Consent Capital
Every brand treats consent as a liability. In the agentic commerce era, it's the only asset that compounds and the one you can't buy back.
This is the follow-up I promised in First-Party Data Theater: the essay on turning consent from a compliance checkbox into capital.
Two headlines landed in the same month. Read them together and you will see the most expensive blind spot in marketing.
In May 2026, Publicis agreed to acquire LiveRamp for $2.2 billion officially to accelerate data co-creation for smarter agents. My read: it is buying closer access to the loop where customer signals get matched, enriched, governed, and acted on.
That same month, California’s Attorney General announced a $12.75 million settlement with General Motors, the largest CCPA penalty in the state’s history over allegations that GM collected and sold drivers’ location and behavior data without proper consent.
One company spent billions to get closer to the consent-and-data loop.
Another paid a record fine for violating it.
Same asset. Two very different relationships with it.
Here is the truth hiding between those headlines: consent is simultaneously the most valuable thing a brand holds and the thing it is most likely to fumble. Most companies still treat it as a cost center, a banner, a checkbox, a DSAR queue, a fine waiting to happen while the smartest acquirers in the industry are paying billions to get closer to it.
The Asset Everyone Calls a Liability
In the last essay, I argued that almost everything brands call “first-party data” is theater rented infrastructure wearing an ownership badge.
But I flagged one genuine exception:
The customer’s consent.
In most cases, the original permission starts with you - your brand, your relationship, your promise even if the data later flows through vendors, agencies, clean rooms, and platforms.
Consent is the deed.
Everything else is the house you have quietly let someone else live in.
And yet every org chart files consent under risk.
Legal owns it. Compliance audits it. The CMO sees a cookie banner, a privacy policy, and a DSAR queue. Vendors are already shipping “consent agents” to automate the compliance grind faster, treating the asset as a chore to dispatch.
That framing is about to look very expensive.
Because the thing that made consent feel like a checkbox is disappearing.
Consent by Proxy
For twenty years, consent meant a human at a keyboard clicking “I agree.”
That era is ending faster than most org charts realize.
AI agents are already transacting. ChatGPT, Google AI Mode, Copilot, and Perplexity are moving from search and recommendation into action. In June 2026, Visa wired its payment network into ChatGPT so an agent can buy on a customer’s behalf within limits the customer sets: spend caps, approved merchant categories, and purchases that need a sign-off.
McKinsey pegs agentic commerce at up to $1 trillion in U.S. retail by 2030.
Privacy professionals already have a name for what this breaks: consent by proxy.
Notice, choice, and consent were built for a person reading a screen, not for a decision made at machine speed by something acting for the customer.
Sit with what that does to the marketing relationship.
When an agent is the one shopping, it does not see your banner. It does not read your retargeting pixel’s fine print. It acts on a standing set of permissions the customer granted to someone they trust.
The brand that holds a real, durable, permissioned relationship with that customer gets to participate.
The brand that only ever rented attention through a tag gets routed around.
In the click era, consent was a gate you made people pass through.
In the agentic era, consent is the only reason an agent lets you in the room at all.
That is the inversion.
Consent stops being the friction before the sale and becomes the precondition for being considered at all.
What Makes It Capital
Capital is something that compounds when you put it to work. Consent does exactly that if you treat it as a relationship instead of a record.
A binary opt-in is worth almost nothing. And the supply is shrinking. Banner fatigue, device-level prompts, tighter rules, and rising consumer skepticism are pushing brands into a worse tradeoff: ask for more, get trusted less. The instinct is to chase the number with more banners. Wrong lever.
Consent that is honored, remembered, and reciprocated earns more of itself:
Scope expands. Permission used well - relevantly, not creepily, earns the next grant, and each one lowers the cost of the one after it.
It travels on your terms. Captured in your own environment and mapped to your own identity, consent follows the customer relationship not the vendor login it happened to land in.
It is defensible. A competitor can copy your creative and your offer. They cannot copy a permissioned relationship the customer chose to give you.
It is a track record. When you can show what you were allowed to do and what you did with it, consent compounds into trust.
