How companies trick you into giving up your data
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
You open a webpage. Before you even get a glimpse of the content, a message blocks your screen: “We value your privacy. Accept all cookies to continue.” You hesitate. You know enough about data protection to realise what’s happening. You don’t want to hand over your personal data so easily, so you click “Manage Preferences.”
The next page presents another set of choices: “Accept All” or “Save Preferences.” But here’s the catch — you haven’t actually set any preferences yet. You know better than to fall for that. So you dig deeper, opening more menus, expanding more options, only to find something suspicious. The website is nudging you towards giving away your data, presenting pre-checked boxes that assume your agreement. But you haven’t actually consented to anything. You’re simply being funnelled into the illusion of choice.
Consent is supposed to be an affirmative action, something freely given, specific, informed, and unambiguous. It should require clear action from you, not silent acceptance. That’s your right. But companies have found ways to bend the rules. They design interfaces that trick you into giving up your data without you realising it. And if you refuse? They invoke a different excuse — legitimate interest.
It’s the new favourite loophole in data protection. Instead of obtaining your consent, companies argue that they have a legitimate reason to process your data without it. They claim they need to track you, collect your information, and share it with vendors because it’s essential for their business. After all, a company has to make money. And while that may be true, must it always be at the expense of the individual?
Some businesses treat “legitimate interest” as a blank cheque to override consent mechanisms. They carefully craft cookie banners and privacy notices that look compliant while doing the exact opposite. You think you’re rejecting tracking, but in reality, vendors are still being placed on your device. You believe you’ve opted out, but your data is still being shared. The system is designed to give you the illusion of control while keeping things exactly as they want them.
This isn’t just about misleading interfaces — it’s about the systematic exploitation of consent. Many companies intentionally make it harder for you to refuse tracking. Some websites block content unless you agree to cookies, forcing you into a pay-with-your-data model. Others require you to navigate through multiple screens just to reject tracking, hoping you’ll give up out of frustration. And the worst offenders automatically place cookies on your device before you’ve even had the chance to opt out, making the entire process meaningless.
The solution? Stop letting them manipulate you.
A true consent model requires double opt-in—you don’t just click a button once and move on. Instead, you confirm your choice through a second action, ensuring that your decision is deliberate and recorded. This approach is already used in email marketing to prevent spam — so why shouldn’t it apply to data collection? A proper opt-in system should default to rejecting cookies, not pre-selecting them on your behalf. It should require explicit confirmation before any tracking begins. If companies genuinely valued your privacy, they wouldn’t make it difficult for you to say no.
But many don’t. Because in some industries, “legitimate interest” is just another term for deception. The law allows companies to rely on it only if the individual’s rights and freedoms are not overridden. But too often, that balance is ignored. The burden is placed on you to constantly defend your data, to resist misleading consent banners, and to fight against invasive tracking. And while regulators step in where they can, the responsibility often falls on individuals to recognise the tricks and push back.
If a company truly believed in transparency, they wouldn’t need dark patterns to obtain consent. If they genuinely cared about user trust, they wouldn’t hide tracking settings behind multiple layers of deception. But many don’t care. Because they know most users won’t fight back.
So next time you’re faced with a misleading cookie banner, don’t just click through. Recognise the game being played. Read between the lines. And remember: just because a company claims to value your privacy, doesn’t mean they actually do.
business a.m. commits to publishing a diversity of views, opinions and comments. It, therefore, welcomes your reaction to this and any of our articles via email: comment@businessamlive.com