Skip to main content
ComplicerAUDIT GRADE
MethodologyUse casesEU AI ActPricingBlogDocsSign inSTART FREE AUDIT
← JOURNAL
GDPR·MAY 27, 2026·11 MIN READ

Consent, Competition, and Dark Patterns: Why Data Protection Is Becoming a Market Power Issue

BY COMPLICER TEAM

For years, cookie banners were treated as a privacy compliance problem.

The question was usually:

"Did the user consent?"

That question is still important, but it is no longer enough.

In 2026, European regulators are increasingly looking at a broader question:

"Was the user given a real choice in a digital market where platforms, interfaces, and advertising systems shape that choice?"

On 23 April 2026, the European Data Protection Board announced a stakeholder event on the interplay between competition and data protection, organised with the European Commission. The event, scheduled for 29 June 2026, is intended to support upcoming guidelines on this topic and reflects the EDPB's wider focus on cross-regulatory cooperation.

This matters because consent is not created in a vacuum. Consent is affected by:

  1. interface design,
  2. platform dependency,
  3. market power,
  4. advertising business models,
  5. user lock-in,
  6. information asymmetry,
  7. data combination across services,
  8. dark patterns.

A consent banner can be technically present and still fail as a real choice.

1. Why competition law and data protection are now connected

Data protection asks whether personal data is processed lawfully, fairly, transparently, and with respect for individual rights.

Competition law asks whether markets are fair, contestable, and not distorted by dominant or gatekeeper power.

In digital markets, these two questions increasingly overlap.

Why?

Because personal data is not only privacy-sensitive. It can also be a competitive asset.

A company with access to large amounts of user data can improve targeting, personalization, ad measurement, product optimization, and lock-in. That can make the service better, but it can also reinforce market power if users have no realistic alternative or if competitors cannot match the data advantage.

The EU's Digital Markets Act, for example, is explicitly designed to make digital markets fairer and more contestable.

For compliance teams, the key insight is:

A consent flow can be legally risky not only because it collects personal data, but because it uses design and market position to pressure users into data sharing.

2. The consent question is becoming more economic

Traditional cookie compliance focuses on whether consent is valid under GDPR and ePrivacy-style rules.

A wider 2026 view asks whether the user's choice is meaningful in the real market context.

Traditional privacy questionCompetition-aware question
Did the user click "Accept"?Did the user have a real alternative?
Was a reject button shown?Was rejection equally easy and non-punitive?
Was consent specific?Was the user forced to accept broad data combination to access a dominant service?
Was the banner clear?Was the interface designed to steer users toward data sharing?
Was the vendor disclosed?Does the platform's data advantage limit competition?
Was the legal basis recorded?Is consent being used to legitimize market-power-driven data extraction?

This does not mean every small website is a competition-law case.

A local business using a cookie banner is not the same as a large platform with cross-service data combination and behavioral advertising.

But the regulatory direction matters for everyone because it changes expectations around "real choice".

3. Consent or pay: the model that exposed the problem

The clearest example is the consent or pay model.

In a consent-or-pay model, users are asked to choose between:

  1. consenting to personal data processing, often for behavioral advertising, or
  2. paying a fee to access the service without that processing.

In Opinion 08/2024, the EDPB assessed consent-or-pay models implemented by large online platforms. The opinion focused on large platforms that attract large numbers of users in the EEA and process personal data for behavioral advertising.

The EDPB's concern was not simply that payment exists. The deeper concern is whether users of large platforms can freely consent when the alternative is paying, leaving, or losing access to an important service.

The opinion is especially relevant because it treats consent quality as dependent on context:

FactorWhy it matters
Platform sizeUsers may depend on the service
Network effectsLeaving may mean losing social, professional, or commercial access
Fee levelA high fee can pressure users to consent
Behavioral advertisingThe processing may be extensive and intrusive
Alternative serviceUsers may need an equivalent option without behavioral advertising
Power imbalanceConsent may not be freely given where the controller has strong leverage

For website owners, the lesson is broader:

Consent is not valid just because the user clicked. The surrounding choice architecture matters.

