Capstone Chain · M5Module 5 of 6

The Consent Trap

Growth has a plan. Legal has a job.

Wednesday 4 November 2026, 16:42. Slack DM from James Okafor: "Operation Pulse Back launching Monday. Legal said LIA is fine, just reminding existing customers. Sign the form?"

Attached: a seven-line "LIA". A screenshot of the redesigned cookie banner with a big blue "Accept All" and a small grey "Manage preferences" link. A Braze plan targeting 310,000 lapsed users. Plus a deck titled "Voxly Partnership — Data-Append Boost": 18% re-engagement lift via enrichment from a health-lifestyle broker.

James is four months in. He's great at his job. He doesn't know Recital 47 is GDPR, not ePrivacy, and he thinks "analytics cookies" are strictly necessary. They aren't, under ePrivacy Art 5(3) per EDPB 2/2023 and CNIL. Fran is CC'd. €2.5M of Q4 hangs on this. Launch is Monday.

Learning Objectives

By the end of this module:

Distinguish GDPR Art 6 from ePrivacy Dir Art 13 — and apply both correctly to electronic marketing.
Apply EU cookie guidance (CNIL + EDPB) and EDPB deceptive-pattern rules to a real banner design.
Diagnose third-party data-append risk and apply Art 14 transparency.

Incident 1Wed 4 Nov 2026 · 16:42Aisha's desk — Slack

The Slack DM

Slack DM arrival · afternoon

James → Aisha · Slack DM

Hey — Operation Pulse Back launching Monday 09:00. Brief attached. Legal cleared last quarter's campaign on Recital 47 LI — reading same as this one. LIA is signed. Can you approve by EOD? Fran on CC.

The attached LIA is seven lines long. It says: Legitimate interest: re-engagement of lapsed existing customers. Necessity: alternative methods not available. Balancing: minimal intrusion, users can unsubscribe.

You know what's missing. Recital 47 lives under GDPR. ePrivacy Dir Art 13 (Ireland SI 336/2011) lives alongside GDPR for electronic-channel consent. Both need answering before Monday.

LIA Three-Part TestWed 4 Nov · 17:30

Operation Pulse Back — LIA

Four rows. Pick the correct answer per row. The output shapes what the LIA can and cannot defend on Monday.

0 of 4 answered.

Decision 1 of 3Wed 4 Nov · 18:14

The Lawful Basis Question

You've called James. He's cheerful. You've explained the two-layer issue — GDPR basis + ePrivacy consent — twice. He's still not quite seeing it.

Question: What lawful basis do you apply for the re-engagement email and SMS?

Consequence · +3 Defensibility

The Segmentation

Aisha · to James

94k of the 310k match soft-opt-in: in-retention, opt-out on every prior message, similar product. The other 216k need consent first.

James

That's… a meaningful haircut.

Aisha

Group 1 ships Monday. Group 2 gets a consent journey: slower, but higher conversion when it lands in Q1.

ePrivacy Dir Art 13 (Ireland SI 336/2011) permits "soft opt-in" for email and SMS where (a) details came from a sale or sale negotiation, (b) the marketing is for similar products, and (c) opt-out was offered at collection and every message since.

Art 6(1)(f) plus Recital 47 is the GDPR basis. ePrivacy is the separate electronic-channel layer. Art 83(5) ceiling: €20M / 4% turnover, and ePrivacy fines align via national law.

Legal Insight

Why This Was Defensible

Two layers: GDPR basis + ePrivacy consent. Only the paired analysis holds.
Google €50M (CNIL) is the baseline EU precedent and explicitly criticises opaque lawful-basis reasoning.

Consequence · +1 Defensibility

The Slow Version

Defensible — the LIA work adds evidence, but the same soft-opt-in segmentation is still required. Cost: 3-day analysis slip. Launch moves to Wednesday.

Legal Insight

Why This Is Mixed

Not wrong. Just slower than needed.
Same commercial outcome as choice-a with 3 days lost.

Consequence · −2 Defensibility

The Send

Recital 47 is a GDPR recital; it does NOT override ePrivacy Dir Art 13 (Ireland SI 336/2011). The ePrivacy Directive sits alongside GDPR, not under it — each Member State implements via national law (Ireland: SI 336/2011).

Sending to 310k where 216k are not within ePrivacy Art 13 soft opt-in is a direct ePrivacy breach, subject to Art 83(5) GDPR €20M ceiling.

Legal Insight

Why This Was Indefensible

Recital-47-only reasoning is the textbook growth-marketing mistake.
EU supervisory authorities have prosecuted this pattern through national ePrivacy implementations for over a decade.

BreatherThu 5 Nov · 11:00Marketing stand-up

The Banner

A/B dashboard · banner conversion

You walk into the marketing stand-up. Lena has pulled the A/B test dashboard for the banner redesign.

Variant B (current proposal): Prominent blue "Accept All" primary button. Grey underlined "Manage preferences" secondary link. No Reject-All at layer 1. Pre-ticked sub-toggles behind the "Manage" drawer.

