RTM v Bonne Terre Limited & Anor

The Claimant describes himself as a recovering online gambling addict. He is a private individual with no national profile. He has been anonymised so far in this litigation because of the risk the privacy interests he has been seeking to protect could not otherwise be fully and fairly adjudicated upon without encroaching on them – that is, by exposing the detail of his past private problem, of which he is deeply ashamed, to the unwarranted intrusion and censure of the community in which he lives and works.

The Defendants operate under the Sky Betting and Gaming (‘SBG’) brand of online gambling platforms. The First Defendant provides paid-for betting and gaming products, and the Second Defendant free-to-play games. SBG describes itself as a market-leading brand within the online betting and gaming industry, part of the broader entertainment sector. It has a customer base of around four million individual players.

The Claimant used to gamble online with SBG, and others, in circumstances and to a degree he describes as compulsive, out of control and destructive. He says although he did not gamble exclusively with SBG, it was his preferred and predominant online platform at the time, and he used a number of its products.

He now brings a privacy claim in data protection and the misuse of private information. He says SBG gathered and used extensive information, generated by his use of its platforms, unlawfully, including by analysing and combining it through sophisticated profiling algorithms, and especially by way of personalised and targeted marketing which he could not handle and which fed his compulsive behaviour. He seeks compensation for harm, distress and loss.

But SBG says it complied with all its legal obligations throughout and, in particular, that much of what the Claimant now says he objects to, he consented to at the time.

Statutory regulation of online gambling

The provision of online gambling – betting and gaming – is regulated by the Gambling Act 2005, and needs a licence. The 2005 Act established a Gambling Commission to oversee the licensing regime, with responsibilities not only for the issue of licences and the enforcement of conditions to which licences may be made subject, but also for promulgating codes of practice and setting standards more generally about how gambling opportunities are provided.

The Gambling Commission website states that ‘we exist to safeguard players and the wider public by ensuring gambling is fair and safe’ and that ‘making gambling safer is at the core of what we do’. ‘Safer gambling’ is a term the industry uses to refer to initiatives and measures for identifying, minimising and mitigating the risk of ‘gambling harm’. Gambling harm in turn refers to a range of damaging outcomes for both individuals (particularly the young or vulnerable) and society generally. The former can range from financial problems such as debt and bankruptcy to mental health issues such as anxiety, depression and gambling addiction; the latter can include linkage to crime and deprivation. Over recent years, the safer gambling agenda has grown substantially in prominence within the industry, and the Gambling Commission has tackled a range of what it has identified as risk factors, including advertising and marketing, with a combination of restrictive regulatory measures, education and explanation requirements, and mandated provision of self-help tools. That trajectory, of continuing evolution and improvement in the sector’s management of the risk of harm to a minority of vulnerable individuals, is important orientation for a case which deals with events some six or seven years ago.

The Act itself provides for ‘licensing objectives’ to govern the scheme; these include, by section 1 of the Act, ‘ensuring that gambling is conducted in a fair and open way’ and ‘protecting children and other vulnerable persons from being harmed or exploited by gambling’. In exercising its functions under the Act, the Gambling Commission must aim to pursue those objectives, and at the same time to permit gambling in so far as it thinks is reasonably consistent with the pursuit of the objectives (section 22 of the Act).

The Gambling Commission’s codes of practice are required, by section 24 of the Act, to:

describe arrangements that should be made by a person providing facilities for gambling for the purposes of—

(a)

ensuring that gambling is conducted in a fair and open way,

(b)

protecting children and other vulnerable persons from being harmed or exploited by gambling, and

(c)

making assistance available to persons who are or may be affected by problems related to gambling.

The codes may also include provision for ‘how facilities for gambling are advertised or described’ (s. 24(3)).

Failure to comply with a code of practice does not itself result in legal liability (s.24(8)), but the codes ‘shall be taken into account by a court or tribunal in any case in which it appears to the court or tribunal to be relevant’ (s.24(9)).

The Gambling Commission has issued a series of codes of practice since the Act came into force, including versions effective from October 2016, April 2017, January 2018 and October 2018. They all contain provisions requiring licensees to have policies and systems in place to combat problem gambling, including by providing information to help individuals control the amount of time and money they spend on gambling, for example by taking time out. Licensees must initiate personal interaction with customers where their behaviour may indicate problem gambling. And their policies must include:

specific provision for making use of all relevant sources of information to ensure effective decision-making, and to guide and deliver customer interactions, including in particular

i.

provision to identify at-risk customers who may not be displaying obvious signs of, or overt behaviour associated with, problem gambling: this should be by reference to indicators such as time or money spent

ii.

specific provision in relation to customers designated by the licensee as ‘high value’, ‘VIP’ or equivalent.

Data protection law

Data protection law is a statutory privacy code governing the processing of personal data. In all its modern UK forms it has operated by reference to a set of statutory principles binding on data controllers, enforceable in two complementary ways – first, by way of an independent regulatory regime overseen by the Information Commissioner, and second, by creating individual rights enforceable by data subjects through private court actions.

It is uncontroversial that the Defendants were ‘data controllers’, the Claimant a ‘data subject’, and his ‘personal data’ were ‘processed’ when any relevant operation was performed on any of them by SBG or its ‘data processor’ subcontractors.

UK data protection law was shaped by EU law – first by way of a Directive implemented domestically in the Data Protection Act 1998, and then by way of the General Data Protection Regulation (GDPR), recognised domestically in the Data Protection Act 2018. The GDPR in turn was converted into purely domestic law (the ‘UK GDPR’) when the UK left the EU on 1^st January 2021.

The period of active commercial interface between the Claimant and SBG, and which is in issue in these proceedings, begins in early 2017 (a date triggered by limitation periods; the Claimant was a customer of SBG for some years before that) and runs until the end of 2018 or the first few days of 2019, when SBG suspended his account and when he overcame his habit anyway and stopped gambling altogether. The data protection regimes in place at the time were (a) the 1998 Act up until 24^th May 2018 and (b) the GDPR thereafter.

The data protection principles: lawful processing

Both data protection regimes require personal data to be processed lawfully,and specify conditions for that.

In the 1998 Act, the data protection principles are set out in Schedule 1. The First Data Protection Principle states:

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—

(a)at least one of the conditions in Schedule 2 is met…

The Schedule 2 conditions include the following:

1.

The data subject has given his consent to the processing.

2.

The processing is necessary—

(a)for the performance of a contract to which the data subject is a party…

3.

The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

…

6.

(1)The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

In the GDPR, the data protection principles are set out in Art.5. Art.5.1(a) states that ‘Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject’.

Art.6 then provides that processing shall be lawful only if and to the extent that at least one of a list of conditions applies. These include the following:

a.

the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b.

processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c.

processing is necessary for compliance with a legal obligation to which the controller is subject;

…

f.

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The data protection principles: health data

Data protection law makes special provision, in addition to the standard regime, for the processing of some categories of personal data. These include information as to a data subject’s ‘physical or mental health or condition’ (s.2 of the 1998 Act) and ‘data concerning health’ (Art.9.1 GDPR).

Data of this nature cannot lawfully be processed at all, at any rate without the ‘explicit consent’ of the data subject, other than by limited specified bodies or in limited specified circumstances. These include where the processing is necessary for the exercise of any functions conferred on any person by or under an enactment (1998 Act, Sch.3.7(1)(b)), and in limited public interest circumstances (GDPR Art.9.1(g)).

The data protection principles: fairness and transparency

The first data protection principle also requires that data must be processed, in relation to the data subject, fairly and, in the case of the GDPR, in a transparent manner.

The 1998 Act unpacks the concept of fairly in Part II of Schedule 1 as follows:

1.

(1)In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed.

…

2.

(1)… for the purposes of the first principle personal data are not to be treated as processed fairly unless—

(a)in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3), and

(b)in any other case, the data controller ensures so far as practicable that, before the relevant time or as soon as practicable after that time, the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3).

…

(3)The information referred to in sub-paragraph (1) is as follows, namely—

(a)the identity of the data controller,

(b)if he has nominated a representative for the purposes of this Act, the identity of that representative,

(c)the purpose or purposes for which the data are intended to be processed, and

(d)any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.

…

The GDPR provides help with interpreting the requirements of fairness and transparency in its recitals. Recitals do not have distinct operative effect, but are aids to construction, and drill down further into the detail. Here, for example, is the opening of recital 39:

Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. …

Here is the opening of recital 58, which includes a specific reference to online advertising:

The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising.

And here is recital 60, which makes specific reference to profiling (a term not present in UK data protection law before the GDPR, and which is discussed further below):

The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.

The data protection principles: purpose limitation

The 1998 Act’s second data protection principle states that ‘personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes’.

The equivalent provision in the GDPR at Art.5.1(b) requires personal data to be ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes’.

The data protection principles: data minimisation

The 1998 Act’s third data protection principle states that ‘personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed’. The equivalent provision in the GDPR, at Art.5.1(c) requires personal data to be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’.

The data protection principles: storage limitation

The 1998 Act’s fifth data protection principle states that ‘personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes’. The equivalent provision in the GDPR, at Art.5.1(e), states that, subject to specific exceptions, personal data are to be ‘kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’.

The rights of data subjects: private law causes of action

Both the 1998 Act and the GDPR confer an individual right to bring a civil action for the unlawful processing of personal data.

Section 13 of the 1998 Act provided as follows:

Compensation for failure to comply with certain requirements

(1)

An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.

(2)

An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—

(a)

the individual also suffers damage by reason of the contravention, or

(b)

the contravention relates to the processing of personal data for the special purposes.

(3)

In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.

The decision of the Court of Appeal in Vidal-Hall v Google[2015] EWCA Civ 311 removed the conditions in section 13(2). So any damage – including distress – caused by a data controller’s contravention of a requirement of the 1998 Act is potentially actionable by a data subject.

The GDPR provisions on individuals’ rights are found in Art.82:

1.

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

2.

Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

3.

A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

The rights of data subjects: rights to prevent processing

The 1998 Act created two potentially relevant rights to prevent processing.

Section 10(1) provided as follows:

… an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons—

(a)the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and

(b)that damage or distress is or would be unwarranted.

The effect of such a notice was to trigger an obligation for the data controller to confirm compliance with the notice or explain why it was not doing so. An unjustified failure to comply could be enforced in the courts.

Section 11 of the 1998 Act created a right for data subjects to prevent ‘processing for purposes of direct marketing’. It provided as follows:

Right to prevent processing for purposes of direct marketing

(1)An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.

(2)If the court is satisfied, on the application of any person who has given a notice under subsection (1), that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit.

(3)In this section “direct marketing” means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.

The GDPR deals a little differently with the ‘right to object’. Where a data controller is relying on the ‘legitimate interests’ basis for processing, and specifically for profiling, Art.21.1 provides that, in the event of an objection, ‘the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims’.

Art.21.2-3 provide further as follows:

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

The rights of data subjects: automated decision-taking and profiling

Section 12 of the 1998 Act made provision in respect of any decision taken by or on behalf of a data controller which ‘significantly affects’ an individual and ‘is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct’. Such an individual was given an entitlement to give notice requiring no such decision be taken. Otherwise, a data controller was required to notify a data subject that such a decision had been taken, and the data subject then had a period of time in which to require it to reconsider the decision or take it on a different basis.

There were exceptions to these rights. One such exception was where the decision was taken in the course of performing a contract with the data subject, and another was where the decision was authorised or required by or under an enactment. In both cases there was a further condition to be satisfied before a data controller had the benefit of an exception: either (a) the effect of the decision was to grant a request of the data subject or (b) steps had been taken to safeguard the legitimate interests of the data subject (for example by allowing them to make representations).

The GDPR developed this right. First, Art.22.1 provided:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly affects him or her.

This right was no longer dependent on the data subject registering an objection.

Again, there are exceptions. Art.22.2-3 provide as follows:

2.

Paragraph 1 shall not apply if the decision:

a)

is necessary for entering into, or performance of, a contract between the data subject and a data controller;

b)

is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

c)

is based on the data subject’s explicit consent.

3.

In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

Art.22.4 makes further restriction on automated decision-taking based on the special categories of personal data, including health data.

‘Profiling’ is explained further in recital 71, as consisting of:

any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her.

The Privacy and Electronic Communications Regulations 2003

The data protection regimes were supplemented by the Privacy and Electronic Communications Regulations 2003 (‘PECR’) – which were in force throughout the period to which this claim relates. These Regulations implemented a further EU Directive (the ePrivacy Directive), which was stated to particularise and complement data protection law. In particular, PECR makes further provision for the use of cookies and for direct marketing by email, including the requirement that, in order to establish the lawful processing of personal data, both activities had to be founded on data subject consent.

In relation to cookies, Regulation 6 includes:

(1)

…a person shall not store, or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2)

The requirements are that the subscriber or user of that terminal equipment—

(a)is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b)has given his or her consent.

(3)

Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

In relation to direct marketing by email, Regulation 22 provides:

Use of electronic mail for direct marketing purposes

22.—(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.

(2)

Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.

(3)

A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—

(a)that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;

(b)the direct marketing is in respect of that person’s similar products and services only; and

(c)the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

(4)

A subscriber shall not permit his line to be used in contravention of paragraph (2).

Regulation 30 of PECR provides for enforcement by way of private law actions:

Proceedings for compensation for failure to comply with requirements of the Regulations

30.—(1) A person who suffers damage by reason of any contravention of any of the requirements of these Regulations by any other person shall be entitled to bring proceedings for compensation from that other person for that damage.

(2)

In proceedings brought against a person by virtue of this regulation it shall be a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the relevant requirement.

…

Misuse of private information

The tort of misuse of private information traces its origins to the decision of the House of Lords in Campbell v Mirror Group Newspapers Ltd [2004] UKHL 22, which explained the consequences of the Human Rights Act 1998 incorporating into domestic law Articles 8 and 10 of the European Convention on Human Rights. From that case comes the classic statement of the tort as concerned with ‘the protection of human autonomy and dignity—the right to control the dissemination of information about one's private life and the right to the esteem and respect of other people’.

