Why every website wants you to accept its cookies

Avatar of Chris Coyier
Chris Coyier on (Updated on )

DigitalOcean provides cloud products for every stage of your journey. Get started with $200 in free credit!

I’m probably in the minority on this, but I’ve never ever built one of those “This site uses cookies, here’s some kind of explanation of why, and please click this OK button to accept that” bars that feels like they are on half of the internet.

Emily Stewart:

Most of us just tediously click “yes” and move on. If you reject the cookie tracking, sometimes, the website won’t work. But most of the time, you can just keep browsing. They’re not too different from the annoying pop-up ads we all ignore when we’re online.

I’m extra-ignorant in that don’t even really get why they exist, despite being a professional web site builder.

Emily does a good job of rounding up the answer. It’s probably about what you think it is: a better safe than sorry play. Better annoy some users than get sued out of existence.

It’s also interesting that it’s not just one particular regulation that has people doing this. GDPR is a big one (despite being fairly light on mentions of cookies at all), but it’s really a couple of different regulations, including likely-upcoming ones, that have people implementing these obnoxious pop-ups.

I’m probably the weirdo that would rather get sued than show a fricking cookie banner.

Speaking of cookies though, and things that I’m ignorant about, I asked this question not long ago:

My brain didn’t have an answer at the time. If I was pressed on it, I’d probably answer that it’s just snake oil, and that those checkboxes don’t actually do anything.

From the thread, the answer seems to be that most sites use cookies to store your logged-in user session. Cookies have expiration dates. The “Remember me?” option makes the cookie have a longer expiration date than if you didn’t check it.

The whole thread there is pretty fun. Lots of useful things and lots more jokes. I’m on board with the idea that anytime you check that box, some server, somewhere, plays this.


There is some fair pushback on my take above.

I’m probably the weirdo that would rather get sued than show a fricking cookie banner.

Huge thanks to Laura Kalbag for having a conversation with me about this. Here’s the situation:

As I write, this website is illegal in Europe. And maybe everywhere? I’m not quite clear on that yet.

It’s because this site sets some cookies that are “non-essential” (unlike, say, a login cookie, which is “essential”). For example, I’ve written code myself (at the request of advertisers) to include an <img src="pixel.gif"> with their display advertisement. The purpose of that image is to track impressions, but it also can and does set a cookie, and probably can and does to other things besides track impressions, like attempt to show “targetted” ads. As I write, both MailChimp and Wufoo use these “tracking pixels” in ads that are running on this site. (I’ve actually reached out to see if removing them would be a deal-breaker or not, let’s see!)

So, because of those non-essential cookies, I’m required to show UI that asks for user’s consent. And here’s an important aspect as well: before they’ve answered, or if they don’t consent, I shouldn’t be including those tracking pixels at all (because I can’t control whether or not they set a cookie). That’s some fancy coding stuff that I just haven’t done. To do it without JavaScript is even fancier dancing.

So theoretically, legal action could be taken against me for this. There is some irony to the fact that a lot of sites with cookie-consent UI don’t even implement the opt-in nature of them, making them useless. And some extra irony in that to really do this correctly, it probably also requires cookies, which you’d be required to tell them about. It’s not the existence of the UI that counts, it’s actually not setting the cookies unless you have consent. I’m not particularly worried about being sued. Apparently so far it’s not governments taking actions but individual lawyers taking out cases on behalf of people. I would guess these will gain steam in coming years.

I am more compelled by the right thing to do argument, in that if you’re going to put a cookie on someone’s computer, you should tell them what it’s for and ask them if it’s OK first.

So I’m in a predicament. I don’t want to build a cookie consent UI. It will be difficult to program, technical debt to maintain, and worse, be annoying to users. I’d rather see if we can just ditch anything setting a third-party cookie, so I’m going down that road first.

Direct Link →