Nav0

Appearance

Nav0BlogCookie Banners Are Privacy Theater
Privacy

Cookie Banners Are Privacy Theater

15 min read

Cookie Banners Are Privacy Theater

By Ketan Patil · May 22, 2026 · 8 min read

You open a news article. Before you can read the headline, a wall of text appears. "We value your privacy." Below it, two buttons. One is large and brightly colored: Accept All. The other is a tiny grey link: Manage preferences. You sigh. You click Accept All. You read the article. You forget the banner ever existed.

You have just participated in the largest, longest-running performance of consent in the history of computing.

Cookie banners were supposed to give you control over your data. What they actually gave you is a tax on attention, a UX nightmare, and a fig leaf for tracking that never really stopped.

How We Got Here

The story starts with good intentions. The EU's ePrivacy Directive in 2002, and later the GDPR in 2018, established a simple principle: websites should ask before storing or accessing information on your device, except where strictly necessary to provide the service you requested.

In theory, this is reasonable. If a website is going to drop a tracker into your browser that follows you to fifty other sites, you should get to say no.

In practice, the law didn't say how to ask. It said consent had to be "freely given, specific, informed, and unambiguous." It did not say where to put the button. It did not say the buttons had to be the same size. It did not say what the default could be.

The web industry seized that ambiguity and ran with it. The result is the cookie banner ecosystem we live in today. A click-through layer pasted onto nearly every website, designed less to inform you than to extract a tap that legally counts as "yes."

The Anatomy of a Dark Pattern

Look at a typical cookie banner closely. You will see the same tricks over and over again.

The Asymmetric Buttons

Accept is a large, brightly colored, eye-catching button. Reject is a low-contrast link, hidden behind "Manage preferences," or simply missing. A 2020 study from Ruhr-Universität Bochum analyzed 1,000 of the most popular websites and found that only 11.8% of cookie banners met the minimum legal requirements for valid consent. The rest leaned on visual hierarchy to herd users toward acceptance.

The Friction Asymmetry

Accepting takes one click. Rejecting takes three, sometimes five. Some banners require you to scroll through a "vendor list" with hundreds of advertising partners and uncheck each one individually. The asymmetry is not an accident. Every extra click is a tax on saying no.

Pre-Checked Boxes

The GDPR explicitly says pre-checked boxes do not count as consent. The Court of Justice of the European Union confirmed this in the 2019 Planet49 ruling. And yet, you can still find pre-checked tracking toggles in the wild today, especially in jurisdictions where enforcement is weak.

The Confirm-Shaming

"Are you sure? You'll see less relevant content." "Help us keep this site free." "Some features may not work properly." The banner uses guilt and uncertainty to nudge you back toward Accept.

The Permanent Pop-Up

Some sites show the banner again on every visit. Or they ignore your previous rejection and ask again next week. Or they bury the option to revisit your choice so deep that you can't find it when you change your mind.

Legitimate Interest

The banner offers you a clean rejection of "cookies." Buried below, in a separate tab, are dozens of "legitimate interest" toggles that are on by default. These cover advertising, profiling, and data sharing that the site has decided do not require your consent at all. You can switch them off, one by one, if you happen to know they exist.

What the Banner Doesn't Cover

Even if you click Reject All and the site honors it perfectly, your privacy is not protected. The banner is about cookies. Cookies are one tracking technology among many.

A typical site can still:

  • Read your IP address and approximate location
  • Read your User-Agent string, language, and timezone
  • Run JavaScript that fingerprints your canvas, fonts, audio context, and GPU
  • Load third-party scripts that do all of the above
  • Log your activity server-side under a randomly assigned session ID
  • Track you across sites using cache timing, ETags, and link decoration in URLs
  • Send your data to a "first-party" subdomain that proxies it onward to an analytics provider

We covered the depth of this problem in Your Browser Is Watching You. Cookie banners pretend the tracking ecosystem is a cookie problem. It isn't. Cookies are a symptom. The disease is a web that treats every visitor as raw material.

The Cost of Theater

If cookie banners didn't actually protect anyone, you might shrug and move on. But they aren't free. They cost something real.

They Cost Attention

A 2022 study published in Behavioral Sciences estimated that cookie banners collectively waste hundreds of millions of human hours per year across the EU. Every banner is a small cognitive interruption, a context switch from what you came to do. Multiply that by every site, every device, every session.

They Cost Accessibility

For users with cognitive disabilities, motor impairments, or screen readers, cookie banners are a barrier. A "Reject all" button that requires fine pointer control to find a 12-pixel link is not equally accessible to everyone. The friction is regressive.

They Cost Trust

When every site asks the same question in the same misleading way, users learn to dismiss the question without reading it. The banner becomes a noise wall that everyone clicks past. Even when a site actually wants to inform you of something important, it is now buried under years of trained banner-blindness.

They Cost Web Design

Look at any popular website on a phone. The cookie banner often takes up a third of the screen. Some sites render the banner before the content, blocking page paint until you tap. Others freeze scrolling. The web has been visually deformed to accommodate consent UI that no one wanted.

Why Browsers Should Be On Your Side

Here is the part of the story where the browser could have helped. And mostly didn't.

The cookie banner exists because the website does not know your preferences. Imagine if your browser could simply tell every site, on your behalf, that you decline non-essential tracking. No banner. No clicks. No theater.

