ABSTRACT
When lawmakers regulate new technologies, firms face a Coasean choice: whether to make compliance in-house or to buy it from specialized providers. Because compliance is costly and economies of scale exist, intermediaries have emerged in many markets to supply compliance services. We examine one such market: the collection and processing of user consent for personal data under the European Union’s General Data Protection Regulation (GDPR). Many websites, particularly smaller ones, outsource this task to Consent Management Platforms (CMPs). Although CMPs are designed to help firms meet legal obligations, prior work suggests they may also employ dark patterns or align with advertising technology firms. We analyze the role of CMPs in digital regulation using a dataset of 32,899 websites across 12 European countries in 11 languages that we observed over eight months. We find that websites adopting CMPs process less personal data and commit fewer privacy violations, on average. CMP adoption does not significantly affect the prevalence of dark patterns in consent notices. However, CMPs that pursue aggressive tracking strategies and maintain ties to ad-tech firms are disproportionately represented among providers with larger market shares. These findings suggest that while CMPs can mitigate compliance risks, the structure of intermediary markets and intermedaries’ own incentives may undermine the goals of digital regulation.
Zac, Amit and Bechtold, Stefan, Markets for Consent (January 15, 2026).
Leave a Reply