Conversion: Variant B up 34% on accept rate.

Lena · Marketing Ops

Show me what legal has to be, I'll draft the A/B for the compliant version.

Dark-Pattern AuditThu 5 Nov · 12:40

Variant B — Mark Each Element

Seven elements. For each, mark "dark pattern" or "legitimate." ICO and EDPB references unlock as you go.

0 of 7 flagged.

Decision 2 of 3Thu 5 Nov · 14:00

The Banner Brief

Lena has pulled up her design system. James is standing next to her. Fran is watching remotely. You have three options.

Question: What banner brief do you give Lena?

Consequence · +3 Defensibility

The Rebuild

Banner Variant A · publish hover

Aisha · to Lena

Accept-All and Reject-All identical styling — same font, same colour, same weight, same layer. Manage as third equal option. No pre-ticked sub-toggles. Banner retires after a single rejection for 6 months. That's the brief.

Lena

Got it. A/B against current state — I'll bring the 6-week data to the December review.

James

Conversion's going to drop.

Aisha

Conversion measured against the wrong baseline is a number we don't need.

ICO 2019 cookie guidance — updated in the 2023 "reject all" campaign — requires equal prominence at layer 1 and no pre-ticked non-essential boxes.

EDPB 03/2022 taxonomises deceptive patterns that invalidate consent. CJEU Planet49 — pre-ticked boxes are not valid consent. Settled law since 2019.

Legal Insight

Why This Was Defensible

Art 7 — freely given consent requires genuine choice. Friction asymmetry invalidates.
There is no EU-wide "low-risk" cookie exemption. The ePrivacy Art 5(3) strictly-necessary carve-out does NOT cover behavioural-ad cookies.

Consequence · +1 Defensibility

The Compromise

Better than Variant B. Not compliant. Irish DPC / EDPB guidance uses the word "equivalent" — visual hierarchy suggesting Accept is primary fails equivalence.

Likely to pass a cursory DPC inspection but fail a complaint-triggered review.

Legal Insight

Why This Is Mixed

Half-fix. Invites a targeted complaint.
DPC's "reject all" campaign specifically pushed on sites that offered "reject non-essential" as a secondary action.

Consequence · −2 Defensibility

The Strictly-Necessary Stretch

The ePrivacy Art 5(3) strictly-necessary carve-out covers only cookies essential to the service the user explicitly requested. It does NOT cover Pulse's actual cookie stack: behavioural-ad pixels (Meta, Google), third-party marketing tags, cross-site tracking.

Banner ships. First complaint arrives within 14 days. DPC investigation notice within 45 days.

Legal Insight

Why This Was Indefensible

Misreading a specific-named exemption as a broad licence.
The dark-pattern taxonomy in EDPB 03/2022 is the DPC's reference document.

BreatherFri 6 Nov · 10:00Voxly Zoom

The Voxly Pitch

Zoom tiles · Voxly pitch

Matt Corrigan · Voxly AE

Our dataset is consented — we've got an SDK in 400+ fitness-tracker apps and their T&Cs cover partner enrichment.

Matt pitches: Voxly has self-declared fitness data on 42M UK consumers, collected via an SDK in 400+ fitness-tracker apps.

You ask where the consent sits. Matt says: "The app T&Cs authorise partner enrichment for health and wellness purposes. Standard across the industry."

You ask for a sample consent flow from one of the apps. Matt sends a pre-tick cookie-banner-tier consent page. The word "Voxly" does not appear. The word "partner enrichment" does, in paragraph 14.

You have seen this pattern before. It's the TikTok and Amazon fact pattern in a different skin.

Decision 3 of 3Fri 6 Nov · 15:20

The Enrichment Decision

€2.5M campaign revenue. 18% lift promised by Voxly. $180k contract. Cerulith's first use of a third-party data broker.

Three options. One closes the door cleanly. One tries to hold Voxly's hand while using the data. One pretends the problem isn't there.

Question: How do you handle the Voxly append?

Consequence · +3 Defensibility

The Refusal

Growth debrief · scrubbed whiteboard

Aisha · to James

Voxly's consent page doesn't mention Voxly. Enrichment without informed consent breaches Art 14. Amazon was €746M on this fact pattern.

James

Okay. Okay. What's the first-party play?

Aisha

Segment your existing base by engagement recency. Build a re-activation stream with value-add content — three-article series, lifestyle tips — before the commercial ask. 14-week cycle. Lower lift, compounding base.

Art 14 applies when data is obtained from a source other than the data subject. Relying on the third-party's consent is not a substitute for Cerulith's own transparency duties.

Amazon €746M is the controlling precedent for enrichment-based personalisation without clear lawful basis.

Legal Insight

Why This Was Defensible

Art 14 source-notification duties cannot be outsourced.
Refusing the append short-term protects a decade-long first-party data advantage.

