We Have All Done It. Accepting All Cookies Just To Make The Pop-up Go Away.

You have seen the banner thousands of times. A pop-up appears at the bottom or top of a website the moment you arrive. It says something about cookies and privacy. It offers a button that says Accept All and a smaller, harder-to-find link that says something like Manage Preferences. Most people click Accept All without reading a word of it and move on with what they came to do.

That click — repeated across millions of websites, billions of times — is one of the most consequential habitual actions on the internet. And most people have no idea what they just agreed to.

Cookies are not inherently sinister. They were invented in 1994 to solve a legitimate problem — helping websites remember information between pages so you did not have to log in again every time you clicked a link. That original function still exists and is genuinely useful. What has happened since is the part worth understanding.

A cookie is a small text file that a website stores on your device when you visit it. It contains information the website wants to remember — your login status, your language preference, the items in your shopping cart, your location setting. When you return to the site, your browser sends the cookie back, and the site picks up where you left off.

That is the functional cookie. It serves you directly and most people would not want to lose it — it is what stops you from having to log into every website from scratch on every visit.

The problem is that cookies come in more than one variety, and the type that drives the consent banners is not the functional kind. It is the tracking kind — and the two behave very differently.

Understanding cookies requires understanding one key distinction: who set the cookie and who can read it.

First-party cookies are set by the website you are visiting. They are readable only by that website. They remember your preferences, your login, your shopping cart. They are the functional cookies that make the web usable. When you visit a news site and it remembers that you prefer the UK edition, that is a first-party cookie. These are not the privacy concern.

Third-party cookies are set not by the website you are visiting but by a third party — an advertising network, an analytics company, a social media platform — whose code is embedded in the page. When you visit a website that contains a Facebook Like button, Facebook sets a cookie on your device even if you never click the button and are not logged into Facebook. That cookie can be read by Facebook on every other website you visit that also contains Facebook code — which is a very large proportion of the internet. The same applies to Google’s advertising network, to data analytics companies, and to hundreds of other third parties embedded invisibly across the web.

The result is that as you browse the web, a network of third-party cookies builds a detailed record of your journey — which sites you visited, in what order, for how long, and what you did there. This record is not held by the websites you visited. It is held by the advertising and data companies whose code happened to be embedded in those pages.

The cookie consent banners that appear on virtually every website exist because of privacy legislation — primarily the GDPR in Europe and similar laws elsewhere — that requires websites to obtain your consent before placing non-essential cookies on your device.

The legislation is well-intentioned. The implementation has largely undermined its purpose.

Cookie banners are almost universally designed to make acceptance the path of least resistance. The Accept All button is large, prominently placed, and brightly coloured. The Manage Preferences or Reject Non-Essential option is smaller, greyed out, buried in secondary menus, and sometimes requires navigating multiple screens to complete. This design — called a dark pattern — is deliberate. Every additional click required to decline cookies reduces the number of people who do so. The easier acceptance is made relative to rejection, the higher the acceptance rate.

A June 2025 study found that nearly 50 percent of websites use what researchers called intractable cookies — tracking cookies that continue to operate even after a user has declined consent through the banner. The banner creates the appearance of control. The underlying tracking continues regardless.

For several years, the technology industry has been discussing the end of third-party cookies. Google announced plans to phase them out of Chrome — the world’s most used browser — in 2022. The deadline was pushed to 2023. Then 2024. Then 2025. In July 2024, Google reversed course entirely, announcing it would not deprecate third-party cookies after all, citing industry feedback. In April 2025 Google confirmed this position — third-party cookies remain enabled by default in Chrome with no firm plan to remove them.

The reversal followed significant pressure from the advertising industry, which generates enormous revenue from the cross-site tracking that third-party cookies enable. The privacy benefit of removing them was real. The financial cost to the advertising ecosystem was also real. The advertising industry’s interests prevailed.

Safari and Firefox have blocked third-party cookies by default for years. Brave blocks them entirely. But Chrome accounts for roughly 65 percent of global browser usage — which means that for the majority of internet users, third-party tracking cookies remain active, consent banners notwithstanding.

The increasing scrutiny of cookies has prompted the advertising industry to develop alternative tracking methods that are harder to block and harder to regulate. Understanding these is important because accepting or rejecting a cookie banner has no effect on them.

Browser fingerprinting — covered earlier in this series — identifies your device through its unique technical characteristics without using any cookies at all. It cannot be deleted, blocked by incognito mode, or addressed through a consent banner.

Supercookies — also called zombie cookies — are tracking identifiers stored across multiple locations on your device simultaneously. When you delete a standard cookie, the supercookie uses the copies stored elsewhere to restore it. A 2025 study found these present on a significant proportion of websites.

Login-based tracking — used by Google, Meta, and others — tracks your activity across the web through your account login rather than through cookies. If you are signed into your Google account, Google can track your browsing through Chrome regardless of cookie settings. This is not addressed by cookie consent at all.

Cookie management is one area where straightforward actions make a meaningful difference.

Stop clicking Accept All. Take an extra thirty seconds and find the Reject All or Manage Preferences option. In many jurisdictions websites are legally required to offer this. It is almost always available — it is just made harder to find. If a website does not offer a way to decline non-essential cookies, that is itself a regulatory violation worth noting.

Switch to a browser that blocks third-party cookies by default. Firefox and Brave block third-party cookies by default without any configuration required. Safari does as well. Switching away from Chrome as your primary browser is one of the single most effective cookie-related privacy improvements available.

Install uBlock Origin. This free browser extension blocks the third-party advertising and tracking scripts that set third-party cookies in the first place. It operates at a level below the cookie consent banner — preventing the scripts from loading at all rather than waiting for consent to be accepted or declined.

Clear your cookies regularly. Or set your browser to clear them automatically when you close it. This disrupts the continuity of tracking — each session starts fresh rather than building on accumulated history. Note that this will log you out of saved sessions and may require re-entering some preferences.

Sign out of browser accounts. As discussed in our post on browsers, being signed into Chrome while browsing enables account-based tracking that cookies and consent banners do not address. Signing out removes this layer of tracking entirely.

The cookie banner was meant to give you control. In practice it has become a ritual — a consent ceremony that most people perform without understanding what they are consenting to, designed by the people seeking consent to maximize the likelihood of receiving it. Understanding what cookies actually are and how they actually work is the only way to make that consent meaningful.

The next time a cookie banner appears, you will know exactly what it is asking. What you do with that knowledge is your choice — but at least now it is an informed one.