HomeNewsWiggin successfully represents Sky Betting & Gaming in the Court of Appeal

Key contacts

Patrick Rennie Partner Email Patrick
Adelaide Lopez Partner Email Adelaide

April 21, 2026

We are proud to have successfully acted for Sky Betting & Gaming (SBG) in a landmark Court of Appeal decision relating to data protection.

SBG appealed a High Court ruling against it on five grounds, and today the Court of Appeal has unanimously allowed SBG’s appeal on all five.

This is an important outcome for SBG, and a significant development for all gambling operators and for controllers more broadly.

You can download the judgment here. The Court has also prepared a media summary to help in understanding the Court’s decision, which you can access here.

Background

For background, the claimant (RTM) is a self-declared problem gambler and brought a claim against SBG that inter alia it had sent them direct marketing emails without their consent. RTM’s arguments were that they had never consented to receive direct marketing and therefore it was unlawful. SBG disputed RTM’s claim.

Last year the High Court ruled that SBG’s direct marketing was unlawful because RTM was not able to give their consent due to their gambling disorder – effectively that their disorder meant that decisions regarding consent were so impaired so as not to be valid.

In reaching its conclusion, the High Court created a new test for obtaining valid consent under the UK GDPR and PECR. This test was said to consist of three strands, but in reality, the High Court determined that consent would be valid if one of the following two conditions applied and could be evidenced:

  • the data subject subjectively intended to give their consent; or
  • the choice by the data subject about consent was autonomous.

Appeal

The Court of Appeal granted SBG permission to appeal. SBG appealed the judgment on five grounds, the most significant of these being:

  • The High Court had made a ruling on a matter that was not pleaded by the claimant, specifically that the claimant had not argued that their consent was invalid due to their gambling disorder, and therefore SBG had not had an opportunity to present a defence to this issue;
  • The High Court took the wrong approach in law on what amounts to legally valid consent. The proper test for consent was set out in the UK GDPR, namely that consent needed to be specific, informed, unambiguous and freely given; and,
  • The High Court’s conclusion that SBG had not obtained consent was incorrect.

The Information Commissioner intervened in the appeal on the issue of consent. Its position was that the High Court had erred in its test for consent and that the correct test was an objective assessment against the criteria laid out in the UK GDPR – that the consent was specific, informed, unambiguous and freely given.

Today, the Court of Appeal has found in favour of SBG on all five grounds. The case will be remitted to the High Court to be heard again. This is a necessary result due to the original High Court judgment not ruling on many of the issues originally pleaded.

Consequence

The most significant consequence for gambling operators (and in fact all controllers) is the Court of Appeal’s findings on the test for consent.

The Court of Appeal has wholly rejected any suggestion that the test for consent contains any subjective element. The test for legally valid consent is an entirely objective one and is set against the criteria in the UK GDPR.

The Court of Appeal concluded that what a controller knows or ought reasonably to know about a data subject is not relevant when considering whether consent was freely given. Effectively, the test for valid consent is an objective one without any qualification.

The judgment provides certainty for controllers when obtaining consent. Controllers should assess the information they provide to data subjects about processing on the basis of consent and their mechanisms when obtaining consent. If these, objectively, result in data subjects’ consent being specific, informed, unambiguous and freely given, then controllers can have greater confidence that their processing complies with the UK GDPR and PECR.

Comment

Patrick Rennie, Partner and Head of Data Protection, says:

“This is an important and sensible judgment. Controllers need to understand what data protection law requires of them and how to comply with it. The original judgment left controllers, particularly operators, in an impossible situation akin to strict liability. The Court of Appeal’s decision brings greater clarity, allowing controllers to focus, on delivering services in a compliant and confident way.”

Adelaide Lopez, Partner in Litigation, says:

“We are very pleased with the Court of Appeal’s decision in this remarkable case. The test applied by the court in the first instance was novel in law and not argued for by either side. These failings were, significantly, called out by the judgment on appeal and by the Information Commissioner, appearing as Intervener, who noted that the court’s approach in the first instance was legally wrong. Consistency in approach by the courts is important for the fair administration of justice and we’re pleased to see that the Court of Appeal has righted the ship.”

Get in touch

If you would like to understand more about the judgment or what this means for you, please do get in touch with Patrick Rennie or Adelaide Lopez.

Expertise