Case Study: Cookie Consent Banners: A Study in Theatrical Consent

"We asked for informed consent. We got a billion mindless clicks." — Attributed to a European data protection official, 2020

Overview

If you have used the internet since 2018, you have encountered them: the pop-up banners that appear at the bottom or top of nearly every website, asking you to "Accept," "Reject," or "Manage" cookies. They are ubiquitous, intrusive, and almost universally ignored. Research consistently shows that approximately 90% of users click "Accept All" without reading the text or considering the implications. The remaining 10% who attempt to exercise meaningful choice face multi-screen interfaces designed — whether by intent or incentive — to exhaust their patience.

Cookie consent banners are the most visible artifact of the notice-and-consent model of privacy protection. They were supposed to be the mechanism through which individuals exercised informed control over their data. Instead, they have become a case study in what Chapter 9 calls "theatrical consent" — a system that performs the ritual of choice without producing its substance.

This case study examines the regulatory origins of cookie consent, the design research that reveals how banners are engineered to produce acceptance, and the deeper structural question: Why does a mechanism intended to empower users end up serving the interests of the data collectors it was meant to constrain?

Skills Applied:

  • Analyzing the gap between regulatory intent and practical implementation
  • Evaluating consent mechanisms through the lens of dark patterns and design manipulation
  • Connecting a specific regulatory mechanism to broader theories of consent and power
  • Assessing the structural incentives that shape consent interfaces


The Situation

The story begins with the European Union's ePrivacy Directive (Directive 2002/58/EC), which first addressed the use of cookies — small text files that websites place on users' devices to track browsing behavior, store preferences, and enable targeted advertising. In its original form, the directive required that users be "provided with clear and comprehensive information" about cookies and offered "the right to refuse."

In practice, the directive was widely interpreted as permitting "implied consent" — if a user continued to browse a website after seeing a notification about cookies, consent was deemed to have been given. Websites complied by displaying perfunctory notices ("This site uses cookies. By continuing to browse, you agree.") that required no action and produced no meaningful choice. Compliance was near-universal; informed consent was near-zero.

In 2009, the directive was amended to require "prior informed consent" for non-essential cookies — a shift from opt-out to opt-in. But enforcement was inconsistent, interpretations varied across member states, and the practical effect was modest. The fundamental dynamic remained: websites wanted data, users wanted content, and the consent mechanism was a speed bump between them.

The General Data Protection Regulation, which took effect on May 25, 2018, transformed the legal landscape. The GDPR established consent as one of six lawful bases for processing personal data and imposed rigorous conditions: consent must be "freely given, specific, informed and unambiguous," demonstrated by a "clear affirmative action" (Article 4(11)). Pre-checked boxes were explicitly prohibited. The right to withdraw consent was required to be "as easy as to give consent."

For cookies, this meant:

  • No more implied consent. Continuing to browse a website could no longer constitute consent. Users had to take an affirmative action — clicking a button, checking a box.
  • No more pre-selected options. Cookies could not be activated by default; the user had to opt in.
  • Granular choice. Users were entitled to consent to some categories of cookies (e.g., functional cookies) while rejecting others (e.g., advertising cookies).
  • Equal ease of refusal. Refusing consent had to be as easy as giving it.

The GDPR did not specify what consent banners should look like. That design choice was left to website operators and the rapidly growing Consent Management Platform (CMP) industry.

An entire industry emerged to help websites comply with the GDPR's consent requirements. Companies like OneTrust, Cookiebot, TrustArc, Quantcast, and Didomi developed standardized consent management tools — the banners, pop-ups, and preference centers that users now encounter on virtually every European (and many non-European) website.

The CMP industry occupies a structurally conflicted position. Its customers are website operators — companies whose business models often depend on advertising cookies and data collection. CMPs compete for these customers on features, price, and ease of integration. A CMP that makes it too easy for users to reject cookies will produce lower consent rates, making it less attractive to website operators whose revenue depends on high consent rates. The structural incentive is to design banners that technically comply with the GDPR while maximizing acceptance.

This incentive structure has produced the consent landscape users actually experience.


The Research: How Banners Are Designed

Researchers have conducted systematic analyses of cookie consent banners across thousands of websites. Their findings reveal consistent patterns:

The "Accept All" Advantage. A 2020 study by Nouwens et al. (published in CHI 2020) analyzed the 10,000 most popular websites in the United Kingdom and found that:

  • 88% of consent interfaces made "Accept All" more prominent than any alternative.
  • Only 12% offered a "Reject All" button on the first layer of the interface.
  • When "Reject All" was available, it was typically displayed in a less prominent color, smaller font, or less accessible location than "Accept All."

