The blog examines real-world privacy violations that expose the shortcomings of traditional consent systems. It argues that static, one-size-fits-all consent models can erode trust and user rights, calling instead for adaptive consent management—flexible, transparent, and responsive to evolving technologies, regulations, and user expectations.
Consent has become the cornerstone of trust between organizations and individuals. Every time we download an app, sign up for a service, or even browse the web, we’re asked to give permission for our data to be collected, stored, and sometimes shared.
But too often, that “consent” is either buried in legal jargon, manipulated through dark patterns, or ignored entirely once granted. Recent high-profile GDPR rulings and fines against companies like Spotify, Vodafone, and Flightradar24 reveal how even established brands continue to mishandle user data. Sometimes this happens through negligence, sometimes through outdated systems that can’t keep pace with modern privacy challenges.
No matter why or how, these kind of cases underscore the urgent need for adaptive consent management: systems designed to evolve with user expectations, regulatory changes, and new technologies like AI.
In June 2025, Sweden’s data protection authority (IMY) reprimanded Flightradar24 AB for violating Articles 12(2) and 12(6) of the GDPR between May 25, 2018 and June 22, 2021. The issue? The flighttracking service routinely demanded aircraft owners submit official registration certificates, even when other reasonable proof of identity had already been provided. This delayed or prevented rightful erasure of their data. IMY found this violated users’ right to erasure and transparency. While the agency recognized the legitimate interest in such tracking, it ordered Flightradar24 to cease this rigid requirement and streamline verification methods within one month of the decision becoming final.
This case illustrates how even seemingly harmless default procedures can become barriers to exercising privacy rights. A system that assumes one method of verification is the only acceptable one can frustrate legitimate requests and tilt the balance toward organizational convenience over individual rights.
Also in mid2025, the Stockholm Court of Appeal upheld a SEK 58 million (approx. EUR 5.2–5.4 million) fine against Spotify AB. The court affirmed findings that Spotify’s privacy disclosures were not sufficiently clear or accessible, failing to inform users about how to exercise their GDPR rights. Additionally, Spotify omitted crucial details on how long personal data is stored and what safeguards apply when data is transferred to third countries or international organizations
By failing to translate legal obligations into plainspoken, user-friendly terms, and by withholding key structural information, Spotify effectively stripped users of meaningful control over their data. This reinforces the principle that consent isn’t just about ticking a box; it requires sustained clarity and comprehension.
In June 2025, German regulators fined Vodafone GmbH EUR 45 million (~USD 51 million)—split into EUR 15 million for poor oversight of partner agencies that misled customers into signing fictitious contracts, and EUR 30 million for authentication weaknesses that exposed eSIM profiles to unauthorized third parties via its online portal and hotline.
This case underscores that consent breaches don’t always stem from user actions or negligence but can arise from structural flaws: unclear data-sharing agreements, inadequate oversight of third parties, and insecure authentication channels can allow consent frameworks to unravel, with tangible harm.
On a broader front, privacy advocates argue that many dating apps are failing to incorporate consent in their design, even as they roll out AI-powered features. According to the Electronic Frontier Foundation, apps like Grindr, Tinder, Bumble, Hinge, and OK-Cupid are deploying AI tools, from chatbots to profile editors, often using “your most personal information to train their AI tools,” treating deeply personal data as fodder for innovation rather than requiring explicit, context specific consent.
This emphasizes the complex dynamics of consent in AI: users may consent broadly at signup, but not explicitly to their data being used to train AI or gaslight algorithms with extremely personal inputs.
Another case highlights slow or incomplete communication of erasure actions. A Hungarian authority found that a data controller erased a user’s account in November 2018 but failed to inform the user until March 2019—violating Article 12(3) (timely communication of action taken) and the GDPR’s transparency requirements. The authority imposed a fine of approximately EUR 13,244.
Even when data is eventually deleted, failure to promptly notify users can undermine trust and create confusion, effectively negating the value of the erasure right.
These real-world violations reveal that static, one-size-fits-all consent models are no longer adequate. A shift toward adaptive consent management, dynamic by design, is imperative. Here’s what makes it essential:
Rigid verification processes—like demanding a specific certificate—can block genuine requests. Consent management systems should include multiple verification pathways, dynamically chosen based on context. If a user has already supplied reliable documentation, the system should adapt and accept alternative proofs. Flightradar24’s case perfectly shows the perils of ignoring this adaptability.
User understanding of what they consent to must evolve along with system changes. Systems should adopt layered notices and adaptive interfaces that surface relevant information—like data retention periods or international transfers—at the time of data processing or request, not just buried in long legal documents. Spotify’s penalty is a wake-up call on this front.
Organizations must actively monitor and audit partners to ensure consent —and privacy protections—are preserved across the ecosystem. Vodafone Germany’s failures highlight the need for dynamic oversight, including real-time dashboards, automated audits, and quick escalation when anomalies occur.
AI and machine learning introduce new vectors of consent complexity. Using personal inputs for AI training is a secondary use, requiring explicit consent that is specific, informed, and revocable. Consent frameworks need to dynamically capture and reflect such choices. If a user opts out of AI-based macros, the system should enforce it, and surface AI tools with on-the-fly, granular consent options.
Users should be notified promptly when controllers take (or reject) actions related to their data requests. The Hungarian case shows how failure to notify users undermines control and individual rights. Adaptive systems should include automated confirmation messages with clear next steps or timelines.
The examples of Flightradar24, Spotify, Vodafone Germany, and others show that privacy violations and consent failures arise not just from malicious intent, but from static systems unprepared for nuanced, evolving realities. Whether it’s erasure requests, transparency demands, third-party risks, or AI-derived uses, consent must be fluid, context-aware, and responsive.
To safeguard fundamental rights in today’s digital ecosystem, consent management must evolve to become adaptive, transparent, user-centric, and resilient. Only then can individuals truly exercise control over personal information in a world where data is dynamic and expectations are fluid.
©2025 CookieHub ehf.
