tailored (and therefore presumably based on sophisticated processing of personal data), the Judge recalled Recital 58 GDPR.
Recital 58 recognises the importance of meeting transparency standards when “situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising”. In fact, the Judge concluded that RTM had limited insight into the system and processing of his personal data for targeted direct marketing.
Further, whilst RTM was aware of the marketing content he was receiving, was “highly responsive” to it and, in the Judge’s view, wanted to receive it, she determined that his decisions regarding direct marketing were “bound up with his own problematic gambling behaviour…”.
Inability to provide autonomous consent
In contrast to SBG’s proposal, the Judge did not agree that RTM had undermined his claim by ticking the consent boxes (despite the fact he may not have read the privacy notices). She considered the context in which the boxes were ticked “as part of the factual matrix in which I have to judge the autonomous quality of [RTM’s] decisions about signifying consent, and the power of the evidence for it on which SBG relied”.
In particular, the Judge looked at the nature of the policy information that SBG provided and mechanisms it used, drawing attention to potential flaws, for example: language linking cookie consent with use of the website; ambiguity as to the extent of cookies use; in some cases use of passive opt-out language regarding direct marketing; and the fact that some information was ignorable (eg RTM didn’t have to scroll through it). In the pre-GDPR period, given the nature of the consent mechanisms, the Judge determined that the evidence of an autonomous choice was “not unambiguous”, that RTM was playing a passive role in consenting and that he could have been unaware of the substance of the terms and conditions with respect to which he was giving consent.
The SBG approach to consent improved post-GDPR, with RTM required to scroll through information and with separate tick boxes provided where appropriate, none of which could be ignored. Although the privacy notice was not entirely neutral, the direct marketing consent process encouraged inertia and there were some weaknesses in the cookies consent process, the Judge determined that autonomous decision making regarding consent was still possible-the approach was sufficient to provide a basis for SBG to rely on consent as being autonomous.
However, the Judge noted that there may be evidence, based on the individual rather than generalities, to suggest that necessary autonomous decision making has not taken place. In this case, the Judge stated that RTM simply had to gamble regardless of the consequences and so was not able to make an autonomous decision as to the processing of his personal data. The Judge concluded that RTM’s consent did not constitute free, unambiguous, informed or specific consent and was not distinct from his need to gamble.
More broadly, the Judge considered that a business may carry the risk that, in this scenario, consent obtained from problem gamblers in relation to cookies and direct marketing could not be relied upon because the data subjects may not be able to give subjective consent. Further any failure to engage with the consent mechanism and privacy information provided may not have been made autonomously but as a result of their compromised position.
Minimise risk
Helpfully the Judge did not suggest that a data controller could or should establish beyond doubt that any one individual has given valid consent at the outset but she did indicate the need to bear in mind the potential risks of reliance on consent. This decision highlights that consent must be an active and conscious decision made by the data subject, not merely a passive act.
The Judge noted that “a data controller who chooses to process personal data in a way which demands consent…cannot ultimately rely absolutely on generic probabilities and risk control mechanisms, or the fact that nearly everyone who has been through the consenting process will have either subjectively consented, or taken an autonomous decision (to the requisite standard) to shortcut the opportunities given to do so.”
She warned that, “If challenged by an individual data subject, a data controller has to be able to demonstrate the consenting it relies on in a particular case. And if that challenge is put in front of a court, a court must decide on the balance of probabilities, and within the full factual matrix placed before it, whether the data controller had a lawful consent basis for processing the data in question or not.” Indeed, she highlights that courts have recognised that direct marketing in the online gambling industry, for example, does raise special issues related to the particular risk of harm and vulnerable nature of individuals.
As such, whilst this case and the decision is particular to RTM’s circumstances, organisations should continue to ensure their consent processes are robust. This will help to mitigate the risk that an individual proves, in fact, to be unaware of the nature of the consent they are providing and unable to make an autonomous decision regarding consent or indeed that any positive consent given remains ambiguous. It may be impractical to tailor the consent process to each individual. However, organisations would be wise to carefully consider the nature of the cohorts from whom the obtain consent. Are they particularly vulnerable? Are there any specific adjustments that should be made to the consent process to account for concerns? Would it be prudent to re-consent at intervals? Accountability is key so demonstrating consideration of these issues and documenting decision making may assist when responding to any future challenge.
Issues not addressed by the judge
Beyond the issue of valid consent, RTM also claimed that reliance on legitimate interest lawful bases for the purposes of direct marketing was unlawful, failure to adequately respond to his “right to object” to processing request, breach of legislative requirements regarding purpose limitation, data minimisation and storage of data as well as misuse of private information. Counsel for the defendant did acknowledge that it was not possible for SBG to rely on legitimate interests as a basis for processing personal data, including profiling, for the purposes of personalised direct marketing, to “problem gamblers”. However, given her judgment regarding consent, the Judge declined to consider these points further.
Remedy and next steps
RTM claimed compensation for harm, distress and loss but remedies are yet to be determined. The Judge did note that in addressing any financial remedy, causation will be considered and compensation can only be expected in relation to issues for which the defendant has been held liable.
ICO reprimand and continued improvement
This High Court judgment comes a matter of months after the UK Information Commissioner issued a reprimand to Bonne Terre Limited, trading as Sky Betting and Gaming, for unlawfully processing data through advertising cookies without consent, during the period of 10 January to 3 March 2023. Personal information was processed and shared with ad tech companies as soon as the SkyBet platform was accessed and before consent could be effectively given. Changes have subsequently been made by the platform so that individuals can reject cookies before their personal information is used for targeted advertising.
The judgment is available here. The ICO reprimand is available here.