A claim in misuse of private information has to establish the components of a two-stage test. In the first place, a claimant must show they had ‘a reasonable expectation of privacy’ as to the information in question. That test was confirmed by the Court of Appeal in Murray v Express Newspapers plc [2009] Ch 481 at [36] to be:

a broad one, which takes account of all the circumstances of the case. They include the attributes of the claimant, the nature of the activity in which the claimant was engaged, the places at which it was happening, the nature and purpose of the intrusion, the absence of consent and whether it was known or could be inferred, the effect on the claimant and the circumstances in which and the purposes for which the information came into the hands of the publisher.

These have come to be known as the ‘Murray factors’, but they are illustrative, and not exhaustive, of ‘all the circumstances of the case’.

If a reasonable expectation of privacy is established, then a court must go on to consider whether a breach of that privacy has been made out. The starting point there is whether a defendant ‘knows or ought to know that there is a reasonable expectation that the information in question will be kept confidential’ (Campbell, [134]). Establishing a breach, too, is highly fact-specific. Expectations of privacy, and breach, may not be all-or-nothing matters, and it may be necessary to consider the nature and extent of the unwanted audience.

The second stage of the test asks whether, if a claimant does have a reasonable expectation of privacy, and it has been breached, there are relevant considerations that might outweigh that privacy. A balancing exercise is required, looking at the nature and purpose of the interference with privacy and whether there is any justification for it, usually considered in terms of anyone's competing Art.10 rights of freedom of expression (Campbell, [137]). Art.10 also protects the right to ‘receive and impart information and ideas without interference’.

The Claimant sets out his claim by reference to this legal framework, and to his own evidence about his gambling history and its effects on him. I outline this in three stages: first, by summarising the contextual history he gives, and which is not materially challenged; second, by outlining the factual context to the claim as pleaded; and third, by identifying the specific heads of liability the Claimant pleads.

The Claimant’s gambling history

What follows is the Claimant’s account of his gambling history at large. It begins in April 2009. He was 21 years old, living with his parents, and on a modest wage. He saw a newspaper advertisement from another well-known online firm offering a free football bet. He says he was hooked more or less straight away. He expanded quickly from football to include horserace betting, then virtual horseraces, and on to online slot machines which, he says, took a particular hold on him. He soon began to find himself spending long, unbroken hours gambling online, including whole days and through into the early hours of the morning – and in secret, keeping it from his family.

He started by financing his habit from his wages, making small bets of £10 or £20. But that quickly escalated through depositing hundreds of pounds at a time into his online accounts and betting it all, and on to deposits in the low thousands. He had been saving for a deposit on his first house with his fiancée; by mid-August of 2009 he had exhausted all his savings, including by gambling nearly £11,000 of new money in a single day.

He opened an online account with SBG in December that same year, originally to play free games. He placed his first bet with SBG on 6^th May 2010, and continued betting with them, and others, until October 2011. At that point, his mother found out about his gambling; and he accepted her offer to hand over control of his finances to her. In that way, he stopped online betting until May 2012, managed to build up his savings again, and left his parents’ home to set up house with his fiancée, whom he married in 2014.

After he regained control of his money, his gambling immediately resumed, picking up significantly with the SBG products from August 2012. He kept it secret from his wife for a few years, largely by gambling in the early hours while she slept, and by shielding his financial arrangements from her. He was spending not only all his available wage, but borrowing from friends and family without telling them why, and then started taking out commercial loans – a total of thirteen between 2013 and 2016. He describes the obsessive nature of his gambling: the emotional dependency, its almost complete hold on his mind – ‘I thought about it all the time’ – and being in thrall to the hope of one big win which would solve everything.

He did have a degree of insight into the scale of his problem at the time. Over that same period, 2013-2016, he managed some self-limiting steps. He took advantage of SBG’s facility to impose a daily limit on his betting at various points. He closed his account with SBG in August 2015 only to reopen it again a few days later – a pattern of behaviour potentially consistent with either an attempt to self-limit or an attempt to secure better deals from them – in particular access to free offers and betting bonuses to make his betting money go further. He closed his SBG account for a rather longer period between June 2016 and April 2017 (he says he was finding better offers and bonuses elsewhere).

He had also, in 2016, taken the radically self-limiting step of ‘self-excluding’ from two of the other online platforms he had been using. Self-exclusion is a panic-button mechanism provided by the online gambling industry, by which an out-of-control gambler is able simply to bring their engagement with a provider to a complete and irreversible stop for a period of time.

The behaviour he describes at this time has some distinctive features. These include its radical unaffordability: he sometimes bet more than his net monthly wage in a day, sustaining high daily losses, gambling until he ran out of money, and then financing and refinancing through loans. He describes ‘chasing his losses’, impelled by the hope of clearing his debts with a win, even while they continued to escalate, and making deposit after deposit to do so, often on the same day. He describes playing continuously for hours every day, especially in the early hours of the morning. He describes more generally the deception and betrayal gambling brought into his marriage and its impact on his work. He describes its destruction of his own mental wellbeing and ordinary functioning, making him incapable of concentrating on anything else. He says he, in effect, lost a decade of his life to online gambling.

The period of the claim

The Claimant’s evidence was that in the period of the claim – a little under two years between early 2017 and the end of 2018 or the beginning of 2019 – he used as many as 40 online gambling platforms. He said it was his worst gambling period, that he knew he was heading towards a precipice. He explained it was ‘a crazy time – I could not concentrate – it was a haze – all I wanted to do was gamble’.He knew he had a problem; he had run out of money and was servicing loans. Any winnings were immediately re-deposited. He was in the grip of an ‘all consuming’compulsion, unable to stop or control it, unable to think straight at all.

He was aware of potential sources of help, and of available self-limiting controls, but felt helpless to operate them effectively. One example he gives is of the self-imposed daily deposit limit with SBG over the summer of 2018. This mechanism enables customers to limit the amount of money they can put into their online gambling account each day, so limiting how much gambling they can do without making wins. He was working with a daily limit of £100 in April 2018. In May he raised that to £250; in June to £500; and in July to £1,000. Thereafter he often made high daily deposits with SBG, including some at or near that limit.

The Claimant’s evidence is that in the 8 months between May and December 2018 he put £31,923 of new money into his SBG account. He was averaging monthly losses of some £1,793: he lost £3,292 in August 2018 alone. At the time, his average monthly take-home pay was less than £2,500, his domestic outgoings around £1,100 and his loan repayments £851. He was, he says, heading for ‘financial armageddon’ and personal breakdown. He says he started to contemplate suicide as the only means of escaping the mess.

He describes achieving a final decision to stop gambling altogether at the end of 2018. He says he realised there was no external means for breaking his habit, and no self-limiting steps that would help him, short of quitting. He did not discuss his decision with his friends or family, and sought no support. He says it was a journey he took on his own, and doing that was part of restoring his self-control and self-respect.

He sets out the resolute hard work that has kept him ‘clean’ since then, through difficult times burdened by anxiety. He says part of his ‘rehabilitation’ was researching and challenging the online gambling sector and its regulation, and pursuing subject access requests with SBG. He describes being both shocked by and dissatisfied with the results. In response to one subject access request at the end of 2018, records suggest SBG contacted him to discuss it, or at least tried to; it then suspended his account on 9^th January 2019, citing ‘safer gambling’ concerns. He never took any steps to restore it, and never bet with them or anyone else again. The Claimant has since been involved in campaigning for greater regulation of the online gambling sector.

The pleaded heads of liability

The Claimant accepts that, as a customer, SBG was entitled to process his personal data in order to take and process his betting – that is, for the performance of its contract with him to provide gambling services – and to comply with its regulatory responsibilities, particularly as regards safer gambling policies and controls. But, he says, SBG was not entitled to harvest his transactional data (specifically by the use of cookies) to undertake detailed profiling analytics and algorithmic predictions in order to target and personalise its marketing to him, and to deliver that marketing in an intense manner including by sending him emails at an average rate of twice a day.

Specifically, the Claimant says SBG had nolawful basis for such processing. Obtaining his personal data by cookies, and delivering direct marketing particularly by email, required his consent in order be lawful, and he says he gave no legally effective consent. Otherwise (using his personal data for creating profiles for the segmentation and targeting of direct marketing back to him), he says (a) it was not necessary for the performance of SBG’s contract with him (to permit him to gamble); (b) it was not necessary for regulatory compliance or safter gambling purposes; and (c) SBG was not entitled to rely on its own legitimate interest in the processing complained of, because it had no legitimate interest in designing and implementing targetedmarketing to problem gamblers – or any legitimate interest it did have was outweighed by the processing’s prejudice to the rights and freedoms of the Claimant. In any event, he says, on the particular factual matrix of this case, and on the authority of the decided cases, legitimate interest could not provide a lawful basis for profiling for direct marketing purposes: consent was required and he did not consent.

He also says this processing (profiling for direct marketing) failed the requirements of transparency and fairness because he was never told about it; the privacy notices in place at the time did not explain it and were positively misleading in suggesting it would not be undertaken without consent.

In addition, he says that the data being processed here were, or included, special (health) data, because they revealed gambling addiction or at least problem gambling with mental health implications, and none of the conditions permitting the processing of such special data (including consent) was present.

He says that in any event this processing contravened the principles relating to purpose limitation, data minimisation and storage retention.

In relation to PECR, the Claimant says SBG breached his entitlements in two respects. First, he was not given compliant information about, and he did not give valid consent to, its use of cookies. Second, he did not consent to, and was not provided with a compliant means of avoiding, direct marketing emails.

In relation to the tort of misuse of private information, the Claimant says he had a reasonable expectation of privacy in his gambling history, his patterns of gambling and susceptibility to special offers or other encouragements to gamble in a particular way, and his gambling addiction. He says this information about his disordered private life was itself intensely private, and SBG’s use of it, particularly disclosure to third parties, was disproportionately harmful to him and not justified by any countervailing right or freedom.

In very broad outline at this stage, SBG’s responsive position is that the Claimant did in fact consent to cookie use and to direct marketing; it was entitled to rely on that consent to render these forms of processing lawful; and it relies on its own legitimate interests for the intermediate ‘behind the scenes’ processing in its marketing model – including for its profiling and targeting operations. It denies breaching any of the other data protection principles cited. It rejects the misuse of private information claim as being unprecedented on the factual matrix of the case, in particular in having no application to the disclosure of private information as between a data controller and a data processor (and denying any other relevant disclosure), and as adding nothing to the data protection regimes in governing the internal processing of personal data it did itself.

Obtaining and using personal data

Pausing there, I turn next to the evidence I received about how SBG in fact did process personal data – that of its customers in general and, where relevant, of the Claimant in particular. Again, I do not understand there to be material dispute about what follows; the focus of this dispute is less about what SBG in fact did, and more about what it ought or ought not to have done, or about the legal consequences of its actions. In other words, the core issues are about how the systems and policies, which were historically applied to the Claimant and his data at the time, map across to his rights and entitlements.

While this litigation had its genesis in what the Claimant calls his ‘rehabilitation’ activities, and in his reaction to the response to his subject access requests, there has over its course been something of an evolution in the parties’ shared understanding of the factual history, and a consequent narrowing of the issues between them. SBG now knows a great deal more about the Claimant’s background than it did, and the Claimant in turn has learned a considerable amount about SBG’s data processes. The presentation of his claim has accordingly evolved somewhat from what he says was his initial shock and bafflement at the nature and extent of the use of his personal data, in particular as to the involvement of a network of third-party data processors, and his demands for a proper explanation of how that could have been lawful and consistent with data protection law. Before me, there was a rather narrower focus on the issue of what, if anything, he consented to in the marketing part of the operation.

This process of mutual education was substantially advanced as a result of the disclosure process in this claim, and by the evidence provided before and at the trial by senior managers within SBG, which Mr Knight, Counsel for the Claimant, acknowledged was (largely) helpful. These included (a) Mr Stephen Wilkinson, senior data scientist; (b) Mr Duncan Esson, marketing technology product manager; (c) Mr Jon Watkin, identification strategy manager, specialising in the business’s safer gambling function; and (d) Mr Paul Courtney, data protection officer. I accept and rely on their evidence for what follows; it is not materially disputed. I am conscious that in some respects the match between the witnesses’ description of SBG’s operations and the exact timeframe of the claim is imprecise. None of the witnesses was in post at the time, and their evidence relies on working backwards to some extent from more recent practice. But in the limited respects in which historical precision is necessary, I deal with it more specifically below.

On SBG’s own account, it collects ‘extensive customer data regarding use of SBG’s service over time’. Mr Wilkinson explained that ‘as a digital business, all customer activity is recorded, stored and used for the day-to-day operation of the business and for compliance with our regulatory obligations’. This ‘raw data’ captures a detailed picture of individual customers’ use of the business’s products – the different games, the date, time and period spent on each, the money invested, wins and losses, time spent on different locations within the website generally, hyperlinks clicked, devices used, marketing responded to, and so on. It is a comprehensive accrual of a rich resource of information about customer activity (although not quite all of it; I was told for example that uncompleted bets are not recorded or used).

The raw data are stored in SBG’s data warehouse – a large collection of servers. There, they are operated on by systems created by the data science team. First, data will be aggregated into ‘data points’ – clusters of information about an individual’s activity – which then enter the ‘feature store’. These data points range from the relatively simple (for example, an individual’s favourite product, or favourite time of day for gambling) to the more evaluative (for example, whether an individual was a ‘high value’ customer of a particular product). There might be around 500 data points per individual in the feature store at any one time – and the processes of aggregation are continuously generated by real-time synthesis. Of those features, subsets may be crystallised out into portraits of individuals as the business most needs or wants to know about them – what SBG has since come to refer to as the ‘customer DNA database’.

