Category Archives: marketing

April 22, 2026 · 6:00 am

“Consent” must be assessed objectively, says Court of Appeal

The Court of Appeal has handed down an important judgment (RTM v Bonne Terre Ltd & Anor [2026] EWCA Civ 488) on the meaning of “consent” in the context of data protection and ePrivacy law, and overturned what had been a problematic prior judgment of the High Court, which had left many businesses, especially those in the betting and gaming sector, facing an “ineradicable” risk of claims that potentially they could not reasonably have defended. The Court of Appeal’s judgment will no doubt be seen by those businesses as a welcome reversal, providing greater legal certainty.

So what does “consent” mean, in the data protection statutory scheme?

Article 4(11) of the UK GDPR says it means

any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

And Article 7 puts the onus on the data controller to prove that the standard has been met.

Section 2(1) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”, which deal with the sending of direct electronic marketing to individuals and the use of cookies and similar technologies), adopts the Article 4(11) UK GDPR definition (and applies it to “subscribers” and “users” as opposed to data subjects).

So far, so straightforward. But what happens in the case of someone who purports, by a clear affirmative action, such as ticking a box, to give specific, informed and unambiguous indication of his wishes, signifies agreement to the processing of personal data relating to him, and to the receiving of direct electronic marketing, but who later argues that the consent was vitiated by factors of which the data controller/sender of the marketing was unaware, and could not reasonably have been aware. Put another way, is the sending of direct electronic marketing on the basis of the objectively valid consent of someone who was subjectively incapable of giving valid consent, to be treated as lawfully sent?

“No”, said the High Court in the first instance. RTM was someone who, in his own submission, had gambled in circumstances, and to a degree he described as, “compulsive, out of control and destructive”, and claimed, in data protection and in misuse of private information, for damages, on the basis that, as he argued, Bonne Terre (operating as Sky Betting and Gaming, or “SBG”)

gathered and used extensive information, generated by his use of its platforms, unlawfully…especially by way of personalised and targeted marketing which he could not handle and which fed his compulsive behaviour

Mrs Justice Collins Rice DBE, had held, in her judgment, (even though RTM had not pleaded in these terms) that even though RTM had not lacked capacity to consent, and “that he wanted the direct marketing material – even perhaps craved it” he was one of a small subset (an “irreducible minimum”) of “individuals for whom decision-making…was already out of control in relation to gambling, and for whom the consenting mechanisms and information provision meant nothing other than barriers to gambling to be overcome”. Even though SBG had adopted controls in line with gambling regulatory requirements and expectations to avoid the risk of marketing to “problem gamblers” (the judge’s words) and even though these controls “can and do help manage and minimise the particular risks of direct marketing to online gamblers…they cannot and do not eliminate them”. This was because he “lacked subjective consent“; “the autonomous quality of his consenting behaviour was impaired to a real degree“; and “the quality of [his] consenting was rather lower than the standard required“, and “insufficiently freely given“.

The first instance judgment had presented all businesses, but especially those in the betting and gaming sector, with a problem and a risk: i) how could they establish in each case the subjective aspect of a data subject’s consent? and ii) if they could not establish that subjective aspect, how could they deal with the risk that marketing which would on the face of it be lawfully sent, would be held not to be, if the recipient was one of the irreducible minimum whose consent was not, subjectively, valid? Perhaps unsatisfactorily, the judge had said that this was

a risk which is ultimately ineradicable. Problem gamblers may not always be easy to recognise, and there will always be relevant information about them which is ultimately unreachable by the provider, and properly so because it is information which is itself in the private domain

The Court of Appeal has now roundly overturned the decision. Giving the main judgment, Lord Justice Warby revisited what a data controller must be able to demonstrate, in circumstances where consent is said to be present: the controller must “show that the data subject made a statement or took some other clear affirmative action…that ‘signifies agreement’”, they must also prove that “the data subject’s ‘indication’ met each of the four criteria prescribed by the legislation, namely that it was (i) freely given, (ii) specific, (iii) informed, and (iv) unambiguous”. All of these, he holds, are objective tests: “the data controller does not have to prove what was actually in the mind of the individual data subject at the time of the ‘indication’”.

In a classic example of judicial understatement, Warby LJ noted that the effect of the decision of the judge below was to establish a “principle that decisions deliberately made by a capacitous individual may nonetheless be vitiated for lack of consent” and further noted that it was a “legally novel” principle, whose “contours are not clear to me”.

