For years, cookie banners were treated as a privacy compliance problem.
The question was usually:
"Did the user consent?"
That question is still important, but it is no longer enough.
In 2026, European regulators are increasingly looking at a broader question:
"Was the user given a real choice in a digital market where platforms, interfaces, and advertising systems shape that choice?"
On 23 April 2026, the European Data Protection Board announced a stakeholder event on the interplay between competition and data protection, organised with the European Commission. The event, scheduled for 29 June 2026, is intended to support upcoming guidelines on this topic and reflects the EDPB's wider focus on cross-regulatory cooperation.
This matters because consent is not created in a vacuum. Consent is affected by:
- interface design,
- platform dependency,
- market power,
- advertising business models,
- user lock-in,
- information asymmetry,
- data combination across services,
- dark patterns.
A consent banner can be technically present and still fail as a real choice.
1. Why competition law and data protection are now connected
Data protection asks whether personal data is processed lawfully, fairly, transparently, and with respect for individual rights.
Competition law asks whether markets are fair, contestable, and not distorted by dominant or gatekeeper power.
In digital markets, these two questions increasingly overlap.
Why?
Because personal data is not only privacy-sensitive. It can also be a competitive asset.
A company with access to large amounts of user data can improve targeting, personalization, ad measurement, product optimization, and lock-in. That can make the service better, but it can also reinforce market power if users have no realistic alternative or if competitors cannot match the data advantage.
The EU's Digital Markets Act, for example, is explicitly designed to make digital markets fairer and more contestable.
For compliance teams, the key insight is:
A consent flow can be legally risky not only because it collects personal data, but because it uses design and market position to pressure users into data sharing.
2. The consent question is becoming more economic
Traditional cookie compliance focuses on whether consent is valid under GDPR and ePrivacy-style rules.
A wider 2026 view asks whether the user's choice is meaningful in the real market context.
| Traditional privacy question | Competition-aware question |
|---|---|
| Did the user click "Accept"? | Did the user have a real alternative? |
| Was a reject button shown? | Was rejection equally easy and non-punitive? |
| Was consent specific? | Was the user forced to accept broad data combination to access a dominant service? |
| Was the banner clear? | Was the interface designed to steer users toward data sharing? |
| Was the vendor disclosed? | Does the platform's data advantage limit competition? |
| Was the legal basis recorded? | Is consent being used to legitimize market-power-driven data extraction? |
This does not mean every small website is a competition-law case.
A local business using a cookie banner is not the same as a large platform with cross-service data combination and behavioral advertising.
But the regulatory direction matters for everyone because it changes expectations around "real choice".
3. Consent or pay: the model that exposed the problem
The clearest example is the consent or pay model.
In a consent-or-pay model, users are asked to choose between:
- consenting to personal data processing, often for behavioral advertising, or
- paying a fee to access the service without that processing.
In Opinion 08/2024, the EDPB assessed consent-or-pay models implemented by large online platforms. The opinion focused on large platforms that attract large numbers of users in the EEA and process personal data for behavioral advertising.
The EDPB's concern was not simply that payment exists. The deeper concern is whether users of large platforms can freely consent when the alternative is paying, leaving, or losing access to an important service.
The opinion is especially relevant because it treats consent quality as dependent on context:
| Factor | Why it matters |
|---|---|
| Platform size | Users may depend on the service |
| Network effects | Leaving may mean losing social, professional, or commercial access |
| Fee level | A high fee can pressure users to consent |
| Behavioral advertising | The processing may be extensive and intrusive |
| Alternative service | Users may need an equivalent option without behavioral advertising |
| Power imbalance | Consent may not be freely given where the controller has strong leverage |
For website owners, the lesson is broader:
Consent is not valid just because the user clicked. The surrounding choice architecture matters.
4. The DMA pushed this issue into competition enforcement
The Digital Markets Act creates obligations for large gatekeeper platforms. Its purpose is to make digital markets fairer and more contestable.
