The proliferation of consent interfaces has created a form of consent fatigue, a phenomenon now firmly on the European Commission’s radar. This concern actually reveals both the success and the limits of the current model. It is a civil, economic and geopolitical issue with the feel of a European victory: through this reform ambition, the European legal framework has in fact shown that it has succeeded in imposing a standard, i.e. consent that is freely given, specific, informed and unambiguous.
Three models are now competing to shape the future of online consent. The first is the current model: heterogeneous, decentralised management, operated mainly by consent management platforms, or CMPs. The second is a model based on a centralised signal at browser level, currently being discussed as part of the Digital Omnibus. The third path is based on interoperability through a browser API, promoted by the European CMP Association. Its aim is to offer an alternative to consent fatigue by relying on competition between consent assistants, without sacrificing individual rights, business performance, or concentrating power in the hands of GAFAM.
Beyond their respective impact on consent fatigue, these three architectures redefine how the value of data is distributed across the economy, and the degree of sovereignty Europe intends to retain over its infrastructures. Here is a breakdown of the technical, economic, societal and geopolitical implications of the three models currently in competition.
The Current CMP Model: From the Success of an International Standard to the Rise of Consent Fatigue
The current model is based on a decentralised logic in which each website is responsible for collecting, transmitting and respecting consent. Consent management platforms, or CMPs, have become the operational tools used to meet this obligation following the implementation of the GDPR.
This model rests on the principle that consent must be expressed in a given context, for specific purposes, and in relation to identifiable actors. This requirement explains the very nature of the interfaces deployed since 2018. Each website becomes an autonomous collection point, responsible for explaining its own data uses through what has become the famous and now presumed guilty culprit of consent fatigue: the cookie banner.
This architecture enabled compliance to move rapidly up the list of business priorities by outsourcing its complexity to specialized solutions.
In certain markets, such as media, where the business model depends entirely on the quality and volume of data collected, it encouraged the emergence of standards such as IAB Europe’s Transparency and Consent Framework, or TCF, whose purpose is to ensure that user preferences are transmitted to all parties.
While this type of standard formalises a consent signal that can be used by third-party systems, it remains structured around a specific use case: programmatic advertising for content publishers. And in order to defend their economic interests, practices that sacrifice user experience have emerged, such as consent walls, legal purposes incomprehensible to ordinary users, and “Pay or Consent” systems. These practices have turned the consent step into a new source of frustration in the browsing experience.
This decentralisation therefore comes at a structural cost. Every user interaction becomes a potential point of friction, and the repetition of these interactions mechanically produces a saturation effect.
But this fatigue is not solely attributable to the quality of the interfaces. It also stems from technical constraints imposed by certain web giants. Privacy protection mechanisms built into browsers, such as the regular deletion of cookies resulting from Safari’s ITP and Firefox’s ETP, prevent consent choices from being saved over time.
By the same logic, embedded environments such as webviews integrated into mobile applications are separated from the main browsing environment and prevent access to previously expressed preferences. Under these conditions, the same user may be asked repeatedly for consent, even though they have already made their choice. This is without even mentioning App Tracking Transparency, or ATT, which adds a redundant step for Apple users, as the CNIL has pointed out.
This model of industrialised consent has also introduced a tension between compliance and economic performance. Publishers are encouraged to optimise their interfaces in order to maximise acceptance rates. Unfortunately, this optimisation sometimes leads to questionable design choices. But it also reflects the transformation of consent into a decisive revenue variable. In return, this ultimately creates a rather positive continuous improvement loop for end users, pushing the most exemplary websites to review and personalise their interfaces in order to improve transparency, education and user experience.
In short, this model reflects the success of the European initiative to establish free and informed consent, built on a well-distributed economic infrastructure in which each actor remains responsible for the consent relationship with its users. It is a legal victory now being exported around the world, as country after country adopts GDPR-like regulation while incorporating its own specific features. However, this success has also come with structural, technical, economic and experiential excesses which, as they have accumulated, have gradually undermined the fluidity of the user journey and contributed to the lasting emergence of consent fatigue. This has opened the debate on the future evolution of consent architecture itself.
At Axeptio, rather than seeing consent fatigue as an admission of failure, we see it as a signal that it’s time to innovate and take user preference customisation even further.
A Centralised Browser-Level Signal: The Digital Omnibus Gift to U.S. Big Tech
The idea of a single, centralised consent signal determined directly by the browser is part of a push to radically simplify the architecture of consent.
Proposed under Article 88b of the Digital Omnibus, this model promises to eliminate repeated CMP prompts by favouring a global preference expressed upstream, at browser level, “once and for all”.
Under the current model, consent is always expressed in a specific context. The user knows where they are and whom they are dealing with. They may decide, for example, to accept cookies on the website of their favourite media outlet or football club, because they trust it and understand how it uses data. Conversely, when faced with an unfamiliar e-commerce website, or an actor whose intentions are not clearly understood, they may refuse to share their data. Consent therefore becomes a decision tied to a specific actor, a purpose and a level of trust, as also demonstrated by a study conducted by the behavioral sciences unit of the DITP, which works in conjunction with the CNIL.
The browser-level centralised model proposed by Article 88b of the Digital Omnibus erases this contextual dimension. By asking the user to express a single preference before any browsing takes place, it forces them to make a uniform choice across situations in which they would not necessarily have made the same decision. Either they accept globally, at the risk of sharing their data with actors they would never have consented to; or they refuse globally, to the detriment of services to which they would have been willing to contribute.
