Most people describe cookie banners as if the whole problem were already obvious. The boxes are ugly. The buttons are manipulative. Everyone clicks whatever makes the thing disappear.
That description is not wrong. It is too small.
The deeper problem is that a layered legal demand was turned into a public ritual of pressure, fatigue, and routing. Consent was supposed to become more legible, more specific, and more reversible. Much of the market built the opposite: a consent industry where the easiest path is often the least reflective one.
The public story is still wrong at the foundation. People say GDPR banner as if the whole thing began in 2018. It did not.
The current mess sits on at least two EU legal layers. First there is the older ePrivacy / cookie layer around storing or accessing information on terminal equipment. Then there is the GDPR layer that matters when the later tracking becomes personal-data processing. One reason the interface culture around consent became so deceptive is that these layers are repeatedly flattened into one vague performance: a box appears, a button glows, and the site pretends to have translated law into choice.
But that was never really the demand.
Directive 2002/58/EC created the special communications-privacy layer. Directive 2009/136/EC then hardened article 5(3) into the practical consent pivot people now think of as the cookie rule. So the story was never simply GDPR created banners. The EU first created a special storage/access rule and later the market had to expose that rule publicly.
GDPR made the problem denser, not simpler. Regulation (EU) 2016/679 did not replace the older layer. It added another. One layer now concerned storage or access on the device; the other concerned the later processing of the resulting data. That overlap is exactly the kind of condition bad interface design can exploit.
The legal hardening kept going. Planet49 made active consent harder to fake: no pre-ticked boxes, and real information duties around duration and third-party access. The EDPB pushed in the same direction: passive gestures like scrolling were not real consent, and cookie-wall pressure came under stronger scrutiny. Then IAB Europe widened the frame again by making it harder to pretend that the consent infrastructure itself was just neutral plumbing under the visible modal. The CMP / TCF layer entered the legal story too.
That matters because the banner is often not the whole object. It is the visible front edge of a larger routing stack.
Across the first market pass, the same pattern kept returning. Le Monde exposes a permanent Gestion des cookies re-entrypoint. EL PAÍS ties privacy logic to subscriber routing. Spiegel shows a strong Sourcepoint structure with purpose and vendor layering. Corriere mixes Google Funding Choices with its own wrapper logic. Even where the visible layer looks like one box, the surrounding architecture already suggests something larger than a simple user choice.
The first visible asymmetry is not simply accept is easier than reject. It is more specific than that. The first visible choice is often framed as accept versus some other route: subscribe, read ad-free, or enter a weaker settings path.
Le Monde is a clean example. The first layer gives the user a strong Accepter et continuer button, an alternative subscription route, and no equally visible plain rejection path. EL PAÍS does something similar: accept cookies and browse, or subscribe. Spiegel splits the box between Consent and continue and Subscribe now, with Preferences placed below the two dominant routes. Corriere is sharper still: ACCETTA E CONTINUA is the strong main action, PREFERENZE is weaker, and refusal is folded into Rifiuta e abbonati.
That alone already damages the fiction that these are neutral consent tools. But Corriere and Spiegel make the deeper structure harder to excuse.
Corriere is one of the strongest cases in the pack. Acceptance is one strong action at the first layer. Resistance means entering a deeper panel full of purpose-level Deny / Accept decisions, third-party structure behind that, and subscription logic still entangled inside the flow. The system does not literally remove resistance. It displaces resistance into labor.
Spiegel is stronger still because the layers are so legible. The first layer is simple: Consent and continue or Subscribe now, with Preferences below. But once the user goes deeper, the interface expands into explicit purpose-level Accept / Reject controls, consent required markings, long vendor lists, and then, at the bottom, the asymmetry returns again: Apply settings sits weaker than Accept all.
In both cases the shape is the same. Acceptance is a headline action. Resistance is a workflow.
That is the real diagnosis. The problem is not merely that banners annoy people. The problem is that many consent systems are asymmetric across layers.
At the first layer, one route is made operational, another is made paid, and the more resistant route is displaced into settings. Then, inside settings, choice fragments into purposes, then into vendors, and then into a weaker save or apply action. The user can resist, but only by doing more work than the user who accepts.
That is not what a readable and reversible public act of choice should look like.
An honest consent layer would not need to be pretty. It would need to be direct. It would show what exists, who set it, why it exists, how long it lives, what changes if the user refuses, and how to reverse the decision later without digging through policy fog. It would not turn refusal into a subscription path. It would not make resistance denser than acceptance. And it would not pretend that category sprawl and vendor sprawl are the same thing as meaningful control.
That later tool question comes second.
First the article has to hold the simpler line that the market failed a simpler demand. Consent was not supposed to become theater. It was supposed to become a legible public act of choice. What much of the banner industry built instead was a routing layer for fatigue.
— Dennis Hedegreen, follow the data