4. The DMA pushed this issue into competition enforcement

The Digital Markets Act creates obligations for large gatekeeper platforms. Its purpose is to make digital markets fairer and more contestable.

Meta's advertising model became one of the most visible examples of the overlap between privacy and competition. In 2025, the European Commission fined Meta €200 million under the DMA for its "consent or pay" model, finding that users were not offered a less personalized but equivalent alternative. Reuters and other outlets reported that the Commission expected users to have a meaningful choice over the combination and use of personal data for advertising.

In January 2026, Meta introduced new ad personalization options for Facebook and Instagram users in the EU, giving users a choice between fully personalized advertising and a less personalized ad experience using less data.

The important compliance lesson is not "every business is Meta."

The lesson is:

Regulators are no longer looking only at whether consent exists. They are looking at whether the design of choice preserves user autonomy and market fairness.

5. Dark patterns make consent less reliable

A dark pattern is an interface design that manipulates or steers users toward a choice they might not otherwise make.

In privacy contexts, dark patterns can make consent invalid or at least legally risky because they weaken the user's free, informed, and unambiguous choice.

Common consent dark patterns include:

PatternExampleCompliance concern
Visual hierarchy manipulation"Accept all" is bright; "Reject" is grey or hiddenUser is pushed toward consent
ObstructionReject takes 3 clicks; accept takes 1Refusal is not as easy as acceptance
Ambiguous labels"Continue", "OK", "Got it"User may not understand they are consenting
Preselected optionsAdvertising or analytics already checkedConsent is not active and specific
Confirm-shaming"No, I do not want a better experience"Emotional pressure
Forced bundlingAnalytics, ads, and personalization accepted togetherConsent is not granular
Repeated promptsUsers are asked again and again after rejectingPressure and fatigue
Deceptive necessityAdtech placed under "strictly necessary"Misleading purpose classification

These design issues are not cosmetic. They affect whether consent is valid.

For compliance teams, banner design must be tested like a product control, not reviewed only as a legal notice.

6. Market power changes the consent analysis

The same banner design can have different implications depending on context.

A small blog, a national news site, a dominant social network, and a workplace platform do not create the same user choice environment.

ContextConsent pressure
Small optional websiteUser can leave easily
News site with paywallUser may face information access trade-off
Workplace softwareEmployee may not feel free to refuse
School platformStudent may have no practical alternative
Dominant social networkLeaving may mean social exclusion
Gatekeeper platformCross-service data control may affect markets
Essential serviceRefusal may affect access to important services

That does not mean consent is impossible in high-dependency contexts. But it means the controller must be more careful.

Questions to ask:

QuestionWhy it matters
Can the user realistically refuse?Freely given consent
Does refusal reduce core service access?Possible detriment
Is there an equivalent alternative?Real choice
Is the fee reasonable if payment is offered?Avoid coercive pricing
Is behavioral advertising separated from basic ads?Data minimisation
Can users choose less personalized processing?Granularity
Is consent bundled across services?Specificity and market power
Are users repeatedly pressured after refusing?Dark pattern risk

7. What this means for consent banners

A competition-aware consent banner should be designed around genuine choice.

Weak consent design

ProblemExample
One dominant accept button"Accept all" is the only obvious action
Hidden rejectReject is behind "Manage options"
Bundled purposesAnalytics, ads, personalization together
Vague description"We use data to improve your experience"
Vendor overloadHundreds of vendors with no usable explanation
No easy withdrawalSettings hard to find later
No non-tracking alternativeUser must accept behavioral ads or leave/pay

Strong consent design

Good practiceExample
Equal first-layer choicesAccept all / Reject all / Manage choices
Plain language"Advertising cookies let us measure ads and show personalized ads."
Purpose separationNecessary, analytics, advertising, personalization
Vendor clarityNamed vendors or accessible vendor list
Real rejectionReject blocks non-essential technologies technically
Easy withdrawalPrivacy settings link available later
Less intrusive alternativeContextual ads or limited-data ads instead of behavioral ads
Evidence loggingTimestamped consent state and browser behavior proof

The strongest banner is not the one that maximizes opt-in rate. It is the one that maximizes defensible consent quality.

