Skip to content
Tech

Why can a regulator only catch a deceptive consent screen by reading it manually?

83

Opportunity

GDPR and FTC rules require freely given, unambiguous consent, but detection is entirely manual: investigators visit sites, walk through flows, and write reports. A 2026 arXiv study found that regulatory practitioners explicitly want automated detection but have no viable tooling to run at scale. Dark patterns shift dynamically: a service can hide opt-out paths during a review period and restore them afterward. With millions of sites and a handful of inspectors, enforcement is reactive, slow, and geographically uneven. No machine-readable standard for a consent record exists that would let an auditor replay the exact UI flow a user experienced at a given moment.

Why it matters

Automated, provable consent verification would shift enforcement from after-the-fact investigations to scalable real-time compliance checks, making dark patterns economically unviable.

How I score the opportunity

The Opportunity Score is my own read, not a measurement: how much it hurts, how often it bites, and how little exists to solve it today. Higher means I think it is more worth building.

Severity8/10

How much pain it causes when it shows up.

Frequency9/10

How often people actually run into it.

Whitespace8/10

How little good tooling exists for it today.

More problems worth solving