Next, these individual data points pass into collective business information systems (although without necessarily ceasing to retain their quality as the personal data of identifiable individuals). That might be by way of analytical segmentation, to provide what is effectively historical pictures of patterns over time. Or it might be by way of building propensity models – using individuals’, or segments’, past behaviour to predict their future behaviour.

This sort of modelling is commissioned, and used, by different parts of the organisation for different purposes. And it is at the point of commissioning and using the modelling, particularly the propensity modelling, that SBG’s business model bifurcates in a way which is particularly relevant to the present case. Leaving aside the ordinary transactional purposes of the business – the data processes needed to run the business and the betting and gaming activities themselves – SBG uses propensity modelling in two ways which, bar a single linking mechanism, are kept strictly apart: marketing to customers, and operating safer gambling controls.

Direct marketing

SBG markets to its existing customers directly by email, text and push notification (short pop-up alerts on a browser or phone), as well as on social media and by displays on other websites. It does so by the familiar marketing concepts of ‘upselling’ and ‘cross-selling’ – encouraging people to do more of what they already do, or do it at a higher level, or to diversify and try something else they might also like. Direct marketing is segmented – targeted to members of groups who have been identified by the business’s data modelling as having a propensity to engage with it and alter their behaviour in response to it. These segmented marketing campaigns may operate at quite a high level of generality – for example targeting customers who have been betting on the outcome of football matches to encourage them to move into betting during games (say, on who will score the next goal). Or they might operate at a level of finer detail – for example by identifying customers who have been playing a particular game at a particular level and encouraging them, on the basis of the pattern of their play, to move up a level.

Segmentation and targeting also feature data analytics which allocate a financial value to customers, based on their actual or potential contribution to SBG’s profit margin. This might be by way of calculating the profit it would expect if a dormant account were reawakened, or a customer’s interest rekindled in a product they had moved away from (the ‘winback margin’). It also focuses in on ‘high value’ customers – those who are high users of the platform and high spenders, and who therefore demonstrate an existing appetite and means, and a potential propensity for more playing.

To that extent, SBG does not resist the description that its direct marketing is personalised. Of course, that does not imply any sort of bottom-up approach of building an individual marketing profile for each customer from their raw data. But it does imply a degree of top-down tailoring or targeting, via models created from aggregated, analysed and segmented propensity models for which individual customers’ data is the raw material. There was some discussion before me about the role of segment size – which does vary – and about the lack of evidence of which segments the Claimant was allocated to at the time. But the point is the segments, and their cumulation or intersection, are just a part of the systems that take individuals’ raw data and create profiles to ‘personalise’ the online marketing experience. And it does imply marketing campaigns based on individual customers’ data matching a target profile. These campaigns can be frequent and intense, constantly responsive as they are to the evolving profiles of customers’ online behaviour.

More generally, SBG’s marketing team uses customer behaviour data, and analytical and propensity modelling, to monitor the effects of their marketing campaigns. So there is something of a continuous feedback loop using customers’ responses to marketing – what they do or don’t open or spend time looking at, and the extent to which their subsequent activity suggests a positive response to the marketing so it can be concluded to have ‘worked’ in their case. The models ‘learn about’ customers’ responsiveness or susceptibility to marketing in this way, and use that knowledge to enhance the effectiveness of their continuing marketing to those customers.

Safer gambling

SBG is required, in accordance with the Gambling Commission’s licensing conditions and code of practice, to:

use a range of indicators relevant to their customer and the nature of the gambling facilities provided in order to identify harm or potential harm associated with gambling. These must include:

a.

customer spend

b.

patterns of spend

c.

time spent gambling

d.

gambling behaviour indicators

e.

customer-led contact

f.

use of gambling management tools

g.

account indicators.

SBG considers itself a market-leader in the field of safer gambling. It uses data modelling and a range of tools and programmes to operate a ‘control framework’. SBG’s witnesses impressed on me that this had actively evolved both during and after the period of the claim, but that although they now regarded their framework as much improved and still improving, they were confident it was at all times compliant with industry norms: both as to the regulatory mandated minimum of indicators and as to the controls themselves.

The indicators were derived from individuals’ raw data, including both single factors such as age, frequency or magnitude of deposits and losses, and the duration and timing of time spent gambling, and also change factors such as a sharp escalation or sudden jump in risky behaviour. These are then aggregated for risk or propensity modelling.

As Mr Watkin explained it to me, the ‘safer gambling’ propensity model in place at the period of the present claim mapped an individual’s risky behaviour against that of a gambler who hits the self-exclusion button, giving a probability score of how likely that individual is to be approaching self-exclusion. Mr Watkin accepted that perhaps the gamblers with the very worst problems do not self-exclude at all, and that the self-exclusion propensity model was to that extent limited in design. But he said that self-exclusion was a ‘nice clear data point’, that historical paths leading to it could be described in terms of escalating overall risk, and that those same factors and patterns of risk could then be reverse-engineered into a strong predictive model.

There are other aspects of the risk modelling that do not speak for themselves. There are important and accepted descriptors of gambling harm – unaffordability, personal impact – which are not straightforwardly factored in to the modelling for apparent lack of raw data. Past self-exclusion may be an important indicator of future risk, but the model was limited to information drawn from SBG’s own transactional data alone. It did not have access to information about an individual’s behaviour, including self-exclusion, on other firms’ platforms. It did not have access to information about a customer’s finances, health, employment or home life. All of these are however highly relevant to the identification, and therefore management, of risk of gambling harm.

I asked Mr Watkin whether this did not mean that SBG was inevitably operating in an environment in which its modelling depended on a relatively small and partial amount of insight into any customer’s absolute risk quotient, and therefore was operating with a large amount of risk that it would not identify customers who were in fact at high risk of harm or sustaining actual harm. He accepted that that was fair. There was in other words a high risk of false negatives. There was a large amount of ‘external’ or ‘contextual’ information which was strongly correlated with risk but which SBG did not or could not factor in. But he said the raw transactional data was nevertheless capable of being intelligently analysed for indication of risk.

He made an important business model point in this context. Risk modelling is about prioritisation of some customers as more risky than others. The interventions that are triggered are resource-intensive; they lead to human review and interaction – sending awareness messages, or calling customers to check whether all is well. False positives are wasteful, and interfere with customers’ entertainment experience. So it is a matter of prioritisation.

The relationship between marketing and risk modelling

Both SBG’s marketing algorithms and its risk modelling draw on the same raw data and use the same kinds of data science techniques, including segmentation and profiling. But fundamental to its business model is that it does not use its risk analysis products in its marketing modelling. As it was explained to me, that is out of an ethical (and regulatory) concern that risk products should not be interrogated for their positive marketing potential. All of SBG’s witnesses were clear that it was not in its own business interests, and not consistent with its regulatory obligations, positively to seek to market to customers identified as at high risk of gambling harm.

There is a single systematic business linkage made between risk and marketing. That comes when an individual’s risk index is sufficiently high to trigger ‘suppression’ – the turning off of all direct marketing to them for a period. This is a major intervention, not easily triggered. And it is a cliff-edge or binary mechanism: short of it, the marketing team will continue to market. SBG’s witnesses accepted that some of the marketing team’s most attractive ‘high value’ customers might, looked at through the safter gambling lens and with a complete set of information, also be its customers most at risk of harm or actually harming. Without, for example, affordability information it could be difficult to tell the difference between the affluent and happy ‘high roller’ and the out-of-control problem gambler heading towards bankruptcy. But unless the suppression trigger is activated, the marketing team will market – including in cases where safer gambling interventions short of suppression have been activated. Mr Wilkinson gave one example of data relating to gambling in the morning hours. That can be a marker of harm. But, short of suppression, the marketing model will interpret it as a cue that that is a particularly productive time to send marketing to that individual.

There was an interesting exception to this picture of the complete separation of marketing modelling and risk modelling. Mr Wilkinson explained to me that his data science team does potentially have access to some external data relevant to gambling risk, and that includes publicly available information from the Office of National Statistics which correlates postcodes with affluence or deprivation – and hence with affordability. But he told me his team is authorised by SBG to take decisions not to use that sort of information in its marketing models, for ethical reasons – again, because the business does not wish to use risk factors such as social deprivation positively to enhance the attractiveness of its marketing.

It bears repeating, however, that, absent the activation of the suppression mechanism by the safer gambling models, the business did not use risk information it had, or which it could obtain from open sources, or which it could ask its customers about, to moderate its marketing models either. It was all or nothing. An individual scoring for risk just short of the suppression threshold would be treated for marketing purposes without reference to safer gambling risk, including, as a potential ‘high value’ asset, for enhanced targeting. There were no intermediate stages in which marketing continued but was moderated or safeguarded.

Conversely, Mr Watkin accepted that direct marketing to online gamblers raises unique regulatory and safer gambling issues – and indeed the suppression mechanism is itself a clear recognition of that. Online advertising can be frequent, powerful and personalised and is delivered directly at the marketing/consuming interface; it can be engaged with and responded to instantly and frictionlessly. We looked at some examples: these displayed high visual production values and a high emotional register, and some included offers and rewards as well as the promised entertainment – the thrills – of the product itself.

It bears repeating, also, that I am seeking to examine a particular slice of historical time, with the assistance of SBG’s witnesses who were not necessarily in post at that time or able to speak definitively to practice at the time; and, again, that SBG’s policies and practices in relation to safer gambling have continued to be developed and refined since.

‘Lawful basis’ - overview

The data protection regimes applicable to the relevant period of this claim are constructed, as we have seen, from a number of nested or intersecting principles. These are designed to strike a sophisticated balance between, on the one hand, the freedom and flourishing of public life and modern business and trade (the Directive implemented in the 1998 Act was a single market measure) – increasingly dependent as these are on information about people, their behaviour and their preferences in order to calibrate, influence and meet demand – and, on the other hand, the rights of individuals to privacy, ultimately derived from Art.8 ECHR, and so including ‘the protection of human autonomy and dignity—the right to control the dissemination of information about one's private life and the right to the esteem and respect of other people’. The sophistication of the balance between commercial freedom and the autonomous control by individuals of their personal information comes partly from the relatively fine-grained detail of the data protection regime, and partly from its inherent fact-sensitivity and reliance on essentially evaluative and context-specific concepts. The balance is struck in different places and different ways accordingly.

The fact that individual privacy and autonomy are engaged when businesses process personal data explains the prominence of consent as a concept in data protection and related law. The giving of consent to data processing is itself an assertion of individual autonomy, and therefore the best guarantee that the resulting processing strikes a proper balance. But to that generality, a number of qualifications must be made. The first relates to the quality of consent. The 1998 Act and the GDPR use qualifying language around consent, and I look at what the legislation and the authorities say about that in more detail below. In some places, consent is identified as needing to be freely given – and indeed consent which is less than free is less than autonomous. In some places it must be explicit or unambiguous. In some cases it must be informed – the information and transparency requirements of data protection law are aimed at least in part at supporting fully autonomous decisions by data subjects about whether or not to consent, and therefore at the quality of that consent.

Some forms of processing require consent, demonstrable by the data controller, otherwise they cannot lawfully be undertaken at all; but they are relatively few. In the period we are looking at, the parties accept that processing via cookies, and processing by way of direct marketing (particularly by email), were both in this small category. That is for reasons considered below. Along the consent spectrum a little way, the data protection regimes provide for lawful processing in some cases without active consent, but where there are what might be called different forms of passive consent – for example the non-exercise of rights to prevent or object to some forms of processing, or the non-exercise of opt-out choices. Again, however, such choices, to be meaningful, may have to be actively offered, accessible and informed in order to guarantee a proper balance of interests.

Further along the spectrum, there is provision made for processing without consent at all where, for example, that is a pressing need in order to protect the interests of an individual who cannot consent, or where specific safeguards for an individual’s interests are provided, or where countervailing public interests and the rights of others, as already enshrined in law, require that. The autonomy of the data subject, and of others, remains respected in those tailored ways.

And then at the far end of the spectrum there are the ‘legitimate interests’ provisions, where the balancing exercise is simply exposed as such, to be considered on a case by case basis. There is recognition here that modern business norms are broadly understood and accepted in society, that the uninterrupted flow of the information on which the convenience of everyday life depends has become an ordinary reality, or public good, to which we all assent at some level (or at least which does not much compromise our privacy and autonomy, relative to its benefits), and that data regulation is itself an overhead which is ultimately passed on to consumers.

But although these particular provisions do enshrine a form of default to the legitimacy of processing personal data without consent, it is important to note at the same time that there is also a default to a requirement for the justification of such processing. Data protection law requires the processing of all personal data to be, in the end, demonstrably justifiable by reference to its impact on the privacy of the data subject, whether by consent or not. A data controller with no demonstrable legitimate interest in processing an individual’s data without their consent has no right to do so. And that is a granular proposition. It is not an all-or-nothing question. It applies to each instance of processing undertaken.

The present claim spreads itself across a range of potential heads of liability, both within the (wider) data protection regime and beyond. I was given before trial an agreed list of issues (and sub-issues) running to a dozen and more. But as I have said, the active dispute between the parties narrowed in focus and clarity as matters proceeded. Mr Knight put it to me in his closing submissions that the key issue was whether SBG had a lawful basis for the processing complained of (that is, for the purposes of direct marketing to him) at all. And Mr Hopkins, Counsel for SBG, put it to me in closing that the subset of that question which deals with consent to direct marketing went to the heart of the case. I agree, on the basis I have just set out, that lawful processing is the key issue, that the consent subheading is at the heart of that matter, that this issue is potentially dispositive of the claim, and that it needs to be resolved before the remaining heads of claim can be meaningfully considered. Only if the processing complained of was lawful in the first place, do other aspects of it have significantly determinative potential.

In turning now to that question, I begin with the matter of this Claimant’s consent. To the extent that I find the Claimant gave legally operative consent to the processing of which he complains, that necessarily disposes of his challenge to that process on the grounds of lawful basis. There are limited disputes of fact about the choices he did or did not make, and more acute issues arising about the quality of the choices he made, in particular as to the extent to which they were sufficiently autonomous and informed to provide a basis for lawful processing.