Meta's advertising model became one of the most visible examples of the overlap between privacy and competition. In 2025, the European Commission fined Meta €200 million under the DMA for its "consent or pay" model, finding that users were not offered a less personalized but equivalent alternative. Reuters and other outlets reported that the Commission expected users to have a meaningful choice over the combination and use of personal data for advertising.
In January 2026, Meta introduced new ad personalization options for Facebook and Instagram users in the EU, giving users a choice between fully personalized advertising and a less personalized ad experience using less data.
The important compliance lesson is not "every business is Meta."
The lesson is:
Regulators are no longer looking only at whether consent exists. They are looking at whether the design of choice preserves user autonomy and market fairness.
5. Dark patterns make consent less reliable
A dark pattern is an interface design that manipulates or steers users toward a choice they might not otherwise make.
In privacy contexts, dark patterns can make consent invalid or at least legally risky because they weaken the user's free, informed, and unambiguous choice.
Common consent dark patterns include:
| Pattern | Example | Compliance concern |
|---|---|---|
| Visual hierarchy manipulation | "Accept all" is bright; "Reject" is grey or hidden | User is pushed toward consent |
| Obstruction | Reject takes 3 clicks; accept takes 1 | Refusal is not as easy as acceptance |
| Ambiguous labels | "Continue", "OK", "Got it" | User may not understand they are consenting |
| Preselected options | Advertising or analytics already checked | Consent is not active and specific |
| Confirm-shaming | "No, I do not want a better experience" | Emotional pressure |
| Forced bundling | Analytics, ads, and personalization accepted together | Consent is not granular |
| Repeated prompts | Users are asked again and again after rejecting | Pressure and fatigue |
| Deceptive necessity | Adtech placed under "strictly necessary" | Misleading purpose classification |
These design issues are not cosmetic. They affect whether consent is valid.
For compliance teams, banner design must be tested like a product control, not reviewed only as a legal notice.
6. Market power changes the consent analysis
The same banner design can have different implications depending on context.
A small blog, a national news site, a dominant social network, and a workplace platform do not create the same user choice environment.
| Context | Consent pressure |
|---|---|
| Small optional website | User can leave easily |
| News site with paywall | User may face information access trade-off |
| Workplace software | Employee may not feel free to refuse |
| School platform | Student may have no practical alternative |
| Dominant social network | Leaving may mean social exclusion |
| Gatekeeper platform | Cross-service data control may affect markets |
| Essential service | Refusal may affect access to important services |
That does not mean consent is impossible in high-dependency contexts. But it means the controller must be more careful.
Questions to ask:
| Question | Why it matters |
|---|---|
| Can the user realistically refuse? | Freely given consent |
| Does refusal reduce core service access? | Possible detriment |
| Is there an equivalent alternative? | Real choice |
| Is the fee reasonable if payment is offered? | Avoid coercive pricing |
| Is behavioral advertising separated from basic ads? | Data minimisation |
| Can users choose less personalized processing? | Granularity |
| Is consent bundled across services? | Specificity and market power |
| Are users repeatedly pressured after refusing? | Dark pattern risk |
7. What this means for consent banners
A competition-aware consent banner should be designed around genuine choice.
Weak consent design
| Problem | Example |
|---|---|
| One dominant accept button | "Accept all" is the only obvious action |
| Hidden reject | Reject is behind "Manage options" |
| Bundled purposes | Analytics, ads, personalization together |
| Vague description | "We use data to improve your experience" |
| Vendor overload | Hundreds of vendors with no usable explanation |
| No easy withdrawal | Settings hard to find later |
| No non-tracking alternative | User must accept behavioral ads or leave/pay |
Strong consent design
| Good practice | Example |
|---|---|
| Equal first-layer choices | Accept all / Reject all / Manage choices |
| Plain language | "Advertising cookies let us measure ads and show personalized ads." |
| Purpose separation | Necessary, analytics, advertising, personalization |
| Vendor clarity | Named vendors or accessible vendor list |
| Real rejection | Reject blocks non-essential technologies technically |
| Easy withdrawal | Privacy settings link available later |
| Less intrusive alternative | Contextual ads or limited-data ads instead of behavioral ads |
| Evidence logging | Timestamped consent state and browser behavior proof |
The strongest banner is not the one that maximizes opt-in rate. It is the one that maximizes defensible consent quality.