Consequence · +1 Defensibility

The Notification Path

Legally tenable — Art 14 notification within the month is the correct path if the append proceeds.

Commercial cost: the required notice (specifying Voxly as the source, data categories, purposes, rights, retention) is substantial. Opt-out uptake is expected 15–25% in health-adjacent contexts. Campaign lift from enrichment likely halves.

Legal Insight

Why This Is Mixed

Compliant. Costly. Often not commercially worth it — the correct answer is frequently choice-a.
The notification itself generates regulatory goodwill.

Consequence · −2 Defensibility

The Silent Append

Art 14 is non-delegable. Voxly's consent warranty does not discharge Cerulith's duty.

Amazon €746M fact pattern. Google CNIL €50M transparency-breach pattern.

Legal Insight

Why This Was Indefensible

Non-delegable duties cannot be outsourced.
This decision becomes the third major transfer-and-transparency exhibit in Module 6.

Computing

Computing Defensibility…

Summing the three decision impacts.

The Q4 That Shipped

Soft opt-in segmentation. Compliant banner. Voxly declined.

Affected · Data subjects

94k users receive an on-brand re-engagement email on Monday 9 November. 216k users see no untargeted contact; they receive a value-first content journey over November–December. The cookie banner redesigns Dec 1; early data shows 22% reject rate, 61% accept, 17% customise.

Company · Cerulith

Q4 revenue hits 82% of the original target (€2.01M). James writes a post-mortem arguing the first-party-only approach will outperform the enrichment-based baseline within 14 weeks. Voxly contract declined cleanly.

Career · Aisha

Aisha's ePrivacy + dark-pattern primer (two pages, written after this week) becomes the growth team's onboarding doc. James asks her to lead a workshop for the new hires in Q1.

Next 50 incidents

The soft-opt-in / consent segmentation becomes the standard pre-launch gate for every campaign. Growth learns to ask "what basis" before "what segment."

System · Industry

Cerulith's banner passes the DPC's "reject all" 2027 sweep without remediation.

The Q4 That Landed

Partial mitigations. Desk-review flag. Banner rebuilt Feb 2027.

Affected · Data subjects

Campaign runs with partial mitigations. 188 user complaints about aggressive re-engagement emails in first fortnight. Banner compromise fails one DPC desk-review spot-check in Feb 2027 but is remediated before escalation.

Company · Cerulith

Revenue hits 88% of target. One user group files a collective complaint; ICO response: informal guidance letter, no MPN.

Career · Aisha

Aisha's positioning is sound but the compromise is her regret.

Next 50 incidents

Banner rebuilt Feb 2027. Campaign playbook tightens.

System · Industry

Mixed posture becomes an internal lesson.

The Q4 That Became An Exhibit

ePrivacy 4% tier fine. Voxly unwind. Three M6 exhibits.

Affected · Data subjects

Campaign runs to 310k with no ePrivacy Art 13 segmentation. DPC complaints: 2,400 in 28 days. Banner non-compliance and Voxly silent-append triggers a formal ePrivacy investigation separate from the main Cerulith DP inquiry. Three users complain that their enriched "fitness data" was medically sensitive and Cerulith was unknown to them.

Company · Cerulith

Fine issued under Art 83(5) GDPR at the €20M / 4% tier (ePrivacy national implementation applies). Voxly contract unwound at a €108k loss. Campaign ROI negative overall.

Career · Aisha

Aisha's memo opposing the ship-as-is is part of the Cerulith defence in M6.

Next 50 incidents

Growth team's entire 2027 campaign calendar is re-papered under external advice.

System · Industry

This decision feeds three separate exhibits in M6: (1) Art 5/7 consent integrity, (2) Art 14 source transparency, (3) ePrivacy non-compliance.

Module complete. Continue when you're ready. Continue to Module 6 →

Debrief

What M5 Teaches

Key Points

Five things to keep

Recital 47 ≠ ePrivacy Dir Art 13 (Ireland SI 336/2011). GDPR basis and ePrivacy consent are two separate layers.
Cookie banners must offer equal prominence at layer 1 — no pre-ticked, no friction asymmetry.
EDPB 03/2022 dark-pattern taxonomy is the DPC's reference document.
Art 14 source-notification duties are non-delegable. Third-party consent warranties do not discharge them.
No EU equivalent — full consent required is narrow — read it against your specific cookie stack.

Next module: Two months from now, on the morning of 19 January 2027, Máire Ní Bhriain will step out of a black cab at Cerulith's Dublin 2 entrance with a bound evidence binder. Everything you've done this year will be in that binder.

Knowledge Check

5 Questions

Five questions on Art 6/7/14, Recital 47, ePrivacy Dir Art 13 and Art 5(3), EDPB dark patterns, and Amazon / Google / Planet49 precedents.

Module Complete

Module 5 Complete

Defensibility score: — / 9

Quiz: —

Outcome: —

Your result has been recorded. Module 6 unlocked: The Room.

Return to Course Continue to Module 6 →