Consent – evidential background

The Claimant objects to the obtaining and processing of his data for the purposes of direct marketing to him. Some of the raw data used by the marketing team were also, as we have seen, used by the safer gambling team and for the provision to the Claimant of the services he contracted for. To that extent he raises no issue about obtaining the information per se. But consent is granular as to purpose. Some of the data were obtained via cookies, with a purpose to provide raw material for modelling responsiveness, and propensity to respond, to particular marketing. He says he did not consent to this. He says, in other words, that he did not consent to (a) the obtaining, via cookies, of personal data for the purposes of direct marketing to him, (b) the processing of that data through profiling and modelling operations for that purpose, or (c) the direct marketing itself.

The first part of the relevant period - cookies

It is not disputed that, at or before the (re-)activation of his SBG account in April 2017, the Claimant would have encountered a cookie banner on accessing the SBG website. I was shown an example current at the time. It reads:

This website uses cookies

Cookies help us and our third party partners provide and improve our services. By visiting or using this website, you consent to the use of cookies in accordance with our Cookies policy, which includes details of how you can change your cookies settings. Accept and close.

The parties agree that SBG was required at the time by Regulation 6 of PECR to ensure individuals are provided with clear and comprehensive information about the purposes of storage of, or access to information obtained by cookies, and that the individual has given consent, before it can obtain information about their online behaviour via cookies. SBG says the Claimant, by clicking the ‘accept and close’ button, both gave, and provided evidence of, legally effective consent. The Claimant says he did not.

The Claimant does not ultimately dispute that he would have clicked an ‘accept and close’ button. He says his entire focus at the time was on accessing the gambling opportunities to which this banner was an obstacle to be overcome as quickly as possible. There is no evidence that he clicked on the link to, or read, the cookies policy. He says he did not.

At the time, clicking on the cookies policy hyperlink would have taken you to a ‘cookies policy and privacy notice’ which opens like this:

When you create or log into an online account via the Sky Betting & Gaming websites, you agree to our use of cookies as set out in this Policy. Otherwise, by continuing to scroll, click, navigate or use the Sky Betting & Gaming websites, content, products or services you agree to the use of cookies as described in this Policy.

You should be aware that when you access or use our content, products and services, we may collect information from your devices by using 'cookies'. For further details about the types of cookies we use, please see the section ‘Cookies on the Sky Betting & Gaming websites’ below.

If you would like to learn more about your cookie settings, how to manage these cookies and/or how to opt-out from the cookies being set, please see the section ‘Controlling My Cookies’ below.

What are cookies and how do they work?

Cookies are small bits of text and numbers that are downloaded onto the devices you use to receive Sky Betting & Gaming content, products and services and access online information. Your browser makes these cookies available every time you visit the website again, so it can recognise you and your device and can then tailor what you see.

What do we use cookies for?

Cookies play an important part in the day-to-day functioning of websites and other online content. Cookies help your device or browser to access information (for example, the selections you have placed in your bet slip), identify you as a user (for example, so we can keep you logged into your account when you navigate around the websites) or use certain features (for example, you want to reset your PIN or User ID) when you use the Sky Betting and Gaming websites. We also sometimes use other cookies to help prevent fraud (for example, by detecting multiple fraudulent transactions from the same computer) or to enhance your experience (for example, by showing more relevant price boosts based on your previous activity). We do not use cookies for any reason that does not:

•

Make adverts and other content more effective and relevant to you.

•

Ensure we can pay our affiliate partners correctly for the users they refer to us.

•

Improve your Sky Betting and Gaming experience by providing anonymised analytics.

•

Deliver features and content (for example we might want to see how many customers visited the homepage yesterday compared to last week).

•

Detect and defend against fraud and other security risks to protect our customers, partners and Sky Betting and Gaming itself.

•

Meet our legal, compliance and regulatory duties. SB&G are regulated by both the Alderney Gambling Control Commission and United Kingdom Gambling Commission.

•

Continually improve our products and services (for example, by testing different product experiences with different users to see which the best is).

As outlined in the summary above, there are many different types of, and uses for, cookies. However, they can be grouped in the following four main groups: (1) strictly necessary, (2) functionality, (3) targeting and (4) analytical. Further detail about how and why Sky Betting and Gaming uses each of this type of cookie can be found in the detail below.

The document goes on to give more detail about each of these four types of cookie. The ‘strictly necessary’ cookies are those needed to provide the content, product or service an individual asks for. The ‘functionality’ cookies are described as follows:

Type of Cookie: Functionality.Some of these cookies are set by third parties such as Maxymiser, OpenBet, and GetClicky.

What do they do? These cookies recognise you when you return to our website and allow us to remember the choices you make. They also help us to provide improved features.

How do we use this type of cookie? Here are a few examples of some of the ways in which we use functionality cookies:

remembering your preferences and settings, including language, location and marketing preferences (such as choosing whether you wish to receive marketing information);

remembering the selections in your betslip;

remembering if you've used a specific application or website before;

showing you information that's relevant to the content, products or services that you receive;

giving you access to content provided by social-media websites, such as Twitter; and

showing 'related article' links that are relevant to the information you're looking at.

Links to further information follow.

The ‘targeting’ cookies are explained like this:

Type of Cookie: Targeting. Some of these cookies are set by third parties such as TeaLeaf, Revenue Science, Google and Oddschecker.

What do they do? We sell space on some of our websites to advertisers. The resulting adverts often contain cookies which are stored onto your device as you visit different websites. The advertiser uses the browsing information collected from these cookies to:

•

restrict the number of times you are shown a particular advertisement. This is sometimes called ‘frequency capping’; and

•

show other advertisements that are relevant to you, while you’re accessing our information.

Your browsing activity may be grouped with information about what is being accessed by other users within similar interest and demographic grounds. The result is then used to show you advertisements based on those interests. This is often called online behavioural advertising (OBA).

How do we use this type of cookie? Here are a few examples of some of the ways in which we use targeting cookies:

•

to remember websites you have visited;

•

to remember links you have followed; and

•

within advertisements for our own Sky Betting & Gaming products.

…

We use targeting cookies to make our website and advertising displayed on it more relevant to your interests.

The ‘analytical’ cookies are described by reference to the collection and aggregation of data about how much SBG’s websites, information and links are used. They are explained in terms of providing visibility of overall patterns of usage, and of trends, rather than any one person’s activity. But it is acknowledged that the data collection and usage will include personal data.

There is a section on ‘controlling my cookies’. It explains and gives links to: information about general controls available on all browsers; and for opting out of ‘OBA’; and for opting out of cookies altogether, by preventing, deleting or disabling them (although it adds that doing so would affect the normal functioning of its websites).

The first part of the relevant period – profiling and marketing

Having set out its cookies policy, the privacy notice goes on to deal with the processing of personal information more generally. Under a heading ‘how we may use your information’ it sets out a list of eight uses. The list continues as follows:

Unless you’ve asked us not to:

9.

To send you periodic communications and other information about your chosen content, products and services.

10.

To send you direct marketing from us or our trusted business partners (specifically including Sky UK Ltd). This may include communications by post, telephone or email and SMS, about us and our business partners’ content, products and services, events and special offers, including, where applicable, for a reasonable time after you have ceased to be a customer of ours.

11.

To provide you with tailored advertising. This means that we have your agreement to use the information we hold about you, for example, to make some of the adverts you see more relevant to you.

There is then a section headed ‘your preferences’. It sets out that customers can choose not to receive direct marketing, and can adjust their preferences in the following ways: (a) ‘via your Sky Betting & Gaming … account’; (b) ‘by clicking on the ‘unsubscribe’ link in email marketing information from us in relation to future email marketing’ and (c) ‘by replying ‘STOP’ to 57785 in any SMS message in relation to future SMS messages’.

There is no dispute that the Claimant was not receiving direct marketing with effect from the (re-)activation of his account in April 2017 – he had either not opted in, or he had opted out. But SBG maintains that he positively opted in on 26^th July 2017 by changing his marketing preference settings while logged on to its site. The Claimant says he has no recollection of having done so – on that day or any other – and that there is no sufficient evidence he did. This is one of the few disputed findings of historical fact (rather than evaluation) I am required to deal with in these proceedings. The evidence is as follows.

SBG relies on a customer spreadsheet record for the Claimant which includes a column called ‘contact ok’ which switches from ‘no’ to ‘yes’ on 26^th July 2017. That, it says, accurately records a marketing opt-in from the Claimant. Mr Esson was SBG’s chief witness for this. He was not in post at the relevant time, so his evidence is interpretative rather than direct. There are a couple of other potentially relevant columns in this spreadsheet, one of which (‘partner contact ok’) also switches from ‘no’ to ‘yes’ on the same day while the other (‘mkt contact ok’) remains at ‘no’. The explanation offered for the latter was that this was some sort of unused experimental column with a view to a since-abandoned project. The ‘partner contact ok’ column seemed to fluctuate between ‘no’ and ‘yes’ for the remainder of the relevant period, but the ‘contact ok’ setting remained on ‘yes’. It was put to Mr Esson that it was far from clear what if anything these records did show about the Claimant’s consent to direct marketing.

The parties agree that there is no record that the Claimant was actively present (gambling, or making deposits or withdrawals) on SBG websites on 26^th July 2017. He had been active on 24^th and 28^th July (depositing money and playing casino games) and on 25^th and 28^th July (to place football bets). The Claimant says the fact that he was not active on the day in question suggests he was not logged on at all: ‘I would not have logged into the platform without gambling… I had funds in my account on that date so I would not have logged in without playing’. SBG points out that one of the football matches he bet on during his 25^th July session was played on the 26^th, and that he could have been logged on to the website to watch the match or review the progress of an accumulator bet, and changed his settings then. It also says its records show he changed his email address on the same day.

There is no dispute that direct marketing to the Claimant began on 28^th July 2017, and continued without objection from him thereafter.

It is not in my view beyond ambiguity what the spreadsheet columns mean. But it is plain that SBG recorded, and activated, a change in the Claimant’s consent to direct marketing at this time. SBG puts to me that there are only two possible explanations: a spontaneous and isolated malfunction in SBG’s recording and activation system, or a deliberate, proactive choice by the Claimant to change the marketing preference settings on his account. I can see that the former is improbable. The question is whether the latter is the only, or more likely, alternative.

It may well be more probable than not that the commencement of direct marketing was a response to something the Claimant did (conceivably associated with changing his email address). That receives modest reinforcement from the fact that the Claimant experienced what was, on his own case, a sudden change to an intensive marketing experience without apparent protest (and he never used the ‘unsubscribe’ link in the small print of any of the marketing or took any other step to control it). But that reinforcement can be no more than modest for the reasons set out in more detail below – essentially that the Claimant’s consumption of marketing became swiftly subsumed into his dysfunctional gambling habits more generally. However, I have little or no evidence for what that originating action by the Claimant might have been – its nature, quality or terms. I hesitate in the circumstances to accept that I must proceed on an assumption that all possibilities other than proactive choice are eliminable. Exactly what the Claimant did cannot with any confidence be inferred from the spreadsheet evidence I saw and the interpretative evidence I was offered. It is largely a matter of speculation. I discuss the implications of that below.

The second part of the relevant period – the GDPR refresh

SBG, in common with many other businesses, undertook a policy and operational ‘refresh’ in March 2018 with a view to the coming into force of the GDPR. SBG’s evidence is that they conceptualised, and implemented this, as a ‘re-consent’ process. Their records indicate that they notified their customers of the refresh on 2^nd April 2018 by way of a three-step process. First, there was a new set of terms and conditions, which customers had to scroll through. There were two boxes at the bottom to click. The first was a box to tick to confirm that the new terms and conditions had been read and understood. The second was a box to tick to confirm they had been accepted. SBG’s records indicate the Claimant ticked both boxes on 6^th April 2018. He says he has no recollection of having done so.

When the boxes had been ticked, a revised privacy and cookies notice was presented on full screen, requiring customers again to scroll down and tick two equivalent boxes – to confirm the policy had been read and understood, and to confirm it was accepted. Again SBG’s records indicate the Claimant ticked both boxes the same day. The Claimant’s evidence is that he did not in fact read the policy; if he did anything, he would just have ticked all the boxes to make this material go away.

The final step was to present customers with a choice about direct marketing. This choice was presented differently depending on whether customers were already opted in or opted out. SBG had recorded the Claimant as an already opted-in customer. So he was given a choice either to opt out or to ‘continue with my current preferences’. SBG’s records suggest he appears to have taken the latter option. The Claimant says he has no memory of any of this.

The second part of the relevant period – cookies

The new privacy policy was a considerably more substantial document than its predecessor: printed off, it runs to some 17 A4 sides, so there was a lot of scrolling to do before the boxes at the end were reached. Its first substantive section is called ‘collecting information about you’ and that section has a subsection on ‘information we get via cookies’. This expands on the cookie section of the earlier policy. It opens by saying that as well as using cookies for essential purposes, ‘we also use them to make things quicker, easier and more personal to you, and to help us understand how our websites are used. They can also be used to present you with more tailored advertising content.’ It continues:

You can choose whether to accept or reject some or all types of cookies and control this through your device’s browser settings. We will make you aware of this by showing you our cookie banner when you visit our site. If you then continue to use our websites without adjusting your browser settings, we will use cookies as set out in the sections below, so to help you make an informed choice it’s important to know why we use the different types of cookie and what that means for your online experience. This section provides you with a summary of the main points and tells you how switching off the different types of cookie will affect your experience on our websites.

