Cookie consent banners were supposed to be the internet’s seatbelt: mildly annoying, occasionally useful and ultimately good for everyone.
Instead, they’ve become the digital equivalent of late-1990s pop-up ads begging users to click a button to claim a free vacation. They interrupt. They obscure. They train people to click whatever makes them go away fastest. They turn privacy choice into a casino game where “Accept All” glows like a jackpot and “Reject” is buried behind three menus and a tiny gray link.
Max Schrems had a less charitable description.
The “pay-or-okay” approach — pay for access or accept tracking — generates consent rates approaching 99.9%, even though Schrems said only a small fraction of users actually want to be tracked online. “I call it the North Korean consent,” he said.
Speaking last week at the European Identity and Cloud Conference in Berlin, Schrems said the real debate over consent has outgrown cookies. The panel, “Consent’s Journey from Annoying to Meaningful: Can Tech Actually Eliminate Cookie Consent Boxes?,” brought together Schrems, the Austrian privacy activist behind noyb.eu; Martin Kuppinger, founder of KuppingerCole; and Eve Maler, founder of Venn Factory and a longtime identity standards leader.
They all agreed that technology can eliminate the need for cookie consent boxes. However, the advertising economy appears in no hurry to let that happen.

Here in the U.S., the daily deluge includes cookie pop-ups we bat down with clicks, “Do Not Sell or Share My Personal Information” links, privacy toggles, app prompts and opt-out pages. Somehow these always make saying “no” feel like assembling IKEA furniture without the little wrench.
“The most obvious and visible thing privacy regulations such as GDPR have brought to us is annoying cookie consent boxes,” Kuppinger said. “We end up sharing way more than we intended to.”
As annoying as cookie banners are, the panel’s ironic takeaway was that they are not failing but succeeding as designed: annoying us into submission.

Where some see cookie checkbox compliance as privacy theater or, worse, a third-party risk surface, the advertising industry sees it as an important piece of compensating content creators.
The money behind online advertising is enormous. IAB and PwC said U.S. digital advertising revenue reached $294.6 billion in 2025. Programmatic advertising — the automated buying system that relies heavily on targeting, measurement and attribution — rose to $162.4 billion. Not all of that depends on cookies. But the industry’s aversion to adopting a simpler opt-out mechanism is easier to understand.
An Identity issue: Not just privacy
For panelists at EIC, this is where cookies become part of the identity conversation.
Identity professionals care because the cookie fight is drifting into familiar terrain: authorization, delegated access, policy enforcement and permissions.
For Maler, clicking “ok” on a cookie consent banner should be viewed as granting permission, more like how modern identity systems built on OAuth and passkeys actually work.
Giving a website consent to drop a cookie on your system should be specific, purpose-bound, time-limited and enforceable, she said.
A user may be fine letting a shopping site remember a cart, less fine letting dozens of ad-tech intermediaries build a profile, and deeply uninterested in seeing the same embarrassing rash-cream ad stalk them across the internet for three weeks like a very committed raccoon.
The replacement is not “no cookies.” Some cookies are useful and boring. They keep users logged in, preserve carts or remember site settings. The real fight is over tracking cookies and related identifiers used to follow users across sites, build profiles and target ads.
The alternative is moving the decision point away from individual websites and toward user-controlled systems: browser signals such as Global Privacy Control, agent-managed preferences, digital wallets and permission frameworks that can express choices once and apply them consistently.
In the U.S., that model already exists through Global Privacy Control, or GPC, a browser-level signal that broadcasts a user’s request to opt out of the sale or sharing of personal information on marketing networks. GPC is available via browsers and extensions including Brave, DuckDuckGo, Firefox and Privacy Badger, according to the GPC project.

When a user enables GPC in a browser and visits a site, the browser sends a machine-readable opt-out request. The technical signal can be sent through the Sec-GPC: 1 HTTP header or exposed through a browser property, according to MDN and the W3C draft specification. The user may still see ads. The point is that the site should not sell or share the user’s personal information where the law makes that signal binding.
California, Colorado and Connecticut announced a coordinated enforcement sweep in September 2025 against companies that failed to honor GPC signals. California’s attorney general describes GPC as the one way consumers can submit opt-out requests under the California Consumer Privacy Act.
Europe is moving toward a related idea through Article 88b of the Digital Omnibus proposal. Legal analyses describe Article 88b as requiring websites to support automated, machine-readable signals that allow users to give or refuse consent and exercise objection rights.
The logistics are not complicated. A user sets preferences once in a browser, wallet or agent. In many cases, there is no banner because there is no need for one. The site already has the instructions.
Today, the website controls the moment of consent. It controls the colors, buttons, language, defaults and friction. GPC and Article 88b move that choice upstream, closer to the user. The banner no longer gets to bully the click out of us.
Schrems said industry-wide versions of this “last mile” solution have been proposed for roughly two decades. The technology is not the hard part; the business model is.
“That friction is intentional by the businesses that want to be able to process data in situations where generally the answer is no (opt out),” he said. “And the only way that we can do that is consent.”

AI elixir
Kuppinger said agentic AI could make the shift more practical because an agent could handle the avalanche of yes-or-no decisions humans are tired of making. Schrems agreed that the task does not require frontier AI. Much of the tracking ecosystem still relies on old, machine-readable purpose categories defined by the ad industry. A relatively simple agent could ask users a handful of upfront questions once and apply those choices across sites.
Schrems used a recipe site to make the point. If someone visits a page once for an apple strudel recipe, they probably do not want to negotiate privacy terms with a random website. If they visit a newspaper every week, a more meaningful choice may make sense.
The point is not to eliminate choice. It is to make choice contextual and durable instead of a ritualized click performed under banner fatigue.
Maler was more cautious about technology as a cure-all and put more faith in standards. She pointed to “My Terms” and IEEE 7012, a machine-readable privacy-terms standard designed to let individuals set conditions before a third party attempts to access their data.
The IEEE standard is far from becoming the Wi-Fi of privacy. Standards can take years to become products. But, Maler said, it is a real attempt to flip the default: users set terms first, instead of reacting to terms drafted by someone else.
Industry doesn’t like change
The market may not welcome that flip.
Google’s long-running Privacy Sandbox effort showed how hard it is to move the web away from third-party cookies. Google spent years trying to replace them in Chrome with alternative advertising APIs, then delayed and retreated amid pressure from regulators and industry players worried about competition and market power. Adweek reported in October 2025 that Google officially retired much of Privacy Sandbox. The Center for Democracy and Technology argued the decision left Chrome users exposed to continued tracking and profiling.
The publisher argument also makes a strong case for the status quo. The ad industry argues tracking funds quality content and keeps it free.
Schrems said the economics are messier: tracking does not simply fund publishers. It also lets advertisers find a premium publication’s readers elsewhere for less, shifting value away from the publisher and toward the platforms that control the targeting.
“Privacy is not going to solve quality journalism,” Schrems said.
And then there is the security hangover.
Every third-party script running on a corporate website is code executing in a customer’s browser under the company’s brand. Session cookies can also become targets for attackers trying to bypass passwords or multifactor authentication. Cookie theft and session hijacking remain recurring security concerns, as CloudSEK has documented.

For companies, the compliance issue is already practical. Businesses subject to state privacy laws that recognize GPC need to detect and honor browser-level opt-out signals and ensure downstream ad-tech and analytics partners respect them. This is not limited to companies physically located in California, Colorado or Connecticut. If a business serves covered consumers and meets statutory thresholds, the signal matters.
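What detecting and honoring the Sec-GPC: 1 header can look like on the server side, as an added example that is not from the panel, the GPC project or any vendor. The tag inventory, the sharesData flag and the downstream gpc field are assumptions made for illustration.

```javascript
// Added example. Tag names and the sharesData/gpc fields are constructed.

// Returns true only when the request carries the opt-out signal, Sec-GPC: 1.
function hasGpcOptOut(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    // Header names are case-insensitive; Node lower-cases them, others may not.
    if (name.toLowerCase() !== 'sec-gpc') continue;
    // A repeated header can arrive as an array or as one comma-joined string.
    const parts = Array.isArray(value) ? value : String(value).split(',');
    // Any other value is treated here as "no signal sent".
    if (parts.some((v) => String(v).trim() === '1')) return true;
  }
  return false;
}

// Constructed inventory of tags a page would normally load.
const TAGS = [
  { name: 'cart-session', sharesData: false },
  { name: 'first-party-analytics', sharesData: false },
  { name: 'ad-exchange-pixel', sharesData: true },
  { name: 'audience-sync', sharesData: true },
];

// Decide what to render for one request and what to tell downstream partners.
function planResponse(headers, tags = TAGS) {
  const optedOut = hasGpcOptOut(headers);
  const load = tags.filter((t) => !(optedOut && t.sharesData));
  return {
    optedOut,
    load: load.map((t) => t.name),
    suppressed: tags.filter((t) => !load.includes(t)).map((t) => t.name),
    // The body now depends on Sec-GPC, so shared caches must key on it.
    responseHeaders: { Vary: 'Sec-GPC' },
    // Hypothetical flag forwarded with any server-to-server partner call.
    downstream: { gpc: optedOut },
  };
}

// Constructed requests: one with the signal, one without.
console.log(planResponse({ 'sec-gpc': '1' }));
console.log(planResponse({ 'user-agent': 'ExampleBrowser/1.0' }));
```

The decision is made before any tag is emitted, so a tag that shares data never runs for an opted-out visitor, and the same flag travels with server-side partner calls that the browser never sees.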
California’s $2.75 million settlement with Disney in February 2026 showed how regulators are beginning to treat opt-out design as an enforcement issue, not a UX footnote. The complaint described an opt-out process fragmented across devices and services (Disney+, Hulu and ESPN+), even as Disney allegedly associated those same devices with users for advertising purposes.
Disney agreed to a stipulated judgment resolving California’s allegations without admitting liability.
The larger question is whether the cookie banner’s replacement becomes real user control or just better-dressed theater.
Browsers matter because they sit between users and websites. But the browser is no longer the whole story. Mobile apps, SaaS platforms, device identifiers, identity graphs and OAuth-style app connections do not all depend on browser cookies. They raise the same governance question: who manages permission when data moves across systems?
That is why the EIC panel’s cookie question was really a narrower version of a bigger one. Can the internet move consent away from manipulative interfaces and into systems that reflect what users want?
Kuppinger’s phrase for that future was simple: “privacy without pain.”
The hard part is not imagining it. The hard part is getting an industry built on pain to give it up.