The line that matters sits buried in the mechanics of a consent box: a $49 cookie banner plugin that creates a compliance checkbox without protecting the data signals that advertising platforms need to function. It is sold as legal cover. It behaves like a switch.
The effect shows up elsewhere first. A marketing dashboard reports half the conversions it used to. The explanation lands with a bluntness agencies recognise: remarketing audiences shrunk by 60% last quarter. When Google Ads optimization stopped working, the instinct was to blame strategy. It wasn’t. The culprit isn’t campaign strategy. The system had been starved of the data it was built to ingest.
Regulation trimmed the system without dismantling it, leaving a thinner but still functional data flow
That starvation was not the intention of the rules now shaping the market. The study explores the impact of the General Data Protection Regulation (GDPR) on the trackers that follow users across the web. It compares publishers inside and outside its reach over 32 months from May 2017 to December 2019. The conclusion is precise: online tracking increased everywhere, but the rise was less significant where GDPR applied. In practice, the GDPR reduced about four trackers per publisher. Not a purge. A trim.
The detail matters because it exposes what the regulation actually did. It did not dismantle the tracking economy; the GDPR was particularly effective in curbing privacy invasive trackers—the most aggressive forms of data extraction—while leaving the broader system intact. The pipes still run. They just leak less.
What has changed since is not the volume of data, but the conditions under which it moves. The industry has moved away from the cookieless future toward a hybrid reality with user choice as a basis for cookie activation or blocking. The turning point came when Google decided to keep cookies active but introduced a "User Choice" experience. Control did not disappear into the browser. It moved onto the screen.
Consent becomes friction as control shifts to the interface and regulators target its design
That shift rewired incentives. If users now are given clearer, more persistent controls to opt out of tracking, the moment of consent becomes a point of friction, not a formality. Regulators have noticed. Regulators worldwide are cracking down on dark patterns, and the European Commission wants to require one-click reject buttons. The interface itself is becoming the battleground.
Companies have responded by building an industry around that interface. The consent management market is witnessing rapid growth as organizations prioritize compliance with GDPR and its equivalents. It is not a fragmented ecosystem. The consent management market is highly consolidated, with leading vendors such as OneTrust, TrustArc, and BigID dominate the market and hold the majority of share. Compliance has scale economics.
But the product they sell carries a contradiction. The same systems that document consent also gate the flow of data that underpins digital advertising. When they fail—or are implemented as a box-ticking exercise—the effect is immediate. 67% of Consent Mode v2 setups fail to meet compliance standards. The gap is not theoretical. It sits between what is recorded as permission and what is technically usable.
The industry’s top line suggests none of this has broken the model. U.S. digital advertising revenue hit $258.6B in 2024, up sharply, while Europe logged another year of acceleration with Social, Video, and Retail Media leading the way. Growth has not stalled. It has shifted. Commerce media, CTV, AI adoption and first-party data strategies now drive expansion. The system adapts.
Growth continues but the distribution of usable data tilts toward those with direct user relationships
That adaptation depends on something increasingly fragile: reliable access to user data at the moment of consent. When a consent layer blocks signals, the loss is not evenly distributed. Platforms built on aggregated, first-party data can absorb it. Those reliant on third-party tracking cannot. The architecture of the market starts to tilt.
The enforcement record shows where regulators draw the line. In Italy, a €3.3 million fine was issued after Sky Italia improperly processed and used customer data for promotional purposes. Customers received unsolicited telemarketing calls that did not stop. The sanction went further: Sky Italia may no longer use third-party contact lists without proof of consent. Consent is not a banner. It is evidence.
That requirement collides with the way much of the industry still operates. Browsing data and other information are collected through tracking technologies like cookies, pixels, fingerprinting, web storage, and scripts. At the same time, companies state openly that they may also access and store information without consent when necessary to provide their services and ensure their security. The boundary between necessary and optional is where enforcement now sits.
What looks like strength in this system—continued revenue growth, consolidated compliance vendors, persistent tracking—rests on an assumption that is already under strain: that the act of asking for consent does not materially degrade the data being asked for. The evidence says otherwise. When consent is made explicit, measurable portions of users refuse it. When refusal is easy, more do.
The consequence is not a collapse in advertising. It is a reallocation of who can see what. The companies that own direct relationships with users can still ask—and sometimes receive—permission. Those that depend on invisible tracking cannot ask without revealing themselves. The consent layer does not remove data. It redistributes it.
That redistribution is already visible in the systems built to manage it. A market dominated by a handful of vendors now sits between users and the data flows that determine advertising performance. They record consent, enforce it, and increasingly decide what counts as compliant signal. They are not just intermediaries. They are gatekeepers.
The pressure lands there. A consolidated layer of consent platforms controls whether data exists in a usable form, while regulators demand stricter proof that the data should exist at all, and users are given clearer tools to refuse. The advertising market can still grow under those conditions—as the revenue figures show—but it grows on data that is thinner, more conditional, and unevenly distributed. The system has not lost its dependence on tracking. It has lost its certainty that the tracking will be there.
