Cookie consent popup on a website with tracking scripts running in the background

Between 2018 and today, the average internet user has clicked through thousands of cookie consent banners. Most clicked "Accept All" because it was the largest, most colourful button on the screen. Some clicked "Manage Preferences" and spent thirty seconds toggling switches that didn't fully correspond to anything they understood. A few clicked "Reject All," assuming that ended the tracking.

It did not. Cookie consent, as implemented across the modern web, is a compliance exercise that satisfies regulators without meaningfully changing how users are tracked. The banner exists because GDPR and ePrivacy regulations require it. The tracking continues because cookies are only one mechanism among many, and increasingly not even the primary one.

How Cookie Consent Became Theatre

The original idea behind cookie consent was straightforward. Websites store small text files on visitors' devices. Some of these files are necessary for the site to function (session tokens, shopping cart contents, language preferences). Others exist solely to track the visitor across sites for advertising purposes. The regulation said: ask before setting the non-necessary ones.

What happened next was predictable. The compliance industry built an entire infrastructure of consent management platforms (CMPs) that sit between the website and the visitor. These platforms generate the banners, record consent choices, and theoretically prevent tracking scripts from firing until consent is given. In practice, they became a UX obstacle designed to steer visitors toward clicking "Accept All."

The dark patterns are well documented at this point. The "Accept All" button is bright green and large. The "Reject All" button is grey, small, or hidden behind a second click. "Manage Preferences" opens a panel with dozens of toggles, most pre-checked, with descriptions written in legal jargon that nobody reads. Some banners don't include a reject option at all on the first screen. The visitor has to click through to settings, untoggle everything manually, and then click "Save." The whole process takes 15 to 30 seconds, which is roughly 14 to 29 seconds longer than most people are willing to spend.

Research from Ruhr University Bochum found that only about 0.1% of visitors actively manage their cookie preferences when presented with a CMP. Everyone else either accepts everything or ignores the banner entirely. The regulation created a speed bump, not a barrier. And even for that 0.1% who do reject cookies, the protection is narrower than they think.

What Cookies Actually Do (and Don't Do)

Cookies are text files stored in the browser. First-party cookies are set by the site being visited. Third-party cookies are set by domains other than the one in the address bar, typically advertising networks, analytics platforms, or social media embeds.

First-party cookies are mostly functional. They keep users logged in. They remember preferences. They maintain shopping carts. Blocking them breaks basic site functionality, which is why cookie banners don't usually ask about them.

Third-party cookies are the tracking mechanism that consent banners primarily address. An advertising network sets a cookie when a user visits Site A, then reads that same cookie when the user visits Site B, building a cross-site browsing profile. This is what people generally mean when they talk about "being tracked by cookies."

Rejecting third-party cookies through a consent banner tells the website not to load the scripts that set those cookies. If the website complies, the advertising network never gets its cookie set, and that particular tracking vector is blocked. That's genuine protection, as far as it goes. The problem is that it doesn't go very far.

Beyond Cookies: Tracking That Consent Banners Don't Cover

Browser fingerprinting doesn't use cookies at all. It builds a profile based on the characteristics of the browser and device: screen resolution, installed fonts, WebGL renderer, canvas rendering output, audio context properties, timezone, language settings, and dozens of other attributes. Combined, these attributes are often unique enough to identify a specific browser across sessions without storing anything on the device. No cookie means no consent banner. The visitor is tracked regardless of what buttons they clicked.

The EFF's Cover Your Tracks tool (formerly Panopticlick) demonstrates this effectively. Most browsers produce a fingerprint that is unique among the hundreds of thousands in the tool's dataset. That fingerprint persists across sessions, across cookie clears, across incognito mode. The consent banner has nothing to say about it because there's no cookie to consent to.
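To make the "unique enough when combined" claim concrete, here is an added example (not from the original post or the EFF's tool) that measures identifiability the way Cover Your Tracks does: how many bits of information a set of attributes carries, and how many browsers in a sample share a given fingerprint. The eight browsers and their attribute values are constructed for illustration; no single attribute identifies anyone, but the combination does.

```python
import math
from collections import Counter

# Constructed sample of eight browsers described by three passively observable
# attributes. The values are invented for illustration, not measured data; the
# EFF's tool draws on hundreds of thousands of real fingerprints.
BROWSERS = [
    {"tz": "Europe/London",    "screen": "1920x1080", "fonts": "f1"},
    {"tz": "Europe/London",    "screen": "1920x1080", "fonts": "f2"},
    {"tz": "Europe/London",    "screen": "1440x900",  "fonts": "f1"},
    {"tz": "Europe/Berlin",    "screen": "1920x1080", "fonts": "f1"},
    {"tz": "Europe/Berlin",    "screen": "1440x900",  "fonts": "f2"},
    {"tz": "America/New_York", "screen": "1920x1080", "fonts": "f1"},
    {"tz": "America/New_York", "screen": "1920x1080", "fonts": "f2"},
    {"tz": "America/New_York", "screen": "2560x1440", "fonts": "f1"},
]


def fingerprint(browser, attrs):
    """The fingerprint is simply the tuple of the selected attribute values."""
    return tuple(browser[a] for a in attrs)


def entropy_bits(browsers, attrs):
    """Shannon entropy, in bits, of the fingerprint built from `attrs`.
    The ceiling for a sample of n browsers is log2(n), so 3 bits here."""
    counts = Counter(fingerprint(b, attrs) for b in browsers)
    n = len(browsers)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def unique_fraction(browsers, attrs):
    """Share of browsers whose fingerprint is shared with nobody else."""
    counts = Counter(fingerprint(b, attrs) for b in browsers)
    return sum(1 for b in browsers if counts[fingerprint(b, attrs)] == 1) / len(browsers)


def anonymity_set(browsers, target, attrs):
    """How many browsers in the sample are indistinguishable from `target`."""
    fp = fingerprint(target, attrs)
    return sum(1 for b in browsers if fingerprint(b, attrs) == fp)


if __name__ == "__main__":
    for attrs in (["tz"], ["screen"], ["fonts"], ["tz", "screen"], ["tz", "screen", "fonts"]):
        print(f"{'+'.join(attrs):18} entropy={entropy_bits(BROWSERS, attrs):.2f} bits "
              f"unique={unique_fraction(BROWSERS, attrs):.0%}")
```

Timezone alone puts the first browser in an anonymity set of three; timezone plus screen size plus font list shrinks that set to one. Real fingerprints add dozens more attributes (WebGL renderer, canvas output, audio context), which is why the entropy climbs far past what any cookie needs to single a browser out.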

Server-side tracking is another vector entirely. When a user clicks a link that includes UTM parameters or other tracking identifiers in the URL, the tracking happens server-side. The click data is logged by the destination server. No client-side script fires. No cookie is set. The consent banner is irrelevant because the mechanism doesn't involve the browser's storage at all.

First-party tracking that masquerades as functionality is common too. A site might set a first-party cookie that technically serves a functional purpose (it tracks the user's session) but also feeds data into an analytics pipeline that profiles the user's behaviour across visits. Because it's classified as a "necessary" cookie, the consent banner doesn't ask about it. The tracking happens under the functional exemption.

CNAME cloaking takes this further. An advertising tracker operates under a subdomain of the first-party domain (e.g., track.example.com points via CNAME to an ad network's servers). The browser sees it as a first-party request. The cookie it sets is technically first-party. The consent banner doesn't flag it. The tracking is functionally identical to a third-party cookie but architecturally invisible to the consent framework.
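Because the browser and the consent banner both judge "first-party" by the hostname, the only way to see CNAME cloaking is to follow the DNS chain. The check below is an added example (not code from the original post) that walks each first-party-looking hostname's CNAME chain and reports the ones that terminate outside the site's own registrable domain. The DNS records, hostnames and tracker list are all constructed; in practice the `lookup` callable would be backed by a resolver such as dnspython's `dns.resolver` or the output of `dig +short CNAME <host>`, and the tracker list would come from a maintained source such as EasyPrivacy or Disconnect.

```python
# Constructed DNS data: hostname -> CNAME target, or None when the name has no
# CNAME and resolves directly to an address. All names here are invented.
FAKE_CNAME_RECORDS = {
    "track.example.com": "sub.adnetwork-cdn.example",
    "sub.adnetwork-cdn.example": "edge.adnetwork.example",
    "edge.adnetwork.example": None,
    "cdn.example.com": "static.example.com",
    "static.example.com": None,
    "www.example.com": None,
}

# Constructed tracker list, keyed by registrable domain.
TRACKER_DOMAINS = {"adnetwork.example"}


def registrable_domain(host):
    """Simplification: the last two labels. Production code should use the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def follow_cname(host, lookup, max_hops=8):
    """Return the CNAME chain starting at `host`, ending at the canonical name.
    Stops on loops and refuses chains longer than `max_hops`."""
    chain = [host]
    seen = {host}
    while len(chain) <= max_hops:
        target = lookup(chain[-1])
        if target is None or target in seen:
            return chain
        chain.append(target)
        seen.add(target)
    raise ValueError(f"CNAME chain for {host} exceeds {max_hops} hops")


def find_cname_cloaking(page_host, request_hosts, lookup, trackers):
    """Flag hostnames that look first-party to the browser but whose CNAME chain
    leaves the site's registrable domain. `known_tracker` says whether the
    terminal domain is on the tracker list; other off-site terminals (CDNs,
    hosted mail and so on) are reported too so a human can review them."""
    site = registrable_domain(page_host)
    findings = []
    for host in request_hosts:
        if registrable_domain(host) != site:
            continue  # plain third-party request; that is what the banner governs
        chain = follow_cname(host, lookup)
        terminal = registrable_domain(chain[-1])
        if terminal != site:
            findings.append({
                "host": host,
                "chain": chain,
                "terminal": terminal,
                "known_tracker": terminal in trackers,
            })
    return findings


if __name__ == "__main__":
    hosts = ["www.example.com", "cdn.example.com", "track.example.com"]
    for f in find_cname_cloaking("www.example.com", hosts, FAKE_CNAME_RECORDS.get, TRACKER_DOMAINS):
        status = "TRACKER" if f["known_tracker"] else "review"
        print(f"{f['host']} -> {' -> '.join(f['chain'][1:])} [{status}]")
```

In the constructed data, cdn.example.com also uses a CNAME but stays inside example.com, so it is not reported; track.example.com resolves two hops away to a domain on the tracker list. Blocking tools that only see hostnames miss this; a blocker has to resolve the chain itself, which is what uBlock Origin does on Firefox via the browser's DNS API.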

Login-based tracking doesn't need any cookies at all in the traditional sense. A user who logs into Google, Facebook, or Amazon and then browses the web while logged in is tracked through their authenticated session across every site that embeds those platforms' scripts. The tracking is tied to the account, not to a cookie. Rejecting cookies on a news site that embeds a Facebook "Like" button doesn't stop Facebook from knowing the logged-in user visited that page.

The Cookie Deprecation Illusion

Google spent years announcing the deprecation of third-party cookies in Chrome, then reversed course in 2024, then proposed a user-choice model instead. The back-and-forth created a false impression that "cookies are going away," and that the tracking problem was solving itself.

It wasn't. Safari and Firefox blocked third-party cookies years ago. The advertising industry adapted. Fingerprinting adoption increased. Server-side tracking grew. First-party data strategies became the standard recommendation at every ad-tech conference. The tracking didn't decrease; it migrated to methods that are harder to detect and harder to block.

Chrome eventually keeping third-party cookies around is almost beside the point. The industry already built the alternative infrastructure. Third-party cookies are now one channel among many, and for the sophisticated trackers, not even the primary one. The consent banner is guarding a door that the burglars stopped using years ago.

Measuring Tracking Exposure

Understanding how much tracking a consent banner actually prevents requires measuring what's happening in the browser. Several tools make this visible.

The Blacklight tool from The Markup scans any URL and reports the trackers present: third-party cookies, canvas fingerprinting, session recording scripts, keyloggers, and Facebook/Google tracking pixels. Running a site through Blacklight with and without cookie consent gives a concrete picture of what the banner actually changes.

Browser developer tools show network requests in real time. Opening the Network tab and loading a page reveals every request the browser makes, including requests to tracking domains. Comparing this with cookies rejected versus accepted shows which requests are actually conditional on consent. Often, a surprising number of tracking requests fire regardless.

The Disconnect extension categorises tracking requests by type: advertising, analytics, social, content. It provides a count per page. On a typical news site, rejecting cookies through the consent banner might reduce tracking requests by 30 to 40 percent. The remaining 60 to 70 percent are first-party analytics, fingerprinting scripts, and server-side tracking that the banner doesn't touch.

That 30-to-40-percent number is worth sitting with. It means that even when the consent banner works perfectly (the user successfully navigates the dark patterns, and the site honestly implements the consent choice), it blocks roughly a third of the tracking requests. The majority continue unaffected.
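The comparison described above (Network tab with "Accept All" versus "Reject All") is easy to automate once the two request lists are exported. The script below is an added example, not code from the original post or from Disconnect or Blacklight: it classifies each request as first- or third-party, looks the domain up in a category list, and reports which tracking requests were actually conditional on consent. The two request captures and the tracker list are constructed; on a real site the URLs would come from a HAR export and the categories from a maintained list.

```python
from urllib.parse import urlsplit

# Constructed request logs: the request URLs observed in the browser's Network
# tab for the same page load, once after "Accept All" and once after
# "Reject All". Hostnames are invented for illustration.
ACCEPTED = [
    "https://news.example/article",
    "https://news.example/analytics/collect",
    "https://cdn.news.example/app.js",
    "https://ads.adnetwork.example/pixel.gif",
    "https://metrics.tagmanager.example/tag.js",
    "https://fp.fingerprinter.example/fp.js",
    "https://connect.social.example/like.js",
]
REJECTED = [
    "https://news.example/article",
    "https://news.example/analytics/collect",
    "https://cdn.news.example/app.js",
    "https://fp.fingerprinter.example/fp.js",
    "https://connect.social.example/like.js",
]

# Constructed tracker list keyed by registrable domain, with a category per
# domain in the style of the Disconnect lists.
TRACKERS = {
    "adnetwork.example": "advertising",
    "tagmanager.example": "analytics",
    "fingerprinter.example": "fingerprinting",
    "social.example": "social",
}


def registrable_domain(host):
    """Simplification: last two labels; real code uses the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def classify(url, page_host):
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    return {
        "url": url,
        "domain": domain,
        "party": "first" if domain == registrable_domain(page_host) else "third",
        "category": TRACKERS.get(domain),  # None when not on the tracker list
    }


def consent_report(page_url, accepted, rejected):
    """Compare the two captures and say which tracking requests were actually
    conditional on consent and which fired regardless."""
    page_host = urlsplit(page_url).hostname
    acc = {u: classify(u, page_host) for u in accepted}
    rej = {u: classify(u, page_host) for u in rejected}
    tracking_acc = [c for c in acc.values() if c["category"]]
    tracking_rej = [c for c in rej.values() if c["category"]]
    blocked = [c["category"] for u, c in acc.items() if c["category"] and u not in rej]
    unaffected = [c["category"] for c in tracking_rej]
    reduction = 1 - len(tracking_rej) / len(tracking_acc) if tracking_acc else 0.0
    return {
        "tracking_requests_accepted": len(tracking_acc),
        "tracking_requests_rejected": len(tracking_rej),
        "reduction": reduction,
        "blocked_by_consent": blocked,
        "unaffected_by_consent": unaffected,
        # First-party requests are invisible to a domain list even when they
        # feed an analytics pipeline (the "functional exemption" case); they
        # need manual review rather than automated classification.
        "first_party_still_loaded": [c["url"] for c in rej.values() if c["party"] == "first"],
    }


if __name__ == "__main__":
    report = consent_report("https://news.example/article", ACCEPTED, REJECTED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed capture, rejecting cookies removes the advertising pixel and the tag-manager script but leaves the fingerprinting script and the social embed in place, a 50 percent reduction in tracker-domain requests. The first-party analytics endpoint survives in both captures and never shows up as a tracker at all, which is exactly the gap a domain-list measurement cannot close on its own.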

What Actually Protects Privacy

If cookie banners are insufficient, what works better? The answer is layered, and none of it involves clicking buttons on pop-ups.

Browser choice matters more than consent choices. Firefox with Enhanced Tracking Protection blocks third-party cookies, cryptominers, fingerprinters, and tracking content by default. Brave blocks ads and trackers at the browser level without asking. Safari's Intelligent Tracking Prevention uses machine learning to identify and limit cross-site tracking. These browsers make consent banners redundant for the categories they block, and they block categories that consent banners can't address.

Extensions add granularity. uBlock Origin blocks tracking scripts before they execute. Privacy Badger (from the EFF) learns which domains track across sites and blocks them automatically. These tools operate at the network level, blocking requests to tracking domains regardless of what the cookie banner says. A tracking script that's never loaded can't fingerprint the browser, can't set cookies, can't phone home.

DNS-level blocking scales the protection to every device on a network. Pi-hole or NextDNS configured with tracking blocklists prevents devices from resolving tracking domains at all. This protects devices that don't support browser extensions (smart TVs, IoT devices, mobile apps) and catches tracking attempts that browser-level tools miss.

VPNs address the network layer. They prevent the ISP from logging browsing activity and mask the user's IP address from the sites visited. This doesn't stop cookie-based or fingerprint-based tracking, but it removes the IP address as a tracking identifier. For users on public networks, the protection against traffic interception is an additional benefit.

Compartmentalisation separates identities. Using different browsers or browser profiles for different activities (one for work, one for personal browsing, one for shopping) prevents tracking networks from linking those activities together. Firefox's Multi-Account Containers do this within a single browser. Separate browsers achieve it more thoroughly. The principle is the same: if the tracker can't correlate the sessions, the profile it builds is fragmented and less valuable.

Synthetic identities take compartmentalisation further. Rather than using real personal details when signing up for services, using generated profiles from tools like Another.IO means the data collected by trackers isn't linkable to a real identity. The tracker still tracks, but the profile it builds leads nowhere useful. The email address, name, and details attached to the account aren't connected to the user's actual identity, which limits the downstream damage of any data collection or breach.

The Hierarchy of Effective Privacy

Privacy protection works in layers, and the layers vary dramatically in effectiveness. Ranked from most to least effective for the average user:

1. Compartmentalise identities. Different browsers, different profiles, synthetic details for throwaway accounts. This limits the blast radius of any single tracker or breach and is the highest-impact change for users who interact with many online services.

2. Use a privacy-focused browser. Firefox, Brave, or Safari with default protections enabled. This handles the baseline blocking without requiring ongoing effort or configuration.

3. Install tracking-blocking extensions. uBlock Origin, Privacy Badger, or similar. These catch what browser defaults miss and provide visibility into what's being blocked.

4. Use DNS-level blocking. Pi-hole, NextDNS, or similar. This extends protection to the entire network and covers devices without browser-extension support.

5. Use a VPN for network-level protection. This addresses ISP tracking and IP-based identification but doesn't affect browser-level tracking mechanisms.

6. Manage cookie consent. Better than nothing, but the least effective layer because it only addresses one tracking vector and relies entirely on the website's good-faith implementation.

Cookie consent sits at the bottom of this hierarchy. It isn't worthless, but treating it as the primary privacy strategy misses the larger picture entirely. The tracking methods that consent banners don't address are often more invasive, more persistent, and harder to detect than the cookies they do address. The banner gives the appearance of control. Actual control requires tools that operate below the surface of what the banner can see.