
Cookie Banners, Consent Strings, and the AI Personalization Question

By Basel Ismail, May 19, 2026


Cookie consent has been a solved problem for about five minutes. Just long enough for everyone to implement IAB TCF v2.0, get comfortable, and then realize that AI-driven personalization blows a hole through most of the assumptions baked into traditional consent frameworks. The ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC) was written to address the storage of information on a user's terminal equipment. GDPR layered on top with its conditions for valid consent. TCF v2.2, which became mandatory for all IAB Europe members in November 2023, tried to tighten things up further. But the gap between what these frameworks regulate and what modern AI personalization actually does is growing fast, and most consent architectures are not keeping pace.

Where Cookie Consent Actually Ends

Article 5(3) of the ePrivacy Directive is specific: it governs the storing of information, or gaining access to information already stored, in the terminal equipment of a subscriber or user. Cookies, local storage, device fingerprinting. The trigger is the act of placing or reading something on the device. GDPR Article 6 and Article 7 then govern what you do with the data once you have it, requiring a lawful basis and, where consent is that basis, meeting the bar for freely given, specific, informed, and unambiguous consent.

TCF v2.2 maps to this by defining ten specific purposes (personalized advertising, content selection, measurement, etc.) and requiring that vendors declare which purposes they rely on and under which legal basis. The big change from v2.1 to v2.2 was eliminating legitimate interest as a legal basis for purposes 3 through 6 (creating personalized ads profiles, selecting personalized ads, creating personalized content profiles, selecting personalized content). Under v2.2, those all require consent. Full stop.

So far, so clear. A user visits a site, gets a CMP (consent management platform) prompt, makes choices, and a TC String encodes those choices for downstream vendors. The system works reasonably well for a linear chain: publisher places cookie, ad tech vendor reads cookie, ad is served.

Where AI Consent Begins (and Where It Gets Uncomfortable)

The problem starts when AI models enter the picture. Consider a recommendation engine that ingests browsing behavior, purchase history, and contextual signals to generate real-time content personalization. Some of those inputs may come from cookies or local storage, which means ePrivacy applies at the collection point. But the AI model itself is doing something qualitatively different from what a cookie-based retargeting pixel does. It is generating inferences, creating new data points about the user that were never directly collected.

GDPR Recital 71 and Article 22 address automated decision-making and profiling. The EDPB's Guidelines on Automated Individual Decision-Making and Profiling (WP251rev.01) make clear that inferred data, such as a credit score or a predicted purchasing intent, constitutes personal data when it relates to an identified or identifiable person. The CJEU reinforced this in OC v. Commission nationale de l'informatique et des libertés (CNIL) (Case C-136/17), holding that even derived or calculated data can be personal data under GDPR.

Here is where the consent string model starts to strain. TCF v2.2 Purpose 3 covers "Create profiles for personalised advertising," and Purpose 5 covers "Create profiles for personalised content." But the consent is granted at a moment in time, for a described purpose, to a listed vendor. AI personalization systems are often doing something more fluid: continuously updating user models, combining data across sessions, and generating novel inferences that the user never specifically consented to having created.

The Belgian DPA's February 2022 decision against IAB Europe (Case DOS-2019-01377) is instructive here, even though it predates v2.2. The APD found that the TC String itself constituted personal data and that IAB Europe was a joint controller. The finding was largely upheld on appeal by the CJEU in November 2023 (Case C-604/22), though the Court left it to the Belgian courts to finalize the controller determination. The core issue remains: the consent infrastructure itself carries regulatory risk, and adding AI inference layers on top multiplies that risk.

The TCF v2.2 Gap

TCF v2.2 introduced "Special Feature 1" for precise geolocation and "Special Feature 2" for device scanning, both requiring opt-in consent. It also added stricter transparency requirements, mandating that CMPs display the total number of vendors and allow easy rejection. These are meaningful improvements for the cookie-and-tracking paradigm.

But the framework does not have a dedicated purpose or special feature for AI model training, inference generation, or cross-context behavioral modeling. If a vendor collects data under Purpose 5 (personalized content profiles) and then feeds that data into a machine learning pipeline that generates inferences used for a different purpose, the original consent may not cover the downstream use. GDPR's purpose limitation principle (Article 5(1)(b)) is unforgiving on this point, and the EDPB's Guidelines 05/2020 on consent make clear that bundling purposes or relying on vague descriptions does not meet the specificity requirement.

The practical result is that many organizations running AI personalization are operating in a gray zone. Their CMPs collect consent for TCF-defined purposes. Their AI systems then do things that arguably exceed those purposes. And the consent string, which is supposed to be the authoritative record of user preferences, does not capture the full scope of processing.

What the Upcoming ePrivacy Regulation Might Change

The ePrivacy Regulation has been in legislative limbo since the Commission's 2017 proposal, and the latest Council position (February 2021) still has not reached trilogue agreement. But several draft provisions are relevant. Article 8 of the proposed regulation would extend device-access rules to cover machine-to-machine communications and IoT, which could pull AI edge processing into scope. Article 16 would tighten rules on metadata processing, which is exactly the kind of data AI personalization systems thrive on. Until the regulation is finalized, the 2002 Directive remains the baseline, and national implementations vary significantly. Germany's TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz), effective December 2021, already takes a stricter approach to consent for tracking technologies than many other member states.

Practical Implications

  • Audit your AI data flows against your CMP consent records. If your personalization engine ingests data collected under TCF Purpose 5 but uses it to train models that serve Purpose 3 outputs, you may have a purpose limitation problem.
  • Treat inferred data as personal data. The CJEU has made this clear enough that assuming otherwise is a litigation risk, not a compliance strategy.
  • Do not rely on TCF consent strings as your sole Article 7 compliance record for AI processing. The TC String documents consent for specific, enumerated purposes. If your AI processing exceeds those purposes, you need additional consent mechanisms or a different lawful basis.
  • Watch the Belgian enforcement saga closely. The IAB Europe case is still producing ripple effects, and the CJEU's controller finding has implications for any organization that participates in the TCF ecosystem.
  • Prepare for the ePrivacy Regulation. Even though timelines remain uncertain, the direction of travel is toward stricter metadata rules and broader device-access provisions, both of which will affect AI personalization architectures.
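The first and third points above (map AI processing activities back to the CMP consent record, and check that the TC String actually covers the purpose and basis being relied on) can be automated. As an added example, not FirmAdapt's code and not the IAB's reference implementation, the Python below decodes the purpose-consent and legitimate-interest bitfields from the core segment of a TC String, following the field layout of the IAB TCF v2 TC String format, and checks one processing activity against it, applying the v2.2 rule that Purposes 3 through 6 accept consent only. The small encoder produces a constructed, truncated core segment for testing; real strings continue with further fields and vendor sections, which the decoder simply does not read.

```python
import base64

# Bit widths of the leading fields of a TCF v2 core segment (IAB TC String
# format). Only fields up to the two purpose bitfields are modelled; a real
# core segment continues with purposeOneTreatment, publisherCC and vendors.
CORE_FIELDS = [
    ("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
    ("cmp_version", 12), ("consent_screen", 6), ("consent_language", 12),
    ("vendor_list_version", 12), ("tcf_policy_version", 6),
    ("is_service_specific", 1), ("use_non_standard_stacks", 1),
    ("special_feature_opt_ins", 12), ("purposes_consent", 24),
    ("purposes_li_transparency", 24),
]
# Under TCF v2.2, Purposes 3-6 may only be processed on the basis of consent.
CONSENT_ONLY_PURPOSES = {3, 4, 5, 6}

def bitfield_from_purposes(purposes, width=24):
    """Purpose 1 is the most significant bit of the 24-bit field."""
    return sum(1 << (width - p) for p in purposes)

def purposes_from_bitfield(value, width=24):
    return {i + 1 for i in range(width) if (value >> (width - 1 - i)) & 1}

def encode_core(fields):
    """Pack a constructed (truncated) core segment as unpadded base64url."""
    bits = "".join(format(fields.get(n, 0), f"0{w}b")[-w:] for n, w in CORE_FIELDS)
    bits += "0" * (-len(bits) % 8)
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_core(tc_string):
    """Read the leading fields of the core segment (first dot-separated part)."""
    core = tc_string.split(".")[0]
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    bits = "".join(format(b, "08b") for b in raw)
    out, pos = {}, 0
    for name, width in CORE_FIELDS:
        out[name] = int(bits[pos:pos + width], 2)
        pos += width
    return out

def audit_activity(tc_string, purpose, legal_basis):
    """Is one processing activity (purpose, basis) covered by this TC String?"""
    core = decode_core(tc_string)
    if legal_basis == "consent":
        ok = purpose in purposes_from_bitfield(core["purposes_consent"])
        return ok, f"purpose {purpose} {'has' if ok else 'lacks'} user consent"
    if purpose in CONSENT_ONLY_PURPOSES:
        return False, f"purpose {purpose} cannot use legitimate interest in v2.2"
    ok = purpose in purposes_from_bitfield(core["purposes_li_transparency"])
    return ok, f"purpose {purpose} {'has' if ok else 'lacks'} LI transparency"
```

Run over the list of (purpose, basis) pairs each AI pipeline stage declares, this is the purpose-level lineage check described above: a stage serving Purpose 3 outputs from data consented only under Purpose 5 is flagged as uncovered.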

How FirmAdapt Addresses This

FirmAdapt's architecture treats consent as a continuous, auditable state rather than a point-in-time event. When AI processing generates inferences or combines data across purposes, FirmAdapt maps each processing activity back to the specific consent record and lawful basis, flagging gaps between what was consented to and what the model is actually doing. This is particularly relevant for organizations operating within the TCF ecosystem, where the consent string may not capture the full scope of downstream AI use.

FirmAdapt also maintains purpose-level lineage tracking, so if data collected under one TCF purpose feeds into an AI pipeline serving a different purpose, the system surfaces that mismatch before it becomes an enforcement problem. For organizations in healthcare, financial services, or other regulated sectors that layer AI personalization on top of existing consent frameworks, this kind of granular mapping is the difference between defensible compliance and an unpleasant conversation with a supervisory authority.