The policy continues with an explanation of what are now six categories of cookies. The first two are the ‘strictly necessary’ for the operation of the site, and a category dealing with crime prevention and detection. The third gives an updated explanation of ‘functionality cookies:

Functionality cookies: Enabling the features of the website

These Cookies allow our websites to remember the choices you have made, such as your user name, your region or the selections you have placed on your bet slip. They help us keep you logged into your account as you navigate around our websites, and enable you to use certain features such as resetting your PIN or user ID. We also use them to personalise your experience by, for example, showing more relevant price boosts based on your previous activity, giving you access to information provided by social media websites such as Twitter, or to show you ‘related article’ links relevant to information you’re looking at.

Without these cookies you will still be able to use the site, but may experience difficulty using certain features, and will need to keep logging in as you navigate around our sites. You will not see content (including price boosts) that is relevant to you.

The fourth category is ‘analytical cookies’, again explained in terms of overall usage figures and trends. The fifth category is this:

Targeting Cookies – Marketing & advertising

These cookies are used to deliver adverts and content that are more relevant to you as well as to limit the number of times you see a particular advertisement and to measure the effectiveness of advertising campaigns. The Cookies remember that you have visited a website, and we share this information with other organisations for advertising purposes. We also use them to test and improve our products and services by, for example, testing out different product experiences with different groups of customers to see which is most popular.

Without these cookies: You will be able to use and enjoy all the features of our websites but the adverts you see will not be tailored to your interests.

And the final category of cookies is this one:

Tracking Cookies: Online Behavioural Advertising

We use cookies placed by third parties to collect personal information about your browsing activity, which they then group with data about what other people with similar interests in similar demographic groups are looking at. The resulting information is used to show you online adverts based on those interests (this is known as ‘online behavioural advertising’).

We use a cookie placed by a company called Lotame to collect non-personal data that is used for online behavioural advertising. To opt out of the collection and use of data by Lotame in your browser (including a mobile browser if you have enabled third-party cookies), you can click here and follow the instructions provided. Your opt-out choice is applied only to the browser from which you make the choice, so if you use different browsers you will need to opt out in each one. This opt-out is cookie based, so if you delete your cookies, you will no longer be opted out and will need to opt out again.

In Germany, our Skybet.de website uses third party cookies from a company called Exactag, from which you can opt out here, and Google Analytics, from which you can opt out here. Again, these two opt outs are cookie-based. Skybet.de also uses the following third party tracking cookies, all of which you can control through your browser settings: Silverpop (now IBM Digital Marketing), Fabric Engine, DoubleClick, Google Tag Manager, Income Access and Urban Airship.

Without these cookies: you will still be able to use and enjoy the features of our websites and you will still be presented with advertising but it is unlikely to be relevant to you.

Under the heading ‘Controlling my cookies’ the policy states: ‘All modern browsers allow you to see what cookies you have, and to clear them individually or in their entirety by changing your cookie settings. Cookie settings are typically found in the 'options' or 'preferences' menu of your browser, otherwise you should use the 'Help' option in your browser for more details. You may also find the links below helpful:’ followed by a list of links to cookie settings in common browsers.

The second part of the relevant period – profiling and marketing

The new privacy policy’s second substantive section is called ‘how and why we use your personal information’. A number of sub-headed sections follow. The seventh of them is this:

Giving you a more personal experience

Whichever SBG products or services you use, wherever and however you interact with us, we want to give you the same great level of service and make it personal to you. We will tailor your experience, personalising the layout and content of our sites according to what we know about you, your preferences and the way you like to play or bet. For example, we will present you with features we know you have used or think you are likely to use, show you the type of score card or bet slip that best suits your style of betting, remind you to deposit funds when your account is running low and personalise search results to show more relevant results first.

We also look at aggregated (non-identifiable) data showing how our customers use our products and features and which games they tend to enjoy. We use this information to suggest games we think you’ll enjoy because they are popular with others who play the same games as you.

Privacy Rights: Can I object to having my personal information used in this way?

We believe this personalised experience makes betting and gaming better and we want to give you the best customer experience we can. Using your personal data in this way enables us to do that in a way that we believe does not have an impact on your privacy. If you don’t want your data used in this way your option is to not use our services and to close your account.

Please note that some aspects of your customer experience are provided via cookies. If you have enabled cookies in your browser, we will personalise certain aspects of our site, such as remembering your user name and location, and you can control this via your browser settings. You can learn more about how to control this here.

Two or three subheadings later, this section appears:

Things we do with your consent: Marketing

We will send you offers and information only if you have given your consent for us to do so, in which case we will contact you via email, post, SMS or online about any of our group products and services. We never share your data with companies outside our group for them to use for their own marketing. From time to time, we may team up with a third party to bring you details of a product or service that might interest you, but where we do this the contact will come from us – we will never pass your details to the third party without your prior consent.

Please be assured that we do not use any sensitive information we hold about you (for example, information about self-exclusion, health or ethnicity) for marketing-related purposes.

Keeping it Relevant

At SBG we want to make betting and gaming better for you, so we want to be able to tell you about products, services and features that you will find exciting and relevant, and we tailor the offers and information we send to suit you. To do this, we look at what we know about you – such as your age, location and gender, your browsing, betting and gaming history and patterns, your social media usage and how you interact with us – and we use it to build up a picture of you that helps us decide what you’re most likely to want to hear about. (This is sometimes known as ‘Profiling’). WE also combine this with information we’ve obtained from publicly or commercially available sources about the things people with similar characteristics to you (in terms of age, gender, location, etc) tend to be interested in so we can fine-tune the offers we present to you.

Putting you in Control

We firmly believe our customers prefer offers and information that are relevant to them and their interests over general adverts, so we tailor all our marketing using this picture we’ve built up of you. We think this makes our marketing better both for you and for us. However, data protection law gives you the right to opt out of having your personal data used to build up this type of picture and predict what you might be interested in, so you can opt out at any time. As we explain above, all our marketing is tailored to you in this way, so to opt out of this type of personalisation you will need to opt out of receiving all direct marketing from us. You can do this when you sign up, by not ticking the box to opt in to marketing, or at any later point via your online account, and SkyBet customers in Italy and Germany can also do this via their online preference centre. We won’t then send you offers and information by post, email or SMS but we will continue to personalise your online experience based on the picture we’ve built up of you. This means you’ll continue to benefit from a more personalised look and feel on our websites and apps, and will still see the following:

•

Targeted pop-ups telling you about products, services and offers we think you’ll like

•

Bespoke offers relevant to you, communicated through pop-ups or other on-site content

•

On-site (including in-game) recommendations for games you have played or might enjoy

•

Targeted messages on social media platforms such as Facebook or Twitter (which you can control easily through your privacy settings on each individual platform) and in other places on the internet that support targeted advertising.

We think this strikes the best balance: it lets you opt out of receiving marketing through offline channels (post, email and SMS) while still enjoying the best online and in-game experience and without having to miss out on boosts, bonuses and other benefits. However, if you prefer not to receive any personalise messages or offers online you can opt out by editing your account details via your online account. If you do opt out you will experience a less personal look and feel on our sites and apps and won’t get to hear about bespoke offers and bonuses, but don’t worry – we will continue to personalise those aspects of your online experience that are not marketing-related so, for example, you will still see the games you recently played. Please also note the following:

•

We will still make onsite recommendations for games you might enjoy. We base these on how our customers as a whole tend to use our site and features, not on information about you as an individual.

•

Some personalised banner adverts on our sites are controlled separately through cookies, so you will also need to adjust your browser’s cookie settings or you will continue to see them

•

You may still see our adverts on other websites or social media platforms you visit, but these will not be specifically targeted at you,

Marketing: Keeping it relevant and putting you in control – At a Glance:

All our marketing is tailored to be more relevant and interesting to you, so if you’re:

•

Happy to receive personalised offers and information by email, post, SMS and online – Make sure you opt in to direct marketing

•

Happy to see personalised offers and information when you’re online but don’t want to receive the by email, post or SMS – you need to opt out of direct marketing

•

Not happy to see personalise offers and information online or by email post or SMS – be sure to opt out of personalised marketing and adjust your cookie settings to avoid receiving banner adverts.

Remember, you can change your mind at any time by updating your preferences in your account.

The standards for legally operative consent

It is necessary at this point to start taking a closer look at what the legislation, and the decided authorities, say about the nature of the requirement for consent in the PECR and data protection regimes – including for cookies and direct marketing. It is not disputed that there is no material difference between those two regimes for this purpose. That indeed is what the courts have said. Direct linkage is made by Regulation 2(3) of PECR itself.

There is no definition of consent in the 1998 Data Protection Act. Article 2(h) of the underlying Directive provided that ‘“the datasubject’s consent” shall mean any freely given, specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’.

That definition appears in a rather more developed form in the GDPR as follows (Art.4.11):

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Art.7 of the GDPR provides further as follows:

Conditions for consent

1.

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2.

If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3.

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

4.

When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

It is noteworthy that the effect provided for in Art.7.2 is the ineffectiveness of the ‘consent’.

Consent is further dealt with in a number of the GDPR’s recitals. This, in particular, is set out in Recital 43 as an aid to the construction of ‘freely given consent’:

In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

The leading CJEU authority on the quality of consent, where it is relied on for lawful processing, is Planet 49 [2020] 1 CMLR 25 – a case which postdates the period we are looking at. It was about an online lottery, in which participants were faced with a pre-ticked box giving permission for cookies (phrased as an agreement to a ‘web analytics service’ to evaluate online behaviour to enable advertising ‘based on a user’s interests’). Cookies would be activated by continuing use of the website unless the box was unticked.

The CJEU held the pre-ticked box could not be relied on as constituting, or giving evidence of, legally effective consent. Legally effective consent, and evidence of such consent, for these purposes had to have a number of qualities.

First, consent itself had to be free, specific and informed. Information must be provided to put an individual ‘in a position to be able to determine easily the consequence of any consent he or she might give and ensure that the consent given is well informed. It must be clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed’ ([74]).It is in connection with this point that I have set out SBG’s successive privacy policies above.

Second, according to the Advocate General’s Opinion which the Court largely followed, consent had to be separate: participation in the lottery and consent to cookies could not be constituted by, or form part of, the same act, nor could the latter be presented as ancillary to the former. This was said to derive from the requirement for consent to be both ‘freely given’and ‘informed’, and is more clearly reinforced by what Art.7 GDPR says about the need for a request for consent to be ‘clearly distinguishable’ from other matters with which engagement is sought.

And finally an indication of consent had to be active and not passive. A passive indication is inherently ambiguous as to whether actual consent has been given. A player was able to get on and use the website without having to do anything at all. They may not have given their mind in any way to the matter of cookies, or even to have noticed the pre-ticked box. So it was not evidence of anything in fact having been decided by the player ([52]-[54]). But having to do something active made it ‘far more probable’ that a positive decision had been taken by the individual.

The CJEU took a similar approach in Orange Romania (EU:C:2020:901). And both were followed domestically in Leave.EU v Information Commissioner [2021] UKUT 26 (AAC). In that case, consent was being considered in a direct marketing context. The Upper Tribunal considered the CJEU authorities to ‘set a relatively high bar to be met for a valid consent’. It noted that ‘consent’ should be regarded as ‘a generic concept within the arena of data protection’. And it emphasised the importance of the overall factual matrix in considering in any given case whether legally effective consent for these purposes had been given, in particular the importance of establishing the terms of any ostensible consents. In the context of direct marketing, it noted the relevance of the question of whether advertising ‘may involve an intrusion into recipients’ privacy or otherwise cause distress’. And it gave as an example of that, ‘marketing for the betting and gambling industries’.

The CJEU has interpreted Art.7.1 GDPR as establishing that, ‘where processing is based on consent, it is the controller who bears the burden of demonstrating that the data subject has consented to the processing of his or her personal data’ (Meta Platforms v Bundeskartellamt [2023] 5 CMLR 22 at [152]).

The relevant legislation, and these authorities I was shown on the quality of consent required to render data processing lawful, need some unpacking. The language of and relating to the legislation, and the rhetoric of the judgments, is in terms which suggest a bar which is indeed ‘relatively high’ – consent must be free, specific and informed, it must be separate from the activity to which it stands as a threshold requirement, it must be active and unambiguous. This qualifying language is referable to the origins of data protection law in Art.8 ECHR and its underlying understanding of privacy as implying individual autonomy, including the genuinely autonomous control of personal data. But there are three distinct strands perceptible in this rather complex idea.

First, there is the subjective element of the individual’s state of mind – what they actually thought about, understood and desired. This actual and high quality, individuated, consent has a palpable presence in the authorities as at least an aspirational standard. But on closer examinationit may be that this element alone is not after all set at a particularly high minimum requirement in data protection law, and does not need to be, because it has to be understood alongside the second element – what might be described as the autonomous choice of the individual about consent. The authorities do not speak in entirely subjective terms in setting their ‘relatively high’ standard. They do speak about consent being specific, which implies some basic threshold of subjective understanding that consent is being given, and to what it is being given. But they also speak about individuals being ‘in a position’ to be able to determine the consequences of giving or withholding consent, including by being well-informed – that is, ‘provided with’ full and clear information. These expressions emphasise less an individual’s subjective state of mind, and more the external circumstances of their choices.

The requirements for consent in data protection law have deep roots in the protection of the autonomy of the individual. That extends not only to the subject matter of the consent – the freedom to choose or not to choose to have one’s personal data processed in certain ways and with certain consequences, with specificity about what those are – but also to the process of consenting itself. If an individual makes a fully autonomous choice to limit the quality of their own consent – for example by choosing not to engage with information which is readily available and accessible – and so executes a permission which is subjectively ill-informed and misunderstood, there is no inevitable compromise of their autonomy in attaching legal effect to that choice.

The balance between these first two elements which is struck in the authorities appears to set a relatively low threshold for the presence of good-quality subjective consent but a relatively high threshold for establishing that any deficiency of subjective consent is itself autonomously chosen. That is unsurprising; it is a position which is both principled and pragmatic. It is principled because it respects the personal autonomy which it is the purpose of these consent provisions to safeguard. Some processing of personal data is sufficiently invasive (cookies are a form of surveillance of personal activity) or intrusive (direct marketing imposes itself on personal attention) to be unlawful without an individual’s autonomous submission to the compromises of personal autonomy which they intrinsically involve. But individuals’ freedom to make that autonomous submission, and decide how to make it, must itself be respected.