This model therefore conflicts with the requirements of the GDPR. Under Articles 4(11) and 7, valid consent must be specific, informed and linked to defined purposes, within the framework of a precise processing operation carried out by a clearly identified controller. A global preference, defined independently of any usage context, can no longer meet these requirements.
Beyond this legal incompatibility, the model raises major economic issues. According to the European CMP Association, estimates anticipate a fall in consent rates of up to 80% if browser signals were to replace current mechanisms. Such a decline would have immediate consequences for advertising revenues.
This model would also deepen the existing imbalance between actors. Large platforms with closed ecosystems and authenticated users, able to rely on massive volumes of first-party data, are structurally less dependent on collected consent. By contrast, European actors, which rely on explicit consent signals to operate their analytics, personalisation and customer relationship tools, would see their ability to use data directly weakened.
The question of governance then becomes central. In practice, this would mean handing the infrastructure of consent to an extremely small number of actors, most of them non-European: Google through Chrome, Apple through Safari, Microsoft through Edge, and Mozilla, whose funding depends largely on Google. Yet initiatives such as Google’s Privacy Sandbox and Apple’s App Tracking Transparency have both been subject to investigations and proceedings for anti-competitive practices, precisely because the design of their consent mechanisms favoured their own ecosystems. These precedents make it difficult to trust their ability to design a consent architecture that does not primarily serve their own interests.
This concentration also directly contradicts the objectives of the Digital Markets Act, which specifically aims to limit the power of these gatekeepers. More broadly, it raises a question of sovereignty: entrusting an infrastructure as critical as consent to non-European actors amounts to outsourcing part of the control over the data economy.
That said, the role of the browser should not be dismissed. The ability to centralise part of consent management remains a relevant avenue for tackling consent fatigue. But such centralisation can only make sense if it is part of an architecture open to competition, respectful of the granularity of user choice, and in which the browser does not become the sole point of control, but one actor among others.
But such centralisation can only make sense if it preserves the specificity required by GDPR consent, and enables as many actors as possible to offer competing solutions, so that we do not end up centralizing centralisation itself.
Interoperability, APIs and Consent Assistants: Cutting Consent Fatigue Without Losing Granularity
To address the limits of the current model and propose another form of centralisation, a third path consists in organising interoperability between the different actors in the ecosystem (browsers, websites, CMPs, third-party services and others) so that user preferences can be exchanged in a real-time standardised way, with the aim of reducing exposure to cookie banners without abandoning contextual and granular consent.
This approach is part of a broader shift in digital practices, driven by the growing adoption of AI assistants able to make decisions on users’ behalf, including when it comes to managing their personal data.
As part of this shift, a new category of tools is emerging: consent assistants. Their role is to allow users to define preference rules, then apply them automatically and contextually as they browse. Where the browser model imposes a single, global response, these assistants preserve the granularity of choice by adapting it to each situation.
In practical terms, a user could, for example, indicate that they accept audience measurement on news websites they regularly visit, refuse all advertising profiling, but allow certain forms of personalisation on services to which they subscribe. When they later visit their favourite sports media website, which they trust, the assistant applies these preferences and authorises the corresponding uses without exposing the user to a banner during their browsing session.
If there is no assistant, the process does not change: the CMP is displayed, collects consent, and ensures its storage and transmission, as it does today. The architecture therefore remains fully compatible with existing practices. But when the user has a consent assistant, consent fatigue disappears: the dialogue no longer takes place between the CMP and the user, but directly between the CMP and the assistant.
However, for this dialogue to be possible, the different actors must first be able to understand one another. This is precisely the purpose of interoperability, promoted by initiatives such as navigator.consent, which proposes a browser API serving as a coordination layer between CMPs and consent assistants.
When a website loads, its CMP registers with the browser and exposes, in a structured format, the processing purposes and the third-party services involved. If no prior consent is available, a request is made. The consent assistant can then read this information, compare it with the user’s preferences, and apply a granular decision. This decision is sent to the CMP, which adjusts the signals accordingly. Consent is established without the user interacting with the CMP, and therefore without interrupting the browsing experience.
From a technical standpoint, this architecture does not add complexity. The integration effort lies mainly with browser providers, which already manage more complex APIs. For the other actors, it fits naturally within the continuity of the current model. Companies keep their existing CMPs and tools, while users can choose whether or not to adopt a consent assistant.
From an economic and political standpoint, this approach enables the emergence of a competitive market for consent assistants, avoiding the concentration of power in the hands of a few dominant actors. It preserves the role of European infrastructures and fits naturally within the broader dynamics of data sovereignty.
Several initiatives already exist that allow users to delegate the management of their consent to a trusted assistant. Taste is the solution we have developed at Axeptio, and it has already been adopted by thousands of Chrome, Safari and Firefox users. Other solutions also exist, such as Consent-O-Matic, SuperAgent and Consenter.eu. Each takes a different architectural approach, showing that innovation is not only possible, but necessary.
For users, the message becomes simple: installing a consent assistant allows them to browse without being confronted with a succession of banners, while retaining fine-grained control over their data. For businesses, consent remains usable, traceable and compliant. For regulators, it becomes possible to reconcile the fight against consent fatigue with the commitments initiated by the GDPR.
In conclusion, where the current model is beginning to show its limits, and where the model proposed by the Digital Omnibus carries risks for European actors as a whole, interoperability makes it possible to organise the evolution of consent without abandoning its founding principles.