8. Behavioral advertising is the pressure point
Behavioral advertising sits at the center of this debate because it often depends on:
- persistent identifiers,
- cross-site tracking,
- profiling,
- data combination,
- auction systems,
- large vendor ecosystems,
- measurement pixels,
- retargeting.
That creates both privacy and competition questions.
From a privacy perspective:
| Issue | Concern |
|---|---|
| Profiling | Users may be categorized and targeted |
| Cross-site tracking | Data is collected beyond one website |
| Vendor complexity | Users cannot understand who receives data |
| Consent fatigue | Users click without understanding |
| Sensitive inference | Interests may reveal sensitive attributes |
| Data minimisation | Large-scale tracking may exceed necessity |
From a competition perspective:
| Issue | Concern |
|---|---|
| Data advantage | Larger platforms can collect and combine more data |
| Market dependency | Publishers and advertisers depend on dominant ad systems |
| Lock-in | Users and businesses cannot easily switch |
| Self-preferencing | Platforms may favor their own ad services |
| Consent leverage | Dominant services can pressure users more effectively |
This is why the EDPB and European Commission are working on the interplay between competition and data protection.
9. How to audit consent design scientifically
A modern consent audit should examine both UI and browser behavior.
Step 1: Capture the interface
Record:
| Evidence | Why |
|---|---|
| First banner screenshot | Shows initial choice architecture |
| Button labels | Detects ambiguity |
| Button styling | Detects visual pressure |
| Click path | Measures effort to reject vs accept |
| Category defaults | Detects preselection |
| Vendor list access | Tests transparency |
| Mobile layout | Mobile banners often differ |
| Dark pattern notes | Documents manipulation risk |
Step 2: Measure choice parity
Compare accept and reject flows.
| Metric | Good result |
|---|---|
| Clicks to accept | 1 |
| Clicks to reject | 1 |
| Visual prominence | Comparable |
| Language clarity | Clear |
| No preselected optional purposes | Yes |
| No repeated pressure after reject | Yes |
| Settings available later | Yes |
A simple rule:
Rejecting non-essential tracking should be no harder than accepting it.
Step 3: Test technical enforcement
After each choice, scan:
| State | What to test |
|---|---|
| Pre-consent | Non-essential tools blocked |
| Reject all | Ads, analytics, pixels, tags blocked |
| Accept all | Tools load only after consent |
| Granular choice | Categories behave separately |
| Withdrawal | Tracking stops after revocation |
Evidence should include cookies, localStorage, sessionStorage, network requests, scripts, tags, and pixels.
Step 4: Check market-pressure factors
For larger platforms or essential services, add:
| Question | Why |
|---|---|
| Is there a free alternative without behavioral ads? | Real choice |
| Is the paid option priced reasonably? | Avoid coercion |
| Is refusal punished by loss of core service? | Detriment |
| Are users locked into the platform? | Dependency |
| Are services bundled? | Specificity |
| Is data combined across services? | Consent scope |
Step 5: Produce a consent defensibility score
A practical score might include:
| Area | Weight |
|---|---|
| Interface fairness | 25 |
| Technical enforcement | 25 |
| Transparency | 20 |
| Granularity | 10 |
| Withdrawal | 10 |
| Market pressure review | 10 |
This gives teams a way to compare banners beyond opt-in rate.
10. Common findings and fixes
Finding 1: Reject is hidden behind settings
Risk: Users are steered toward acceptance.
