Clicking "reject cookies" might not actually do anything

Daniel Sims

Posts: 2,480   +75
Staff
Bottom line: Those annoying cookie-consent banners that have flooded the internet over the past several years are supposed to give users the option to block most tracking cookies from advertisers. However, a recent California audit claims that the largest ad tech companies usually send cookies anyway, having decided that simply paying potential billions in fines is more profitable.

California-based auditor webXray reports that tech giants have continued to use cookies to track users across the internet, even when website visitors reject them. Google, Microsoft, and Meta have all disputed the findings.

The now-ubiquitous cookie banners emerged in response to European privacy laws requiring explicit consent before deploying advertising and tracking cookies.

After years of complaints about dense, manipulative prompts that users often click through without reading, regulators have begun pushing for simpler rules. Still, webXray's March 2026 audit found nearly 200 ad services ignoring opt-out signals from California users, sidestepping rules modeled on Europe's framework.

Across the sample, 55% of sites set cookies even after users declined them, and 78% of consent banners do nothing to enforce the user's choice. webXray estimates ad tech companies could pay some $5.8 billion in fines instead of complying. On sites using Google or Microsoft ad networks, the systems frequently issue commands to drop cookies even after receiving explicit rejection signals.

The audit traces this behavior directly in open network traffic, suggesting little effort to conceal it. Microsoft's network reportedly ignores about half of opt-out signals and still tracks users on 35% of client sites, resulting in an estimated $390 million in fines. Google's figures are higher, with 86% of opt-out requests ignored and tracking active on 77% of sites, for an estimated $2.31 billion in penalties.

Meta's implementation stands out for a different reason: its tracking code does not appear to check for opt-out signals at all. Among sites that do detect those signals, 69% still ignore them, with 21% actively tracking users. webXray estimates Meta may have paid as much as $9.3 billion in fines to date.

webXray founder and CEO Timothy Libert, who previously worked as a privacy engineer at Google, told 404 Media that during his time there, leadership often failed to distinguish between taxes and fines.

All three companies pushed back on the report, saying the audit mischaracterizes their technologies. Microsoft said some cookies are necessary for site functionality, while Meta argued that certain implementations allow websites to override opt-out signals.

Permalink to story:

 
Media that during his time there, leadership often failed to distinguish between taxes and fines.

If the penalty for a crime is a fine, then that law only exists for the lower class. There is no difference. It's simply a question of whether you can afford to join the rest of the criminals in their club. See Boeing passenger deaths for reference.
 
Supercookie uses favicons to assign a unique identifier to website visitors.
Unlike traditional tracking methods, this ID can be stored almost persistently and cannot be easily cleared by the user.
The tracking method works even in the browser's incognito mode and is not cleared by flushing the cache, closing the browser or restarting the operating system, using a VPN or installing AdBlockers.
 
Todays advert for Brave...
Brave rejects the cookies at source and even refuses the cookie consent popups etc. So you neither get any cookies or see any cookie option banners. Oh and did I mention you get no adverts even in YouTube videos...
 
Cookies should be strictly opt-in - you get one after explicitly requesting it by clicking a non-intrusive, non-scrolling button.
As an additional measure, cookies should be strictly opt-in on the browser side as well.
 
There's a certain low-information segment of the population that gets gaslit so easily by media stories like this. The mere creation of a cookie doesn't indicate an advertiser is tracking you across sites.

The responses below are much more plausible than the notion that opt-out requests are "failing 77% of the time".

"...“This is a marketing ploy that mischaracterizes how GPC works," Meta told 404 Media. “GPC only restricts certain uses of third-party data and allows website operators to override GPC signals, and we offer the Limited Data Use feature to help websites indicate what permissions they have. When data is transmitted to us with the LDU flag, we restrict the use of that data, as specified in our State-Specific Terms.”

And

"...As outlined in our Privacy Statement, when we receive a GPC signal, we opt the user out of sharing personal data with third parties for personalized advertising, and our advertising systems are designed to reflect that choice,” a Microsoft spokesperson said. “Certain Microsoft cookies are necessary for operational purposes, and may therefore be placed and read even when a GPC signal is detected...."
 
Oh, and browsers should default to auto-deleting cookies when the respective window/tab is closed.
Brave has "forget me when I close this site" but you have to turn it on in Shields settings. Should be on by default, IMO. But many people would probably complain their email logged out or something. You can disable it on a per site basis which is awesome
 
It should be easy to see if sites are behaving illegally like this. They should be outed and repeatedly fined. Perhaps raising the fines each time until they take action.

I don't mind if cookie consent banners are just : Accept all, Essential only and Reject all. Instead we get 100's of options designed to trick the user into accepting something by accident. Perhaps we need a method of telling Google (etc) that we don't want to see search results from that site again.

Maybe we also need an alert that says how many cookies are being saved by a site with an option to roll them back easily. And why don't browsers remove tracking cookies automatically or offer an option to have them removed?
 
Trusting "reject cookies" to actually reject cookies is like trusting the nice girl in the chat really is a nice girl and not a nude 70-year old pervert.
This is the Internet people!
 
Oh come on now! You mean to tell me software companies had their fingers crossed when they came up with the "opt out" thingy? 🤣
 
"Whoa, I thought Google, Microsoft, and Meta were trust-worthy and wouldn't lie and cheat!!"................said no one.
 
There is no need to trust them. Use something like Rewarded Interest. It not only automatically sets your consent (bye bye consent banners) but it actively blocks the cookies you don't allow.
 
Digitrusion has been a bane for my entire computer experience after the major corporation I once worked for wanted one of its corporate lawyers communications tracked. Trying to manage cookies, et al, locally is not enough. I'm retired now but Nord VPN does it well and I stopped obsessing.
 
We all just click "accept" or "don't accept" or "reject" to just remove that damn banner, knowing very well that, even if you click "don't accept" or "reject", they're still gonna track you anyway. What a BS.
 
Back