Recitals 4 and 7 of the UK GDPR are relevant here. The first reminds us that

The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights

and the second reminds us that

Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced

As Warby LJ notes, an “inevitable corollary” of the original ruling would be that a business “could not guarantee its ability to ‘demonstrate’ conformity with the consent requirements of data protection law and PECR”, and

the unsatisfactory and ultimately opaque nature of the test for legally effective consent which the judge applied…would create considerable legal and practical uncertainty for economic operators

Absent a further appeal by RTM, which would need to be to the Supreme Court, and which would seem unlikely, the Court of Appeal has now gone a long way towards restoring legal and practical certainty as to the meaning of “consent” in data protection law, and how data controllers should approach the task of gathering and proving consent.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under consent, controller, cookies, Data Protection, judgments, marketing, PECR, UK GDPR

Tagged as , , ,

February 5, 2026 · 4:39 pm

DUAA commencement – what’s hot and what’s not

I’ve written for the Mishcon de Reya website on the commencement on 5 February of the majority of the data protection and eprivacy provisions of the Data (Use and Access) Act 2025: 

https://www.mishcon.com/news/data-protection-and-electronic-privacy-reform-whats-hot-and-whats-not

Leave a comment

Filed under charities, Data (Use and Access) Act, Data Protection, Data Protection Act 2018, marketing, PECR, UK GDPR

Tagged as ,

March 22, 2025 · 5:55 am

O’Carroll v Meta – what now for targeted adverts on Facebook

Following the news that claimant Tanya O’Carroll and defendant Meta have settled ahead of what was likely to be a landmark data protection case, what are the implications?

Ms O’Carroll argued that advertising served to her on Facebook, because it was targeted at her, met the definition of “direct marketing” under section 122(5) of the Data Protection Act 2018 (“the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”) and thus the processing of her personal data for the purposes of serving that direct marketing was subject to the absolute right to object under Article 21(2) and (3) UK GDPR.

Meta had disputed that the advertising was direct marketing.

The “mutually agreed statement” from Ms O’Carroll says “In agreeing to conclude the case, Meta Platforms, Inc. has agreed that it will not display any direct marketing ads to me on Facebook, will not process my data for direct marketing purposes and will not undertake such processing (including any profiling) to the extent it is related to such direct marketing”.

One concludes from this that Meta will, at least insofar as the UK GDPR applies to its processing, now comply with any Article 21(2) objection, and, indeed, that is how it is being reported.

But will the upshot of this be that Meta will introduce ad-free services in the UK, but for a charge (because its advertising revenues will be likely to drop if people object to targeted ads)? It is indicating so, with a statement saying “Facebook and Instagram cost a significant amount of money to build and maintain, and these services are free for British consumers because of personalised advertising. Like many internet services, we are exploring the option of offering people based in the UK a subscription and will share further information in due course”.

The ICO intervened in the case, and have uploaded a summary of their arguments, which were supportive of Ms O’Carroll’s case, and her lawyers AWO Agency have also posted an article on the news.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, facebook, Information Commissioner, marketing, Meta, Right to object, UK GDPR

Tagged as , ,

January 24, 2025 · 7:27 am

Cookies, compliance and individuated consent

[reposted from my LinkedIn account]

Much will be written about the recent High Court judgment on cookies, direct marketing and consent, in RTM v Bonne Terre & Anor, but treat it all (including, of course, this, with caution).

This was a damages claim by a person with a gambling disorder. The claim was, in terms, that the defendant’s tracking of his online activities, and associated serving of direct marketing, were unlawful, because they lacked his operative consent, and they led to damage because they caused him to gamble well beyond his means. The judgment was only on liability, and at the time of writing this post there has been no ruling on remedy, or quantum of damages.

The domestic courts are not regulators – they decide individual cases, and where a damages claim is made by an individual any judicial analysis is likely to be highly fact specific. That is certainly the case here, and paragraphs 179-181 are key:

such points of criticism as can be made of [the defendant’s] privacy policies and consenting mechanisms…are not made wholesale or in a vacuum. Nor are they concerned with any broader question about best practice at the time, nor with the wisdom of relying on this evidential base in general for the presence of the consents in turn relied on for the lawfulness of the processing undertaken. Such general matters are the proper domain of the regulators.

