
Cookies, consent, and clicks – will the EU’s new ‘Reject All’ rules work?

Cookies have been around since the early days of the internet. The “Accept All” button has become a routine reflex for many. But even the “Reject All” button disguises hundreds of so-called “legitimate interest” tracking. Now the EU wants to fix this loophole in its landmark privacy rules, claiming users

  • Owen Carpenter-Zehe
  • May 1, 2026

Cookies have been around since the early days of the internet. The “Accept All” button has become a routine reflex for many.

Now the EU wants to fix this loophole in its landmark privacy rules, claiming users would save 198 million hours a year with new changes – but will these really empower users or reshape old problems into a new form? 

Underneath the delicious-sounding name, a web cookie is simply a small text file, placed on a device by a website to store and manage information.

Cookies do everything from measuring and ensuring website performance to remembering that you have previously logged in, but they are also a money-maker for tracking users’ behaviour across the internet.

Their tracking capabilities are key and remain a go-to method for collecting users’ data that’s valuable for advertising and marketing profiling.

A web surfer in Europe must consent to cookies – barring a few exceptions – before they are placed on the computer or phone, with consent dictated by the EU’s landmark privacy laws, namely the General Data Protection Regulation (GDPR) and the e-Privacy Directive.

But it’s these consent rules the commission wants to adjust, merging the two laws to change how consent is given.

Announced in November 2025, the so-called ‘Digital Omnibus’ aims to streamline consent and reduce the ‘fatigue’ of having to choose your cookie preferences on every website.

The new law proposes multiple methods to reduce consent, including a “one-click” cookie policy, where websites must let users deny all cookies with one click. 

Beyond saving businesses’ compliance costs, changes are also pitched as the pro-consumer move within the proposal.

“I think we can all agree that we have spent too much of our time accepting or rejecting cookies every time we visit our website,” said Henna Virkkunen, commission vice president for technology, when she presented the package.

Despite the good intentions, experts are dubious about the real impact the changes will have on improving user experience, as they fear swapping one ill-fated solution for another.

Why block a cookie?

If a website wants to track a user, it can use a cookie to follow which pages they click on, how long they stay on each page, what they click on, and the user’s general geolocation, all of which can be information to develop a behavioural profile.

Karel Kubicek, internet privacy researcher and previously an academic, told EUobserver that cookies are still the “de facto” method for tracking.

This is for two reasons – they are easy to develop, and they can last for a while. 

It only takes a few lines of code to build a cookie, and according to Kubicek, from the “perspective of the developer who is going to use tracking technology, this [a cookie] is the easiest.”  

“Persistent cookies”, which don’t stop collecting when browsers like Chrome close down but come back alive once the browser is opened again, can last for potentially years on a device.

An example of a cookie that can last for over 2 years on a user’s device (Source: Screenshot)

Other methods of tracking cannot as easily bridge between websurfing sessions.

The number of tracking cookies per website varies, but Kubicek explained that the number of cookies is really just a “technical detail.” Some companies will use a bunch, some will use one.

“What matters is really the number of third parties that are getting your data,” he explained.

“Third-party cookies” are placed by companies that have an agreement to access the website’s users, and are a critical part of the online data economy.

Some websites have tens, while others have thousands of third-party cookie partners. If you accept all, not every partner will load cookies onto your computer, but you are agreeing to let them.

An example of a website with over 2000 third-party partners, without an immediate reject-all choice (Source: Screenshot)

Kubicek says there are usually “hundreds [of parties] for websites that have the advertising based on your private data.”
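What a persistent third-party cookie looks like on the wire, as an added example that is not part of the original article: the script parses the `Set-Cookie` headers from one page load and reports which third parties set cookies and which cookies outlive a chosen threshold. The hostnames, cookie values, the one-year threshold and the two-label site comparison (a stand-in for a Public Suffix List lookup) are constructed assumptions.

```javascript
// Constructed sample: Set-Cookie headers seen during one load of news.example.
const DAY = 86400;
const NOW = Date.UTC(2026, 4, 1); // fixed clock so the result is reproducible
const SAMPLE = [
  { host: "news.example", setCookie: ["session=abc; Path=/; HttpOnly; Secure"] },
  { host: "cdn.adtech-a.example", setCookie: ["uid=u1; Max-Age=63158400; SameSite=None; Secure"] },
  { host: "sync.adtech-a.example", setCookie: ["sync=1; Max-Age=86400; SameSite=None; Secure"] },
  { host: "pixel.tracker-b.example",
    setCookie: ["tid=t9; Expires=Mon, 01 May 2028 00:00:00 GMT; SameSite=None; Secure"] },
];

// Split one Set-Cookie value into the cookie name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? "" : pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Lifetime in seconds; null means a session cookie that ends with the browser session.
function lifetimeSeconds(cookie, now) {
  const { "max-age": maxAge, expires } = cookie.attrs;
  if (maxAge !== undefined) return Number(maxAge); // Max-Age takes precedence (RFC 6265)
  if (expires !== undefined) return Math.round((Date.parse(expires) - now) / 1000);
  return null;
}

// Report distinct third-party sites and cookies living longer than maxDays.
function auditCookies(pageHost, responses, now, maxDays = 365) {
  const site = (h) => h.split(".").slice(-2).join("."); // assumption: no PSL lookup
  const thirdParties = new Set();
  const longLived = [];
  for (const { host, setCookie } of responses) {
    const party = site(host);
    if (party !== site(pageHost)) thirdParties.add(party);
    for (const header of setCookie) {
      const cookie = parseSetCookie(header);
      const life = lifetimeSeconds(cookie, now);
      if (life !== null && life > maxDays * DAY)
        longLived.push({ name: cookie.name, party, days: Math.floor(life / DAY) });
    }
  }
  return { thirdParties: [...thirdParties].sort(), longLived };
}
```

Calling `auditCookies("news.example", SAMPLE, NOW)` on the sample shows three third-party hosts collapsing into two parties, which is the count the researcher says matters.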

It is all the data a cookie can collect that led the EU to require consent – which has created its own troubles.

Why is clicking taking up 198 million hours?

The modern iteration of the cookie banner was born with the implementation of the GDPR, which explicitly requires consent that is “freely given, specific, informed, and unambiguous.”

From these rules, modern pop-up cookie banners were developed by private Consent Management Platforms, along with organisations such as the Interactive Advertising Bureau Europe (IAB Europe), which develops the technical mechanisms and lobbies on behalf of adtech companies.  

But the industry-built banners have issues beyond the tedium of clicking every time, as they often include “dark patterns,” or interfaces designed to lead users to a desired choice.

The paradox is that while GDPR aimed to restore user control over personal data, the widespread use of cookie banners has sometimes turned consent into a routine, almost reflexive action.

One-click accept, endless to ‘reject’

Usually, it takes one click to accept all cookies, but to reject, users must often click multiple times in various checkboxes, going into a second layer of options to manually choose what they reject – with the website frequently “visually nudging” the user to the consent button.

Many of these banners already have “reject all” buttons, but Cristiana Santos, assistant professor of law and technology at Utrecht University, told EUobserver that these buttons are deceiving too.

Other than regular consent, websites can claim “legitimate interest” as a basis for consent-less access to a device, if it’s for critical functions, but the user must have a way to opt out. There have been legal battles over whether direct marketing counts as legitimate interest.

A cookie settings menu full of checkboxes, where green is consent to all, grey is legitimate interest cookies only, and red is reject (Source: Screenshot)

Santos described a practice where the legitimate interest cookies are automatically preselected as “agree”, with the choice to opt-out hidden in another layer. 

“Even if you click reject all in the first layer, you think that you are protecting your data and your privacy? No. You would need to go to the second layer, deselect all purposes where legitimate interest is being used,” she explained.