8. Behavioral advertising is the pressure point

Behavioral advertising sits at the center of this debate because it often depends on:

  1. persistent identifiers,
  2. cross-site tracking,
  3. profiling,
  4. data combination,
  5. auction systems,
  6. large vendor ecosystems,
  7. measurement pixels,
  8. retargeting.

That creates both privacy and competition questions.

From a privacy perspective:

IssueConcern
ProfilingUsers may be categorized and targeted
Cross-site trackingData is collected beyond one website
Vendor complexityUsers cannot understand who receives data
Consent fatigueUsers click without understanding
Sensitive inferenceInterests may reveal sensitive attributes
Data minimisationLarge-scale tracking may exceed necessity

From a competition perspective:

IssueConcern
Data advantageLarger platforms can collect and combine more data
Market dependencyPublishers and advertisers depend on dominant ad systems
Lock-inUsers and businesses cannot easily switch
Self-preferencingPlatforms may favor their own ad services
Consent leverageDominant services can pressure users more effectively

This is why the EDPB and European Commission are working on the interplay between competition and data protection.

9. How to audit consent design scientifically

A modern consent audit should examine both UI and browser behavior.

Step 1: Capture the interface

Record:

EvidenceWhy
First banner screenshotShows initial choice architecture
Button labelsDetects ambiguity
Button stylingDetects visual pressure
Click pathMeasures effort to reject vs accept
Category defaultsDetects preselection
Vendor list accessTests transparency
Mobile layoutMobile banners often differ
Dark pattern notesDocuments manipulation risk

Step 2: Measure choice parity

Compare accept and reject flows.

MetricGood result
Clicks to accept1
Clicks to reject1
Visual prominenceComparable
Language clarityClear
No preselected optional purposesYes
No repeated pressure after rejectYes
Settings available laterYes

A simple rule:

Rejecting non-essential tracking should be no harder than accepting it.

Step 3: Test technical enforcement

After each choice, scan:

StateWhat to test
Pre-consentNon-essential tools blocked
Reject allAds, analytics, pixels, tags blocked
Accept allTools load only after consent
Granular choiceCategories behave separately
WithdrawalTracking stops after revocation

Evidence should include cookies, localStorage, sessionStorage, network requests, scripts, tags, and pixels.

Step 4: Check market-pressure factors

For larger platforms or essential services, add:

QuestionWhy
Is there a free alternative without behavioral ads?Real choice
Is the paid option priced reasonably?Avoid coercion
Is refusal punished by loss of core service?Detriment
Are users locked into the platform?Dependency
Are services bundled?Specificity
Is data combined across services?Consent scope

Step 5: Produce a consent defensibility score

A practical score might include:

AreaWeight
Interface fairness25
Technical enforcement25
Transparency20
Granularity10
Withdrawal10
Market pressure review10

This gives teams a way to compare banners beyond opt-in rate.

10. Common findings and fixes

Finding 1: Reject is hidden behind settings

Risk: Users are steered toward acceptance.

Fix: Put "Reject all" on the first layer with equal prominence.

Finding 2: Advertising and analytics are bundled

Risk: Consent is not specific enough.

Fix: Separate purposes into distinct categories and ensure technical controls follow those categories.

Finding 3: Behavioral ads are the only free option

Risk: Consent may not be freely given, especially for large platforms or important services.

Fix: Offer a less intrusive free alternative, such as contextual advertising or limited-data advertising.

Finding 4: User rejects, but pixels still fire

Risk: Consent UI is misleading and technical controls fail.