And it is pragmatic because the balance it strikes between commercial freedom and individual privacy has to be a workable one. Commercial freedom is a collective good. Businesses cannot operate the data systems on which they rely, to provide the goods and services we want at a cost we can tolerate, at the level of inquiring into every individual customer’s subjective state of mind. But they can ensure that their systems factor in decision points about consent which maximise the probability that everyone’s decision at these points is fully autonomously undertaken. They can ensure that good quality, accessible, relevant and accurate information is provided about the consents engaged, they can take steps to guide the decision-making processes towards or through that information, and they can take steps to focus individuals’ minds soberly and separately on the privacy consenting decision in its own right rather than distracting them with all the attractions conditional on that decision.

That takes us to the third strand – the evidential element. If the authorities set only a modest standard for subjective consent, but a relatively high standard for the quality and autonomy of decisions about consent, they further provide some minimum evidential standards for establishing it. Not unticking a box will not do: it is too evidentially ambiguous, because it is entirely consistent with both a complete lack of subjective consent and a complete lack of any autonomous choice having been exercised – the individual may simply not have noticed the box at all. But a positive and separate act of ticking a box which cannot be reached without scrolling through relevant text, and which is separate from a confirmation that the text has been read, is a piece of evidence which makes it ‘far more probable’ that an individual’s decision about consent will be of the relevant quality. The authorities do not say it constitutes that consent. And of course it is evidence which is still consistent with a complete lack of subjective consent. It does nevertheless have a number of features capable of evidencing an autonomous exercise of choice about consent, including the autonomous choice, either way, about taking advantage of the information resources made available. It cannot, however, guarantee any quality of autonomy. The boxes might, for example, have been ticked by a third party, or by an individual under a temporary or permanent incapacity, or under a positive misapprehension, or indeed in any number of circumstances in which no fully autonomous decision by the data subject has been taken.

And the authorities do emphasise the fact-sensitivity of the requirement for consent – in all its aspects. Where consent is disputed, the relevant factual matrix is likely to include all three elements: an individual’s subjective consent, the quality of autonomy in any decisions they made about consent, and the evidential basis on which a data controller relied in proceeding on the basis of consent.

I cannot ignore either what is said in the authorities about the potential significance of marketing to online gambling customers, where that appears as part of the factual matrix of consent in any disputed case. The parties in the present case made submissions to me about the extent to which online gambling was, and was not, ‘special’ – different from other online activities, and particularly with reference to direct marketing to existing customers. I consider that further below. But I start the necessary consideration of the full factual matrix in this case with the subjective quality of the Claimant’s consents, and with the autonomy of the decisions he made about them.

The subjective quality of the Claimant’s consents

The World Health Organisation recognises ‘Gambling Disorder (Predominantly Online)’ as a medical condition, in the following terms:

A pattern of persistent or recurrent gambling behaviour that is primarily conducted over the internet and is manifested by:

1.

impaired control over gambling (eg onset, frequency, intensity, duration, termination, context);

2.

increasing priority given to gambling to the extent that gambling takes precedence over other life interests and daily activities; and

3.

continuation or escalation of gambling despite the occurrence of negative consequences.

The behaviour pattern is of sufficient severity to result in significant impairment in personal, family, social, educational, occupational or other important areas of functioning.

The Claimant has never had any formal medical diagnosis for his gambling behaviour – what he calls his ‘addiction’. I have no medical evidence at all in this case (other than an account of the Claimant describing symptoms of anxiety and depression to his GP as part of his ‘rehabilitation’, and obtaining anti-anxiety medication; he did not tell his GP anything about his gambling, however). I cannot therefore proceed on the basis that the Claimant was at the relevant time under any sort of medically recognised disability.

Nor does the Claimant say he lacked general capacity, by reference to the state of his mental health or wellbeing, to give consents of a kind capable of altering his legal position. He does not, for example, say anything other than that he could and did enter into effective contractual relations for the provision of gambling services. The question for this case is not whether he was capable of giving legally effective consent in general. Nor is it whether he was acting wisely and in his own best interests at the time; it is in principle entirely possible for many or most forms of legally effective consent to be given unwisely and disadvantageously. That in itself is fully comprehended in the concept of autonomy. Nor is this a case about whether SBG was under any sort of duty of care to protect the Claimant from his own legally-effective decisions. This is a data privacy case which, relying on privacy law, has to grapple with the issue of consent from the unique perspective of privacy and personal autonomy. The question for this case is whether the Claimant did give consent to the processing of which he complains – consent, that is, of the standard required to be legally effective to place the consequent processing of his personal data on a lawful footing on that basis.

I start by accepting in broad terms the Claimant’s evidence of his subjective experience of gambling and of its effects on him and his wellbeing. It is not materially challenged. I found him to be a straightforward witness of honesty, integrity and insight; answering clearly, concisely and respectfully under cross-examination; and if anything given to understatement rather than overstatement of his evidence. I am entirely satisfied that any inconsistencies and irregularities in his account are more likely than not attributable to the irreducible stresses of the litigation experience, the nature of his predicament at the time with which this claim is concerned, and his deep shame, both then and now, at the extent to which his gambling behaviour diminished him, and indeed his integrity, at the time.

The account the Claimant gives himself of his online gambling behaviour has clear features of compulsiveness: of ‘impaired control’, ‘precedence’ over life, relationships and work, and ‘continuation or escalation’ in the face of negative consequences. I accept his description of the excessive time (duration and time of day) he felt he spent online gambling, its radical unaffordability for him, and the secrecy, deceits and compromises of his relationships with others that it entailed. I accept his subjective account of his humiliation and dismay at what he was doing, then and since. I accept that the Claimant genuinely understands himself to have been a problem gambler.

I also accept that, by any ordinary social standards, he was at the relevant time sustaining ‘gambling harms’, including as they are understood in the industry – unsustainable financial indebtedness, emotional distress, and compulsive behaviour patterns impacting the quality of ordinary autonomous living. SBG’s Mr Watkin did accept – with hindsight – that ‘it is possible this person had a gambling problem’, and that his patterns of gambling at the time ‘could be indicative of problematic behaviour’. Indeed, Mr Hopkins accepted in his closing submissions that, had they known what they now know about the Claimant’s gambling behaviour, and with the benefit of their improved modern ‘safer gambling’ systems, they would have intervened on his gambling at a much earlier stage.

I am not concerned with labels. I am satisfied that the Claimant was at the time a highly vulnerable individual in relation to his gambling behaviour. It requires no deference to industry, medical or other expertise to be able to recognise in the Claimant’s evidence a disorderly lifestyle in which a subjectively experienced compulsion to gamble consumed a man’s personal and material resources to a degree which significantly diminished him, his personal autonomy, his private life, his moral compass, and the full autonomy and freedom of the choices he was making. I put it no higher – but at the same time no lower – than that. That was his evidence, and I accept his evidence. It is material context for considering the questions of consent which arise in this case – part of the factual matrix to be inhabited when evaluating his actions.

I have no difficulty either in accepting the Claimant’s evidence that to the extent that, at the time, he gave passive or active signs of consenting to cookies, he had not in fact given his mind to the issue at all. He clicked through, without reading any privacy notice, simply to get rid of the messages on his screen and get on with gambling. He had not informed himself of the nature and use of cookies to obtain and use raw data for ultimate marketing purposes, and he had not availed himself of the information provided relating to profiling and personalisation processes and purposes. He just wanted to get on and gamble.

His situation in relation to the direct marketing itself is a bit different. Obviously, when he started to receive it in July 2017, he was immediately aware of the fact. As explained above, I can and do infer that on balance he was more likely than not to have done something himself to trigger that change. His evidence is that he has no recollection of that, and it may be, again, that he was so preoccupied with his compulsion that he engaged with the issue to the minimum degree necessary to get on with gambling. That could have been quite a low degree, much as with the cookies, although I have no evidence of exactly what he did or how he did it. And exactly what he did and how he did it matter – these are missing parts of the relevant factual matrix. Because they are missing, I cannot make speculative assumptions about the circumstances and quality of any consent he gave at the time.

Nevertheless, at some level I can and do accept that he wanted the direct marketing material – even perhaps craved it. There is evidence from the transcripts at the time that on one or two occasions when he took the initiative to contact SBG through its online chat function, including to effect temporary closure of his account, his chief preoccupation was with trying to get more and better offers and bonuses; these were after all opportunities to do more gambling for the same financial input from him. He told me he was ‘begging’ for these opportunities on the chats, desperate as he was to access more gambling. I can and do find it probable that he felt the same about the direct marketing – if not on a considered basis in advance of signifying consent, at any rate when he started to receive it: desperate to find more opportunities there too, or just to find new hope of the big win that would turn his life around. On his own account, it would appear that his consumption of direct marketing was part of a pattern with his compulsion to gamble: subsumed into, fed by, and feeding, his cravings.

The records show that not only did he take no step to stop the marketing, he was highly responsive to it. He opened 98% of the marketing emails he received. I was shown a number of examples of instances in which he responded to the offers and prompts and changed his gambling behaviour accordingly. The more he responded – trying new things, accepting bonuses, going up a level – the more the marketing models responded with more, and more tailored or directed, marketing. That is exactly what they were designed to do. The Claimant was gambling in what might reasonably be called a fast-moving marketing-saturated environment, one in which rich information provided by his own online behaviour was being played back to him in real time with tailored enticements and inducements to play more and play bigger. The records show that in August 2018 alone, there were 114 email campaigns for which the Claimant was ‘selected’. These were frequent, high-impact online experiences in their own right, including offers some of which had to be accepted quickly. He was playing on several of SBG’s products, and for long periods. He was highly available to, and responsive to, marketing, including while playing. The modelling had identified him as a ‘high value’ customer, and so they marketed to him as such. It never identified him as at high enough risk for marketing suppression. The financial triggers for suppression were set at levels beyond the realistically possible reach of a man of the Claimant’s modest means, even when he was spending all the money he could get his hands on and more.

SBG put it to me that, even without reading the privacy notices, the Claimant cannot have failed to notice the personalised (reactive and tailored) quality of the marketing he was receiving. I do not agree. I accept the Claimant’s evidence that he was genuinely astounded by the revelation of the scale and sophistication – and even the fact – of the operation to play his own behaviour back to him as targeted marketing. Experience does teach us, as a society, not to be naïve about the way our online behaviour has consequences for us by way of advertisements and offers. But I remind myself of the wording of Recital 58 to the GDPR about ‘situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising’. In the Claimant’s case the raw data comprised the cumulative fine detail of behaviour he had himself recognised at the time as harmful and out of control. And it was being used to enable and encourage him to do more. His insight into that at the time, and the underlying mechanisms, should not be overestimated on the evidence I have, even without factoring in his being in a ‘haze’ in which he ‘could not think straight’.

In these circumstances, I find on the evidence that the subjective quality of the Claimant’s consents was as follows. First, his consent to the use of cookies for marketing purposes was limited to clicking the buttons he was presented with – the original ‘accept and close’, and the GDPR refresh buttons – without giving his mind to the matter or reading any of the accompanying material. Second, not having read the material, he had limited, if any, insight into the system – or the fact – that his online behaviour was being fed into modelling in order to create and enhance direct marketing to him tailored accordingly. Third, his entertainment of, engagement with and responsiveness to direct marketing were themselves intimately bound up with his own problematic gambling behaviour, and partook of its qualities.

The autonomous quality of the Claimant’s decisions about consent

Mr Hopkins placed considerable, and repeated, emphasis on the fact that this is not a duty of care case. I agree with him about that; it is not. There have been a number of cases before the courts in recent years in which individuals evidencing a history of gambling problems have sought to obtain remedies for losses and harms from providers on a range of legal bases – including breach of contract, breaches of statutory duty under the gambling regulation regime, and negligence (breach of duty of care) – all without success (see for example Calvert v William Hill [2008] EWHC 454 (Ch) and EWCA Civ 1427; The Ritz Hotel Casino v Al Geabury [2015] EWHC 2294 (QB); Gibson v Betfair [2024] EWHC 2900 (Comm)). Cases turn on their pleadings and facts, and this case, brought in the King’s Bench Division’s Media and Communications List, pleads absent or defective consent in the context of privacy law. So I am not concerned with questions of duty of care.

I may not, however, be in agreement with Mr Hopkins about the consequences of that. He proposed, for example, that the fact the Claimant had not read any privacy notices, but had nevertheless ticked the boxes he was provided with, was fatal to his claim. He proposed that in these circumstances I need not concern myself with the content of the privacy notices or the context of the box-ticking. That might be right in a duty of care case, where contributory negligence by a claimant was pleaded. But on the question of whether SBG is entitled to rely on the Claimant’s consent for the lawfulness of its processing (moreover in a case in which, I note in passing, no defence under PECR Regulation 30(2) is pleaded) it is not quite the end of the matter. The context in which the boxes were ticked – both immediate and wider – is part of the relevant factual matrix within which I have to judge the autonomous quality of the Claimant’s decisions about signifying consent, and the power of the evidence for it on which SBG relied. A crucial part of that immediate context was the nature and process of the box-ticking exercises themselves and the quality of the information SBG ‘provided’ or ‘made available’ in the course of it. These are at least capable of furnishing the conditions for, and providing more or less good evidence of, an autonomous process of the necessary quality.

