The Consent Trap

The attached LIA is seven lines long. It says: Legitimate interest: re-engagement of lapsed existing customers. Necessity: alternative methods not available. Balancing: minimal intrusion, users can unsubscribe.

You know what's missing. Recital 47 lives under GDPR. ePrivacy Dir Art 13 (Ireland SI 336/2011) lives alongside GDPR for electronic-channel consent. Both need answering before Monday.

Four rows. Pick the correct answer per row. The output shapes what the LIA can and cannot defend on Monday.

You've called James. He's cheerful. You've explained the two-layer issue — GDPR basis + ePrivacy consent — twice. He's still not quite seeing it.

Question: What lawful basis do you apply for the re-engagement email and SMS?

ePrivacy Dir Art 13 (Ireland SI 336/2011) permits "soft opt-in" for email and SMS marketing where: (a) recipient's details obtained in the course of a sale or negotiations for a sale, (b) the marketing is for similar products, and (c) an opt-out was offered at collection and in each subsequent message.

Art 6(1)(f) legitimate interests plus Recital 47 gives the GDPR basis; the ePrivacy Directive is the separate electronic-channel consent layer.

Under Art 83(5) GDPR, the tier ceiling is €20M / 4% turnover. National ePrivacy fines align with GDPR via Member State implementing law. Non-compliance sits squarely in the 4% tier.

Defensible — the LIA work adds evidence, but the same soft-opt-in segmentation is still required. Cost: 3-day analysis slip. Launch moves to Wednesday.

Recital 47 is a GDPR recital; it does NOT override ePrivacy Dir Art 13 (Ireland SI 336/2011). The ePrivacy Directive sits alongside GDPR, not under it — each Member State implements via national law (Ireland: SI 336/2011).

Sending to 310k where 216k are not within ePrivacy Art 13 soft opt-in is a direct ePrivacy breach, subject to Art 83(5) GDPR €20M ceiling.

You walk into the marketing stand-up. Lena has pulled the A/B test dashboard for the banner redesign.

Variant B (current proposal): Prominent blue "Accept All" primary button. Grey underlined "Manage preferences" secondary link. No Reject-All at layer 1. Pre-ticked sub-toggles behind the "Manage" drawer.

Conversion: Variant B up 34% on accept rate.

Seven elements. For each, mark "dark pattern" or "legitimate." ICO and EDPB references unlock as you go.

Lena has pulled up her design system. James is standing next to her. Fran is watching remotely. You have three options.

Question: What banner brief do you give Lena?

ICO 2019 cookie guidance — updated in the 2023 "reject all" campaign — requires equal prominence at layer 1 and no pre-ticked non-essential boxes.

EDPB 03/2022 taxonomises deceptive patterns that invalidate consent. CJEU Planet49 — pre-ticked boxes are not valid consent. Settled law since 2019.

Better than Variant B. Not compliant. Irish DPC / EDPB guidance uses the word "equivalent" — visual hierarchy suggesting Accept is primary fails equivalence.

Likely to pass a cursory DPC inspection but fail a complaint-triggered review.

The ePrivacy Art 5(3) strictly-necessary carve-out covers only cookies essential to the service the user explicitly requested. It does NOT cover Pulse's actual cookie stack: behavioural-ad pixels (Meta, Google), third-party marketing tags, cross-site tracking.

Banner ships. First complaint arrives within 14 days. DPC investigation notice within 45 days.

Matt pitches: Voxly has self-declared fitness data on 42M UK consumers, collected via an SDK in 400+ fitness-tracker apps.

You ask where the consent sits. Matt says: "The app T&Cs authorise partner enrichment for health and wellness purposes. Standard across the industry."

You ask for a sample consent flow from one of the apps. Matt sends a pre-tick cookie-banner-tier consent page. The word "Voxly" does not appear. The word "partner enrichment" does, in paragraph 14.

You have seen this pattern before. It's the TikTok and Amazon fact pattern in a different skin.

€2.5M campaign revenue. 18% lift promised by Voxly. $180k contract. Cerulith's first use of a third-party data broker.

Three options. One closes the door cleanly. One tries to hold Voxly's hand while using the data. One pretends the problem isn't there.

Question: How do you handle the Voxly append?

Art 14 applies when data is obtained from a source other than the data subject. Relying on the third-party's consent is not a substitute for Cerulith's own transparency duties.

Amazon €746M is the controlling precedent for enrichment-based personalisation without clear lawful basis.

Legally tenable — Art 14 notification within the month is the correct path if the append proceeds.

Commercial cost: the required notice (specifying Voxly as the source, data categories, purposes, rights, retention) is substantial. Opt-out uptake is expected 15–25% in health-adjacent contexts. Campaign lift from enrichment likely halves.

Art 14 is non-delegable. Voxly's consent warranty does not discharge Cerulith's duty.

Amazon €746M fact pattern. Google CNIL €50M transparency-breach pattern.

Summing the three decision impacts.

Soft opt-in segmentation. Compliant banner. Voxly declined.

Partial mitigations. Desk-review flag. Banner rebuilt Feb 2027.

ePrivacy 4% tier fine. Voxly unwind. Three M6 exhibits.

Next module: Two months from now, on the morning of 19 January 2027, Máire Ní Bhriain will step out of a black cab at Cerulith's Dublin 2 entrance with a bound evidence binder. Everything you've done this year will be in that binder.

Five questions on Art 6/7/14, Recital 47, ePrivacy Dir Art 13 and Art 5(3), EDPB dark patterns, and Amazon / Google / Planet49 precedents.

Defensibility score: — / 9

Quiz: —

Outcome: —

Your result has been recorded. Module 6 unlocked: The Room.