Blog

  • Claude’s LLM leap and AI’s real-world fallout (Links) – Jun. 15, 2026

  • AI boom: investment surge and societal fallout (Links) – Jun. 14, 2026

  • The EU’s trillion-click mistake

    While you read this, Europeans will click roughly seven million cookie banners.

    This is a follow-up post to my earlier thoughts on Apple AI and the EU. This post was generated by Claude Fable 5 (before the model was revoked on 6/12), and I found it helpful in understanding the implications of GDPR regulations.

    Right now, as you read this sentence, people across Europe are clicking cookie consent banners at a rate of roughly 13,000 clicks per second.[2] Not per day. Per second. Every second, around the clock, for years.

    Each click takes about five seconds of attention — read the banner, find the button, dismiss it, remember what you came for. Multiply that by an estimated 412 billion banner interactions a year, and Europeans collectively spend more than 575 million hours annually clicking through consent prompts. That is the working output of roughly 275,000 full-time employees, worth approximately €14.4 billion in lost productivity — every year, in the EU alone.[1],[2]

    The scale of the clicking, from Legiscope’s 2024 analysis of EU banner frequency.[1]

    That number is staggering on its own. But it only becomes a scandal when you ask the obvious follow-up question: what did all that clicking buy us?

    The answer, supported by peer-reviewed research and now effectively conceded by the European Commission itself, is: almost nothing. The cookie consent regime — born in the EU’s ePrivacy Directive and supercharged by the GDPR’s strict consent standard in 2018 — has imposed enormous, measurable costs on billions of people while delivering privacy protection that is largely theatrical.

    First, a quick correction to the popular story

    Cookie banners are usually blamed on the GDPR, but the consent requirement actually comes from an older law: the ePrivacy Directive of 2002, amended in 2009 to require opt-in consent before websites store non-essential cookies. What the GDPR did in 2018 was raise the bar for what counts as valid consent — it must be freely given, specific, informed, and unambiguous.[1] That stricter standard is what turned a quiet legal requirement into the wall of pop-ups we know today. So the fair target of criticism is the whole EU consent-banner regime: the ePrivacy rules and the GDPR consent standard working together. That’s the regime this post examines — and the distinction matters, because the EU is now trying to reform exactly this combination.

    Twenty-three years from the first EU cookie rule to the EU’s own second thoughts.

    The lock that doesn’t lock

    The entire premise of a consent banner is a bargain: you make a choice, and websites respect it. If that bargain fails, every banner on the internet is friction without function. And the research says the bargain fails — comprehensively.

    The mechanism is browser fingerprinting. Your browser constantly reveals small technical details — screen resolution, installed fonts, time zone, graphics hardware quirks. Combined, these form a “fingerprint” that is unique for the large majority of devices, allowing a website to recognize and follow you without storing a single cookie. No cookie means the cookie-consent machinery never even gets involved.
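How a handful of individually common attributes add up to an identifier, as an added example that is not part of the original post. The eight visitors and their attribute values are constructed sample data, and the function names are hypothetical.

```javascript
// Constructed sample: eight visitors and four attributes a browser exposes
// without storing anything on the device.
const visitors = [
  { screen: "1920x1080", tz: "Europe/Berlin", fonts: "setA", gpu: "intel" },
  { screen: "1920x1080", tz: "Europe/Berlin", fonts: "setA", gpu: "nvidia" },
  { screen: "1920x1080", tz: "Europe/Paris", fonts: "setB", gpu: "intel" },
  { screen: "1920x1080", tz: "Europe/Paris", fonts: "setA", gpu: "intel" },
  { screen: "1366x768", tz: "Europe/Berlin", fonts: "setB", gpu: "intel" },
  { screen: "1366x768", tz: "Europe/Berlin", fonts: "setB", gpu: "amd" },
  { screen: "1366x768", tz: "Europe/Paris", fonts: "setA", gpu: "nvidia" },
  { screen: "1366x768", tz: "Europe/Paris", fonts: "setA", gpu: "nvidia" },
];

// Group visitors by their values for `attrs`; each group is an anonymity set.
function anonymitySets(rows, attrs) {
  const sets = new Map();
  for (const row of rows) {
    const key = attrs.map((a) => row[a]).join("|");
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Shannon entropy in bits of the distribution over anonymity sets.
function entropyBits(rows, attrs) {
  let bits = 0;
  for (const n of anonymitySets(rows, attrs).values()) {
    const p = n / rows.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Share of visitors who are alone in their set and so recognisable on return.
function uniqueFraction(rows, attrs) {
  let unique = 0;
  for (const n of anonymitySets(rows, attrs).values()) {
    if (n === 1) unique += 1;
  }
  return unique / rows.length;
}

// One row per single attribute, then all four combined.
function report(rows) {
  const all = Object.keys(rows[0]);
  return [...all.map((a) => [a]), all].map((attrs) => ({
    attrs: attrs.join("+"),
    bits: Number(entropyBits(rows, attrs).toFixed(2)),
    unique: uniqueFraction(rows, attrs),
  }));
}

console.table(report(visitors));
```

Calling `uniqueFraction(visitors, ["screen", "tz"])` models a browser that reports uniform font and GPU values: every visitor then shares an anonymity set with someone else.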

    This isn’t theoretical. A peer-reviewed study presented at The Web Conference examined how websites behave around their own consent banners, and the results are devastating for the consent model:[3]

    • 73.5% of websites that fingerprint do so regardless of what you click. Accept, reject, ignore — the tracking is identical.
    • 279 sites in the study fingerprinted visitors before they touched the banner at all.
    • And here is the finding that should end the debate: more sites (285) fingerprinted users after they clicked “Reject All” than before they clicked anything. The researchers concluded that fingerprinting functions as a fallback: when the law successfully blocks the cookie, sites switch to the tracking method the banner can’t touch.
    Rejecting tracking can trigger more covert tracking. Data from Papadogiannakis et al., The Web Conference 2021.[3]

    Read that again: clicking the privacy-protecting button can make you more tracked, not less. The lock on the front door doesn’t lock — and jiggling it tells the burglar you’re worth following through the window.

    The follow-up research is just as bleak. A 2025 study by researchers at Johns Hopkins and Texas A&M, presented at the ACM Web Conference, provided the first definitive evidence that fingerprints are used for real cross-site tracking — and found that even users who explicitly opt out under the GDPR and California’s CCPA may still be tracked.[4] An earlier large-scale crawl found that as many as 68.8% of the top 10,000 websites show signs of fingerprinting activity.[5] The consent regime regulates the one tracking technology that politely announces itself, while the silent alternative operates at scale, untouched.

    The banners don’t even follow their own law

    It gets worse. Even judged purely on its own terms, the regime fails. Multiple studies have found that 80–90% of cookie banners violate the GDPR’s requirements — no working “Reject All” button, dark patterns that make refusing harder than accepting, pre-ticked boxes, and consent extracted under conditions that are anything but free.[1] Faced with this daily obstacle course, users have rationally given up: research finds people click “Accept All” around 90% of the time without reading anything,[6] 76% find the pop-ups irritating, and 68% simply don’t want to deal with them at all.[7]

    The consent regime, graded against its own rulebook.[1]

    This is the definition of a failed policy: a rule that nearly everyone violates, that nearly everyone resents, that conditions the public to reflexively click “yes” to surveillance — and that doesn’t stop the surveillance anyway.

    The bill, itemized

    So the benefit side of the ledger is approximately zero. What’s on the cost side? Three things, in sharply descending order of magnitude.

    1. Human time: the headline cost

    The numbers from the opening bear repeating, because they are the heart of the case. Legiscope’s analysis works from simple, checkable inputs: roughly 404 million EU internet users, visiting about 100 sites a month, with about 85% of sites showing a banner, at roughly five seconds per interaction. The product is 575 million hours per year — the equivalent of 275,000 full-time jobs spent doing nothing but dismissing pop-ups, valued at about €14.4 billion annually at average European wages.[1],[2]

    And that is the EU-only floor. Because websites over-comply globally rather than build separate versions per jurisdiction, banners now confront users far beyond Europe. If the rest of the world’s internet users encounter banners at even a fraction of the EU rate, the global figure plausibly runs to billions of hours every year.

    2. Money: an industry built on friction

    A banner is the visible tip of a software stack. Behind it sits a “consent management platform” (CMP) — software whose only job is to display banners, record choices, and block or fire trackers accordingly. An entire industry now exists to sell this. Market analysts size the global consent-management market between roughly $1 billion and $3.5 billion per year depending on definitions,[9],[10] and the largest vendor, OneTrust, alone generates an estimated $1.2 billion in annual revenue.[11] For small businesses, compliance costs can exceed €10,000 a year once legal review and implementation are counted.[6] None of this spending makes a product better, a page faster, or a user safer. It is pure regulatory overhead — a multi-billion-euro tax on the act of having a website.

    3. Energy and data: real, but honestly small

    Every banner is also code: scripts that must be downloaded, executed, and answered on every page load. A French web-performance audit of eleven major CMPs found they transfer up to tens of kilobytes per page load before the user touches anything, and measurably degrade Core Web Vitals — the loading and responsiveness metrics that define how fast the web feels.[12],[14]

    What does that cost in energy? Here we’ll show our math rather than hide it, because nobody has published a definitive study:

    Back-of-envelope, EU only, per year: 412 billion banner interactions × 30–100 KB of consent-related transfer ≈ 12–41 petabytes of traffic. At commonly used network-energy coefficients (which are genuinely contested, with estimates up to 0.066 kWh/GB at the high end[13]), plus the marginal device power burned during 575 million hours of banner-clicking, the total lands in the range of roughly 10–25 GWh and a few thousand tonnes of CO₂ per year — on the order of the low thousands of cars’ worth of emissions and a few million euros of electricity. Treat these as order-of-magnitude estimates only.

    We could have inflated this number. We didn’t, because honesty is the point: the energy cost is real but it is a rounding error next to the human cost. The chart below puts all three on one (logarithmic) scale.

    Three cost categories, drawn to scale — circle area is proportional to annual cost. The energy dot needs a magnifier.

    Even Brussels agrees now

    Here is the remarkable part: this is no longer a contrarian argument. In November 2025, the European Commission published its Digital Omnibus proposal — a sweeping package to simplify the GDPR and ePrivacy rules. In its own explanatory memorandum, the Commission acknowledges that consent fatigue and the proliferation of cookie banners have become a problem whose regulatory solution is, in its words, long-overdue.[8] As one law firm dryly observed, that is a remarkable self-description for a problem created by EU law itself.[8] The Commission has been blunter still about the clicking ritual, admitting: This is not a real choice made by citizens to protect their phones or computers.[7]

    The proposed fix — fewer consent triggers, mandatory one-click rejection, and eventually machine-readable preference signals set once in your browser and honored everywhere — is a tacit admission that two decades of per-site banners failed.[8],[15] Whether the reform survives the legislative process intact, and whether it actually ends banner fatigue, remains genuinely uncertain; legal analysts are skeptical.[8] But the verdict on the existing regime has been delivered by its own author.

    What would have worked instead

    The tragedy is that the better design was always available. A browser-level signal — set your preference once, have every site legally bound to respect it — eliminates the per-site banner entirely while expressing a more genuine choice than 412 billion reflexive clicks ever could. The United States’ Global Privacy Control works on exactly this principle, and the Digital Omnibus now points the same direction.[15] Pair that with enforcement aimed at covert tracking — fingerprinting — rather than at the one technology that politely asks first, and you get more actual privacy for a tiny fraction of the cost.
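What honoring a browser-level signal looks like on the server side, as an added example that is not part of the original post. `Sec-GPC` and `/.well-known/gpc.json` come from the Global Privacy Control proposal; the function names, the precedence policy and the sample requests are assumptions made for illustration.

```javascript
// Sec-GPC is the request header of the Global Privacy Control proposal.
// Only the exact value "1" expresses the preference; anything else is no signal.
function hasGpc(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Hypothetical site policy (an assumption, not taken from the post): a live GPC
// signal overrides any earlier banner choice and no banner is shown at all.
function consentDecision(headers, storedChoice) {
  if (hasGpc(headers)) {
    return { showBanner: false, analytics: false, advertising: false, source: "gpc" };
  }
  if (storedChoice === "accept" || storedChoice === "reject") {
    const allowed = storedChoice === "accept";
    return { showBanner: false, analytics: allowed, advertising: allowed, source: "stored" };
  }
  // No signal and no recorded choice: nothing non-essential loads, banner is shown.
  return { showBanner: true, analytics: false, advertising: false, source: "default" };
}

// Body a site can publish at /.well-known/gpc.json to state that it honors the signal.
function gpcSupportResource(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed requests: a stale "accept" with GPC set, an invalid header value,
// and a returning visitor with no signal.
const samples = [
  [{ "Sec-GPC": "1" }, "accept"],
  [{ "sec-gpc": "0" }, undefined],
  [{}, "reject"],
];
for (const [headers, stored] of samples) {
  console.log(JSON.stringify(headers), stored, consentDecision(headers, stored));
}
```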

    To be fair to the other side: privacy advocates argue that the consent regime, however clumsy, at least forced data collection into the open, and they warn that loosening it could legitimize even more tracking — one advocacy group memorably called the focus on cookies rearranging deckchairs on the Titanic, the Titanic being surveillance advertising itself.[6] That’s a serious concern, and any reform should be judged on whether it actually constrains fingerprinting and surveillance advertising rather than merely hiding them. But it is not a defense of the banners. On the banners, the evidence is in.

    The verdict

    Judge the EU consent-banner regime as you would any policy: by its costs and its results. The costs are 575 million hours of European life per year, €14.4 billion in lost productivity, a multi-billion-euro compliance industry, and a measurably slower, heavier web. The results are banners that 80–90% of sites implement illegally, that 90% of users click through blindly, and that do nothing to stop the fingerprint-based tracking happening underneath — tracking that can actually intensify when you click “Reject.”

    Thirteen thousand clicks per second. For nothing. It is one of the largest small-scale wastes of human attention ever legislated into existence — and the first step to fixing it is saying so plainly.


    Methodology note

    The headline time figures come from Legiscope’s published methodology (404M EU users × ~1,020 banners/year × ~5 seconds), which we treat as a reasonable central estimate rather than gospel; halving the per-banner time still yields hundreds of millions of hours. The energy estimate is our own and is presented as an order-of-magnitude range; we deliberately rank it as the smallest cost category. Market-size figures for consent software vary widely between analysts and are presented as a range. The fingerprinting findings are from peer-reviewed studies linked below. We have avoided counting GDPR’s broader compliance costs (data audits, DPOs, legal fees), which are real but not attributable to banners specifically.

    Sources

    1. Legiscope, Cookie banners: 575 million hours — the hidden productivity drain (2024). legiscope.com
    2. AnythingCounter, How many cookie consent banners are clicked every day? — methodology recap of the Legiscope figures (13,054 clicks/second; €14.4B). anythingcounter.com
    3. E. Papadogiannakis, P. Papadopoulos, N. Kourtellis, E. P. Markatos, User Tracking in the Post-cookie Era: How Websites Bypass GDPR Consent to Track Users, Proceedings of The Web Conference (WWW) 2021. arxiv.org/abs/2102.08779
    4. Johns Hopkins University, Websites are tracking you via browser fingerprinting — coverage of the FPTrace study presented at the ACM Web Conference 2025. cs.jhu.edu
    5. N. M. Al-Fannah, W. Li, C. J. Mitchell, Beyond Cookie Monster Amnesia: Real World Persistent Online Tracking (2019). arxiv.org/abs/1905.09581
    6. Captain Compliance, The EU’s Cookie Consent Saga (2025) — accept-all rates, SME compliance costs, and the EDRi position. captaincompliance.com
    7. Chamber of Progress, EU’s Cure for Cookie Fatigue (2026) — user-irritation survey figures and the Commission’s “not a real choice” statement. progresschamber.org
    8. Osborne Clarke, Digital Omnibus reshapes EU cookie rules but leaves banner fatigue largely intact (Dec 2025) — analysis of the Commission’s explanatory memorandum. osborneclarke.com
    9. Mordor Intelligence, Consent Management Market (~$1.07B in 2026). mordorintelligence.com
    10. Market Research Future, Consent Management Market (~$3.52B in 2024). marketresearchfuture.com
    11. Spherical Insights, Top 20 Companies in the Consent Management Market (OneTrust revenue estimate). sphericalinsights.com
    12. Agence Web Performance, CMP / Cookie Banner and web performance: comparison of 11 tools (2023). agencewebperformance.fr
    13. Greenly, What is the Carbon Footprint of Data Storage? — energy-per-gigabyte coefficients (note these are contested and likely upper-bound). greenly.earth
    14. DebugBear, Cookie Consent Banners, Page Speed, and Core Web Vitals (2025). debugbear.com
    15. iubenda, The European Commission’s proposal for new cookie rules (2026) — overview of browser-level preference signals in the Digital Omnibus. iubenda.com
  • Consumer AI Devices and Compute-Fueled Boom (Links) – Jun. 13, 2026

  • Apple AI & the EU

    From John Gruber:

    There’s a lot to unpack here, including more background information — and on-the-record statements — from a briefing Apple held Tuesday that I was invited to at Apple Park. But the bottom line is that Apple’s public statements regarding the DMA and the European Commission have never been this strident before. In its public statements, Apple has always been diplomatic. That’s the word.

    Now, they’re a bit more on war footing. There’s a massive gulf between what Apple is willing to do with Siri AI in the EU and what the Commission is demanding from Apple for DMA compliance. As things stand there’s no middle ground. Apple’s offers for compromise have been rejected. Unless one side changes its mind and concedes its current position, Siri AI will never come to the EU, and what Apple is saying here is that they’re unwilling to create the open-access-to-user-data system that the EC is demanding.

    Say what you will about policies from the Trump administration, but their willingness to go to bat for American companies in Europe and elsewhere seems like a good thing. I can’t imagine Apple taking a similar posture during Biden’s time in office.

    I just can’t put into words the mess the EU has made of the internet with its cookie consent policies and overall the GDPR regulations. I’m not sure anyone actually believes the world has a more secure or more private internet today as a result of EU policymaking. Perhaps I’ll get Anthropic’s Fable to help me visualize the sheer number of electrons consumed and time spent as people across the world click “deny” or “accept” to those dreaded popups.

    The EU, unsurprisingly, blames Apple. This from spokesperson Thomas Regnier on LinkedIn of all places:

    What is the true story behind Apple’s decision not to roll out “Siri AI” in the EU?

    This decision is Apple’s and Apple’s only.

    Because absolutely nothing in the DMA prohibits Apple from rolling out new features in the EU.

    Yes, the European Commission and Apple had a few contacts on “Siri AI”.

    But instead of offering a compliant solution, Apple asked to be exempted from its interoperability obligations under the DMA – and this for 18 months.

    That’s not an option. EU rules are non negotiable.

    And it would mean that no AI agent other than “Siri AI” could be chosen by EU consumers.

    Apple, like any other gatekeeper, cannot close the market. The DMA is very clear about that.

    Our developers have the right to compete. And our consumers the right to choose.

    Those who want to keep using Apple products in their current form can of course do it.

    But for those who want to use another AI agent, the DMA will give them the possibility to do so.


    Update June 15: A group in the EU created a petition to bring Siri AI to the EU. 10k signatures so far. They’re aiming for 100k.

  • Surging AI Investment and Rising Safety Risks (Links) – Jun. 12, 2026

  • AI Compute Arms Race and Governance Battles (Links) – Jun. 11, 2026

  • AI Industry Build-Out Meets Moral and Economic Risks (Links) – Jun. 10, 2026

  • Anthropic’s Surge and AI Safety Challenges (Links) – Jun. 9, 2026

  • AI Market Race and Governance Risks (Links) – Jun. 8, 2026