The Click Asymmetry. Research consistently shows a dramatic asymmetry in the number of actions required to accept vs. reject cookies:

  • Accepting all cookies: 1 click (the prominent "Accept All" button).
  • Rejecting all non-essential cookies: 3 to 7 clicks on average, requiring navigation through a secondary "Manage Preferences" screen, manual toggling of multiple cookie categories, and confirmation.
  • On some sites, rejection required navigating through individual vendor lists of 200+ advertising partners, each requiring a separate toggle.

The 90% Accept Rate. Multiple studies have converged on a consistent finding: approximately 90% of users click "Accept All." A 2019 study by Utz et al. found that the position, size, and wording of consent options had a dramatic effect on consent rates:

  • When "Accept" and "Decline" were presented as equally prominent buttons, the acceptance rate dropped to approximately 50%.
  • When only an "Accept" button was shown (with a text link to "More Options"), the acceptance rate exceeded 95%.
  • When a "Reject All" button was placed alongside "Accept All" in equal size and color, rejection rates increased significantly.

The conclusion is clear: the design of the banner determines the outcome. The 90% acceptance rate is not evidence of informed consent. It is evidence of effective design.

The Behavioral Mechanisms

Why do users click "Accept All"? Research identifies several reinforcing mechanisms:

1. Consent fatigue. Users encounter consent banners on virtually every website they visit. The cognitive cost of evaluating each one — reading the text, understanding the categories, making an informed decision — accumulates. Users learn to dismiss banners as quickly as possible, developing an automatic "Accept All" response that has nothing to do with deliberation.

2. Banner blindness. Consent banners are visually similar to advertisements and other pop-up elements that users have learned to dismiss. Years of internet use have trained users to close, dismiss, or accept any interrupting element as quickly as possible. The consent banner is processed not as a meaningful decision point but as an obstacle between the user and the content.

3. Cognitive load and defaults. Behavioral economics research demonstrates that people overwhelmingly accept defaults — whatever option requires the least effort. When "Accept All" is the path of least resistance (one click, prominent button, immediate access to content) and rejection requires effort (multiple clicks, navigation, potential content degradation), the default dominates.

4. Learned helplessness. Some users have internalized the belief that their data is already being collected regardless of what they click, making the consent banner seem pointless. This learned helplessness is not irrational — it reflects an accurate perception that the data ecosystem collects information through many channels that consent banners do not address.

5. Punishment for refusal. Some websites respond to cookie rejection by degrading the user experience: blocking content behind persistent pop-ups, reducing functionality, or displaying the consent banner repeatedly until the user relents. Users who have experienced this learn that rejection is punished, reinforcing the "Accept All" habit.


The Structural Problem

Who Designs the Interface?

The critical insight is that the entity designing the consent interface — the website operator, advised by the CMP — is the same entity that benefits from high consent rates. This is equivalent to allowing the pharmaceutical company to design the informed consent form for its own clinical trial. The structural conflict of interest is baked into the system.

The GDPR sets the legal standard but does not prescribe specific designs. Regulators have published guidance (the European Data Protection Board's guidelines on consent, for example), but guidance is not enforcement. As of 2025, relatively few enforcement actions have targeted banner design specifically, though the French data protection authority (CNIL) fined Google and Facebook in 2022 for consent interfaces that made rejection harder than acceptance — requiring three clicks to refuse cookies compared to one click to accept.

The cookie consent banner reveals a deeper political economy. The advertising technology ("adtech") industry generates hundreds of billions of dollars annually from behavioral tracking enabled by cookies and similar technologies. This industry has a direct financial interest in maintaining high consent rates. Website publishers, who depend on advertising revenue, share this interest. CMPs, which serve publishers, compete partly on their ability to generate high consent rates while maintaining technical GDPR compliance.

The regulatory framework creates a formal obligation to obtain consent. The economic structure creates an overwhelming incentive to ensure that consent is granted. The result is a system optimized for compliance — satisfying the letter of the law — rather than for empowerment — enabling individuals to make genuine choices about their data.

If cookie consent banners were designed to produce genuine informed consent rather than to maximize acceptance rates, they would look fundamentally different:

  • Equal prominence: "Accept All" and "Reject All" would be displayed as buttons of identical size, color, and placement.
  • Plain language: The banner would explain, in one or two sentences, what accepting means: "Clicking Accept All allows 47 companies to track your browsing on this site and across the internet to show you targeted ads."
  • One-click rejection: Rejecting all non-essential cookies would require exactly one click — the same as accepting.
  • No punishment for refusal: The website would function identically regardless of the user's cookie choice.
  • No repeated prompting: Once a user rejected cookies, the decision would be stored and respected on subsequent visits.

Research by Utz et al. and others demonstrates that when these conditions are met, acceptance rates drop from 90% to approximately 50% — suggesting that nearly half of current "consent" is a product of design manipulation rather than genuine preference.