Fix: Put "Reject all" on the first layer with equal prominence.
Finding 2: Advertising and analytics are bundled
Risk: Consent is not specific enough.
Fix: Separate purposes into distinct categories and ensure technical controls follow those categories.
Finding 3: Behavioral ads are the only free option
Risk: Consent may not be freely given, especially for large platforms or important services.
Fix: Offer a less intrusive free alternative, such as contextual advertising or limited-data advertising.
Finding 4: User rejects, but pixels still fire
Risk: Consent UI is misleading and technical controls fail.
Fix: Block ad and analytics tags until the relevant consent category is active.
Finding 5: Consent is repeatedly requested after refusal
Risk: Repetition creates pressure and fatigue.
Fix: Respect refusal for a reasonable period and allow the user to reopen settings voluntarily.
Finding 6: Vendor list is too complex to understand
Risk: Consent may not be informed.
Fix: Use layered notices: purpose summary, key vendors, full vendor list, search, and plain-language explanations.
11. Practical checklist for 2026
Use this checklist before deploying or updating a consent banner.
| Question | Good answer |
|---|---|
| Is "Reject all" visible on the first layer? | Yes |
| Is rejecting as easy as accepting? | Yes |
| Are optional categories off by default? | Yes |
| Are analytics, ads, and personalization separate? | Yes |
| Are vendors clearly named or accessible? | Yes |
| Does the browser match the consent choice? | Yes |
| Are pixels and tags blocked before consent? | Yes |
| Does withdrawal stop future tracking? | Yes |
| Is behavioral advertising separated from contextual or basic advertising? | Yes |
| Is there a less intrusive alternative where appropriate? | Yes |
| Is the banner readable on mobile? | Yes |
| Are dark patterns documented and removed? | Yes |
| Is the consent log backed by technical evidence? | Yes |
| Have you assessed power imbalance or service dependency? | Yes, where relevant |
12. Why this matters for compliance tools
Consent auditing tools should evolve beyond "cookie found / cookie not found."
A serious 2026 scanner should test:
| Layer | What to detect |
|---|---|
| UI design | Dark patterns, reject parity, preselection |
| Browser storage | Cookies, localStorage, sessionStorage |
| Network | Pixels, beacons, third-party calls |
| Scripts and tags | GTM, ad SDKs, analytics SDKs |
| Purpose mapping | Analytics, advertising, personalization, security |
| Vendor mapping | Named vendor vs observed domain |
| Consent state | Pre-consent, reject, accept, withdrawal |
| Market context | Large platform, workplace, school, essential service |
| Evidence | Screenshots, HAR, storage dumps, timestamps |
This is where privacy engineering meets product ethics.
A banner that gets a 90% opt-in rate may be a business success but a compliance risk if it achieves that rate through pressure, opacity, or broken rejection.
Conclusion
Consent is no longer just a checkbox.
It is a design system, a technical control, a market interaction, and a regulatory risk area.
The EDPB's 2026 work on the interplay between competition and data protection shows that regulators are looking beyond isolated privacy notices and toward the wider environment in which people make data choices.
For companies, the practical rule is:
Consent must be real, not merely recorded.
That means:
- no dark patterns,
- equal reject and accept paths,
- clear purpose separation,
- honest vendor disclosure,
- technical blocking before consent,
- working rejection and withdrawal,
- careful review of behavioral advertising,
- extra caution where market power or user dependency exists.
The future of consent compliance is not just whether the user clicked.
It is whether the user had a fair choice.
Sources
- EDPB, Stakeholder event on competition and data protection, 23 April 2026.
- EDPB, Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms, 17 April 2024.
- European Union, Digital Markets Act, official overview.
- The Guardian, EU fines Apple and Meta for breaching fair competition rules, 23 April 2025.
- The Verge, Facebook and Instagram will let European users see fewer personal ads, January 2026.