SBG’s evidence is of a trajectory of improvement across the relevant period in these respects. In the first part of the relevant period, it had relied on the ‘accept and close’ button for evidence of cookie consent by the Claimant, and the only evidence it has for any direct marketing consent by him is circumstantial. The former at least required a positive, non-ignorable, box-ticking exercise. To that extent it was baseline Planet 49 qualifying evidence – it is possible for this to be regarded as evidence of an autonomous process, in a way that was not possible with an ignorable pre-checked box. But it still presented a binary choice – proceed to the website or not. The banner told the customer that clicking the button and visiting or using the website was cookie consent. There was no separation between an act signifying consent as such and an act signifying engagement with the content of the site. It was in a classic barrier format.

The privacy notice in force at the time also told customers that creating or logging in to an online account via the SBG websites, or scrolling, clicking navigating or using the websites, was agreement to the use of cookies as set out – and on a wholesale basis. So there was no clear separation between the two decision points – using the website and consenting to cookies. The policy itself has its limitations in terms of the requirement to provide or make available accessible, clear and comprehensive information about either cookie use or processing of personal information for marketing. In particular, what it says about the use of cookies for direct marketing is even ambiguous about the extent to which it applied to SBG’s own marketing to its existing customers as well as the selling of website advertising space to third parties.

The privacy policy’s section on direct marketing was presented on a passive opt out rather than an opt in basis – it was processing that would happen ‘unless you tell us not to’. And the content of the privacy notice was something that, on such limited evidence as I have of the processes presented to the Claimant relating to direct marketing consent, was an entirely ignorable part of the consenting processes.

So as a matter of evidence of autonomous choices having been made by the Claimant, the first part of the relevant period is not unambiguous. The consenting process was consistent, notwithstanding the positive actions required to activate both cookies and direct marketing processing, with the Claimant being unaware of the substance (and possibly even the existence) of the privacy terms and conditions, and of playing only a passive role in the substance of the consenting, albeit an active role in the clicking of the relevant buttons. And the privacy information available provided relatively limited support for conscious, autonomous decision-making.

As regards the latter part of the relevant period, postdating the GDPR refresh, SBG accepts that this was a distinct upgrade in the quality of the decision-making context it provided in order to obtain reliable consents, and that that in turn was in response to a perceptible shift in what the new legal regime was understood to be expecting or encouraging. It makes no concessions as to what was required in this respect, either before or after the refresh; it maintains a position of constant improvement and aspiring to best practice as well as legal and regulatory compliance in the matter. But there is no doubt that the operative system put into place in the spring of 2018 provided a considerably richer context for the consenting exercise than that which had preceded it. And it is not in the end a matter of what was mechanistically required (by law or good practice), it is a matter of the strength of the evidence provided, by the conditions in which assents were given, for autonomous decision-making about consenting.

So in looking at the post-refresh period, I can see in the first place that the construction of the decision-making process was designed to guide the individual, step by step, through individual decision points – on the terms and conditions, the privacy notice (including cookies) and direct marketing. In each case the terms had to be scrolled through to reach the tick boxes. Separate boxes had to be ticked in each case to confirm that the material had been read, and then to confirm that the terms were accepted. It was impossible to progress through it without at least being aware of all the relevant information and performing a positive and specific act of assent in relation to it. None of this was ignorable.

The privacy notice itself has many good qualities. It is hard to get the balance right in such notices between being fully informative and being digestible. It is a long document. But it is written clearly and accessibly, dealing with technical matters in simple terms, and is over all well-presented. In particular, the headings stand out clearly and would be noticeable even when the document was being scrolled through quickly. It covers all the relevant ground. It is not strictly neutral – either about cookies or about direct marketing – and it certainly presents ‘personalisation’ of the online experience in positive and attractive terms (and its alternative as an impediment to that experience). But it does not have to be strictly neutral to support autonomous decision-making about consent.

So far as cookies are concerned, it is fair to say that it is not made especially easy to do anything other than consent – and on an all-or-nothing basis too. There were no simple clicks to ‘decline and proceed’ or ‘manage cookies’; instead customers are sent off to navigate the help sections on their browsers if they have any reservations. So far as direct marketing is concerned, there is a degree of inertia inserted into the mechanism by its use of the ‘continue with my current preferences’ device. For opted-in (or not opted-out) customers that has some evidential weaknesses. First, it builds in a default to consent, albeit by requiring a positive confirmation of that. Second, to a degree it invites inference of consent from acquiescence in the status quo. And third, it preserves to some extent whatever the advantages and disadvantages of the original historical consenting mechanism might have been (a significantly limiting factor in the present case). Mr Knight also makes a fair point about the way profiling is dealt with under the heading of ‘things we do with your consent’, when SBG was in fact relying on its legitimate interests to undertake profiling without consent.

For present purposes, however, it perhaps suffices to say this. The engineering of the consent mechanisms in the GDPR refresh was sufficient to provide a reasonably robust evidential basis for SBG to rely on its being probable that, where the relevant boxes had been ticked, a specific autonomous decision had been taken about consenting – either to give fully subjective consent or to choose to forego fully subjective consent in the knowledge of the nature and consequence of that choice and proceed on that basis. Customers had been provided with clear, accessible and relevant information, made available to them and drawn to their attention on a literally line by line basis as they scrolled through. They had been taken to separate decision points as to having read the material and as to having consented on the basis of the material. SBG was certainly in a considerably stronger position to rely on this evidence than it had been pre-refresh.

I repeat – because it is important to clarify the limitations of the exercise I am engaged on – that such points of criticism as can be made of SBG’s privacy policies and consenting mechanisms, particularly in the earlier part of the relevant period, are not made wholesale or in a vacuum. Nor are they concerned with any broader question about best practice at the time, nor with the wisdom of relying on this evidential base in general for the presence of the consents in turn relied on for the lawfulness of the processing undertaken. Such general matters are the proper domain of the regulators. By contrast I have a single data subject, a single set of facts and a single slice of historical time before me. The authorities only go so far as to address the relationship between a consenting process (and its associated information provision) and the probability that a data subject has autonomously consented. An evidentially more robust process will increase that probability, but it cannot in the end guarantee it. A data controller who chooses to process personal data in a way which demands consent, such as for direct marketing, cannot ultimately rely absolutely on generic probabilities and risk control mechanisms, or the fact that nearly everyone who has been through the consenting process will have either subjectively consented, or taken an autonomous decision (to the requisite standard) to shortcut the opportunities given to do so. If challenged by an individual data subject, a data controller has to be able to demonstrate the consenting it relies on in a particular case. And if that challenge is put in front of a court, a court must decide on the balance of probabilities, and within the full factual matrix placed before it, whether the data controller had a lawful consent basis for processing the data in question or not.

That is what the law requires, and it does so consistently with the principled and pragmatic balance set out above. In the overwhelming majority of cases – perhaps nearly always – a data controller providing careful consenting mechanisms and good quality, accessible, privacy information will not face a consent challenge. Such data controllers will have equipped almost all of their data subjects to make autonomous decisions about the consents they give and to take such control as they wish of their personal data in the respects in which the law requires data processing to be consented to, and established powerful evidence that they have done so. Data controllers cannot operate whole systems at the level of individual circumstances. And most data subjects who decide not to take the trouble to give specific and informed subjective consent, but press the buttons anyway, may be inferred to have taken an autonomous decision based on their own evaluation that the protection of their privacy is not worth doing anything more about.

But all of that is consistent with an ineradicable minimum of cases where the best processes and the most robust evidential provisions do not, in fact, establish the necessary presence of autonomous decision-making, because there is specific evidence to the contrary. There is an irreducible minimum risk that, even where an individual data subject with legal capacity has clicked on the buttons, they have not done so as part of an autonomous decision-making process such as privacy law demands. The present Claimant says in effect that he is one such – and that the law places the risk of such cases on the data controller and not the data subject.

I have already concluded that the evidence of the Claimant’s engagement with the consenting processes on which SGB relies does not establish subjective consent which can be described as free, specific and informed. The next question is whether it nevertheless establishes a decision to proceed in any event, shortcutting the opportunities provided, which can itself be described as properly autonomous.

The Claimant’s response to the circumstances relied on by SBG is to say, in effect, that we need to do more than look at the risks in the system and the general probabilities. We have to focus on him as an individual as well. And his evidence is that he was not making decisions relating to his gambling in general – and these box-ticking decisions in particular – on a fully autonomous basis at all. His case is that he was one of the irreducible minimum of data subjects whose behaviour could not in fact be read as either subjective consent of the requisite quality, nor an autonomous decision of the requisite quality which recognised that he was being provided with effective mechanisms to control his personal data and to give free, informed and specific subjective consent to its use, but freely opting to decline those opportunities and proceed none the less. He was not engaging with any of it. He just felt compelled to gamble, at any price – whether financial (in so far as he was able) or in terms of his own privacy, personal autonomy and family life. He would have – he did – say yes to get past anything and everything capable of delaying or impeding his access to gambling. He deceived his wife, begged from his family and friends, gave over all his money, and clicked away his personal information, obliviously. And while the other matters were contextual, his clicks were intimately bound up in real time and space with his consumption of online gambling.

The Claimant’s evidence is that his decision-making about matters to do with gambling was materially compromised throughout the relevant period. He says his self-control, the quality and rationality of his decision-making, his sense of his personal integrity and self-worth, and his personal and private autonomy were damaged by his habits in a spiral of self-harm especially in relation to making decisions relating to (more) gambling. He says that to the extent that he executed deliberate acts which proceeded from, and had the effect of exacerbating, that spiral and further compromised his privacy and autonomy, those were acts which cannot properly be described as proceeding from free, active, informed, specific and unambiguous exercise of autonomous choice; privacy law does not recognise them as such. He says that whatever he did to trigger the harvesting and manipulation of his personal data about his gambling, to be returned to him as potent incentivisers of more gambling, were acts of that nature. They proceeded from compromised autonomy, and further compromised his autonomy, in a self-reinforcing manner.

I have accepted the Claimant’s evidence of how things were for him. But I do have to evaluate their consequences. Personal autonomy is not an all-or-nothing thing. The authorities emphasise its dependence on context and degree. Individuals’ decisions about their own privacy can be more or less free or constrained, active or passive, informed or heedless, considered or impulsive. The question on which this case potentially turns is whether, in the absence of subjective consent of the relevant quality, the evidence before me makes it more probable than not that that absence was itself the product of sufficiently autonomous decision making by the Claimant such that SBG is entitled to rely on it as the basis for lawfully undertaking the processing of which complaint is now made. The authorities require that to be assessed in the full relevant factual matrix. Doing so involves revisiting SBG’s business model, and what the authorities say about marketing to gamblers, to consider where the law places the carriage of the risks involved.

Marketing gambling to problem gamblers

Direct marketing of gambling to online gamblers, subject as it is to multiple layers of regulation, is explicitly recognised, both within the industry and in the decided authorities, as raising special issues. SBG’s Mr Watkin accepted that, and SBG does not shy away from it. These special issues are described in various ways – including by reference to its particular intrusiveness, its particular potency and effectiveness, or its particular risk of harm. It is recognised that there is a subset, a small minority, of online gamblers – vulnerable individuals, including but not restricted to diagnosed gambling addicts – for whom this kind of marketing can, as a result of these factors, fairly be described as dangerous to them. It deals in an intimately personal issue, their problem with gambling, that affects their whole lives. The advertising of products which are dangerous to everyone is strictly controlled – tobacco advertising is the obvious example. There are no equivalent controls in place for the protection of the minority who are experiencing, or at high risk of experiencing, gambling harms. And whether or not there should be is a question for a legislature, not a court. But online gambling is provided by a regulated industry and the recognition and protection of vulnerable individuals within that regulated context is, as we have seen, central to the regulatory purpose.

The relevant generic controls in place across the industry include mandatory and best-practice standards for safer gambling policies and practices, and for the policies and mechanisms for privacy protection and consenting. These are overseen by the Gambling Commission and the Information Commissioner respectively. They can and do help manage and minimise the particular risks of direct marketing to online gamblers. But they cannot and do not eliminate them. They are not a complete insurance policy.

That is vividly illustrated by SBG’s own marketing suppression policy. In the first place, the very existence of such a policy is a plain acknowledgment of the link between direct marketing and the danger it poses for problem gamblers. So what exactly is that danger? It is a danger proceeding from, and contributing to, the compulsion of such individuals to gamble without reference to its damaging effects on their integrity and autonomy, personal or financial. And the suppression policy overrides ‘consent’. It must acknowledgeat some level that the evidenced ‘consent’ of such individuals to direct marketing is not absolutely determinative of its own freedom to market to them. Formally, SBG’s case is that this is a matter of ethics rather than law. That may be so, so far as regulatory compliance is concerned. But the data protection regime (inflected by PECR) creates individual rights, and the present case engages the question of the nature and extent of the consenting necessarily relied on in such cases.

SBG’s suppression policy draws a bright line between a minority of notably high-spending problem gamblers and other (potential) problem gamblers it has classified as high-value. The former are not marketed to, and the latter are especially marketed to. I put it that way, because SBG cannot demonstrate, and does not seek to demonstrate, that its suppression policy eliminates all risk of marketing to problem gamblers. It cannot and does not assert that because the Claimant did not trigger marketing suppression therefore he was not a problem gambler and his ‘consenting’ was reliable. The acknowledged limitations of its risk modelling and the raw data on which it relies do not permit it to.

Nor, I observe in passing, can SBG assert that its suppression policy is a complete answer to its regulatory duty to have safer gambling policies which ‘must include specific provision for making use of all relevant sources of information to ensure effective decision-making, and to guide and deliver customer interactions, including in particular provision to identify at-risk customers who may not be displaying obvious signs of, or overt behaviour associated with, problem gambling’ and in doing so to make ‘specific provision in relation to customers designated by the licensee as ‘high value’’. At the relevant time, SBG was not using ‘all relevant sources of information’ about risk of gambling harm to effect any impact at all on direct marketing to high value customers outside its suppression mechanism; it was otherwise keeping marketing and safer gambling completely apart in its modelling, and declining to take account of available information, for example about affordability, into its marketing models. I understand that its policies and practices, and those of the wider industry, may well have moved on since. I repeat again, I am engaged in a historical exercise in looking at a particular time slice.

