The banner appeared again this morning. A website you've visited dozens of times asked, once more, whether you consent to cookies. You clicked through without reading. So did almost everyone else. Somewhere behind that banner, a consent management platform recorded your choice, translated it into a signal, and passed it along to an advertising system that may or may not have respected it.
That banner is the visible tip of something heavy. Beneath it sits a stack of workarounds, each one built to manage the consequences of the layer below.
It started with a session-state mechanism that let websites remember visitors between page loads. That capability turned out to be extraordinarily useful for tracking people across the web, which was never quite the intended purpose. Tracking at scale attracted regulatory attention, and in 2002 the EU's ePrivacy Directive required consent for non-essential cookies. The first attempt to put a regulatory lid on a technical capability. The lid didn't fit. Consent banners appeared on websites across Europe, and users clicked through them the way you clicked through yours this morning.
So GDPR arrived in 2018, a bigger workaround for the failure of the previous one. Explicit consent requirements. Real enforcement. Fines that could reach into the billions. But GDPR's complexity created its own problem: compliance was now too intricate for most organizations to manage alone. Consent management platforms emerged to handle the translation between regulation and implementation. They became a $900 million market. Compliance complexity, commercialized.
Then Google introduced Consent Mode to translate consent signals into ad measurement behavior, making version 2 mandatory in 2024 under pressure from the Digital Markets Act. Another layer. Another workaround stacked on top of the last.
Each layer accumulated on the ones before it. The original mechanism still runs underneath all of them.
A study of 254,148 websites across 31 EU countries found only 15% meeting minimum GDPR compliance requirements. One vendor analysis of Consent Mode v2 deployments reports 67% have technical errors, with most defaulting to "granted" before users actually choose. That figure comes from a company with a commercial interest in the problem, so treat it as directional. But the pattern it describes is consistent with what compliance teams observe: misconfigured signals, tags firing despite denial, marketing data quietly diverging from reality.
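As an added example (not from this article or from any vendor's tooling), here is a small JavaScript audit over a recorded sequence of `gtag()` commands that flags the failure described above: consent signals that default to "granted", or tags that run before any default exists. The command logs, the `G-EXAMPLE` ID and the function name `auditConsentDefaults` are constructed for illustration; the four signal names are the Consent Mode v2 parameters.

```javascript
// Added example: audit a recorded sequence of gtag() commands (constructed data).
const V2_SIGNALS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

function auditConsentDefaults(commands) {
  const findings = [];
  const state = {};          // effective value of each signal after the last command
  let sawDefault = false;

  commands.forEach(([cmd, arg, params], i) => {
    if (cmd === 'consent' && arg === 'default') {
      sawDefault = true;
      for (const sig of V2_SIGNALS) {
        if (!(sig in params)) findings.push(`#${i}: default omits ${sig}`);
        else if (params[sig] === 'granted') findings.push(`#${i}: ${sig} defaults to granted`);
        if (sig in params) state[sig] = params[sig];
      }
    } else if (cmd === 'consent' && arg === 'update') {
      if (!sawDefault) findings.push(`#${i}: update with no prior default`);
      for (const sig of V2_SIGNALS) if (sig in params) state[sig] = params[sig];
    } else if ((cmd === 'config' || cmd === 'event') && !sawDefault) {
      // Tags that run before a default is declared are not governed by one.
      findings.push(`#${i}: ${cmd} ${arg} ran before any consent default`);
    }
  });
  return { findings, state };
}

// Constructed command logs, in the order a page issued them.
const misconfigured = [
  ['config', 'G-EXAMPLE'],
  ['consent', 'default', { ad_storage: 'granted', analytics_storage: 'granted' }],
  ['event', 'page_view'],
  ['consent', 'update', { ad_storage: 'denied', analytics_storage: 'denied' }],
];
const corrected = [
  ['consent', 'default', { ad_storage: 'denied', analytics_storage: 'denied',
                           ad_user_data: 'denied', ad_personalization: 'denied' }],
  ['config', 'G-EXAMPLE'],
  ['event', 'page_view'],
  ['consent', 'update', { analytics_storage: 'granted' }],
];

console.log(auditConsentDefaults(misconfigured).findings);
console.log(auditConsentDefaults(corrected));
```

In the misconfigured log the visitor's later denial does arrive, but only after a tag has already run under a "granted" default, which is the gap between the banner and the signal beneath it.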
The regulation meant to modernize all of this, the ePrivacy Regulation, was supposed to arrive alongside GDPR in 2018. It was still being negotiated in 2024.
In February 2025, the EU withdrew the ePrivacy Regulation entirely. The cookie consent regime now runs on a directive last amended in 2009.
GDPR fines reached €2.3 billion in 2025, up 38% year-over-year. France's CNIL fined Google €150 million specifically for dark-pattern cookie banners. Enforcement accelerating against an infrastructure showing strain at every layer.
So the picture in 2026: a session-state mechanism generated a tracking ecosystem, which generated regulation, which generated a compliance industry, which generated implementation tools, which generated new failure modes. The regulation that was supposed to clean up the whole structure was abandoned. What remains is a 2009 directive as the legal foundation beneath a billion-dollar consent infrastructure that largely fails to do what it promises.
The banner on your screen right now likely has a misconfigured signal underneath it. The system probably knows, in the way systems know things: through error logs nobody has time to read.

