Data Protection in Paradise — Part 4

Consent Theatre — Why Your Cookie Banner Won’t Save You Under the PDPA

Part 4 of “Data Protection in Paradise” — A Practitioner’s Guide to Sri Lanka’s PDPA

Imagine you walk into a bank. You want to open a savings account. The teller slides a form across the counter. It is forty-seven pages long, printed in eight-point font, written in dense legal English. Somewhere on page thirty-two, nestled between a clause about arbitration and a paragraph about promotional partnerships, is a sentence that says: “By signing this form, you consent to the bank sharing your financial data with any third party the bank deems relevant for the purposes of marketing, analytics, research, and other purposes as determined from time to time.”

You sign it. Of course you sign it. You want the savings account. You do not read page thirty-two. Nobody reads page thirty-two. The teller does not mention page thirty-two. The branch manager has not read page thirty-two.

You have just provided consent. It is freely given — nobody held a gun to your head. It is technically informed — the information was there, in the document you signed. It is unambiguous — your signature is clear.

And it is completely, utterly meaningless.

This is consent theatre. The performance of consent without its substance. The legal fiction that a signature on an unread document constitutes a meaningful exercise of autonomy and choice. And Sri Lanka is about to walk straight into it.

The Transparency Trap

The PDPA, like the GDPR before it, places enormous emphasis on consent as a legal basis for processing personal data. Section 5 of the Act requires that consent be “freely given, specific, informed and unambiguous.” This language is borrowed almost verbatim from the GDPR, and it reflects a deeply held conviction in data protection law: that individuals should have meaningful control over how their personal data is used.

The problem is that the evidence from jurisdictions that have already implemented consent-based data protection frameworks is devastating.

A 2020 study of GDPR cookie consent banners across European websites found that only 15% of implementations were actually compliant with the regulation’s requirements. The rest used dark patterns, pre-ticked boxes, confusing language, or structures that made it easier to accept all cookies than to choose which ones to allow.

A subsequent study found that 69% of users simply close or ignore cookie consent banners entirely. They do not engage with the choice being presented. They do not read the options. They click whatever button makes the banner go away fastest. Among those who do interact, the overwhelming majority click “Accept All” — not because they have made an informed decision to accept all cookies, but because it is the path of least resistance.

This is not a failure of users. It is a failure of the consent model itself.

The transparency trap works like this: the law requires that data subjects be given information and choices. Organisations respond by providing information and choices. But the information is voluminous, complex, and presented at the worst possible moment — when the user is trying to do something else entirely. The choices are structured in ways that exploit cognitive biases, making the “consent” option easiest and the “refuse” option hardest. The result is a system that satisfies the letter of the law while completely defeating its purpose.

The Sri Lankan Context

If consent theatre is a problem in Europe — where digital literacy is high, data protection awareness is widespread, and the GDPR has been in force for years — it is going to be a catastrophe in Sri Lanka.

Consider the factors that make Sri Lanka’s consent landscape uniquely challenging:

Trilingual complexity. Sri Lanka has three official languages: Sinhala, Tamil, and English. The PDPA requires that data subjects be informed about how their data is processed. In what language? The Act does not specify. If a consent form is only in English, it excludes the majority of the population. If it is in all three languages, it triples the length of an already complex document. If it is poorly translated — which, given the technical nature of data protection terminology, is almost guaranteed — it creates a new category of confusion.

Digital literacy gap. Sri Lanka has strong literacy rates — above 92% — but digital literacy is a different matter entirely. A significant portion of the population has come online via smartphones in the last decade, primarily through social media and messaging apps. These users have little experience with privacy settings, consent mechanisms, or data protection concepts. Asking them to make informed decisions about data processing based on a privacy policy written in legal English is an exercise in futility.

Cultural deference to institutions. In Sri Lankan culture, there is a strong tendency to defer to institutional authority. When a bank, a telco, or a government agency asks you to sign something, you sign it. Questioning the terms, asking for explanations, or refusing to consent is culturally unusual and, in many contexts, practically impossible — because refusing consent often means being denied the service you need.

No history of data subject rights. Sri Lankan citizens have never had formal data protection rights. They have never exercised the right to access their data, to request erasure, or to object to processing. The PDPA creates these rights, but creating a legal right and creating a population that knows how to exercise it are very different things.

The Six Failures of Consent Theatre

Based on what we have seen in other jurisdictions and what we observe in Sri Lankan business practice today, consent theatre manifests in six predictable patterns:

1. The Wall of Text

The most common form of consent theatre. The organisation provides all required information in a single, dense, impenetrable document. Privacy policies running to thousands of words. Terms and conditions that would take an hour to read. Technical language that requires a law degree to parse.

The Wall of Text satisfies the transparency requirement: the information is there. But it completely defeats the “informed” requirement, because no reasonable person will actually read and understand the information provided. The organisation knows this. The data subject knows this. Everyone participates in the fiction that disclosure equals understanding.

The most-cited estimate of the cost of actually reading these documents, from McDonald and Cranor’s 2008 study, is roughly 244 hours per year for the average user to read the privacy policies of the websites and services they use. Nobody does this. The Wall of Text works precisely because it does not work: it provides the appearance of transparency while ensuring that nobody actually becomes informed.

2. Bundled Consent

The organisation bundles consent for multiple, unrelated processing activities into a single consent request. “By creating an account, you agree to our privacy policy, which includes the use of your data for service provision, analytics, marketing, third-party sharing, and research purposes.”

The PDPA requires consent to be specific. Bundled consent is the opposite of specific — it forces the data subject to consent to everything or nothing. Want to use the service? Consent to all processing. Don’t want your data used for marketing? Too bad — it is bundled with service provision. Take it or leave it.

This directly violates the “freely given” requirement. Consent is not freely given if the data subject has no meaningful choice — if refusing consent for one processing activity means losing access to an unrelated service. The PDPA requires granular consent: separate consent for each distinct processing purpose, with the ability to consent to some and refuse others.

3. Coerced Consent

The data subject has no real choice. If you want a bank account, you sign the form. If you want a mobile phone, you agree to the terms. If you want to access a website, you accept the cookies. The alternative to consent is not “the same service without the data processing” — the alternative is no service at all.

The PDPA’s “freely given” requirement is supposed to prevent this. Consent is not free if there is a significant imbalance of power between the controller and the data subject, or if the data subject suffers a detriment from refusing consent. In practice, this means that consent is suspect as a legal basis whenever the controller provides an essential service (banking, telecommunications, healthcare, education) or occupies a dominant market position.

This is a particularly acute problem in Sri Lanka, where many markets are concentrated among a few dominant players. If all three major telcos require consent to the same processing activities, the data subject has no meaningful alternative. Consent in this context is not a choice; it is a precondition.

4. Consent as Default

Pre-ticked boxes. Opt-out rather than opt-in. Default settings that maximise data collection, with the burden on the data subject to actively reduce it. This is the dark pattern par excellence of consent theatre.

The PDPA requires consent to be “unambiguous,” which requires a “clear affirmative action.” Pre-ticked boxes are not affirmative action. Silence is not consent. Inaction is not consent. The data subject must actively do something — tick a box, click a button, make a verbal statement — to indicate consent.

This is one of the clearest requirements in the Act, and it will be one of the most frequently violated. The reason is simple: opt-in consent rates are dramatically lower than opt-out consent rates. Research shows that opt-in rates for data collection typically range from 20% to 40%, while opt-out rates (where consent is assumed unless the user actively refuses) are typically 80% to 90%. Organisations that switch from opt-out to opt-in will see their marketing databases shrink dramatically. This creates an enormous incentive to maintain opt-out mechanisms or to find ways to make opt-in feel like opt-out.

5. Irrevocable Consent

You consented once. The organisation treats this as permanent. There is no easy way to withdraw consent. The “unsubscribe” link does not work, or requires you to log into a system you have forgotten the password for, or directs you to call a phone number that is only available during business hours, or requires you to visit a branch in person.

The PDPA is explicit: consent must be as easy to withdraw as it is to give. If you can consent with a single click, you must be able to withdraw consent with a single click. If you can consent online, you must be able to withdraw consent online. The asymmetry between the ease of giving and withdrawing consent is one of the most common forms of consent theatre, and one of the clearest violations of the Act.

6. The Consent Cascade

The data subject consents to sharing their data with a controller. The controller shares the data with a processor. The processor shares it with a sub-processor. The sub-processor shares it with a partner. The partner shares it with an advertising network. Five steps down the chain, the data subject’s data is being used in ways they never imagined, by entities they have never heard of, for purposes that bear no resemblance to the original consent.

This is the consent cascade, and it is endemic in the digital advertising ecosystem. The data subject consented to one thing; their data is being used for dozens of things. The original consent, however valid, does not extend to subsequent uses by downstream parties. A processor acting strictly on the controller’s documented instructions is covered by the controller’s legal basis, but only for the instructed purpose. Each new purpose, and each downstream party that uses the data for purposes of its own, requires its own legal basis.

The PDPA’s purpose limitation principle is designed to prevent this. But enforcement is extraordinarily difficult, because the data flows are complex, opaque, and span multiple jurisdictions. This is a problem that no data protection regime has fully solved, and the PDPA will not be the first.

The Behavioural Reality of Consent

The consent model in the PDPA — and in the GDPR, and in every consent-based data protection framework — is built on a set of assumptions about human behaviour that are, to put it charitably, optimistic. It assumes that data subjects:

— will read the information provided to them;
— will understand the information once read;
— will weigh the costs and benefits of consenting;
— will make a rational decision based on that analysis;
— will actively manage their consent over time, withdrawing it when circumstances change.

Decades of behavioural economics research tells us that none of this is true. Humans are predictably irrational, and the consent context is particularly susceptible to cognitive biases.

Status quo bias

People have a strong preference for the current state of affairs. Whatever the default is, most people will stick with it. If the default is “consent,” most people will consent. If the default is “no consent,” most people will not consent. The choice architecture — how the options are presented — has a greater impact on the outcome than the substance of the choice itself.

This is why the PDPA’s requirement for affirmative action is so important, and why it will be so fiercely resisted. The default matters more than the information, more than the language, more than the interface design. Whoever sets the default controls the outcome.

Present bias

People systematically overvalue present benefits and undervalue future costs. The present benefit of clicking “Accept All” is immediate: you get to use the website, the app, the service. The future cost of having your data processed in ways you did not fully understand is abstract, uncertain, and temporally distant. Present bias guarantees that most people will accept now and worry later — or, more accurately, never worry at all.

Asymmetric paternalism

The concept of asymmetric paternalism, developed by Camerer and colleagues, suggests that policies should be designed to help those who are vulnerable to cognitive biases while imposing minimal costs on those who are not. A consent mechanism that requires five clicks to refuse and one click to accept is the opposite: it exploits the vulnerable while creating the appearance of choice for the sophisticated.

Good consent design should be asymmetrically paternalistic in the right direction: it should make the privacy-protective choice as easy as the privacy-permissive choice. The PDPA requires this in principle. The question is whether organisations will implement it in practice, or whether they will find ways to tilt the choice architecture in their favour.

The endowment effect

People value things they already have more than things they do not have. Once someone has access to a service, withdrawing consent — and potentially losing access — feels like a loss, even if the service was not particularly valuable to them. This makes consent withdrawal psychologically difficult, even when it is technically easy.

The implication is that initial consent decisions are stickier than the PDPA assumes. Once consent is given, it tends to remain given, not because the data subject has made a continuing informed decision, but because withdrawing consent feels like giving something up. Organisations that obtain consent early in the customer relationship benefit from this bias for the lifetime of the relationship.

What Genuine Consent Looks Like

If consent theatre is the problem, what does genuine consent look like? Based on international best practice, behavioural research, and a practical reading of the PDPA’s requirements, genuine consent has five characteristics:

Layered disclosure

Instead of the Wall of Text, provide information in layers. The first layer is a brief, plain-language summary of what you are asking for and why. The second layer provides more detail for those who want it. The third layer is the full legal text for those who need it. Each layer is accessible from the previous one, but no one is forced to wade through all of them to make a decision.

This is not a new concept. The Article 29 Working Party (now the European Data Protection Board) recommended layered disclosure more than a decade ago. It works because it respects the reality that different people want different levels of detail, and that forcing everyone through the most detailed version serves nobody.

Contextual consent

Ask for consent at the point where it is relevant, not upfront in a comprehensive consent form. When a user first creates an account, ask for consent to the processing necessary for account creation. When they first interact with a marketing feature, ask for marketing consent. When they first use a feature that involves third-party sharing, ask for third-party sharing consent.

Contextual consent is more meaningful because the data subject understands the context. They are being asked about a specific processing activity at the moment when that activity is relevant to them. This produces more informed decisions than asking about everything at once during registration.

Granular control

Provide separate consent toggles for separate processing purposes. Do not bundle. Let the data subject consent to service provision without consenting to marketing. Let them consent to first-party analytics without consenting to third-party sharing. Let them consent to email marketing without consenting to SMS marketing.

Granularity increases the administrative complexity of consent management, but it is what the PDPA requires. The investment in granular consent infrastructure pays for itself in reduced regulatory risk and increased customer trust.

Friction-free withdrawal

Make withdrawal as easy as granting. A single click. An accessible settings page. An immediate effect. No dark patterns that make the “Are you sure?” dialogue harder to navigate than the original consent flow. No requirements to call a phone number, visit a branch, or write a letter.

The PDPA is clear: withdrawal must be as easy as granting. Test this in your own systems. If it takes one click to consent and seven clicks to withdraw, you have a problem. If it takes thirty seconds to opt in and three weeks to opt out, you have a bigger problem.

Regular re-consent

Consent should not be a one-time event. Periodically remind data subjects of what they have consented to and give them the opportunity to review and modify their choices. This is not required by the Act in explicit terms, but it follows from the principle that consent must be “informed” — if the processing activities have changed, or if so much time has passed that the data subject has forgotten what they consented to, the consent is arguably no longer informed.

Re-consent is also good practice from a business perspective. It cleans up your consent database, removing stale consents and ensuring that your marketing lists reflect genuine current preferences. Smaller, more engaged lists consistently outperform larger, disengaged ones.

The Alternative to Consent

Here is the thing that many organisations miss: consent is not the only legal basis for processing personal data. It is one of several. And for many processing activities, it is not even the best one.

The PDPA provides for processing based on legitimate interests — the controller’s or a third party’s legitimate interests, provided those interests are not overridden by the data subject’s rights and interests. This is a balancing test: the controller must weigh its own interests against the data subject’s, and the processing must be proportionate and necessary.

Legitimate interest is often a more appropriate legal basis than consent for processing activities that are genuinely necessary for the business and that the data subject would reasonably expect. Fraud detection, for example. Network security monitoring. Internal analytics for service improvement. These are activities where consent is problematic — either because the data subject does not have a real choice (you cannot meaningfully consent to or refuse fraud detection), or because consent would be impractical (asking every website visitor for consent to security monitoring).

The advantage of legitimate interest over consent is that it is not dependent on the data subject’s continued agreement. If you rely on consent and the data subject withdraws it, you must stop processing. If you rely on legitimate interest, you can continue processing as long as the balance of interests supports it. The data subject has the right to object, and you must consider the objection, but you are not automatically required to stop.

The disadvantage is that legitimate interest requires more work upfront. You must conduct a legitimate interest assessment, documenting the interest, the necessity, and the balancing exercise. You must be able to demonstrate that you considered the data subject’s rights and concluded that your interests are not overridden. This is more demanding than simply obtaining a click on a consent button.

But it is more honest. And it is more durable. A legitimate interest assessment, properly conducted, creates a solid foundation for processing that does not depend on the fiction of informed consent.

The irony of consent theatre is that it undermines the very autonomy it purports to protect. When consent is meaningless, the data subject has no real control. When organisations rely on genuine legitimate interest instead of theatrical consent, the data subject may paradoxically be better protected — because the organisation has been forced to actually think about the impact of its processing.

The Coming Consent Infrastructure Gap

When the PDPA’s substantive provisions commence, every organisation in Sri Lanka that processes personal data will need consent management infrastructure. This includes:

A consent management platform (CMP) that records what each data subject has consented to, when, through what mechanism, and the specific version of the privacy notice they were shown. This needs to be auditable, because under the PDPA, the controller bears the burden of proving that consent was obtained.

Preference centres where data subjects can view and modify their consent choices. These need to be accessible, understandable, and functional in all relevant languages.

Downstream consent enforcement — systems that ensure consent choices are actually respected throughout the data processing pipeline. If a data subject withdraws consent for marketing, every system that processes their data for marketing purposes must stop doing so. This requires integration between the CMP and the organisation’s marketing, analytics, and data processing systems.

Consent audit trails that demonstrate compliance to the Authority in the event of an investigation. The PDPA places the burden of proof on the controller: you must be able to show that consent was valid, not just that it was obtained.
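The four infrastructure components above, together with the granular-control and friction-free-withdrawal requirements described earlier, describe a data structure more than a product: an append-only record of per-purpose consent events, a single enforcement check that every downstream system consults, and a tamper-evident audit trail. The following is an added example written for this page; it is not the page’s own code, not any vendor’s CMP, and not a reading of the Act. The purpose labels, mechanism labels, notice-version strings and the set of mechanisms treated as non-affirmative are assumptions chosen to illustrate the design.

```python
# Added example (not the page's own code): a minimal consent ledger showing
# granular per-purpose consent, rejection of non-affirmative mechanisms,
# single-call withdrawal, an enforcement check for downstream systems, and a
# hash-chained audit trail. Purpose/mechanism labels are assumptions.
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Callable, Iterable

# Mechanisms that are NOT a clear affirmative action (assumed labels).
NON_AFFIRMATIVE = {"pre_ticked", "default", "silence", "continued_use"}
GENESIS = "0" * 64


@dataclass(frozen=True)
class ConsentEvent:
    subject: str         # data subject identifier
    purpose: str         # one purpose per event: no bundling
    granted: bool        # True = consent given, False = withdrawn
    mechanism: str       # how the choice was captured
    notice_version: str  # exact privacy notice shown (evidence for the Authority)
    at: str              # ISO-8601 timestamp
    prev_hash: str       # digest of the previous event (tamper-evident chain)

    def digest(self) -> str:
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    def __init__(self, clock: Callable[[], str] | None = None) -> None:
        self.events: list[ConsentEvent] = []
        self.head = GENESIS  # store a copy of this outside the ledger's own database
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def _append(self, subject, purpose, granted, mechanism, notice_version) -> ConsentEvent:
        ev = ConsentEvent(subject, purpose, granted, mechanism, notice_version, self._clock(), self.head)
        self.events.append(ev)
        self.head = ev.digest()
        return ev

    def grant(self, subject: str, purposes: Iterable[str], mechanism: str, notice_version: str) -> list[ConsentEvent]:
        """Record one event per purpose. A pre-ticked box or silence records nothing."""
        if mechanism in NON_AFFIRMATIVE:
            raise ValueError(f"{mechanism!r} is not a clear affirmative action; consent not recorded")
        return [self._append(subject, p, True, mechanism, notice_version) for p in purposes]

    def withdraw(self, subject: str, purpose: str) -> ConsentEvent:
        """One call, no preconditions: withdrawing is as easy as granting."""
        history = self.evidence(subject, purpose)
        version = history[-1].notice_version if history else ""
        return self._append(subject, purpose, False, "one_click", version)

    def may_process(self, subject: str, purpose: str) -> bool:
        """Enforcement check every downstream system asks before processing.
        The latest event for (subject, purpose) wins; no event means no consent."""
        for ev in reversed(self.events):
            if ev.subject == subject and ev.purpose == purpose:
                return ev.granted
        return False

    def evidence(self, subject: str, purpose: str) -> list[ConsentEvent]:
        """The audit trail for one subject and one purpose, in order."""
        return [e for e in self.events if e.subject == subject and e.purpose == purpose]

    def verify_chain(self, expected_head: str | None = None) -> bool:
        """Recompute the chain. An edited or deleted event breaks a later prev_hash;
        an edited final event breaks the externally stored head."""
        prev = GENESIS
        for ev in self.events:
            if ev.prev_hash != prev:
                return False
            prev = ev.digest()
        return prev == (expected_head if expected_head is not None else self.head)


def demo() -> dict:
    """Grant, refuse a pre-ticked mechanism, withdraw, then detect in-place tampering."""
    ledger = ConsentLedger(clock=lambda: "2026-01-01T00:00:00+00:00")  # fixed clock, constructed data
    ledger.grant("subj-1", ["service", "email_marketing"], mechanism="unticked_checkbox", notice_version="notice-v3")
    try:
        ledger.grant("subj-2", ["analytics"], mechanism="pre_ticked", notice_version="notice-v3")
        pre_ticked_rejected = False
    except ValueError:
        pre_ticked_rejected = True
    before = ledger.may_process("subj-1", "email_marketing")
    ledger.withdraw("subj-1", "email_marketing")
    after = ledger.may_process("subj-1", "email_marketing")
    head = ledger.head
    intact = ledger.verify_chain(head)
    # Simulate someone with database access flipping the withdrawal back to a grant in place.
    w = ledger.events[-1]
    ledger.events[-1] = ConsentEvent(w.subject, w.purpose, True, w.mechanism, w.notice_version, w.at, w.prev_hash)
    return {
        "pre_ticked_rejected": pre_ticked_rejected,
        "marketing_before_withdrawal": before,
        "marketing_after_withdrawal": after,
        "service_still_allowed": ledger.may_process("subj-1", "service"),
        "never_asked_sms": ledger.may_process("subj-1", "sms_marketing"),
        "chain_intact_before_tamper": intact,
        "chain_intact_after_tamper": ledger.verify_chain(head),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Three design choices carry the weight. First, there is no "accept all" record: a grant is always a list of per-purpose events, so bundling cannot happen at the storage layer, and a purpose that was never asked about is simply absent and therefore denied. Second, `may_process` is the only question downstream systems are allowed to ask, which is what turns a preference centre from a display into an enforcement point and stops the consent cascade at the first hop you control. Third, the hash chain with an externally held head is what lets you show the Authority not only that a consent record exists but that nobody quietly changed it after the fact.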

Very few Sri Lankan organisations have any of this today. Most do not even have a privacy policy that meets the PDPA’s transparency requirements, let alone a consent management system that can record, enforce, and demonstrate valid consent.

The infrastructure gap is enormous, and closing it will take time. Organisations that start building consent management capabilities now will be ready when commencement arrives. Those that wait will be scrambling to implement systems under time pressure, with all the quality and cost implications that implies.

The Deeper Question

Consent theatre is not just a compliance problem. It is an ethical problem. It is the gap between what we say we believe about individual autonomy and what we actually practice.

We say that individuals should control their personal data. Then we present them with consent mechanisms designed to extract maximum consent with minimum understanding. We say that consent should be informed. Then we bury the information in documents that nobody reads. We say that consent should be freely given. Then we make it a precondition for services that people cannot do without.

The PDPA creates an opportunity to do better. Not because the law compels it — although it does. But because genuine consent, done well, creates something valuable: trust. Customers who genuinely understand and agree to how their data is used are more engaged, more loyal, and more valuable than customers who have been tricked into consenting by a dark pattern.

The organisations that understand this will build consent systems that are genuinely transparent, genuinely granular, and genuinely respectful of autonomy. They will treat consent not as a compliance burden but as a relationship-building opportunity. They will invest in consent infrastructure not because the Authority requires it, but because it makes their businesses better.

The organisations that do not understand this will build the minimum viable consent theatre. They will deploy cookie banners and privacy policies that satisfy the letter of the law while defeating its purpose. They will spend the minimum necessary to avoid penalties and will treat data protection as a cost to be minimised rather than a capability to be developed.

Both approaches will claim compliance with the PDPA. Only one will actually protect data subjects. Only one will build the kind of trust that creates durable competitive advantage.

When the Authority begins enforcement — and it will — it will not look kindly on consent theatre. The PDPA’s requirements are clear: consent must be freely given, specific, informed, and unambiguous. A court or the Authority, examining whether consent was genuinely “informed,” will not be satisfied by a forty-seven-page document that no one reads. They will look at whether the data subject actually understood what they were consenting to. They will look at the choice architecture. They will look at the defaults. They will look at whether withdrawal was genuinely as easy as granting.

The consent form won’t save you then.

Next in the series: Four Laws, One Bank
