You land on a news site to read one article. Before you can see a single word of it, a banner fills half the screen. "We value your privacy." There are three buttons: Accept All, Manage Preferences, and something like "Continue without accepting" that's grey and tiny and hard to find. You click Accept All because you just want to read the article. This happens roughly a dozen times a day for most people using the web.
Most people treat these banners the way they treat airplane safety cards: a ritual to get through, not information to absorb. But there's a real reason these banners exist, a real technical mechanism behind them, and real consequences to what you click. This post explains all three.
Why the banners exist at all
Cookies have existed since 1994. For the first decade or so, nobody asked permission. Websites dropped whatever cookies they wanted: session identifiers, tracking pixels, behavioral profiles. Users had no practical way to know, let alone object.
The European Union changed that with two pieces of legislation. The ePrivacy Directive (2002, updated 2009) required informed consent before storing or accessing anything on a user's device. Then the General Data Protection Regulation (GDPR) arrived in 2018 and tightened the rules significantly: consent had to be freely given, specific, informed, and unambiguous. Pre-ticked boxes no longer counted. "By continuing to use this site you agree..." no longer counted. Silence no longer counted.
Together these rules apply to any website that serves users in the EU, regardless of where the website itself is hosted. A company in California with European visitors has to comply. A company in Singapore with European visitors has to comply. That's why you see these banners everywhere, not just on European sites.
Other jurisdictions followed with their own frameworks. California's CCPA (2020) gives residents the right to opt out of the sale of their personal data. Brazil's LGPD, Canada's updated PIPEDA, the UK's post-Brexit PECR — the direction of travel globally has been more consent requirements, not fewer.
What a cookie actually is
A cookie is a small piece of text that a website instructs your browser to store and send back with every subsequent request to that domain. That's the entire mechanism. When you log in to a site, the server sets a cookie containing a session token: a random string that maps to your authenticated session on the server side. Every request your browser makes to that site includes the cookie, so the server knows who you are without you having to log in on every page.
That original use case, keeping you logged in, is entirely benign. The consent problem arose when advertisers realized the same mechanism could be used to track users across the web. If a third-party ad network serves ads on thousands of different websites, and each page loads a tracking pixel from that network, then the same cookie is sent with every single one of those requests. The network can now build a detailed profile of your browsing habits across the entire web: which sites you visit, how often, what you read, what you buy. You never directly interact with them, but they know you well.
First-party cookies stay within a single domain. Third-party cookies follow you across unrelated sites, building a cross-site profile.
This cross-site tracking is the core privacy concern the consent frameworks are targeting. Not session cookies. Not the cookie that keeps you logged in. The network of invisible third-party trackers that builds a profile of you across the entire internet without your knowledge.
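The mechanism described above, as an added example that is not part of the original post: a toy cookie jar that does what a browser does with Set-Cookie headers, then replays two page views on unrelated sites that embed the same ad pixel. Every hostname and cookie value is constructed for the example, and the registrable-domain check is a deliberate simplification (real browsers consult the Public Suffix List).

```javascript
// Added example, not code from the original post: a toy cookie jar that does
// what a browser does with Set-Cookie headers, then shows how a single
// third-party cookie lets an ad network link visits to unrelated sites.
// Every hostname and cookie value below is constructed for the example.

// Registrable domain, approximated as the last two labels. Good enough for the
// .test hosts used here; real browsers consult the Public Suffix List.
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header into { name, value, domain, attrs }.
// A cookie without a Domain attribute belongs to the responding host only.
function parseSetCookie(header, responseHost) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    const [k, v] = part.split('=');
    attrs[k.toLowerCase()] = v === undefined ? true : v;
  }
  const domain = (attrs.domain || responseHost).replace(/^\./, '').toLowerCase();
  return { name, value, domain, attrs };
}

// Minimal browser cookie store, keyed by domain and name.
class CookieJar {
  constructor() {
    this.cookies = new Map();
  }
  store(responseHost, header) {
    const c = parseSetCookie(header, responseHost);
    this.cookies.set(`${c.domain}|${c.name}`, c);
    return c;
  }
  // Cookies the browser would attach to a request sent to `host`.
  cookiesFor(host) {
    return [...this.cookies.values()].filter(
      (c) => host === c.domain || host.endsWith('.' + c.domain)
    );
  }
}

// First-party if the cookie's domain matches the site in the address bar,
// third-party otherwise; the same cookie can be either depending on the page.
function party(cookie, topLevelHost) {
  return registrableDomain(cookie.domain) === registrableDomain(topLevelHost)
    ? 'first-party'
    : 'third-party';
}

// Two page views on unrelated sites that both embed the same tracking pixel.
// Per resource: the browser sends the request (with matching cookies), then
// stores whatever Set-Cookie the response carries (null = none).
function simulateBrowsing() {
  const jar = new CookieJar();
  const visits = [
    { page: 'news.example-site.test', requests: [
      ['news.example-site.test', 'sessionid=7f3a9c; Path=/; HttpOnly; Secure'],
      ['pixel.adnet.test', 'uid=u-918273; Domain=.adnet.test; Path=/; Secure'],
    ] },
    { page: 'shop.another-site.test', requests: [
      ['shop.another-site.test', 'cart=c-551; Path=/'],
      ['pixel.adnet.test', null], // pixel already has its cookie; nothing new to set
    ] },
  ];
  const report = [];       // one row per cookie set during browsing
  const trackerSees = {};  // tracker domain -> sites where its identifier was set or sent
  const note = (cookie, page) => {
    if (party(cookie, page) !== 'third-party') return;
    trackerSees[cookie.domain] = trackerSees[cookie.domain] || new Set();
    trackerSees[cookie.domain].add(page);
  };
  for (const v of visits) {
    for (const [host, setCookie] of v.requests) {
      // Outgoing request: every matching cookie rides along, including the ad
      // network's identifier even though the page is a completely different site.
      for (const c of jar.cookiesFor(host)) note(c, v.page);
      if (setCookie) {
        const c = jar.store(host, setCookie);
        note(c, v.page);
        report.push({ page: v.page, cookie: c.name, domain: c.domain, party: party(c, v.page) });
      }
    }
  }
  const linkedSites = {};
  for (const [d, s] of Object.entries(trackerSees)) linkedSites[d] = [...s].sort();
  return { report, linkedSites };
}

console.log(JSON.stringify(simulateBrowsing(), null, 2));
```

Run it with `node` and the `linkedSites` entry shows the point of the section: the site's own `sessionid` and `cart` cookies never leave their domains, while the one `uid` cookie on adnet.test is present in requests from both visits, which is all the network needs to tie them together.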
The cookie categories — what you're actually consenting to
Modern consent banners break cookies into categories. These categories are not arbitrary; they map to different purposes, different legal bases, and different levels of privacy risk. The most widely adopted categorization comes from the IAB Europe Transparency and Consent Framework (TCF), but the concepts are consistent across implementations.
Strictly necessary cookies
These do not require consent. The legal basis for them is legitimate interest: the site literally cannot function without them. Session cookies that keep you logged in, shopping cart identifiers, load balancer cookies that route you to the right server, security tokens that prevent cross-site request forgery. You'll notice that the "Reject All" button on a consent banner doesn't switch off strictly necessary cookies, because it can't.
Performance cookies
Performance cookies collect anonymous data about how visitors use a site: which pages they visit, how long they stay, where they drop off, what errors they encounter. The data goes to analytics tools like Google Analytics, Adobe Analytics, Hotjar, and Mixpanel. The site owner uses it to understand what's working and what isn't. No individual is identified; the data is aggregated.
The key distinction from tracking cookies is that performance data stays with the site owner. It's not shared with ad networks or used to serve targeted ads. If you reject performance cookies, the site still works; you just won't be counted in the analytics dashboard.
Functional cookies
Functional cookies remember choices you've made to customize your experience: your preferred language, your region setting, whether you've dismissed a particular notification, the theme you've selected. They're not strictly necessary; the site works without them. But they make it noticeably better. Rejecting them means the site forgets your preferences every time you visit.
Targeting / advertising cookies
These are the category the regulations were primarily written to address. Targeting cookies track your browsing behavior across multiple sites, using third-party networks, to build a profile that advertisers use to serve you ads based on your inferred interests. They're what makes an ad for running shoes follow you around the internet for a week after you searched for running shoes once.
Clicking "Accept All" on a consent banner primarily means consenting to these. Clicking "Reject All" means the site can't share your data with ad networks, and you'll see generic ads instead of personalized ones.
The four standard cookie categories, ordered by privacy risk and the regulatory focus that drove the consent requirement.
What valid consent actually requires
Under GDPR, consent isn't just a formality. It has specific legal requirements that make a lot of common banner designs technically non-compliant, even if they're still widely used.
Freely given means the user must have a genuine choice. A banner that makes it easy to click "Accept All" and difficult to click "Reject All", through color contrast, button size, or burying the reject option in sub-menus, fails this requirement. The French data protection authority (CNIL) has fined Google and Facebook hundreds of millions of dollars specifically for making accepting easier than refusing.
Specific means the user must consent to each purpose separately. One checkbox covering "analytics, advertising, and partner sharing" doesn't meet the bar. The user should be able to accept analytics and reject advertising independently.
Informed means the user must actually know what they're consenting to: who the data controllers are, what they'll do with the data, how long it will be retained. Vague statements like "we use cookies to improve your experience" don't cut it.
Unambiguous means there must be a clear, affirmative action. Pre-ticked boxes, implied consent from continued browsing, or consent bundled with terms of service are all invalid under GDPR.
Withdrawable is the requirement most sites handle worst. Consent must be as easy to withdraw as it was to give. If you clicked "Accept All" in two seconds, you should be able to find a way to withdraw that consent just as quickly, not buried in a settings panel three levels deep.
A compliant banner gives equal visual weight to accept and reject. A dark pattern makes accepting the path of least resistance.
How a Consent Management Platform works
Very few sites build their own consent mechanism from scratch. Most use a Consent Management Platform (CMP): a third-party service that handles the banner UI, stores consent records, and communicates consent decisions to the other scripts on the page.
The most widely adopted technical standard for CMPs is the IAB TCF (Transparency and Consent Framework). When a user makes a choice, the CMP encodes it into a compact binary string and stores it in a first-party cookie called euconsent-v2. Every ad tech vendor and analytics script on the page can read it via a JavaScript API to know whether they have permission to fire. A script that checks for analytics consent and finds it denied simply doesn't set its cookie or send any data. The consent decision cascades down to every dependent tool.
The CMP encodes consent into a string stored as a cookie. Scripts query the CMP API before firing; those without consent are blocked.
The CMP also has an obligation to record and store proof of consent: the timestamp, the CMP version, and the encoded string at the moment of the decision. This audit trail is what allows a company to demonstrate compliance if a regulator comes asking.
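To make the "compact binary string" concrete, here is an added example, not IAB or any CMP's code: it bit-packs and unpacks the leading fields of a TCF v2 core segment (the part of euconsent-v2 up to the purpose bits; the vendor sections that follow are left out), then gates a script on the purpose bits the string carries. Field order and widths follow the IAB TCF v2 core-string layout; the CMP id, timestamps and consent choices are constructed sample values, and the purpose numbers used for the two tags (1, 3, 4, 7, 8) are the TCF purpose ids for storage, personalised-ads profiling and selection, ad measurement and content measurement.

```javascript
// Added example, not IAB or any CMP's code: encode and decode the leading
// fields of a TCF v2 core segment, the "compact binary string" a CMP stores in
// euconsent-v2, then gate a script on the purpose bits it carries. Field order
// and widths follow the IAB TCF v2 core-string layout (later fields and the
// vendor sections are left out); the CMP id, timestamps and choices below
// are constructed sample values.

const CORE_FIELDS = [ // [name, width in bits], in wire order
  ['version', 6], ['created', 36], ['lastUpdated', 36], ['cmpId', 12],
  ['cmpVersion', 12], ['consentScreen', 6], ['consentLanguage', 12],
  ['vendorListVersion', 12], ['tcfPolicyVersion', 6], ['isServiceSpecific', 1],
  ['useNonStandardStacks', 1], ['specialFeatureOptIns', 12],
  ['purposesConsent', 24], ['purposesLITransparency', 24],
];

// Purposes are numbered 1..24 with purpose 1 in the most significant bit.
function purposeMask(ids) {
  return ids.reduce((m, id) => m | (1 << (24 - id)), 0);
}
function hasPurpose(mask, id) {
  return ((mask >> (24 - id)) & 1) === 1;
}

// Language is two 6-bit letters, A=0 .. Z=25 ("EN" here).
function langCode(s) {
  const a = 'A'.charCodeAt(0);
  return ((s.charCodeAt(0) - a) << 6) | (s.charCodeAt(1) - a);
}

function toBits(value, width) {
  const s = value.toString(2);
  if (s.length > width) throw new Error(`value ${value} does not fit in ${width} bits`);
  return s.padStart(width, '0');
}

// Bit-pack the fields, pad to whole bytes, base64url-encode without padding.
function encodeCore(fields) {
  let bits = CORE_FIELDS.map(([name, width]) => toBits(fields[name], width)).join('');
  bits = bits.padEnd(Math.ceil(bits.length / 8) * 8, '0');
  const bytes = Buffer.alloc(bits.length / 8);
  for (let i = 0; i < bytes.length; i++) bytes[i] = parseInt(bits.slice(i * 8, i * 8 + 8), 2);
  return bytes.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Reverse of encodeCore. Only the first '.'-separated segment is the core
// string; reading the leading fields also works on a full string's prefix.
function decodeCore(tcString) {
  const b64 = tcString.split('.')[0].replace(/-/g, '+').replace(/_/g, '/');
  let bits = '';
  for (const b of Buffer.from(b64, 'base64')) bits += b.toString(2).padStart(8, '0');
  const out = {};
  let pos = 0;
  for (const [name, width] of CORE_FIELDS) {
    out[name] = parseInt(bits.slice(pos, pos + width), 2);
    pos += width;
  }
  return out;
}

// Constructed decision: storage (1), ad measurement (7) and content
// measurement (8) granted; the personalised-ads purposes (3, 4) withheld.
const SAMPLE_DECISION = {
  version: 2,
  created: Math.floor(Date.UTC(2024, 0, 15, 9, 30) / 100), // deciseconds since epoch
  lastUpdated: Math.floor(Date.UTC(2024, 0, 15, 9, 30) / 100),
  cmpId: 1234, // constructed, not a registered CMP id
  cmpVersion: 7,
  consentScreen: 1,
  consentLanguage: langCode('EN'),
  vendorListVersion: 250,
  tcfPolicyVersion: 4,
  isServiceSpecific: 1,
  useNonStandardStacks: 0,
  specialFeatureOptIns: 0,
  purposesConsent: purposeMask([1, 7, 8]),
  purposesLITransparency: purposeMask([2, 10]),
};

// What a consent-aware tag does before firing: decode the stored string,
// check every purpose it relies on, and stay silent if any is missing.
function gateScript(tcString, requiredPurposes, fire) {
  const tc = decodeCore(tcString);
  const missing = requiredPurposes.filter((p) => !hasPurpose(tc.purposesConsent, p));
  if (missing.length > 0) return { fired: false, missing };
  fire();
  return { fired: true, missing: [] };
}

const TC_STRING = encodeCore(SAMPLE_DECISION);
console.log(TC_STRING);
console.log(gateScript(TC_STRING, [1, 8], () => console.log('analytics tag fired')));
console.log(gateScript(TC_STRING, [1, 3, 4], () => console.log('personalised-ads tag fired')));
```

The analytics tag fires because purposes 1 and 8 are set; the personalised-ads tag reports purposes 3 and 4 as missing and does nothing, which is the cascade the section describes. Decoding also makes the audit-trail point visible: the timestamps, CMP id and CMP version the record must preserve are right there in the first 100 bits of the string.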
Where the system falls short
Despite the regulatory intent, the practical outcome has been mixed. Banner fatigue is real; the average user has trained themselves to click "Accept All" without reading anything, which is arguably worse for privacy than the pre-GDPR status quo, because now they've technically consented.
Dark patterns remain widespread. A 2022 study found that the majority of consent banners on major European news sites used at least one dark pattern. Regulators have been active: CNIL issued landmark fines against Google and Meta specifically for consent UI design, not data handling. But enforcement is slow relative to the scale of the problem.
Third-party cookie deprecation is also changing the landscape. Browsers have been blocking third-party cookies by default for years; Firefox and Safari have done so since around 2019 and 2020 respectively. Chrome, which represents a much larger share of browser usage, announced a deprecation plan that has since been delayed and revised multiple times. Whether or not the consent banner exists, the underlying mechanism of cross-site cookie tracking is increasingly blocked by the browser itself.
The irony is that the most privacy-protective choice — blocking third-party cookies at the browser level — requires no banner and no consent at all. The banner system was built to regulate the tracking that browsers were allowing by default. As browsers have tightened their defaults, the consent banner has started to feel like a legal overlay on top of a technical problem that's being solved independently.
Summary
Cookie consent banners exist because legislation, primarily GDPR and ePrivacy in the EU, required that websites ask permission before dropping tracking cookies on your device. The four cookie categories (necessary, performance, functional, targeting) map to different privacy risks and different legal obligations. Only strictly necessary cookies require no consent. The other three need explicit, affirmative, granular consent to be lawful.
The mechanism behind most banners is a Consent Management Platform that encodes your choices into a standardized string and broadcasts that decision to every script on the page. Scripts without consent don't fire. The system works when it's implemented honestly. The problem is that dark patterns and banner fatigue mean most users never make a real choice.
What you click on those banners does actually matter. "Accept All" on a site with a broad ad network means your browsing data flows to dozens of companies you've never heard of. "Reject All" means it doesn't. The banner is annoying. The decision behind it is real.
Part of the Explained series — concepts in tech, clearly.