In this case, the defendant could not defeat a challenge that in the case of this claimant its policies and consenting mechanisms were insufficient:

If challenged by an individual data subject, a data controller has to be able to demonstrate the consenting it relies on in a particular case. And if that challenge is put in front of a court, a court must decide on the balance of probabilities, and within the full factual matrix placed before it, whether the data controller had a lawful consent basis for processing the data in question or not.

Does this mean that a controller has to get some sort of separate, individuated consent for every data subject? Of course not: but that does not mean that a controller whose policies and consenting mechanisms are adequate in the vast majority of cases is fully insulated from a specific challenge from someone who could not give operative consent:

In the overwhelming majority of cases – perhaps nearly always – a data controller providing careful consenting mechanisms and good quality, accessible, privacy information will not face a consent challenge. Such data controllers will have equipped almost all of their data subjects to make autonomous decisions about the consents they give and to take such control as they wish of their personal data…But all of that is consistent with an ineradicable minimum of cases where the best processes and the most robust evidential provisions do not, in fact, establish the necessary presence of autonomous decision-making, because there is specific evidence to the contrary.

This is, one feels, correct as a matter of law, but it is hardly a happy situation for those tasked with assessing legal risk.

And the judgment should (but of course won’t) silence those who promise, or announce, “full compliance” with data protection and electronic marketing law.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under adtech, consent, cookies, Data Protection, GDPR, judgments, marketing, PECR, Uncategorized

Tagged as , ,

August 11, 2024 · 10:06 am

Soft opt in marketing for non-profits

Why can’t charities send speculative promotional emails and text messages to customers and enquirers, in circumstances where commercial organisations can? And should the law be changed?

Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) deals with circumstances under which a person can send an unsolicited direct marketing communication by email, or text message.

In simple and general terms, a person cannot send an unsolicited direct marketing email or text message to an individual’s private email account, unless the individual has consented to receive it. “Consent”, here, has the stringent requirements imposed by Article 4(11) and Article 7 of the UK GDPR.

(The actual law is more complex – it talks of an “individual subscriber”. This is the person who is a party to a contract with a provider of public electronic communications (for which, read “email” and “text message”) services for the supply of such services. So, if you have signed up for, say, a gmail account, you have a contract with Google, and you are – if you are an individual – an individual subscriber.)

The exception to the requirement to have the recipient’s consent is at regulation 22(3) of PECR, which says that the sender of the marketing communication does not need the prior consent of the recipient where the sender: obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient; the direct marketing is in respect of the sender’s similar products and services only; and the recipient has been given a simple means of refusing the use of their contact details for the purposes of such direct marketing, at the time that the details were initially collected, and at the time of each subsequent communication.

This exception to the general “consent required” rule has long (and probably unhelpfully) been known as the “soft opt in”.

The notable requirement for the soft opt in is, though, that the recipient’s contact details must have been collected in the course of the sale or negotiations for the sale of a product or service.

There are various types of non-profit organisation which may well correspond with, and wish to send promotional emails and text messages to individuals, but which don’t as a rule sell products or services. Perhaps the most obvious of these are charities, but political parties also fall into the type.

The Information Commissioner’s Office (ICO) has long held that promotional communications sent by such non-profits do constitute “marketing” (and the Information Tribunal upheld this approach as far back as in 2006, when the SNP appealed enforcement action by the ICO). (I happen to think that there’s still an interesting argument to be had about what “marketing” means in the PECR and data protection scheme, and at one end of that argument would be a submission that it implies a commercial relationship between the parties. However, no one has yet taken the issue – as far as I’m aware – to an appellate court.)

But the combined effect of regulation 22(3) and the interpretation of “marketing” as covering promotional emails and text messages by charities, means that those charities (and political parties etc.) can’t send soft opt in communications.

The Data Protection and Digital Information Bill, which tripped and fell yards from the finishing line, when Mr Sunak, in a strategic master stroke, called the general election early, proposed, in clause 115, to extend the soft opt in where the direct marketing was “solely for the purpose of furthering a charitable, political or other non-commercial objective” of the sender.

Will the new Labour administration’s proposed Digital Information and Smart Data Bill revive the clause? The government’s background paper on the legislative agenda in the King’s Speech doesn’t refer to it, but that may be because it’s seen as a relatively minor issue. But, in fact, for many charities, the issue carries very significant implications for their operations and their ability effectively to fundraise.

