Landmark High Court ruling on GDPR consent to profiling and targeting in RTM v Bonne Terre - Analysis

AR:0001
ARTICLE

Landmark High Court ruling on GDPR consent to profiling and targeting in RTM v Bonne Terre - Analysis

Landmark High Court ruling – Sky Betting & Gaming breached ex-online gambler’s rights

A recovering gambling addict, represented by AWO, won his case against Sky Betting & Gaming who unlawfully used his personal data for profiling and targeted marketing. Read on for our analysis of the judgment.

On 23 January 2025, the High Court ruled in favour of a reformed gambler who challenged Sky Betting & Gaming’s use of his personal data for profiling and targeted marketing. Sky Betting & Gaming (“SBG”) is one of the UK’s largest online gambling operators, running platforms like Sky Bet, Sky Casino or Sky Vegas – the Defendants in the case, Bonne Terre Limited and Hestview Limited, operate the SBG brands.

The groundbreaking ruling is a legal first for online marketing and the related legal principles, and could have major implications for the multi-billion-pound online gambling sector in the UK and the online advertising industry as a whole. It raises the prospect that not only SBG, but also other gambling companies, have been illegally profiling thousands – if not tens of thousands – of their vulnerable customers for years.

Background to the claim

The claimant had gambled with SBG for nearly 10 years, losing over £45,000 in the process. As part of his recovery from what he considered to be a gambling addiction, he made data subject access requests (“DSARs”) to a number of gambling operators. His DSAR to SBG led to further requests to other third parties, which produced a staggering amount of data of a very detailed and intimate nature. That data was however a small portion of what was disclosed to him in the course of legal proceedings. These disclosures made it clear that he had been extensively tracked and profiled as a prolific gambler of potentially high value to SBG’s business, which led to intensive marketing that fed his gambling addiction. His personal data was used to market to him in ways he did not know about and therefore could not consent to. He filed this claim to challenge that.

What did SBG do with its customers’ data?

Aside from using the basic data necessary to operate its services, SBG aggregates data on customers’ gambling and other online behaviour and generates its own ‘data points’ for each user, such as their favourite time of day for gambling or whether they are a “high value” customer. Evidence in the case showed that at any one time, each individual is assigned around 500 data points that are continuously updated by real-time data. These are in addition to data received from third parties like Signal (83 different data points) or Iovation (19,000 data points). These data points are then used by the business, in particular its marketing arm, to segment its customer base for marketing campaigns and to build “propensity models”, algorithmic models that predict users’ future behaviour. These data points are then used by the business, in particular its marketing arm, to segment its customer base for marketing campaigns and to build “propensity models”, algorithmic models that predict users’ future behaviour. SBG takes gambling behaviours and turns them into code. For example, one of the models disclosed in evidence would predict the likelihood that a customer who bets on sports outside of matches will also bet during matches – a model used by the marketing team to predict who in the customer pool will be more likely to be receptive to encouragement to do so. Other models would predict the propensity of a Bingo customer to play side games, or flag “abnormally high activity customers” in relation to a specific product or game to enhance offers to them.

Can gambling operators rely on “safer gambling” for all this data collection?

SBG sought to defend its extensive data processing, claiming it was required for operation of its “safer gambling” models. But as the evidence showed, and as the Court emphasised in its judgment, SBG continued to market to users who displayed signs of problem gambling but did not reach a sufficient risk level to end up on their “suppression” list (through which they would receive no marketing at all). It was a binary threshold, short of which “the marketing team will continue to market” [§95].

SBG’s own data science witness recognised that a data point showing regular play in the early morning hours can be a marker of harm, but that “short of suppression, the marketing model will interpret it as a cue that that is a particularly productive time to send marketing to that individual.” [§96] The Court found that “[t]he financial triggers for suppression were set at levels beyond the realistically possible reach of a man of the Claimant’s modest means, even when he was spending all the money he could get his hands on and more.” [§166]

Whilst safer gambling obligations will therefore justify data collection and processing, it is gambling operators’ purposes for processing that matter. The fact that they have data on hand purportedly as a result of their safer gambling objectives will not by itself justify the further use of that same data for other purposes such as marketing. AWO were also instructed on the leading case relating to purposes of processing, details of which can be found here.

What was the impact on the Claimant?

As a result of SBG’s profiling and targeted marketing campaigns, the claimant received a flood of marketing emails enticing him with bonuses, offers to try new products, or reminders of how much he could (but did not) win. His intense gambling, as the Court recognised, fed this marketing like a self-fulfilling prophecy:

“The more he responded – trying new things, accepting bonuses, going up a level – the more the marketing models responded with more, and more tailored or directed, marketing. That is exactly what they were designed to do. The Claimant was gambling in what might reasonably be called a fast-moving marketing-saturated environment, one in which rich information provided by his own online behaviour was being played back to him in real time with tailored enticements and inducements to play more and play bigger.” [§166]

The Court found the claimant to be “a straightforward witness of honesty, integrity and insight; answering clearly, concisely and respectfully under cross-examination; and if anything given to understatement rather than overstatement of his evidence.” [§159] He described in his testimony the shock and bafflement at the nature and extent of the use of his personal data, which he discovered after receiving initial results of requests for access to his data from SBG. This compounded his feelings of “deep shame, both then and now, at the extent to which his gambling behaviour diminished him, and indeed his integrity, at the time.” [§159]

The judge in her ruling recognised that online gambling is a particularly risky environment in which users’ discernment and autonomy can be impaired, such that companies have heightened obligations to ensure that valid consent to this intrusive processing has been provided. This is a powerful reminder to all data controllers that the key attributes of consent under the UK GDPR – “freely given”, “specific”, “informed” and “unambiguous” – set a high standard, and that the context in which consent to data processing is sought is important.