Fix: Block ad and analytics tags until the relevant consent category is active.

Finding 5: Consent is repeatedly requested after refusal

Risk: Repetition creates pressure and fatigue.

Fix: Respect refusal for a reasonable period and allow the user to reopen settings voluntarily.

Finding 6: Vendor list is too complex to understand

Risk: Consent may not be informed.

Fix: Use layered notices: purpose summary, key vendors, full vendor list, search, and plain-language explanations.

11. Practical checklist for 2026

Use this checklist before deploying or updating a consent banner.

QuestionGood answer
Is "Reject all" visible on the first layer?Yes
Is rejecting as easy as accepting?Yes
Are optional categories off by default?Yes
Are analytics, ads, and personalization separate?Yes
Are vendors clearly named or accessible?Yes
Does the browser match the consent choice?Yes
Are pixels and tags blocked before consent?Yes
Does withdrawal stop future tracking?Yes
Is behavioral advertising separated from contextual or basic advertising?Yes
Is there a less intrusive alternative where appropriate?Yes
Is the banner readable on mobile?Yes
Are dark patterns documented and removed?Yes
Is the consent log backed by technical evidence?Yes
Have you assessed power imbalance or service dependency?Yes, where relevant

12. Why this matters for compliance tools

Consent auditing tools should evolve beyond "cookie found / cookie not found."

A serious 2026 scanner should test:

LayerWhat to detect
UI designDark patterns, reject parity, preselection
Browser storageCookies, localStorage, sessionStorage
NetworkPixels, beacons, third-party calls
Scripts and tagsGTM, ad SDKs, analytics SDKs
Purpose mappingAnalytics, advertising, personalization, security
Vendor mappingNamed vendor vs observed domain
Consent statePre-consent, reject, accept, withdrawal
Market contextLarge platform, workplace, school, essential service
EvidenceScreenshots, HAR, storage dumps, timestamps

This is where privacy engineering meets product ethics.

A banner that gets a 90% opt-in rate may be a business success but a compliance risk if it achieves that rate through pressure, opacity, or broken rejection.

Conclusion

Consent is no longer just a checkbox.

It is a design system, a technical control, a market interaction, and a regulatory risk area.

The EDPB's 2026 work on the interplay between competition and data protection shows that regulators are looking beyond isolated privacy notices and toward the wider environment in which people make data choices.

For companies, the practical rule is:

Consent must be real, not merely recorded.

That means:

  1. no dark patterns,
  2. equal reject and accept paths,
  3. clear purpose separation,
  4. honest vendor disclosure,
  5. technical blocking before consent,
  6. working rejection and withdrawal,
  7. careful review of behavioral advertising,
  8. extra caution where market power or user dependency exists.

The future of consent compliance is not just whether the user clicked.

It is whether the user had a fair choice.

Sources

  1. EDPB, Stakeholder event on competition and data protection, 23 April 2026.
  2. EDPB, Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms, 17 April 2024.
  3. European Union, Digital Markets Act, official overview.
  4. The Guardian, EU fines Apple and Meta for breaching fair competition rules, 23 April 2025.
  5. The Verge, Facebook and Instagram will let European users see fewer personal ads, January 2026.
NEXT STEP

Ready to automate your compliance?

Complicer scans your website, identifies compliance issues, and generates evidence packages — all in under 5 minutes.

START FREE AUDIT →
ComplicerAUDIT GRADE

Outcome-driven GDPR compliance — banners that actually work, evidence you can show your auditor.

GDPR-ALIGNED · SHA-256 · Ed25519 · EU-W1
PRODUCT
Free scanUse casesMethodologyEU AI ActPricingDocsBlog
COMPANY
ContactSecurity
LEGAL
PrivacyTermsComplaint
EVIDENCE CHAIN INTACT · SHA-256 · Ed25519 · RFC 3161-READY© 2026 COMPLICER