In May 2018, the European Union handed every person on the continent a remarkable gift: the legal right to tell a website, clearly and without ambiguity, no, you may not track me. Companies that failed to honour that right faced fines calibrated to make their CFOs choke on their flat whites. It was, on paper, a watershed moment for digital rights.

What happened next was one of the most creative acts of institutional bad faith in the history of software design.

Rather than simply stopping the tracking, or building honest interfaces where "Accept" and "Reject" sat side by side like civilised options on a restaurant menu, the industry invented the dark pattern — a user interface deliberately engineered to confuse, exhaust, and manipulate people into consenting to something they would never consciously choose. The cookie banner became less a mechanism for obtaining consent and more a masterclass in psychological pressure applied at the exact moment you just wanted to read an article about the weather.

3x
Researchers found that on sites using dark pattern consent banners, users clicked "Accept All" three times more often than on sites with equivalent, clearly designed choices, not because they preferred it, but because the design made it the path of least resistance.

Act One: The Theatre of Consent

Let's set the scene. You've followed a link to a news article. Maybe it's something urgent. Maybe it's something trivial. Either way, you want to read it. You've barely registered the headline when a large panel rises from the bottom of the screen like a velvet curtain opening on a play you didn't book tickets for.

The panel announces, in a font size calibrated to make the important bits difficult to parse at a glance, that the site and its "partners" (a word that in this context means "700 advertising companies, several of which are incorporated in tax havens and one of which you've never heard of because it was incorporated last Tuesday") would like to use cookies and other tracking technologies to personalise your experience.

There is a large, bright button. It says something like "Accept All" or "I Agree" or, in an especially heroic act of framing, "That's OK!" The button is the colour of confidence. It is placed where your thumb naturally rests. It is, in the language of UX design, salient, meaning it visually dominates the choice.

Somewhere in the vicinity of this button, perhaps below it, perhaps to its side in a slightly smaller font, perhaps rendered in a grey that achieves the remarkable feat of being technically visible while practically invisible, there is an alternative. It might say "Manage Preferences". It might say "Learn More". It might, if the site is feeling generous, say "Reject Non-Essential", though that phrase has been quietly replaced on many sites with "Continue Without Accepting", a choice of words that implies you are taking something without paying for it, like a shoplifter, rather than simply exercising a right you are legally entitled to.

We value your privacy
We and our 342 partners process personal data for the purposes of personalisation, analytics, and targeted advertising. By clicking "Accept All" you consent to our use of cookies and similar technologies. To learn more, visit our Privacy Centre.
A dramatisation. The "reject" and "manage" options have been rendered in proportionally accurate visual weight.

Most people click the big button. Studies consistently show opt-in rates of 85 to 95 percent on banner-heavy sites. The industry points to this as evidence that people want personalised advertising. This is the equivalent of a casino pointing to its revenue as evidence that people love losing money.

Act Two: The Labyrinth of Granularity

Suppose you resist. Suppose you are one of the rare, stubborn, or sufficiently caffeinated people who clicks "Manage Preferences". What awaits you is a masterpiece of friction by design.

You are presented with a list of "purposes", a word that in the IAB Transparency and Consent Framework means "categories of things we want to do with your data that sound reasonable until you read the small print." The purposes have names like:

Each of these has a toggle. The toggles are off for some purposes and on for others, arranged in no immediately comprehensible order. Some are greyed out, with a note explaining they are "required for the site to function", a claim that deserves a great deal more scrutiny than it typically receives, since "the site functioning" is routinely defined to include every commercially convenient purpose imaginable.

Below the purposes is a list of "partners", the real number rather than the sanitised summary. On large publisher sites this list routinely exceeds 500 companies. Each company has its own toggle. Each toggle is, by default, switched on. To opt out of all of them individually, you would need to click approximately 500 times, scrolling through a list that, if printed, would comfortably serve as the world's most depressing novel.

The exhaustion is not a bug. It is a feature. The design of these preference centres is not accidental friction. Research by academics at MIT and the University of Michigan has demonstrated that the number of clicks required to reject all tracking is directly and intentionally calibrated to maximise abandonment. Every extra click between you and "Reject All" is a design decision with a financial motive.

The technical term for this is a dark pattern. The working definition: any user interface designed to lead users toward choices that benefit the service rather than the user. The cookie preference centre is perhaps the most comprehensively documented example in the history of interface design, studied, catalogued, annotated, and roundly condemned by everyone except the people building it and the regulators moving too slowly to stop it.

Act Three: The Consent That Wasn't

Here is where the comedy tips into something darker: even when you do click through the labyrinth and toggle everything off, there is no guarantee the data collection stops.

The Transparency and Consent Framework, the industry standard for recording and communicating consent signals across the ad-tech ecosystem, operates on the honour system. It records your preferences as a string of characters called a TC string, which is technically transmitted to all the participating "partners." What it cannot do is verify that those partners honour it. Independent audits have repeatedly found that data continues to be collected after rejection, that third-party scripts fire regardless of the consent state, and that some companies receive data before the banner has been interacted with at all.
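
An added example, not part of the original article and not Prism's code: a minimal audit over a constructed page-load log that flags the two failures described above, third-party requests sent before the banner was answered and requests sent after rejection. The hosts, field names and timings are invented, and treating every third-party request as a candidate finding is a simplifying assumption.

```javascript
// Constructed sample: a page-load request log plus the consent events recorded
// by a test harness. All hosts, field names and timings are invented.
const FIRST_PARTY = "news.example";
const consentEvents = [
  { t: 0, state: "none" },        // page load, banner not yet answered
  { t: 4200, state: "rejected" }, // user clicked through and rejected everything
];
const requests = [
  { t: 35,   host: "news.example",        url: "/article.html" },
  { t: 80,   host: "bid.adtech.example",  url: "/auction?uid=abc" },
  { t: 120,  host: "cdn.news.example",    url: "/style.css" },
  { t: 4300, host: "pixel.track.example", url: "/p.gif?uid=abc" },
  { t: 4350, host: "news.example",        url: "/api/comments" },
];

// Third party = host is neither the site itself nor one of its subdomains.
// Assumption: a suffix match stands in for a real registrable-domain lookup.
function isThirdParty(host, site) {
  return host !== site && !host.endsWith("." + site);
}

// Consent state in force at time t: the latest event at or before t.
function stateAt(events, t) {
  let state = "none";
  for (const e of [...events].sort((a, b) => a.t - b.t)) {
    if (e.t <= t) state = e.state;
  }
  return state;
}

// Flag third-party requests sent before any choice was made or after a rejection.
// Each finding is a candidate for review, not proof of tracking.
function auditRequests(reqs, events, site) {
  const findings = [];
  for (const r of reqs) {
    if (!isThirdParty(r.host, site)) continue;
    const state = stateAt(events, r.t);
    if (state === "none") findings.push({ ...r, issue: "before-interaction" });
    else if (state === "rejected") findings.push({ ...r, issue: "after-rejection" });
  }
  return findings;
}

const findings = auditRequests(requests, consentEvents, FIRST_PARTY);
for (const f of findings) console.log(`${f.t}ms ${f.host} ${f.issue}`);
```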

The consent, it turned out, was theatre. The tracking was real regardless of what you clicked.

Consent, to be meaningful, requires a genuine choice. A choice constructed to be as difficult as possible to make is not consent. It is capitulation dressed up in a legal framework.

The Belgian Data Protection Authority reached essentially this conclusion in February 2022, ruling that the TCF itself was incompatible with GDPR. The decision sent a tremor through the industry. Enforcement proceedings began. A remediation plan was proposed. The tracking continued.

The Irish Data Protection Commission, which oversees most of the major US tech platforms because they chose to headquarter in Dublin, accumulated a backlog of complaints so large that it itself became the subject of EU-wide criticism. The fines, when they came, were significant in absolute terms and negligible as a percentage of revenue; the industry absorbed them the way a large ship absorbs a wave: a brief shudder, a slight list, and then full steam ahead.

90%
Studies have found that up to 90% of cookie banners fail to comply with GDPR requirements, despite the regulation having been in force for years and the fines for non-compliance being theoretically ruinous.

The Fiction of "Legitimate Interest"

If you were paying very close attention while navigating that preference labyrinth, you may have noticed that some purposes were not controlled by a toggle at all. They had a different note: "Based on legitimate interest."

Legitimate interest is a provision in GDPR that allows data processing without explicit consent when there is a genuinely compelling reason (preventing fraud, for instance, or responding to a legal obligation). It was designed for edge cases. It has been deployed by the ad-tech industry as a universal skeleton key.

The logic goes like this: delivering a personalised advertisement to a user constitutes a legitimate interest of the advertiser. The advertiser's commercial interest in targeting you is weighty enough that it overrides the requirement to obtain your explicit consent. You do not need to agree to it. You cannot opt out of it via a consent banner, because it does not require consent. If you want to object, you must exercise your right to object separately, through a different process, which you will find explained somewhere in the privacy policy, which is approximately 12,000 words long and has not been read in its entirety by any living human except the lawyers who drafted it.

This is the moment the comedy becomes tragedy. The user who survived the banner, navigated the preference centre, toggled all 500 partners, and clicked Save Settings, has not opted out of anything that operates under legitimate interest. They have merely reduced the number of companies with explicit consent to process their data. The shadow fleet of companies invoking legitimate interest sailed right past them.

What Prism Tracks That the Banners Won't Tell You

The fundamental problem with cookie banners is not that they ask for consent badly. It is that the question they're asking is the wrong one. "Do you consent to cookies?" is a bureaucratic question designed by lawyers to produce a defensible record. It is not a question designed to give you useful information about what is happening to your data.

The question you actually need answered is: of all the third parties that loaded when I visited this site, which ones received data about me, what data did they receive, and what did they do with it?

No consent banner tells you that. Prism does.

Prism's consent tracking records what signals were sent, what trackers were present, and what each site's consent state actually was, not the sanitised summary you were shown in the banner, but the actual list of entities that received your data. It logs the difference between what you clicked and what happened. It builds a timeline of which sites have behaved honestly and which have continued tracking after rejection.

The Consent Control Centre in Prism's dashboard shows you your consent history across every site you've visited, including sites that never showed you a banner at all (because they couldn't be bothered), sites where the banner fired but tracking preceded it, and sites where you rejected all cookies but data was transmitted anyway under legitimate interest.

Prism tracks what you actually agreed to, not what the banner claimed you agreed to. For many users, the gap between those two things is the size of a small country and the shape of a business model.

The Epilogue: You Deserved Better

Cookie banners were always going to be difficult. Obtaining genuine informed consent at scale, across millions of users with varying technical literacy, for a data processing ecosystem of baroque complexity, was never going to be simple. A reasonable industry might have responded to that challenge by simplifying the data collection, building privacy into the default, and reserving tracking for contexts where users actively and meaningfully opted in.

Instead, the industry hired a small army of UX professionals, paid them handsomely, and set them to work making consent as frictionless in one direction and as impenetrable in the other as the letter of the law would permit. They succeeded brilliantly. The resulting consent rates are monuments to the power of design to shape human behaviour, and a damning indictment of what that power looks like when deployed without ethics.

The law gave you a right and the design quietly took it away. The enforcement arrived late and moved slowly. And the tracking continued, uninterrupted, in the 80 milliseconds between you clicking the link and the banner appearing, long enough for the auction to run, the data to be broadcast, and the result to be logged in dozens of databases in cities you will never visit.

The least you deserve is to know exactly what happened. That's what Prism is for.