LiveUnder the magnifying glassWhat the headlines skippedZoom in
The · LoupeThe detail everyone missed.
Deep Dives

The Quiet Rewrite of Cookie Consent

Regulators spent years building the cookie consent wall, and the ad industry spent the same years quietly building a door around it.

M
By Manon Vasseur
Nantes · 4 July 2026 · 2 min read
The Quiet Rewrite of Cookie Consent

When the EU's ePrivacy rules turbocharged the spread of cookie banners, the assumption was simple: users would finally control their data. What happened instead was a masterclass in compliance theatre. Banners multiplied, legal teams celebrated, and tracking continued, often indistinguishable from its pre-GDPR form.

The mechanics are not mysterious. Dark patterns, pre-ticked boxes, buried reject buttons, seventeen-step opt-out flows, were documented almost immediately by researchers and privacy advocates. Yet enforcement remained patchy at best, and the burden of navigating consent shifted entirely onto the individual user.

The Architecture of Apparent Choice

What regulators perhaps underestimated was the sheer engineering effort the industry would deploy in response. Consent Management Platforms (CMPs) emerged as a booming sector, ostensibly to help publishers comply. In practice, they became sophisticated tools for nudging users toward the commercially preferable option: accepting everything.

Studies from academic institutions across Europe have repeatedly shown that default settings and interface design have a far greater impact on consent rates than any stated user preference. The choice architecture, in other words, is the policy.

What Enforcement Actually Looks Like

A handful of high-profile fines, Google, Meta, others, generated headlines. But fines represent a fraction of a percent of the revenues they are meant to deter. For every case that reached a decision, hundreds of complaints languished in national authority queues, sometimes for years.

The detail worth zooming in on: many of the largest CMP providers simultaneously advise regulators on best practice and sell their consent infrastructure to publishers. The conflict of interest is structural, and it rarely makes the press release.

The next iteration of this story is already underway. As third-party cookies phase out in various browsers, the industry has pivoted to alternative identifiers, hashed emails, device fingerprinting, contextual cohorts, that operate largely outside the consent framework as currently written. Regulators are, once again, writing rules for the previous war.

✦ The Loupe

More stories