It should be revived, and it should be enacted.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under charities, Data Protection Bill, Information Commissioner, marketing, PECR, political parties

Tagged as , ,

July 1, 2024 · 10:57 am

Can you stop election candidates sending you post?

During every recent general election campaign I can remember, there have been social media posts where people complain that they’ve received campaign material sent to them, by name, in the post. Electoral law (whether one likes it or not) permits a candidate to send, free of charge, one such item of post regardless of whether the recipient has objected to postal marketing, in general or specific terms. This right is contained in section 91 of The Representation of the People Act 1983. So, if you don’t like it, lobby your new MP in a few weeks’ time to get it changed.

Given that it’s always a topic of contention, I welcome the Information Commissioner’s Office’s publishing of guidance (including on the “one item of post” point) for the public on “The General Election and my personal data – what should I expect?

What the guidance does not address, however, is a conflict of laws point. Article 21(2-3) of the UK GDPR create an absolute right to object to direct marketing and a consequent absolute obligation on a person not to process personal data for direct marketing purposes upon receipt of an objection. So how does this talk with the right given to electoral candidates to send one such communication?

Tim Turner has written on this point, in his “DPO Daily”, and says “I don’t think the Representation of the People Act trumps the DP opt-out right”, but – on this rare occasion – I think I disagree with him. This is because section 3(1) of the Retained EU Law (Revocation and Reform) Act 2023 provides that retained direct EU legislation – such as the UK GDPR – must be read and given effect in a way which is compatible with all domestic enactments, and, insofar as it is incompatible with them, those domestic enactments prevail.

So, the short answer to the title of this blog is “no” (although they can only send you just one personally addressed item).

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, elections, Information Commissioner, marketing, political parties, UK GDPR

Tagged as , , ,

April 28, 2023 · 7:09 pm

HMRC sending spam

Have HMRC jumped the gun, and assumed that they can now (in advance of the Data Protection and Digital Information (No.2) Bill being passed) rely on the soft opt-in for email marketing?

In common with many other poor souls, I have in recent years had to submit a self-assessment tax return to HMRC. Let’s just say that, unless they’re going to announce a rebate, I don’t relish hearing from them. So I was rather surprised to receive an email from “HMRC Help and Support” recently, telling me “what’s coming up in May” and inviting me to attend webinars. A snippet of the email is here

This certainly wasn’t solicited. And, at least if you follow the approach of the Information Commissioner’s Office (ICO) was direct marketing by electronic means (“Direct marketing covers the promotion of aims and ideals as well as the sale of products and services. This means that the rules will cover not only commercial organisations but also not-for-profit organisations“).

The only lawful way that a person can send unsolicited direct electronic marketing to an individual subscriber like me, is if the recipient has consented to receive it (I hadn’t), or if the person obtained the contact details of the recipient in the course of the sale or negotiations for the sale of a product or service to that recipient (see regulation 22 of the Privacy and Electronic Marketing (EC Directive) Regulations 2003 (“PECR”)). But HMRC cannot avail themselves of the latter (commonly known as the “soft opt-in”), because they have not sold me (or negotiated with me for the sale) of a product or service. The ICO also deals with this in its guidance: “Not-for-profit organisations should take particular care when communicating by text or email. This is because the ‘soft opt-in’ exception only applies to commercial marketing of products or services“.

I raised a complaint (twice) directly with HMRC’s Data Protection Officer who (in responses that seemed oddly, let’s say, robotic) told me how to unsubscribe, and pointed me to HMRC’s privacy notice.

It seems to me that HMRC might be taking a calculated risk though: the Data Protection and Digital Information (No.2) Bill, currently making its way through Parliament, proposes (at clause 82) to extend the soft opt-in to “non-commercial objectives”. If it passes, then we must expect much more of This Type Of Thing from government.