That standard was actually built. It's called Global Privacy Control (GPC), and it is a single HTTP header that sites are legally required to honor under laws like the California Consumer Privacy Act. Some sites honor it. Many ignore it. Most mainstream browsers don't ship it by default. Some don't support it at all.

There was also Do Not Track, a similar header from 2009. Browser vendors added it. Websites unanimously ignored it. The W3C eventually shut down the working group in 2019 because nobody was using it. DNT became a tombstone in the history of web privacy: a polite signal that asked the industry to please stop, and was met with a shrug.

A browser that genuinely worked for you wouldn't need permission from advertisers to protect you. It would:

  • Block third-party cookies by default, removing the legal justification for most banners in the first place.
  • Strip tracking parameters from URLs you click, so cross-site identifiers can't ride along.
  • Hide known cookie banners with cosmetic filters from community-maintained lists.
  • Refuse to load known advertising and analytics scripts, regardless of what the page wants.
  • Not depend on the cooperation of the very industry whose business model it is interrupting.

This is the philosophy behind Nav0's ad blocker. It uses the EasyList, EasyPrivacy, and Peter Lowe lists by default, which include filter rules for the most common cookie banners. It blocks third-party cookies by default. It does not need the website's permission to do this, because privacy is not something a website grants to you. It is something your browser enforces on your behalf.

The Banner Was Never the Goal

It is worth remembering what the GDPR actually requires. The law does not say "show a banner." The law says: if you process personal data, you need a lawful basis. Consent is one of six possible lawful bases. The others include contract, legal obligation, vital interests, public interest, and legitimate interest. Most websites could simply not collect non-essential data and would not need to ask for consent at all.

A site that doesn't track you doesn't need a banner.

That's the part the cookie banner industry would rather you didn't notice. The banner is not the law. The tracking is the law's target. The banner is what websites built when they decided that tracking was non-negotiable and consent was a checkbox to clear on the way to monetization.

The simplest privacy improvement the web could make is not better banner design. It is less tracking.

What You Can Do Today

If you are tired of the banners, here is what actually helps.

  1. Use a browser that blocks third-party cookies by default. This eliminates the legal need for most consent banners. Nav0 does this out of the box. We covered the default privacy settings in detail.

  2. Use a content blocker with a cookie banner list. Most modern blocklists (EasyList Cookie, "I Don't Care About Cookies," "Annoyances") include cosmetic rules that hide banner DOM elements before you ever see them. Nav0's ad blocker uses these by default.

  3. Reject, don't manage. When you do see a banner, prefer the explicit "Reject all" button if it exists. Avoid "Manage preferences," which is often where the dark patterns live. If there's no reject button, the banner is not legally valid consent regardless of what you click.

  4. Don't sign in to sites that don't need it. Cookies are one identifier. An account is a stronger one. We wrote about the sign-in problem in more depth.

  5. Report the worst offenders. EU data protection authorities accept complaints from anyone. The French CNIL has issued tens of millions of euros in fines specifically for non-compliant cookie banners. Enforcement is slow, but it is real, and complaints accelerate it.

Frequently Asked Questions

The EU's GDPR and ePrivacy Directive require websites to obtain consent before storing or accessing non-essential information on a visitor's device. Most websites use third-party trackers, advertising cookies, and analytics, so they show a consent banner to comply with the law. The banner is the website's attempt to transfer legal responsibility for tracking onto the user.

Not in practice. Most cookie banners use dark patterns that make accepting easier than rejecting, hide the reject button, or pre-check non-essential options. Studies have found that the vast majority of banners do not comply with GDPR requirements for genuine consent, and many sites continue tracking users even when they decline.

You can install a content blocker that hides cookie banners using cosmetic filtering rules like the EasyList Cookie list. A privacy-focused browser with a built-in ad blocker can also hide most banners automatically. The most effective long-term fix is to use a browser that blocks third-party cookies by default so that sites have less reason to show the banners in the first place.

A dark pattern is a user interface deliberately designed to trick people into choices they would not otherwise make. In cookie banners, this includes hiding the reject button behind extra clicks, making accept a bright button while reject is a faint link, pre-selecting tracking options, or framing consent as required to view the site.

If I reject cookies, am I really not being tracked?

Often not. Rejecting cookies only addresses cookie-based tracking. Sites can still track you through browser fingerprinting, IP address, server-side identifiers, and tracking pixels that do not technically require consent. Cookie banners only cover the parts of tracking that the law happens to mention by name.

The Bigger Picture

Cookie banners are what happens when a regulator tries to reform an industry without changing its incentives. The advertising-funded web wants to track you. The law says it has to ask first. So the industry asks, badly, on purpose, a million times a day, until you stop reading the question.

The fix isn't a better banner. It isn't a smarter "manage preferences" page. It isn't even a stricter law, though that would help. The fix is a web where less data is collected in the first place, served by browsers that enforce that boundary on your behalf instead of asking you to enforce it click by click.

Your time is not infinite. Your attention is not a renewable resource. A browser that respects you should not be silently complicit in burning both.

Nav0 is a minimal, privacy-focused browser that collects zero data. It's open source, free, and built on the belief that your browser should do one thing well: let you browse the web. Get started.

Released under the MIT License.