The Illusion of Choice: What Does Cookie Consent Really Mean?

Introduction

In our daily lives, we are asked to “accept cookies” before we can read news, shop online, or browse websites. These banners appear to offer control, but in practice they often push us toward agreement rather than meaningful privacy choice. If consent is given mainly to remove friction and continue browsing, then it becomes worth asking whether this kind of consent is truly informed, free, or meaningful at all. This blog looks at why cookie consent often feels like a form of choice, while giving users much less control than it seems to promise.

A small pop-up with a bigger meaning

Most users do not treat cookie banners as a real moment of choice. They usually click the fastest option and move on. For many people, the banner is not a chance to think about privacy. It is just one more step before reaching the page they want. This everyday habit matters because it shows a gap between how cookie consent is supposed to work and how it is actually experienced. If people agree mainly to save time and remove annoyance, then consent starts to look less like a free decision and more like a routine action.

Figure 1. Screenshot from Cambridge Core: a typical cookie banner that offers “Accept All” as the most visible option.

Not all cookies are the same

So what are cookies?

A cookie is like a small note that a website leaves in your browser. This note helps the website remember something about you later. For example, it may show that you have logged in before, that you chose English, or that there are still items in your shopping cart.

Not all cookies raise the same level of concern. Some support basic website functions, while others are used for analytics, advertising, and tracking. The more serious privacy concerns usually come from the second group. These cookies can record user behaviours, collect browsing patterns, and support profiling or targeted advertising. So the problem is not cookies in themselves, but how tracking cookies are built into the online experience and presented as normal or hard to avoid. In digital platform environments, data tracking and profiling are often continuous, which makes meaningful consent harder to achieve.

Why cookie consent looks like privacy protection

Nissenbaum (2009) argues that privacy is a messy and complex subject. To make it simple, privacy is often understood in two common ways: as access or as control. In the access view, privacy means being free from unwanted observation, intrusion, or contact from others. In the control view, privacy means having some power over how personal information is collected and used. Cookie banners seem persuasive because they appear to support both ideas at once: they signal that data practices are being disclosed, and they offer users a formal choice through buttons such as “accept,” “reject,” or “manage preferences.”

However, this does not necessarily produce meaningful privacy protection. A banner may create the appearance of control, but the appearance of control is not the same as meaningful control.

The problem: consent is often designed, not freely given

It is rarely fully informed

Many cookie notices do not give users clear and simple information. Their language is often broad, technical, or legal. Users may see phrases such as “improve your experience” or “support our partners,” but these phrases do not clearly explain what data is being collected, who can access it, or how it may be used later. As a result, users may agree without really understanding the full meaning of that agreement.

This problem is not limited to cookie banners alone. Flew (2021) points out that online terms of service are often complex, vague, and legalistic, which makes real informed consent difficult to achieve. He also notes that many online services offer users an all-or-nothing choice, so consent is often given under unclear conditions rather than through genuine understanding. In this sense, cookie consent may appear to inform users, while still failing to provide the kind of knowledge needed for meaningful choice.

It is rarely fully free

Many cookie banners appear at the moment when a user is trying to access content, make a purchase, or continue browsing. In that situation, the easiest choice is often to click “Accept All” and move on. Refusing cookies may take more time, require more steps, or make the browsing experience less convenient. This means that consent is often shaped by pressure, speed, and design rather than by a calm and equal decision.

Suzor (2019) helps explain why this matters. He argues that platform rules are not negotiated between equal sides. They are written by companies and presented to users on a take-it-or-leave-it basis. Most users cannot change these terms, and in many cases the practical alternative is simply to leave the service. For that reason, the existence of a button or menu does not automatically mean that users have real freedom.

It is shaped by interface design

For example, in the United States, privacy has often been framed in terms of control and choice. That makes cookie banners look even more legitimate, because they are built around the language of consent, preference, and user decision-making. In other words, they create the impression that privacy is being respected simply because a choice is presented.

This kind of design does not simply present a neutral choice. It guides users toward the option that is faster and easier for the platform. Research supports this point. Nouwens and colleagues (2020) found that many consent pop-ups after the GDPR still used dark patterns, and that small interface changes could strongly affect user decisions. When the option to refuse was moved away from the first page, consent rates increased. When more detailed controls were made easier to access, consent rates fell. This suggests that users are not only responding to information. They are also responding to layout, effort, and visual cues.

Figure 2. Screenshot from a website

Generally speaking, some websites I used in the past required me to click “accept” before use, or I just couldn’t continue. However, the websites I’ve been using recently are designed more reasonably. It’s just that we are used to this “accept all” setting, so we tend to click it instinctively. Actually, sometimes it’s fine to click on a blank interface or directly close the banner, and you can still use the website normally.

What cookie consent reveals about platform power

Cookie banners may look like simple pop-ups, but they tell us something important about how platforms work. They are not separate from the rest of the system. Platforms decide what kinds of cookies to use, how to explain them, which buttons users see first, and how easy it is to refuse. Because of this, the choice on the screen is not really neutral. The platform has already shaped it in advance.

Users also do not meet platforms on equal terms. Suzor (2019) argues that platform rules now shape everyday digital life, even though they are still presented as contracts. In reality, these rules are not mainly there to give users strong rights. They are there to protect the company and keep control in its hands. Flew (2021) makes a similar point when he writes about the information gap between platforms and users. He also shows that bundled consent and unclear data use make user control even weaker. Seen this way, cookie consent does not feel like a fair negotiation. It feels more like a process where users are asked to agree within rules that the platform has already set.

Figure 3. A simple comparison of cookie banner design, where “Accept All” is highly visible and misleading. This kind of layout may give users the illusion that they need to click “accept” to move on.

Meaning matters: privacy is about appropriate information flows

Nissenbaum (2018) gives a useful way to think about privacy. She argues that privacy is not only about secrecy or control. It also depends on whether information is used in ways that fit the situation where it was first given. She calls this contextual integrity. In simple terms, privacy is protected when information flows match the norms of a specific context.

This idea helps explain the cookie issue quite well. When people visit a news website, they usually just want to read the news. When they go to an online store, they want to look at products or buy something. In these situations, users may accept that some basic data is needed for the website to work. But tracking cookies often go much further. They can turn ordinary browsing into behavioural profiles, cross-site tracking, targeted ads, or sharing with third parties. That can go beyond what users normally expect in that setting.

So clicking “accept” is not the whole story. Even if a user agrees, that does not mean every later use of the data is appropriate. If data from a simple reading or shopping activity is later used for hidden profiling or wider tracking, then the problem is not just weak consent. The problem is that the data has moved beyond the situation where it was first given.

A recent enforcement case makes this problem easier to see in practice.

Case study: SHEIN fined by the French CNIL in 2025 for placing cookies without valid consent

Figure 4. Screenshot from CNIL

A recent case involving SHEIN makes the issue easier to understand. In September 2025, the French data protection authority, the CNIL, fined SHEIN’s Irish subsidiary 150 million euros over the use of cookies on the shein.com website. According to the CNIL, the company broke French cookie rules in several ways. Some cookies, especially advertising cookies, were placed on users’ devices as soon as they entered the site, before they had made any choice. The banners also failed to explain the purpose of these cookies clearly. One banner included options such as “Cookie settings,” “Reject all,” and “Accept,” but did not say that some cookies were used for advertising. Another pop-up only offered an acceptance button and still gave no clear explanation. The CNIL also found that the site did not clearly identify the third parties likely to place cookies. Even more seriously, when users clicked “Reject all” or later withdrew consent, new cookies were still placed and existing ones could still be read.

What makes this case important is that it shows how weak a cookie banner can be in practice. The issue was not that SHEIN had no consent interface at all. The issue was that the banner did not lead to valid consent. Users were not properly informed, tracking started too early, and refusal was not fully respected. The CNIL also noted the scale of the practice, pointing out that around 12 million people in France visited the site each month. So this case suggests that a website can look compliant at first glance while still failing to meet the legal standard in the way it actually handles user data.
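The two findings above that can be checked from network traffic (cookies written before any choice, and cookies still written after “Reject all”) can be tested against a capture of a site's Set-Cookie headers. The following is an added example, not code from the CNIL decision or from any site named here; the cookie names, hosts, phase labels and the list of strictly necessary cookies are assumptions made for illustration, and it covers cookie writes only, not reads of existing cookies.

```javascript
// Cookie names the operator classes as strictly necessary (assumed for this example).
const ESSENTIAL = new Set(["session_id", "csrf_token", "consent_choice"]);

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // malformed: no cookie name
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of rest) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// A header that expires the cookie is a deletion, not a new write.
function isDeletion(cookie) {
  if ("max-age" in cookie.attrs) return Number(cookie.attrs["max-age"]) <= 0;
  if ("expires" in cookie.attrs) return Date.parse(cookie.attrs["expires"]) <= Date.now();
  return false;
}

// Flag non-essential cookies written before any choice or after "Reject all".
function auditCapture(capture) {
  const findings = [];
  for (const { phase, host, setCookie } of capture) {
    if (phase === "after_accept") continue; // consent given: out of scope here
    const c = parseSetCookie(setCookie);
    if (!c || isDeletion(c) || ESSENTIAL.has(c.name)) continue;
    findings.push({ phase, host, name: c.name });
  }
  return findings;
}

// Constructed sample capture (hypothetical hosts and cookie names).
const SAMPLE = [
  { phase: "before_choice", host: "shop.example", setCookie: "session_id=abc; Path=/; HttpOnly; Secure" },
  { phase: "before_choice", host: "ads.example", setCookie: "ad_uid=u-1001; Max-Age=31536000; SameSite=None; Secure" },
  { phase: "after_reject", host: "shop.example", setCookie: "consent_choice=reject; Max-Age=15552000; Path=/" },
  { phase: "after_reject", host: "ads.example", setCookie: "ad_uid=; Max-Age=0; Path=/" },
  { phase: "after_reject", host: "metrics.example", setCookie: "visitor=v-77; Expires=Wed, 01 Jan 2099 00:00:00 GMT" },
  { phase: "after_accept", host: "ads.example", setCookie: "ad_uid=u-1001; Max-Age=31536000" },
];

console.log(auditCapture(SAMPLE));
```

On the sample, the audit reports the advertising cookie set before any choice and the analytics cookie set after refusal, while the session cookie, the stored refusal, and the deletion of `ad_uid` pass.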

Why this matters for digital rights

This issue matters because digital rights should mean more than being shown a button on a screen. If users cannot easily understand what they are agreeing to, cannot refuse without extra effort, and cannot stop tracking even after saying no, then their rights exist in a very weak form. In that situation, consent becomes more like a formal step in the browsing process than a real exercise of control. A system like this may look fair because it asks for permission, but the actual power still remains with the platform.

This is also why the problem should not be treated as only a matter of personal responsibility. Users do make choices, but those choices are shaped by interface design, limited information, and strong dependence on digital services. Chen and Cheung’s (2018) discussion of the privacy paradox on WeChat helps explain this point. They show that users may care about privacy but still remain in the system because the platform is tied to social connection, daily communication, study, and work. In that kind of setting, staying in the system often feels more practical than protecting privacy in a strict way. The same logic can also be seen in everyday web use. People may dislike tracking, but they still click “accept” because they want to move on, reach the content, or avoid inconvenience.

For this reason, digital rights cannot depend only on users making better choices under bad conditions. If platforms keep asking users to agree while tracking stays built into the system, then privacy rights start to look more symbolic than real. A stronger approach would require clearer information, easier refusal, and tighter limits on how tracking data can be collected and used.

Conclusion: So what can be done?

What should platforms change?

Platforms can improve this situation in several basic ways. They can explain cookie purposes in clearer language, make refusal as easy as acceptance, and reduce the use of non-essential tracking cookies. If consent is supposed to matter, then users should not need extra time and effort just to protect themselves.

What should regulators watch?

Regulators also have an important role. They can require that refusal mechanisms are as easy to use as acceptance, place stronger limits on tracking cookies and third-party data sharing, and pay closer attention to dark patterns. More importantly, they should not treat the presence of a banner as proof of valid consent. They should look at whether refusal is respected in practice and where the data actually goes afterwards.

What can users still do?

Users can take some small steps, such as avoiding “Accept All” by default, changing browser privacy settings, or using ad blockers.

Figure 5. Screenshot from Chrome settings

References

Chen, Z. T., & Cheung, M. (2018). Privacy perception and protection on Chinese social media: a case study of WeChat. Ethics and Information Technology, 20(4), 279–289. https://doi.org/10.1007/s10676-018-9480-6

Flew, T. (2021). Regulating platforms. John Wiley & Sons.

Nissenbaum, H. (2009). Privacy in context: Technology, policy, and the integrity of social life. Stanford University Press.

Nissenbaum, H. (2018). Respecting Context to Protect Privacy: Why Meaning Matters. Science and Engineering Ethics, 24(3), 831–852. https://doi.org/10.1007/s11948-015-9674-9

Nouwens, M., Liccardi, I., Veale, M., Karger, D., & Kagal, L. (2020). Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence. https://doi.org/10.1145/3313831.3376321

Suzor, N. P. (2019). Lawless: The Secret Rules That Govern our Digital Lives. Cambridge: Cambridge University Press.