If I’m correct in this, though, I wonder if, when calculating that calculated risk, HMRC calculated the risk of some calculated individual (me, perhaps) complaining to the ICO?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection Bill, HMRC, Information Commissioner, marketing, PECR, spam

Tagged as ,

March 12, 2023 · 12:49 pm

Where’s the Tories’ privacy notice? (just don’t mention the footballer)

The Conservative Party, no doubt scrabbling to gather perceived support for its contentious immigration policies and measures is running a web and social media campaign. The web page encourages those visiting it to “back our plan and send a message” to other parties:

Further down the page visitors are invited to “send Labour a message”

Clicking on either of the red buttons in those screenshots results in a pop-up form, on which one can say whether or not one supports the Tory plans (in the screenshot below, I’ve selected “no”)

One is then required to give one’s name, email address and postcode, and there is a tick box against text saying “I agree to the Conservative Party, and the wider Conservative Party, using the information I provide to keep me updated via email about the Party’s campaigns and opportunities to get involved”

There are two things to note.

First, the form appears to submit whether one ticks the “I agree” box or not.

Second, and in any case, none of the links to “how we use your data”, or the “privacy policy”, or the “terms and conditions” works.

So anyone submitting their special category data (information about one’s views on a political party’s policies on immigration is personal data revealing political opinions, and so Article 9 UK GDPR applies) has no idea whatsoever how it will subsequently be processed by the Tories.

I suppose there is an argument that anyone who happens upon this page, and chooses to submit the form, has a good idea what is going on (although that is by no means certain, and people could quite plausibly think that it provides an opportunity to provide views contrary to the Tories’). In any event, it would seem potentially to meet to definition of “plugging” (political lobbying under the guide of research) which ICO deals with in its direct marketing guidance.

Also in any event, the absence of any workable links to privacy notice information means, unavoidably, that the lawfulness of any subsequent processing is vitiated.

It’s the sort of thing I would hope the ICO is alive to (I’ve seen people on social media saying they have complained to ICO). But I won’t hold my breath on that – many years ago I wrote about how such data abuse was rife across the political spectrum – but little if anything has changed.

And finally, the most remarkable thing of all is that I’ve written a whole post on what is a pressing and high-profile issue without once mentioning Gary Lineker.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner, marketing, PECR, privacy notice, social media, spam, UK GDPR

Tagged as , , , ,

September 7, 2021 · 7:24 am

ICO calls for global cookie standards (but why not enforce the law?)

The outgoing UK Information Commissioner, Elizabeth Denham, is calling on G7 countries to adopt her office’s new “vision” for websites and cookie consent.

Her challenge to fellow G7 data protection and privacy authorities has been issued at a virtual meeting taking place on 7 and 8 September, where they will be joined by the Organisation for Economic Cooperation and Development (OECD) and the World Economic Forum (WEF).

Denham says “There are nearly two billion websites out there taking account of the world’s privacy preferences. No single country can tackle this issue alone. That is why I am calling on my G7 colleagues to use our convening power. Together we can engage with technology firms and standards organisations to develop a coordinated approach to this challenge”.

What is not clear is whether her vision is, or can be, underpinned by legal provisions, or whether it will need to take the form of a non-enforceable set of standards and protocols. The proposal is said to mean that “web browsers, software applications and device settings [should] allow people to set lasting privacy preferences of their choosing, rather than having to do that through pop-ups every time they visit a website”. The most obvious way of doing this would be through a user’s own browser settings. However, previous attempts to introduce something similar – notably the “Do Not Track” protocol – foundered on the lack of adoption and the lack of legal enforceability.

Also unaddressed, at least in the advance communications, is why, if cookie compliance is a priority area for the Information Commissioner, there has been no enforcement action under the existing legal framework (which consists primarily of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (or “PECR”)). Those current laws state that a website operator must seek consent for the placing of all cookies unless they are essential for the website to function. Although many website operators try hard to comply, there are countless examples of ones who don’t, but who suffer no penalty.

Denham says that “no single country can tackle this alone”, but it is not clear why such a single country can’t at least take steps towards tackling it on domestic grounds. It is open to her to take action against domestic website operators who flout the law, and there is a good argument that such action would do more to encourage proper compliance than will the promotion or adoption of non-binding international standards.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under cookies, Data Protection, Information Commissioner, marketing, PECR

Tagged as ,

August 12, 2020 · 12:26 pm

Some PECR figures in light of a new monetary penalty notice

Presented without comment.

21,166,574 unsolicited direct marketing messages

£100,000 monetary penalty

Only £1k in the bank at the last filings

Zero chance of recovery?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, enforcement, Information Commissioner, marketing, monetary penalty notice, PECR

Tagged as ,