Cookies Insolence

I am tired of cookie banners.

Not in the way you're tired of a bad song on the radio. In the way you're tired of someone lying to your face, every single day, and knowing they know you know they're lying, and watching them do it anyway because there are no consequences.

Are cookie banners privacy protection? (Cartoon)

When the EU passed the GDPR in 2016, the promise was: you own your data, and companies need your permission to collect it and be strictly transparent about how they use it. That was the spirit of the law. Stop the invisible surveillance machine that follows people across the web, builds dossiers on their behavior, and auctions off access to the highest bidder. Simple enough. Reasonable, even.

What we got instead was cookie banners and pop-ups.

They Made Privacy Annoying on Purpose

The publishing and ad tech industries should have redesigned their systems around privacy. Instead, the trillion-dollar surveillance economy made compliance so obnoxious that users would surrender their rights, just to make the noise stop.

"Accept All" is a big green button. One click. Done. Back to your article. Rejecting cookies? That's three screens deep, behind a grey link labeled "Manage Preferences," through a wall of 147 toggles sorted under categories like "Functional," "Performance," and the deliberately vague "Legitimate Interest." You'd need a law degree and 40 minutes of free time to opt out of tracking on a single website. And you visit dozens a day.

This is not incompetence. This is strategy. Nouwens et al. (2020) found that only 11.8% of cookie consent implementations met the GDPR's minimum legal requirements. Eighty-eight percent of them were already breaking the law. Nobody cared. The fine, if it ever comes, is a rounding error.

And naturally, a whole industry sprang up to service this dysfunction. Consent Management Platforms like OneTrust became a multi-billion-dollar market, selling companies the appearance of compliance. Not actual privacy. The appearance. They're selling indulgences, except instead of getting into heaven, you get to keep harvesting people's data. Nice work if you can get it.

The Banners Are a Distraction. That's the Point.

Here's what actually makes me angry: while we were all busy clicking "Accept All" 47 times a day (or, if you're like me, hunting for "Reject All" and cursing under our breath), the industry quietly moved to tracking techniques that don't involve cookies at all. The cookie banner isn't just annoying. It's a magic trick. Look over here at this pop-up while we surveil you through the back door.

Browser fingerprinting is the big one. Your browser leaks hundreds of data points: screen resolution, installed fonts, GPU model, audio processing quirks, how your device renders invisible test images. Combined, these form an identifier so unique that the EFF's Panopticlick study found 84% of browsers produce a one-of-a-kind fingerprint, rising to 94% when Flash or Java were enabled. No cookie stored. Nothing in your settings. Nothing to delete. You can clear your cookies, run your ad blocker, browse in private mode, and they can still identify you. Isn't that fun?

Google reversed its longstanding ban on fingerprinting across its ad platform. The company that controls Chrome, Android, and the dominant ad network just told the entire industry: go ahead. The UK's Information Commissioner called this "irresponsible". Google did not seem bothered.

CNAME cloaking is even dirtier. Third-party trackers disguise themselves as first-party subdomains of the website you're visiting, using DNS aliases. Your browser trusts it. Your ad blocker waves it through. It's a tracker wearing the website's name tag, and it works because nobody checks the badge.
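Checking the badge is mechanical: follow the subdomain's CNAME chain and see whether it leaves the site's own registrable domain. The sketch below is an added example, not code from any blocker or from this post; the DNS records, hostnames and tracker list are constructed, and "registrable domain" is approximated as the last two labels, where a real tool would use the Public Suffix List and live DNS lookups.

```python
# Added example: flag first-party-looking hosts whose CNAME chain ends at a tracker.
# All names below are constructed sample data under the reserved .example TLD.
CONSTRUCTED_CNAMES = {
    "metrics.news.example": "news-example.collector.tracker.example",
    "news-example.collector.tracker.example": "edge7.tracker.example",
    "static.news.example": "cdn.news.example",
    "shop.news.example": "shops.hosted-store.example",
}
KNOWN_TRACKERS = {"tracker.example"}  # hypothetical blocklist of registrable domains


def registrable(name):
    """Assumption: last two labels. Wrong for suffixes like co.uk; use the PSL in practice."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def resolve_chain(name, records, max_hops=8):
    """Follow CNAME records from name, stopping on loops or after max_hops."""
    chain = [name.rstrip(".").lower()]
    seen = set(chain)
    while chain[-1] in records and len(chain) <= max_hops:
        nxt = records[chain[-1]].rstrip(".").lower()
        if nxt in seen:  # CNAME loop: stop rather than spin
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def classify(host, site, records, trackers):
    """Classify a request host relative to the site the user is visiting."""
    if registrable(host) != registrable(site):
        return "third-party"  # ordinary blocklists already see this one
    chain = resolve_chain(host, records)
    external = [h for h in chain[1:] if registrable(h) != registrable(site)]
    if not external:
        return "first-party"
    if any(registrable(h) in trackers for h in external):
        return "cloaked-tracker"  # same-site name, tracker infrastructure behind it
    return "external-alias"  # leaves the site, but not to a listed tracker


if __name__ == "__main__":
    for h in ("metrics.news.example", "static.news.example", "shop.news.example"):
        print(h, "->", classify(h, "www.news.example", CONSTRUCTED_CNAMES, KNOWN_TRACKERS))
```

The "external-alias" result matters as much as the tracker hit: plenty of legitimate hosted services sit behind CNAMEs, so the chain alone is a signal to review, and the blocklist match is what turns it into a verdict.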

Server-side tracking cuts your browser out entirely. The website's server collects your behavior and sends it straight to ad platforms. Google, Meta, and TikTok all offer server-side APIs for exactly this purpose. You can't block what never runs on your device. Your ad blocker is irrelevant. You never had a chance.

Login-based tracking is the most brazen. When you sign into Google or Meta, you've given them a persistent, cross-device identifier that no tool can strip. They don't need cookies. They have your account. You consented to the terms of service, remember? All 47 pages of them.

And now there's AI-driven behavioral fingerprinting: machine learning models that identify you by your mouse movements, scroll speed, typing rhythm. No identifier stored anywhere. Your behavior is the identifier. You are the cookie now.

Regulators Are Fixing the Wrong Thing

Some governments have noticed the dark pattern problem. Germany's TDDDG now requires cookie banners to show a "Reject All" button on the first screen, as prominent as "Accept All". No more burying the reject option three layers deep. Progress, right?

Except think about what this actually concedes. The entire regulatory effort is now focused on making the cookie banner fairer. Not on the fact that cookies are yesterday's tracking mechanism and the banner is theater. Germany spent years of legislative energy ensuring that the pop-up interrupting your morning news has a slightly more honest button layout. Meanwhile, browser fingerprinting, server-side tracking, and CNAME cloaking carry on unbothered. It's like passing a law that muggers have to say "please" first.

California's CCPA takes a different approach: an opt-out model. Companies must display a "Do Not Sell or Share My Personal Information" link. In theory, you click it and tracking stops. In practice, the CPPA's largest fine to date was $1.35 million against Tractor Supply in September 2025, largely for opt-out mechanisms that simply didn't work. Broken links. Forms that went nowhere. A right that existed on paper and evaporated on click.

The CCPA also now requires businesses to honor Global Privacy Control signals, and in September 2025 California, Colorado, and Connecticut launched a joint investigation into whether anyone actually does. The answer, predictably, is: not enough of them. And even when opt-out works perfectly, it only covers "sale" and "sharing" of data. A company can still collect everything about you, build a profile, and use it internally. You opted out of the transaction, not the surveillance.

Both approaches share the same flaw: they're regulating the interface, not the infrastructure. One makes the banner nicer. The other adds a link. Neither addresses the fundamental asymmetry: you, alone, clicking buttons on thousands of websites, versus an industry with infinite resources to find the next loophole.

Nobody Is Enforcing the Rest

Here's what really stings. All of these techniques are illegal under GDPR. The regulation is technology-neutral. Browser fingerprints are personal data. Server-side tracking is still tracking. The law already covers this. On paper.

But enforcement requires detection, and detection requires funding, and the people who write the checks apparently don't think this is a priority. Ireland's Data Protection Commission, which oversees most of Big Tech's EU operations because they all set up shop in Dublin, runs on a budget of about 29 million euro a year. Meta's EU revenue is in the tens of billions. That's the cop-to-criminal ratio we're working with.

So what's actually happening? Small websites dutifully display cookie banners for their Google Analytics snippet. Some blogger in Portugal pays for a consent management tool. Meanwhile, the largest surveillance operations in human history run on techniques that most regulators have barely heard of, let alone investigate. The cookie banner became a compliance tax on the little guys and a PR shield for everyone else.

We Are Being Taken for Fools

The technology for real privacy exists. It has existed for years. Browser-level consent signals like Global Privacy Control could replace per-site pop-ups entirely. The W3C tried "Do Not Track" years ago, but compliance was voluntary, so the industry just... didn't comply. They saw the signal, shrugged, and kept tracking. Because why wouldn't they?

The fix was never technical. It was always about political will. Privacy regulations need to target the outcome (tracking people without real consent) instead of the mechanism (cookies specifically). Enforcement needs funding that isn't a joke. And consent needs to happen once, at the browser level, instead of being extorted from you a dozen times a day through interfaces designed to make you give up.

But none of that is happening fast enough, and in the meantime, every time you click "Accept All" just to read a recipe, just to check the weather, just to exist on the internet without being interrupted, the ad tech industry books that as informed consent. They put it in a compliance report. They show it to regulators. See? The users agreed. Look at the numbers.

We didn't agree. We got tired. There's a difference, and they know it, and they don't care.

That's what the cookie banner really is. Not a privacy tool. Not informed consent. A monument to an industry's contempt for the people it surveils, and for the laws that were supposed to stop it. We are being taken for fools, and the banner is how they rub it in.