In any event I note these points not in relation to SBG’s safer gambling policies or its regulatory compliance at that time, which are not my concern in this case. I make them for two entirely different reasons. First, because the Gambling Act requires a court to take the gambling codes of practice into account in a case in which they appear to be relevant. I consider the regulatory recognition of the position of vulnerable individuals within the industry, especially those whose vulnerability relates to the industry, a relevant part of the overall factual matrix within which I must consider and apply the appropriate standards of consent required by law.

And second, I make them because of their relevance to the fact that SBG was in all these circumstances demonstrably carrying a substantial risk of marketing gambling to problem gamblers on a targeted or personalised basis. It does not dispute that. Among those problem gamblers were individuals operating at a level of damaged and deteriorating autonomy in relation to their gambling to a degree indistinguishable from, or potentially worse than, those in the category triggering the suppression of all direct marketing, but to whom marketing was in stark contrast being directed in a personalised manner and to an enhanced degree. They include problem gamblers who could have triggered the suppression mechanism if, for example, their previous self-excluding history had been on SBG’s own platform rather than other providers’ platforms as the Claimant’s was, or who, being more affluent, were spending and losing sums which were bigger than those the Claimant could have contemplated.

And that was, in my judgment, not just an ethical or regulatory but a legal risk. It was a risk that the consenting of those problem gamblers was not a proper legal basis on which SBG was entitled to rely for that personalised marketing and the cookies which enabled it. It was a risk that there was no subjective consent of any quality present, because the problem gamblers were subjectively aware of and consenting to nothing about the gambling except the gambling. It was a risk that in shortcutting consenting mechanisms and failing to engage with privacy information these were not the autonomous acts of individuals making free, active and aware choices – however unwise – about their personal information, but were the compromised acts of individuals for whom decision-making about their time, money and privacy – about their personal integrity and their entire private lives – was already out of control in relation to gambling, and for whom the consenting mechanisms and information provision meant nothing other than barriers to gambling to be overcome in short order. It is hard to recognise in that factual matrix autonomous decision-making of the ‘relatively high’ standard envisaged by data protection law.

The fact that SBG was carrying a risk of marketing gambling to problem gamblers whose consenting was not of the standard required to be relied on for lawful processing is, in my judgment, obvious. I test that proposition in this way. Mr Hopkins had put it to me that ‘If [the Claimant] did change his setting in that way then he freely took a positive action unambiguously to indicate that he wished now to receive marketing communications from us’. I asked Mr Hopkins, towards the end of his closing submissions, whether the ‘consent’ of a problem gambler to the marketing to him of gambling opportunities can properly be described as freely given. In response, he made a powerful appeal to the need to calibrate my decision in this matter against business reality. I agree with him that it is important to do so. He put it this way:

An operator in our position cannot assume that there is going to be any inability to exercise free choice. That cannot be the starting assumption. That is the language used in the Ritz Hotel Ltd v Geabury case that we cite with reference to an individual's autonomy and their choice to gamble.

“Choice” was a word I specifically pressed in evidence with the Claimant. Granted, in re-examination Mr Knight sought to salvage something from all of that by eliciting an answer to the effect “well, I was not functioning very well then". [Note: what he actually said was that he was undergoing ‘an absolutely chaotic event in my life’.]We are back into the same sort of territory. I say the starting point cannot be to assume that the ability to give free consent is in doubt. You need a positive reason in the case of any particular individual to query that. If you are not hitting our Safer Gambling triggers, back to our conversation earlier, then there is no reason to call that into question. The starting assumption cannot be the other way round just because it is a gambling context. That is to allow, albeit serious, risks that are associated with a minority to drive the sort of assumption that overturns the ability to obtain consent at all. Where would it stop? How could you obtain any consent? How could you put any stock in what people said if that were the presumption you were leading with?

My response is this. The question of whether the ‘relatively high’ quality of consent is present, and of the degree to which an individual’s action is either ‘free’ or ‘unambiguous’, is always potentially in issue, because the law is constructed so as to give individual data subjects a legal right not to have their data processed for personalised direct marketing unless it is – at the points of both the initial cookie use and when triggering actual marketing – sufficiently consensual. That is something a data controller who is challenged must be able to demonstrate. I entirely agree that does not mean a controller can or must establish it beyond doubt individually from the outset in every case. But that does not mean it can always be guaranteed by systems either; there is an ultimately ineradicable risk in relying on them.

The carriage of that legal risk is a matter for the business. (That might be considered implicit in the ‘reasonable care’ defence provided by PECR Regulation 30(2)). It has choices to make about cookies and direct marketing and about the people on the other end of them whose personal information it uses. It has many resources available to assist it in doing so. It has regulatory standards and guidance to help it set up and operate consenting processes, including high-quality privacy information, which can then yield strong evidence of consenting of the necessary quality. In the overwhelming majority of cases, that evidence is likely to be unanswerable. It also has regulatory standards and guidance – and rich data resources relating to individuals – to help inform safer gambling mechanisms to suppress or modify its marketing or its consent mechanisms at a more granular, or individuated, level should it choose to do so. Of course, all of these represent business overheads, and there are business choices to be made about how far to invest in managing and minimising the carriage of the risk of absent or defective consenting. And it is a risk which is ultimately ineradicable. Problem gamblers may not always be easy to recognise, and there will always be relevant information about them which is ultimately unreachable by the provider, and properly so because it is information which is itself in the private domain.

So there is no question of a presumption or even a starting point of absent or defective consent. But there is a question of managing the risk of it, including recognising the signs and symptoms of defective consent and the options for responding to them. And there is always ultimately the issue of the false negative – the individual who, for whatever reason, has not in fact provided the legal basis on which the business has relied.

In other sectors this may all be somewhat academic. But in this respect it is right that direct marketing to gamblers occupies a far place along a spectrum. There is an obviously enhanced risk of defective consent in such a cohort. It will include instances of selling gambling to some people whose autonomous ability to resist that selling is substantially diminished. It will include selling a product which, for some people, will harm them and further diminish the autonomous control they have over their private lives. And where it is personalised, that may at the same time both represent the obtaining and use of very personal information about their disordered behaviour, and its processing to make the marketing even more intrusive and hard to resist.

In some of these cases, the provider will not be able to rely on consent for all of this. There is an obvious and fundamental imbalance in the rights and interests of the respective parties in such cases. I remind myself, just by way of general context, of what recital 43 to the GDPR says about that: that in order to ensure consent is freely given it is unlikely to be easy to rely on it where there is a clear imbalance between data controller and data subject. The example is given of public authority data controllers, who may be monopoly suppliers of services needed, but the analogy is extendable to data controllers in the gambling sector where they provide services craved by individuals in circumstances of compromised autonomy. The recital guides that consent is ‘presumed’ not to have been freely given where services an individual ‘needs’ cannot be obtained without privacy consents despite such consents not being necessary for the performance of the service. And it is not necessary for online gambling providers to market to their customers in order to allow them to gamble. It is something they choose to do for their own commercial reasons. The clear imbalance is part of the relevant factual matrix for the consenting behaviour in the present case.

Mr Hopkins accepted that, absent operative consent, SBG has no legitimate interest in processing personal data, including profiling, for the purposes of personalised direct marketing to problem gamblers. There are measures providers can take to improve and refine their processes to reduce the risk not just of gambling harm but of the impact of problem gambling on the very consents on which they must rely. That is a matter for them. But when in any case the risk does eventuate, the basis for lawful processing will not be there.

My analysis is as follows. The relevant legislation and authorities, both European and domestic, indicate that in order to provide a lawful basis for direct marketing, and for the underlying use of cookies for that purpose, a data subject’s consenting behaviour has to be of a ‘relatively high’ quality. That quality is expressed by reference to individual qualities such as ‘free’, ‘active’, ‘informed’, ‘unambiguous’, and ‘specific’ or ‘distinct’. What that means in practice is highly context-specific.

There are measures indicated by and under the relevant statutory regimes to assist data controllers in the online gambling sector to obtain, and evidence, consenting behaviour of the necessary quality. The sector is such, however, as to carry a real rather than theoretical risk that, occasionally, those measures will not in fact succeed in producing consenting behaviour of the necessary quality, and that the evidence of it will not be reliable. That is because it carries a known and ultimately ineradicable risk that the autonomy of the consenting behaviour in question is vitiated to some degree by problem gambling, so falls short of the relatively high quality required in law. It will be consenting behaviour which is too overborne, passive, unfocused and ambiguous, and too bound up with the craving or compulsion to access gambling, to which the consenting is experienced as a condition to be overcome, to meet the necessary legal standard.

In any individual case of challenge, a court needs to consider, on the evidence, and in its full context, whether or not the consenting behaviour relied on is of the necessary quality. That is clearly a highly evaluative matter. I have only the present case before me. I have accepted the Claimant’s evidence of the nature and extent of his decision-making, and looked at all the evidence of the nature and context of his consenting behaviour towards SBG. I have found he lacked subjective consent. I am also satisfied that the autonomous quality of his consenting behaviour was impaired to a real degree. I have no doubt at the same time it is possible to imagine even worse cases of problem gambling, and even worse cases of impaired consent. Nevertheless the standard looked for is relatively elevated. On balance – and it may be a fine balance – my conclusion is that, on the particular evidence and facts of this case, the quality of this Claimant’s consenting was rather lower than the standard required where processing personal data for the purposes of direct personalised marketing is concerned, throughout the relevant period, because of his gambling problem and his associated vulnerability and compromised autonomy.

It was insufficiently freely given, in particular. The Claimant’s consenting behaviours proceeded directly from a damaged and defective condition of personal autonomy with which the acts of consenting were inextricably and intimately bound up. The circumstances of his consenting behaviour are not recognisable as amounting to free, unambiguous, informed, specific, or distinct from the uncontrolled craving to gamble. Standards of consent set in data protection law are not insensitive to that sort of context. On the contrary, they can be recognised as requiring a ‘relatively high’ and context-specific standard of consent precisely because of the need for it to be especially incontrovertible before it can be relied on, when the processing of personal data not only invades privacy and compromises autonomy but proceeds from compromised autonomy of the very same nature.

It follows that I am required to hold that, in this particular case, (a) SBG’s use of cookies for the purposes of personalised direct marketing to the Claimant and (b) SBG’s direct marketing to the Claimant were not lawful processing. In those circumstances, I do not need to give distinct consideration to the question of the distinct lawful basis for profiling the Claimant for the purposes of direct marketing. The profiling was parasitic on the obtaining of the data and the ultimate delivery of the marketing, and had no other standalone purpose so far as he was concerned; it necessarily discloses no distinct basis for lawful processing. The acceptance that SBG had no legitimate interest in profiling for personalised marketing to problem gamblers without their consent, in circumstances in which I have concluded that that is exactly what they did here, stands as its own conclusion.

Nor do I consider it necessary or proportionate to pursue the issues raised on the Claimant’s pleadings about the subordinate conditions for lawful processing (including whether the conditions for processing health data were relevant on the facts) and the other data protection principles. To the extent that the processing in question depended on the acquisition of data for which there was no lawful basis in the first place, it was inevitably vitiated. I do not need to make individual findings on the distinct points raised under these headings.

The claim as pleaded raised a small number of further data protection points which may not strictly speaking be disposed of by my finding on the principal issues. In particular, an issue is raised by the Claimant about two ‘objection requests’ made by reference to Art.21 GDPR, one in 2021 to one of SBG’s data processors and one in August 2022 in pre-action correspondence. And SBG itself raises an issue about the precise date of the beginning of the relevant period and the running of the limitation periods. None of this was ventilated in any detail at trial, and it is far from clear what, if anything, is said to turn on it. I have already identified this claim as having started out on a broad and somewhat inquisitorial basis; I am grateful to both Counsel for the focus and economy they demonstrated in their submissions, and I have accepted what I understood to be their invitation to concentrate on what were in the end agreed to be the key issues.

And finally, I am unpersuaded that, on the facts of this case, the claim for misuse of private information is sufficiently likely to add anything material to the analysis to make it proportionate to analyse it in any detail. It was not materially addressed as such in Mr Knight’s submissions. And from first principles, in a case brought by a data subject against a commercial data controller, in relation to its own processing and that of the data processors under its control, it is inherently unlikely to. As I set out at the beginning, data protection law is at root a detailed statutory articulation of the balance the law strikes between individual privacy and the commercial freedoms to operate personal data dependent businesses. It would be unexpected to find that starting at the higher level of generality would lead to a different place from starting at the more detailed level the statutory code has provided, as I have done.

Judgment is given for the Claimant on the issues of obtaining his personal data through the use of cookies for purposes of targeted direct marketing without his operative consent, and of targeted direct marketing to him by email without his operative consent. That is dispositive of the substance of his claim, in his favour.

That is, as I have been at pains to set out, a decision confined to the particular circumstances of this case, and to the particular historical period in question. Other cases will have different facts and circumstances, particularly as, I am told, SBG’s own policies and practices, and those of the wider online gambling industry, have since evolved so as even further to reduce the risk of the emergence of claimants such as the present one.

The question of potential remedy was not dealt with at trial, but deferred to be considered on the basis of the detail of my findings on liability. This judgment itself nevertheless stands by way of declaratory relief of a nature which, the Claimant told me, he regards as particularly important.

I therefore await further submissions on remedy. It may, however, be of assistance to make clear at the outset that I do not by any means expect this to be in the nature of a straightforward exercise in quantification. In some of the other cases brought by problem gamblers, to which I have referred, where findings of liability were made against the claimants, the courts made alternative findings of failure of remedy with particular reference to issues of causation. Those issues would need to be dealt with in this case also, and may not be straightforward. It is only the matters for which SBG has been adjudged to be legally liable, in the period in question, and which are demonstrably causative of identifiable and quantifiable loss or harm, for which financial compensation can be expected.