
Cookie Banners Were Supposed to Protect Your Privacy. They Made Tracking Worse.

Snugg Team | February 13, 2026 | 11 min read


Dark patterns are illegal, but 77% of websites still use them. Here's how companies exploit the law designed to protect you.


I just loaded a recipe website to find out how long to roast chicken.

Before I could read a single word, three things popped up:

1. A newsletter signup banner
2. A cookie consent popup
3. A "notification permission" request

I clicked "Accept All" on the cookie banner without reading it.

You know why?

Because I just wanted the damn recipe.

That's the problem.

In 2009, Europe passed the ePrivacy Directive—a law requiring websites to ask for consent before tracking you with cookies. The GDPR strengthened enforcement in 2018 with fines up to €20 million.

The law was well-intentioned. The execution created a monster.

Cookie banners are now on 90%+ of websites. And instead of protecting privacy, manipulative designs trick users into accepting tracking they don't want.

Let me explain how we got here, why companies get away with it, and what cookies actually do.


What Cookies Are (And Why They Exist)

Here's the thing: cookies were invented to solve a legitimate problem.

In 1994, a Netscape programmer named Lou Montulli created cookies to help websites remember you between page loads.

The original use case? Online shopping carts.

Think about it: HTTP (the web protocol) is "stateless"—meaning each page request is independent. Without cookies, if you added an item to your cart and then clicked to another page, the website would forget what you just did.

Cookies solved this. They're small text files stored in your browser that say: "This is User #12345, they have a shirt in their cart."

That's actually useful.

Other legitimate uses of cookies:

  • Session cookies: Keep you logged in as you browse

  • Preferences: Remember your language, dark mode settings, etc.

  • Security: Prevent fraud and verify you're the account owner


These are called "first-party cookies"—set by the website you're visiting for functionality that benefits you.

Nobody has a problem with these cookies.

The problem started when advertisers realized: If cookies can remember shopping carts, they can remember everything else too.


How Tracking Cookies Work (The Surveillance Part)

In 1996, DoubleClick (now owned by Google) had a breakthrough realization:

If they placed ads on thousands of websites, they could track people across the entire internet.

Here's how it works:

Step 1: You visit NewsWebsite.com
Step 2: The page loads an ad from DoubleClick
Step 3: DoubleClick sets a cookie in your browser with ID: User_ABC123

Step 4: Later, you visit RecipeWebsite.com
Step 5: That page also loads a DoubleClick ad
Step 6: DoubleClick reads your cookie: "Oh, it's User_ABC123 again"

Now DoubleClick knows:

  • User_ABC123 reads news and cooking sites

  • They visited at these specific times

  • They looked at these specific articles

  • They're probably interested in [assumptions based on behavior]


These are called "third-party cookies"—set by companies you didn't choose to interact with, for purposes that don't benefit you.

This is surveillance.
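
Steps 1 to 6 can be replayed in a few lines. The sketch below is an added example, not code from Snugg or from any ad network; the hostnames, the `User_0001` id format and the class names are assumptions made for illustration. It goes one step beyond the text by also running the same two visits with third-party cookies blocked, so the effect of that browser setting is visible in the ad server's log.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Hostname of a URL; stands in for the registrable domain in this sketch."""
    return urlsplit(url).hostname

class AdServer:
    """Logs what the ad network can record: (cookie id, embedding page)."""
    def __init__(self):
        self.log, self._count = [], 0

    def handle(self, cookie, referer):
        new_id = None
        if cookie is None:                      # first contact: mint an id
            self._count += 1
            new_id = f"User_{self._count:04d}"
        self.log.append((cookie or new_id, referer))
        return new_id                           # value for Set-Cookie, or None

class Browser:
    """Minimal cookie jar keyed by the host that set the cookie."""
    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.jar = {}

    def load_subresource(self, page_url, resource_url, server):
        host = host_of(resource_url)
        third_party = host != host_of(page_url)
        usable = not (third_party and self.block_third_party)
        sent = self.jar.get(host) if usable else None
        set_cookie = server.handle(cookie=sent, referer=page_url)
        if set_cookie and usable:
            self.jar[host] = set_cookie

# Constructed sample pages (hypothetical hosts).
PAGES = ("https://news.example/politics", "https://recipes.example/roast-chicken")

def profiles(block_third_party):
    """Replay steps 1-6; return {cookie id: [pages]} as seen in the ad log."""
    ads, browser = AdServer(), Browser(block_third_party)
    for page in PAGES:
        browser.load_subresource(page, "https://ads.example/banner.js", ads)
    seen = {}
    for uid, page in ads.log:
        seen.setdefault(uid, []).append(page)
    return seen
```

With blocking on, the ad server still receives both requests and their referrers; what it loses is the stable identifier that joins them into one profile.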

By 2010, advertising companies had built empires on this tracking. Google, Facebook, and hundreds of data brokers were following people around the internet, building profiles, selling access to advertisers.

And most people had no idea it was happening.


Enter the Cookie Law: ePrivacy Directive

In 2002, the European Union passed the ePrivacy Directive—legislation specifically targeting electronic communications and privacy.

Article 5(3) of the ePrivacy Directive is the actual "cookie law." It states:

  • Websites must inform users about cookies they use

  • Users must explicitly consent before non-essential cookies are set

  • Consent must be "freely given" (not forced)

  • Users can refuse cookies without being blocked from the site


This was amended in 2009 to require consent before setting cookies, not after.

Then in 2018, the GDPR came into force with:

  • Stricter definition of what counts as valid consent

  • Violations can cost €20 million or 4% of global revenue

  • Enhanced enforcement across EU member states


The GDPR and ePrivacy Directive work together: ePrivacy sets the cookie rules, GDPR sets the consent standards.

Companies took it seriously. Meta got fined €1.2 billion. Amazon got hit with €746 million.

The law had teeth.

So websites did what the law required: they added cookie consent banners.

And that's where things went wrong.


What Actually Happened: Dark Patterns Are Illegal But Everywhere

The law said websites needed consent.

It also said consent must be "freely given"—meaning no manipulation, no pressure, no deceptive design.

Dark patterns are illegal.

The GDPR explicitly requires consent to be "freely given, specific, informed, and unambiguous." Dark patterns violate all of these.

European Data Protection Authorities have confirmed dark patterns breach the law. They've issued massive fines:


So why do you still see them everywhere?

Because enforcement is inconsistent. And studies show 56-77% of websites still use illegal dark patterns.

Here's what that looks like:

Dark Pattern #1: The Big Green Button

╔══════════════════════════════════════╗
║  We value your privacy               ║
║                                      ║
║  [          ACCEPT ALL           ]   ║  ← Big, bright, obvious
║                                      ║
║  [Manage preferences]                ║  ← Small, gray, hidden
╚══════════════════════════════════════╝

The "Accept All" button is huge, green, and says YES.

The "Reject" option is buried in tiny text that says "Manage preferences," which takes you to a second screen with 47 toggles you have to individually disable.

Nobody does that.

Dark Pattern #2: The False Choice

We use cookies to improve your experience!

[ Accept ] [ Reject non-essential ]

Sounds reasonable, right?

Except "Accept" means "Accept ALL tracking, advertising, and data sharing."

And "Reject non-essential" means "Disable some tracking but not all, also your experience will be degraded."

There's no button that says "Reject All" in big green letters.

Dark Pattern #3: The Checkbox Wall

You click "Manage preferences" and see this:

☐ Advertising cookies (127 partners)
☐ Analytics cookies (43 partners)
☐ Social media cookies (18 partners)
☐ Functional cookies (always active)
☐ Performance cookies (91 partners)
☐ Targeting cookies (204 partners)

They're all checked by default.

To reject them, you have to:
1. Scroll through this list
2. Find each category
3. Uncheck each one individually
4. Then click through to "Vendors" (the 483 companies)
5. Uncheck each vendor individually
6. Then save settings

Or you could just click "Accept All."

Which takes one click.

Dark Pattern #4: The Guilt Trip

We use cookies to keep this site FREE for you!

By rejecting cookies, you won't get personalized content,
and we might have to start charging for access.

[ I understand, Accept All ] [ Reject and Ruin Everything ]

This is emotional manipulation disguised as information.
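
Two of these patterns can be checked mechanically when reviewing a site's own banner: a first screen with no "Reject All" button (patterns #1 and #2) and non-essential categories ticked by default (pattern #3). The audit below is an added example, not a tool referenced by this post; the markup, the category names and the button-text heuristic are assumptions, and a real banner would need its own selectors.

```python
from html.parser import HTMLParser

REJECT_WORDS = ("reject all", "decline all", "refuse all")
ESSENTIAL = {"functional", "necessary"}  # assumed names for exempt categories

class BannerParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.buttons = []     # visible text of each <button>
        self.prechecked = []  # non-essential checkboxes ticked by default
        self._in_button = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "button":
            self._in_button = True
            self.buttons.append("")
        elif tag == "input" and a.get("type") == "checkbox":
            if "checked" in a and a.get("name") not in ESSENTIAL:
                self.prechecked.append(a.get("name"))

    def handle_endtag(self, tag):
        if tag == "button":
            self._in_button = False

    def handle_data(self, data):
        if self._in_button:
            self.buttons[-1] += data

def audit(first_layer_html, settings_html=""):
    """Return findings for the banner's first screen and its settings screen."""
    first, second = BannerParser(), BannerParser()
    first.feed(first_layer_html)
    second.feed(settings_html)
    labels = [b.strip().lower() for b in first.buttons]
    findings = []
    if not any(word in label for label in labels for word in REJECT_WORDS):
        findings.append("no reject-all button on first screen")
    for name in first.prechecked + second.prechecked:
        findings.append(f"pre-ticked non-essential category: {name}")
    return findings

# Constructed sample markup modelled on dark patterns #1 and #3 above.
DARK_FIRST = '<button>ACCEPT ALL</button><a href="#prefs">Manage preferences</a>'
DARK_SETTINGS = ('<input type="checkbox" name="advertising" checked>'
                 '<input type="checkbox" name="functional" checked disabled>'
                 '<input type="checkbox" name="targeting" checked>')
FAIR_FIRST = "<button>Accept all</button><button>Reject all</button>"
```

A "Reject non-essential" button is deliberately not counted as a reject-all control, matching the false-choice pattern described in #2.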


The Result: Manipulation Works Despite Being Illegal

Here's what actually happens:

Acceptance rates depend entirely on banner design:

Studies show:

  • Fair banners with equal "Accept" and "Reject" buttons: 45% rejection rate

  • Manipulative banners hiding the reject option: under 10% rejection rate


A 2024 behavioral study tracking 1.2 million users found:
  • 25.4% accepted all cookies

  • 65.5% opened settings to customize (but only 28.3% actually saved changes)

  • 34% ignored the banner completely


Translation: When reject is made difficult, most people either accept or give up.

Another study of US consumers found 43% accept all cookies—down from 50% in 2021, showing increasing resistance to tracking.

Only 12% of users read cookie notices. The rest just want the banner gone.

The problem isn't that users don't care about privacy.

81% of Americans say they're concerned about how websites use their data.

The problem is dark patterns exploit human psychology.

When you're annoyed and just want to read a recipe, you click whatever makes the popup disappear. Companies know this. They design their illegal banners to exploit it.

So now we have a situation where:

  • Companies use illegal designs, but the risk of enforcement is low

  • Users feel like they "consented" (even though consent obtained through manipulation isn't legally valid)

  • Tracking happens at similar or higher rates than before the law

  • Privacy advocates can claim the law exists


Everyone wins except the users the law was supposed to protect.


What "Accepting" Actually Means

When you click "Accept All" on that cookie banner, here's what you're agreeing to:

Immediate tracking by:

  • Google Analytics

  • Google Ads

  • Facebook Pixel

  • Twitter tracking

  • TikTok Pixel

  • LinkedIn tracking

  • Amazon advertising

  • Microsoft Clarity

  • Dozens of ad networks


Data they collect:
  • Every page you visit on that site

  • How long you stay on each page

  • Where your mouse hovers

  • What you click

  • Where you came from (referrer)

  • Your device type, OS, browser

  • Your approximate location (IP address)

  • Your browsing history (if they have cookies from other sites)


What they do with it:
  • Build behavioral profiles

  • Target you with ads across the internet

  • Sell insights to data brokers

  • Share with "partners" (527 companies in some cases)

  • Keep forever unless you explicitly request deletion


That recipe website you visited? The chicken roasting time you looked up?

Logged. Profiled. Monetized.

And you "consented" to all of it with one click.


Why Browsers Haven't Fully Fixed This

You might be thinking: "Why don't browsers just block third-party cookies by default?"

Some do. Safari blocks most third-party cookies. Firefox has Enhanced Tracking Protection enabled by default.

Chrome is different.

Google first announced in 2020 they'd phase out third-party cookies "within two years."

Then it was 2022. Then 2023. Then 2024.

In July 2024, Google announced they won't block them at all—instead they'll add a "choice" prompt.

Why the delays?

Because Google makes $200+ billion per year from advertising.

And advertising depends on tracking.

Chrome has 65%+ global browser market share. Blocking third-party cookies would massively disrupt Google's ad business.

So they keep "testing alternatives" and "gathering feedback" while the tracking continues.

Meanwhile, websites complain that Safari and Firefox's tracking protection "breaks functionality"—even though the "broken" functionality is usually just ad tracking.


What This Means For You

Here's the uncomfortable truth:

The current system assumes you'll be too annoyed to protect yourself.

Cookie banners aren't designed to inform you. They're designed to get you to click "Accept All" as fast as possible.

The privacy protection you think you have? It depends entirely on:
1. Whether you have the patience to navigate dark patterns
2. Whether you understand what you're agreeing to
3. Whether you trust the website to honor your choices
4. Whether they're even complying with the law (many aren't)

And even if you reject cookies on one site, you have to do it again on the next site. And the next. And the next.

It's exhausting by design.


How to Actually Protect Yourself

If you want to actually control tracking (not just feel like you do), here's what works:

Option 1: Use Privacy-Focused Browsers

  • Firefox with Enhanced Tracking Protection
  • Safari with Intelligent Tracking Prevention
  • Brave with built-in ad/tracker blocking

These block most third-party tracking automatically. No clicking needed.

Option 2: Install Browser Extensions

These give you granular control without dealing with banners.

Option 3: Change Your Cookie Settings

In your browser settings:
  • Block third-party cookies entirely
  • Clear cookies when you close the browser
  • Set cookies to expire after 30 days max

You'll have to log in more often, but you'll be tracked less.

Option 4: Just Accept That Most Sites Track You

This isn't defeatist—it's realistic.

Unless you're using privacy tools, assuming you're being tracked on most websites is probably accurate.

The question becomes: do you care enough to take action?

For many people, the answer is no. And that's okay. Just don't kid yourself that clicking "Accept All" is protecting you.


The Snugg Difference: No Tracking Means No Banner

Here's why I'm telling you all this in a blog post on Snugg's website:

We don't have a cookie banner.

You may have noticed that when you loaded this page, nothing popped up asking for consent.

That's not because we're ignoring the law.

It's because we genuinely don't track you.

No Google Analytics. No Facebook Pixel. No advertising cookies. No third-party trackers.

We use one first-party cookie for session management if you log in. That's it.

Under the ePrivacy Directive and GDPR, if you only use "strictly necessary" cookies for functionality, you don't need consent banners.

You just need to inform users what you're doing (which we do in our privacy policy).

So we don't have one.

This is what respecting privacy actually looks like.

Not a banner with illegal dark patterns designed to trick you into consenting.

Just... not tracking you in the first place.

When we build Snugg's social platform, the same principle applies:

  • No tracking cookies

  • No behavioral profiling

  • No data sold to advertisers

  • No surveillance infrastructure


We don't need to ask for consent to track you because we're not tracking you.

The best cookie banner is no cookie banner.


The Bigger Picture: Privacy Shouldn't Require Expertise

Cookie banners represent a fundamental failure of privacy protection.

Real privacy shouldn't require:

  • Reading 40-page privacy policies

  • Understanding the difference between first-party and third-party cookies

  • Navigating deliberately deceptive interfaces

  • Installing browser extensions

  • Becoming a privacy expert


Privacy should be the default.

Not something you have to actively fight for on every single website you visit.

The ePrivacy Directive and GDPR tried to fix this. They forced transparency. They created accountability. They're better than nothing.

But they also created a system where:

  • Companies can use illegal designs because enforcement is weak

  • Users feel empowered when they're actually being manipulated

  • The burden of protection falls on individuals, not corporations

  • Privacy is treated as a premium feature, not a basic right


That's backwards.


What You Can Do

If you're frustrated by this (and you should be), here are your options:

Short-term:

  • Use browsers and extensions that block tracking automatically

  • Click "Reject All" when you see it (even if it's buried)

  • Clear your cookies regularly

  • Support privacy-focused websites and services


Long-term:
  • Support stronger privacy regulations (GDPR is a start, not a finish)

  • Vote with your wallet—pay for services that respect privacy

  • Demand better from the platforms you use

  • Build or support alternatives (like what we're doing with Snugg)


And if you're tired of platforms that treat your privacy as a bargaining chip:

Join Snugg's waitlist.

We're building social media that doesn't need to track you to work. No ads. No algorithm. No cookie banners.

Because real privacy shouldn't require you to click through dark patterns on every website you visit.

It should just be how things work.



This post has no cookie banner because we're not tracking you. That's the whole point.
