Cookie consent mechanisms function through the deployment of banners or popups that prompt users to make informed choices regarding data storage upon visiting a website. Empirical studies indicate that these interfaces typically offer three principal actions: (1) global acceptance, (2) global rejection, and (3) granular selection of cookie categories (Urs et al., 2020; Degeling et al., 2019). Most implementations distinguish between strictly necessary cookies—which are exempt from consent under GDPR—and other categories such as analytics, marketing, and functional cookies (European Data Protection Board, 2020).
Observed user choices:
- A significant proportion of users accept all cookies due to interface design or "accept all" prominence (Nouwens et al., 2020).
- Granular controls are often less visible or require additional clicks, reducing the likelihood of nuanced consent.
- Strictly necessary cookies are enabled by default, while other categories require explicit opt-in (or opt-out, depending on jurisdiction).
Consent withdrawal mechanisms:
- Cookie banners frequently include a persistent widget or button, enabling users to revise their preferences at any time, as mandated by Article 7(3) GDPR (Voigt & Von dem Bussche, 2017).
- However, research highlights inconsistent implementation—while some sites honor withdrawal by promptly updating cookie settings, others delay changes or retain tracking scripts, raising compliance concerns (Sørensen & Kosta, 2019).
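The gap described above, where a site records a withdrawal but keeps setting tracking cookies, can be checked mechanically. The following is an added example, not code from any of the cited studies: it models the default-off consent state and audits a cookie snapshot against it. The cookie names, the cookie-to-category map and the function names are constructed assumptions.

```javascript
"use strict";
// Category names follow the text above; the cookie names and this
// cookie-to-category map are constructed for illustration.
const OPTIONAL = ["functional", "analytics", "marketing"];
const COOKIE_CATEGORY = new Map([
  ["session_id", "necessary"],
  ["csrf_token", "necessary"],
  ["ui_lang", "functional"],
  ["_stats_id", "analytics"],
  ["_ad_uid", "marketing"],
]);

// Default state: only strictly necessary cookies are on.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// choice is "accept_all", "reject_all", or an object of per-category booleans.
function applyChoice(choice) {
  const consent = defaultConsent();
  for (const cat of OPTIONAL) {
    if (choice === "accept_all") consent[cat] = true;
    else if (choice !== "reject_all") consent[cat] = choice[cat] === true;
  }
  return consent; // "necessary" is fixed and not user-controlled
}

// Withdrawal returns every optional category to "off".
function withdraw() {
  return applyChoice("reject_all");
}

// Cookies a site should keep under the given consent; unclassified cookies
// are treated as needing consent and dropped.
function enforce(consent, cookieNames) {
  return cookieNames.filter((n) => consent[COOKIE_CATEGORY.get(n)] === true);
}

// Audit: cookies present in a snapshot that the current consent does not cover.
function auditSnapshot(consent, cookieNames) {
  return cookieNames
    .filter((n) => consent[COOKIE_CATEGORY.get(n)] !== true)
    .map((n) => ({ cookie: n, category: COOKIE_CATEGORY.get(n) || "unclassified" }));
}

// Constructed snapshot: cookies still set after the user withdrew consent.
const afterWithdrawal = ["session_id", "_stats_id", "_ad_uid", "mystery"];
console.log(auditSnapshot(withdraw(), afterWithdrawal));
```

An empty audit result after withdrawal corresponds to a site that honors the change promptly; any entry is a cookie that outlived the consent that permitted it.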
Design and compliance challenges:
- Variability in banner design affects user comprehension and autonomy. For instance, "dark patterns" may nudge users toward broad consent (Gray et al., 2018).
- The effectiveness of granular control is compromised when "reject all" or customization options are less accessible than "accept all" (Urs et al., 2020).
Findings from recent audits:
- An analysis of over 10,000 EU websites revealed that only 11.8% provided an equally accessible "reject all" option alongside "accept all" (Degeling et al., 2019).
- Persistent consent widgets are present on 65% of compliant websites, but usability varies significantly.
Key points extracted from the literature:
- Cookie consent is binary and/or granular, with user agency shaped by banner design.
- Withdrawal is legally required but inconsistently facilitated.
- Usability and design have direct impacts on privacy outcomes.