“Standards of consent set in data protection law are not insensitive to that sort of context. On the contrary, they can be recognised as requiring a ‘relatively high’ and context-specific standard of consent precisely because of the need for it to be especially incontrovertible before it can be relied on, when the processing of personal data not only invades privacy and compromises autonomy but proceeds from compromised autonomy of the very same nature.” [§205]

In essence, the Court found that (i) what was happening behind the scenes to encourage the claimant to gamble more, and (ii) the results of the defendants’ processing, were not things he properly consented to. This was because what the judge called the subjective quality (the claimant’s attitude towards the decision-making) and the autonomous quality (his ability to make a free and informed choice as shaped by SBG’s cookies and privacy policies and consent mechanisms) of his decision-making were both compromised by his problem gambling.

The Court found it “obvious” that SBG was carrying a risk of marketing to problem gamblers whose consenting was not of the standard required to be relied on for lawful processing [§195]. In response to SBG’s submissions that the Court must calibrate its decision against “business reality”, it highlighted that it is precisely a business’ responsibility to do what it can to guard against this risk materialising:

“The carriage of that legal risk is a matter for the business. (That might be considered implicit in the ‘reasonable care’ defence provided by PECR Regulation 30(2)). It has choices to make about cookies and direct marketing and about the people on the other end of them whose personal information it uses. It has many resources available to assist it in doing so. It has regulatory standards and guidance to help it set up and operate consenting processes, including high-quality privacy information, which can then yield strong evidence of consenting of the necessary quality. In the overwhelming majority of cases, that evidence is likely to be unanswerable. It also has regulatory standards and guidance – and rich data resources relating to individuals – to help inform safer gambling mechanisms to suppress or modify its marketing or its consent mechanisms at a more granular, or individuated, level should it choose to do so. Of course, all of these represent business overheads, and there are business choices to be made about how far to invest in managing and minimising the carriage of the risk of absent or defective consenting.” [§197]

SBG ought to have known that there was a risk that some of its users were not properly consenting in this way (a risk clearly heightened in the online gambling sector). This was a risk of doing business that they would end up liable for if challenged by a specific individual. That is, SBG could not rely on their general risk management processes as a defence to a claim from a specific individual that valid consent had not been provided in his case.

What about other lawful bases for processing? Can gambling operators simply switch to legitimate interests following this ruling?

At certain points in the claim period, SBG attempted to rely on its legitimate interests to profile customers for marketing purposes (despite claiming in its privacy policy that it did so on the basis of customers’ consent) [§178]. The judgment emphasises that all lawful bases have a default requirement for the processing to have a justification [§106].

While the Court ruled primarily on the issue of consent, the judgment provides powerful obiter that seems to rule out the possibility for controllers in the gambling industry to switch from consent to the legitimate interests lawful basis for profiling for marketing purposes. At paragraphs 199 to 201 the judgment carries out something of a balancing exercise that can be applied to legitimate interests. It first found a high risk of harm resulting from marketing in the gambling industry:

“It will include instances of selling gambling to some people whose autonomous ability to resist that selling is substantially diminished. It will include selling a product which, for some people, will harm them and further diminish the autonomous control they have over their private lives. And where it is personalised, that may at the same time both represent the obtaining and use of very personal information about their disordered behaviour, and its processing to make the marketing even more intrusive and hard to resist.” [§109]

This risk means that there was “an obvious and fundamental imbalance in the rights and interests of the respective parties in such cases”. It then found that “it is not necessary for online gambling providers to market to their customers in order to allow them to gamble. It is something they choose to do.” The judgment concludes by recording the acceptance by SBG’s counsel that “absent operative consent, SBG has no legitimate interest in processing personal data, including profiling, for the purposes of personalised direct marketing to problem gamblers” [§201].

What does this mean for the AdTech industry?

The proceedings confirmed and further revealed the extent of sharing of personal data between online gambling operators and a wide range of third parties through the AdTech ecosystem. A report by Cracked Labs documenting the sharing of personal data by SBG with dozens of companies in the AdTech industry was provided in evidence and confirmed as accurate by SBG’s witnesses.

The high standard of consent required by the Court in this case ought to warn the online advertising industry against over-reliance on meaningless, deceptive or “dark pattern” consent processes. It reiterates that controllers must be able to demonstrate that the qualities of consent (freely given, specific, informed and unambiguous) are met, and importantly that the risk that someone has not provided operative consent is one to be borne by the business. If that risk materialises, the business will be liable, regardless of the general risk mitigation measures which it has in place.

In addition, as the AdTech industry relies on data collection processes of the type that were in issue in this case, the judgment also implies that the “data supply chain” of the industry may be rife with personal data collected without legally operative consent, and that legitimate interests in many cases will not be an acceptable lawful basis.

The judgment is also a welcome reassertion of the very raison d’être of data protection law, warning controllers against casual attitudes to the vast amounts of personal data processed every day by thousands of actors in the online advertising industry, and its consequences:

“Experience does teach us, as a society, not to be naïve about the way our online behaviour has consequences for us by way of advertisements and offers. But I remind myself of the wording of Recital 58 to the GDPR about ‘situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising’. In the Claimant’s case the raw data comprised the cumulative fine detail of behaviour he had himself recognised at the time as harmful and out of control. And it was being used to encourage him to do more.” [§167]

Finally, the judgment reinforces the reprimand taken by the ICO against SBG’s parent company in September 2024, as a result of submissions made by AWO on behalf of Clean Up Gambling. The ICO’s investigation had found that a pixel embedded within the Sky Bet website had facilitated the setting of approximately 40 third-party marketing cookies without users’ valid consent.