Discussion Questions

  1. Design as regulation. The GDPR sets the legal standard for consent; the CMP designs the interface that implements it. In practice, the interface determines the outcome more than the law does. Is this a failure of regulation, a failure of enforcement, or an inevitable consequence of relying on consent in a market economy? What would effective regulation of consent interface design look like?

  2. The 90/50 gap. If 90% of users click "Accept All" on current banners but only 50% would accept under a neutral design, what does this tell us about the nature of the remaining 40%? Are these users who would prefer to reject but are manipulated into accepting? If so, does their "consent" have any moral or legal validity? What obligations does this create for companies that benefit from design-influenced consent?

  3. Consent or tax? Some observers have compared cookie consent to a "privacy tax" — users must either pay with their data (accept cookies) or pay with their time (navigate rejection interfaces). Evaluate this metaphor. In what ways is the consent decision analogous to taxation? In what ways is it different? Does the metaphor illuminate or obscure the ethical issues at stake?

  4. Beyond banners. If cookie consent banners cannot produce meaningful consent — regardless of design — what should replace them? Consider the alternatives discussed in Chapter 9: browser-level privacy settings, legitimate interest, contextual integrity norms, or regulatory prohibition of certain tracking practices. Which approach (or combination) would be most effective? What trade-offs would each involve?


Your Turn: Mini-Project

Option A: Banner Audit. Conduct a systematic audit of cookie consent banners across 20 websites. For each, record: (1) whether "Reject All" is available on the first screen, (2) how many clicks are required to reject all non-essential cookies, (3) the visual design of accept vs. reject options, (4) whether the site functions differently after rejection, and (5) the CMP provider used (often identified in the banner's footer). Present your findings in a table and write a one-page analysis. Do the banners you surveyed comply with the GDPR's requirement that consent be "freely given" and that withdrawal be "as easy as" giving consent?

Option B: Redesign Challenge. Design a cookie consent interface that prioritizes genuine informed consent over acceptance maximization. Create a visual mockup (hand-drawn or digital) of your banner and write a one-page justification explaining each design choice. Address: (1) how you achieve equal ease of acceptance and rejection, (2) how you communicate what cookies do in plain language, (3) how you handle granular consent for different cookie categories, and (4) what you sacrifice (if anything) in user experience or revenue potential.

Option C: Regulatory Analysis. Research the CNIL's 2022 enforcement actions against Google and Facebook for manipulative cookie consent interfaces. Write a two-page analysis covering: (1) what the CNIL found, (2) what fines were imposed, (3) how Google and Facebook changed their interfaces in response, (4) whether the changes addressed the underlying problems, and (5) what this case reveals about the effectiveness of enforcement as a tool for improving consent practices. Use at least three sources beyond this textbook.


References

  • Nouwens, Midas, Ilaria Liccardi, Michael Veale, David Karger, and Lalana Kagal. "Dark Patterns after the GDPR: Scraping Consent Pop-Ups and Demonstrating Their Influence." Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (CHI 2020): 1-13. ACM, 2020.

  • Utz, Christine, Martin Degeling, Sascha Fahl, Florian Schaub, and Thorsten Holz. "(Un)informed Consent: Studying GDPR Consent Notices in the Field." Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS 2019): 973-990. ACM, 2019.

  • Machuletz, Dominique, and Rainer Bohme. "Multiple Purposes, Multiple Problems: A User Study of Consent Dialogs after GDPR." Proceedings on Privacy Enhancing Technologies 2020, no. 2 (2020): 481-501.

  • Santos, Cristiana, Nataliia Bielova, and Celeste Matte. "Are Cookie Banners Indeed Compliant with the Law? Deciphering EU Legal Requirements on Consent and Technical Means to Verify Compliance of Cookie Banners." Technology and Regulation (2020): 91-135.

  • Commission Nationale de l'Informatique et des Libertes (CNIL). "Cookies: The CNIL Fines Google €150 Million and Facebook €60 Million." Press Release, January 6, 2022.

  • European Data Protection Board. "Guidelines 05/2020 on Consent under Regulation 2016/679." Version 1.1, adopted May 4, 2020.

  • McDonald, Aleecia M., and Lorrie Faith Cranor. "The Cost of Reading Privacy Policies." I/S: A Journal of Law and Policy for the Information Society 4, no. 3 (2008): 543-568.

  • Solove, Daniel J. "Introduction: Privacy Self-Management and the Consent Dilemma." Harvard Law Review 126 (2013): 1880-1903.

  • Acquisti, Alessandro, Laura Brandimarte, and George Loewenstein. "Privacy and Human Behavior in the Age of Information." Science 347, no. 6221 (2015): 509-514.