That is Consent Capital: permission treated as a balance you grow, not a box you tick.
But capital needs infrastructure. Three requirements:
A consent ledger - a durable record of what the customer allowed, when, in what context, and for what use.
An identity spine - the means to connect that permission to the customer across channels, devices, and agents without handing control to whatever vendor captured the event.
A decision loop - a system that can prove what was permitted, decide what is allowed, act, and learn from the outcome.
Without those three, consent is a flag in a database. With them, it is an appreciating asset.
The Flywheel
Picture a retailer whose preference center is a live control panel, not a dead checkbox page. Every choice a customer makes changes what they actually see and that signal lands in the retailer’s own warehouse, keyed to its own identity, acted on by its own decision system.
Honor a “text me, do not email me” request once, and the next ask gets easier: Can we use your purchase history to improve size recommendations? Can we share your preferences with your shopping agent? The answer trends to yes, because the first promise was kept.
Each kept promise lowers the cost of the next grant. That is the flywheel. Banners do not build it. Behavior does.
And this is where most brands quietly burn it:
The list upload. You hand permissioned customers into a walled garden to build lookalikes, spending your consent capital to train someone else’s model, and getting a borrowed audience back.
The agency login. Permissions, suppression lists, and preference history sit in your partner’s seat. Switch partners and watch how much of “your” consent walks out the door.
The checkbox mindset. You collect consent once, store it as a flag, and never use it to earn more. A deed you file and forget is a deed you are slowly defaulting on.
Each feels efficient. Each spends the one asset you cannot buy back.
The Test
Before the next “we’ll handle your consent” pitch, run one question the agentic-era version of the test from last time:
If a customer’s AI agent showed up tomorrow acting on their behalf, could I prove what they permitted, act on it inside a system I control, and earn the next grant of permission without asking a third party for the keys?
If yes, consent is capital on your balance sheet.
If not, it is a liability on someone else’s.
Consent is the deed. The decision loop is the house you build on it.
First-party data was never the moat. Consent alone is not the moat either.
The moat is the permissioned, compounding relationship - governed, remembered, acted on, and strengthened over time.
In the agentic era, that is the one thing agents cannot route around.
Thanks for reading.
An LLM helped with research, citations, and light proofreading without changing the content. All ideas, arguments, voice, and em dashes are mine :)
Oohh…more inspiration for my articles for marketers! 😜
Thank you again for the inspiration — your posts always feel like a real treat for the mind.
I wanted to share a few reflections, perhaps shaped by a very European way of looking at things, but hopefully still useful.
Consent has always made me a bit uneasy, mostly because I often struggle to understand what I’m actually consenting to.
I’ve been working on this since the 2009 revision of the ePrivacy Directive, and the question still remains: what exactly is the purpose of my consent?
So I tend to approach it through a kind of informal risk analysis.
For organisations I don’t trust or don’t really need, I simply walk away. For those I do trust — public broadcasters, for example — I’m much more willing to share.
Not entirely rational, perhaps, but very human. Living without the major US platforms is nearly impossible, and yet we all try, negotiate, or pretend.
Trust, for me, is also tied to the idea that consent can be withdrawn.
If notice and choice is the model, then changing my mind should be part of the deal, right? Consent shouldn’t be eternal; it should expire, be renewed, and follow retention rules — like the 13‑month limit in France.
That’s why I really appreciate your point about scope expansion — it’s a brilliant concept. My only question is how it plays out in practice.
Legal notices are often drafted as broadly as possible to minimise risk, so where is the incentive to genuinely engage the user in a meaningful consent process?
I love the idea, and I’m curious about the business case behind it.
Which brings me to the main reason I wanted to reach out.
The phrase “it travels on your terms” makes perfect sense in today’s highly concentrated, walled‑garden digital ecosystem.
But it also reflects a very US‑centric view. In Europe, we tend to see consent as something the data subject owns, which is then granted to a company for a limited period of time. That’s how trust, loyalty, and even LTV are built.
I hope these thoughts are helpful in some way.
Please keep sharing your work — it’s genuinely fascinating and always gives me something new to think about.