With reforms to the Privacy Act 1988 (Cth) on the horizon, the recent UK case of RTM v Bonne Terre [2025] EWHC 111 (KB) provides guidance to Australian online gambling operators (and Australian companies more broadly) about best practice in obtaining online consent from users.
While this case applied UK law (including the UK’s GDPR regime), the principles are instructive for Australian businesses in obtaining users’ consent and what steps should be taken to ensure that the consent they receive from customers is effective.
Background
The defendants in the case – Bonne Terre Ltd and Hestview Ltd – conducted an online gambling business under the Sky Bet brand in the UK. The claimant, RTM, was a recovering gambling addict who regularly used the Sky Bet platform. He claimed that Sky Bet gathered information generated by his use of its platforms and used it unlawfully to provide personalised and targeted marketing which fed into his compulsive gambling behaviour.
There are strict legal requirements in the UK which limit the ways in which data controllers can use and deal with users’ personal information. In this case, RTM accepted that Sky Bet was entitled to process his personal data to accept and process his bets (ie, to perform the contract with him to provide gambling services) and to comply with their regulatory responsibilities, as provided for in UK privacy law. However, he claimed that Sky Bet had no lawful basis to harvest his transactional data to undertake detailed profiling analytics and algorithmic predictions to target and personalise Sky Bet marketing to him. In particular, he claimed that obtaining his personal data by way of cookies required his consent to be lawful and argued that he never provided relevant consent.
Sky Bet defended the claims on the basis that the claimant did, in fact, consent to the cookie use and direct marketing and led evidence of how that consent was ascertained. This evidence included a detailed privacy policy, a pop-up requiring cookie consent to proceed to the site and various individual checkboxes – one which required acknowledgement that the terms had been read, the other consenting to the use of the cookies and direct marketing. As a result, Sky Bet argued that, in the circumstances, it was entitled to rely on the claimant’s consent and therefore did not breach its privacy law obligations.
Decision
Justice Collins Rice acknowledged that the key issue in the case was the lawfulness of the processing of RTM’s personal information and the adequacy of the consent provided by the claimant.
The judge explained the authorities which provide that, in order for consent to be legally effective, it has to be ‘free, specific and informed’ – in other words, consent has to be freely given by well-informed individuals who properly understand the consequences of the consent they are providing. The data controller (ie, the company) bears the burden of demonstrating that the person has consented to the processing of their personal data.
In this case, the judge outlined three elements which should be taken into account when determining whether consent from a person has been adequately obtained:
- the subjective element of the person’s state of mind (ie, what the person thought about, understood and desired);
- the autonomous choice of the person about consent (ie. whether the person is able to determine the consequences of giving or withholding consent); and
- the evidential element of establishing consent.
Satisfying the ‘subjective’ element (ie, that good quality subjective consent has been given) is a relatively low threshold. In comparison, satisfying the ‘autonomous’ element is a high threshold. This means that, whilst it may be relatively easy for data controllers to show that consent has been given, it will be difficult for data controllers to show that individuals understood the consequences of that consent, or that individuals intentionally chose to limit the quality of their consent, for example, by intentionally disregarding privacy policies and ignoring pop-ups.
Where it is impossible to ascertain what a person was or was not thinking at a given point in time, the evidential element assists in the assessment of whether the individual had provided ‘free, specific and informed’ consent. For example, the judge noted that not unticking a pre-ticked box was too ‘evidentially ambiguous’, whereas the positive act of ticking a box which cannot be reached without scrolling through relevant text makes it far more probable that the consent meets the required threshold.
In this case, evidence about the claimant’s state of mind and addiction at the time at which consent was purportedly obtained meant that there was no subjective consent which could be described as ‘free, specific and informed’. The question, therefore, was whether the claimant nevertheless decided to proceed, shortcutting the opportunities provided to inform himself, which could be described as autonomous.
The judge explained that, although Sky Bet had measures in place to identify problem gamblers, it was an imperfect system with a not insubstantial risk of ‘false negatives’ – or of failing to identify problem gamblers. For this reason, there was always a risk that Sky Bet could send marketing materials to problem gamblers on a targeted or personalised basis, and the associated risk that the consent of those individuals was not legally effective. The effect of this would be that Sky Bet could not rely on that consent for personalised marketing. Because of this risk, and the vulnerability of problem gamblers with respect to gambling advertising, such consent will often be ‘too overborne, passive, unfocused and ambiguous, and too bound up with the craving or compulsion to access gambling’ to meet the required standard. Accordingly, because of his gambling problem, the claimant in this case fell below the required standard for direct marketing because he was operating from a ‘damaged and defective condition of personal autonomy’ and was unable to freely consent.
Sky Bet’s use of cookies for the purposes of serving direct marketing to the claimant was therefore held to constitute unlawful processing of personal information under UK privacy law.
Implications
The judge went to great lengths to emphasise that claims of this kind are primarily context-specific and that no single principle can be universally applied when it comes to assessing the sufficiency of consent. The judge also emphasised that this case was not about whether gambling service providers owe a duty of care to their users. However, the judge’s analysis may be instructive of how courts should approach the question of consent and the lengths to which online gambling operators, and other entities, must go to ensure that consent is legally effective. The case serves as a timely reminder for Australian online gambling companies to review their privacy disclosures and customer consent processes and settings on their platforms to ensure they are compliant and sensibly calibrated. Companies should also ensure that they are complying with their other statutory requirements, such as the requirement to have a ‘clearly expressed and up-to-date’ privacy policy and that they take reasonable steps to make it available free of charge and in an appropriate form.
It is important to note that this case was decided in respect of UK privacy laws (GDPR regime) which are stricter and more onerous than current Australian privacy laws. For instance, unlike the GDPR, the Privacy Act currently does not specifically regulate the use of cookies. The Australian Privacy Principles (‘APPs’) contain rules for the collection and use of personal information, requiring consent where the entity wishes to use it for a purpose other than the purpose for which it was collected, and requiring that entities notify users about the collection of their personal information. The APPs also provide that organisations which hold personal information about an individual must not use or disclose it for the purpose of direct marketing unless the individual has consented to the use or disclosure of their information for that purpose. These requirements operate alongside gambling-specific laws, such as the Betting and Racing Act 1998 (NSW), which prohibits gambling service providers from providing gambling advertisements to a betting account holder via direct marketing unless the holder has given ‘express and informed consent’ to receive them. The Interactive Gambling Act 2001 (Cth) also makes it offence to provide direct marketing to individuals registered on the National Self-Exclusion Register.
For more information about this case or about how you can comply with your privacy obligations, please contact Jamie Nettleton, Lachlan Gepp or Cate Sendall from the Addisons Gaming & Gambling team.