Conducted by NordVPN, the survey shows that almost half of the web users from the US invariably always hit the accept button whenever they run into a cookie notification, with just about 7% exercising the option to decline them.  “The statistic doesn’t really surprise me,” Paul Bischoff, privacy advocate at Comparitech, told Lifewire in an email. “Cookie notifications are often intrusive, so they have to be addressed to continue to the site.”

NordVPN conducted the global survey to highlight the dangers of web cookies, arguing that while they are vital to the internet, they also make users vulnerable to privacy intrusions.  “Because of cookies, websites remember you, your logins, shopping carts, and even more. But they can also be a treasure trove of private information for criminals to spy on,” explained Daniel Markuson, a digital privacy expert at NordVPN, in a press release sent to Lifewire. Recognizing the dangers of web cookies, the European Union (EU) made it mandatory for websites to display the now-familiar cookie popup notification as part of its General Data Protection Regulation (GDPR) privacy law. The idea behind the notification is to inform users of the cookies the website employs and ask for the visitor’s consent to enable those cookies to collect data.  However, the survey revealed that only a handful of users choose to deny websites permission to store cookies. While the figure hovers around 7%  in the US, it’s about 5% in several EU countries, including Germany and France, and plummets to just over 4% in Canada and New Zealand and under 2% in Spain. Like Bischoff, Caroline Wong, author of the book “Security Metrics, A Beginner’s Guide,” and Chief Strategy Officer at Cobalt, isn’t surprised at the dismally low figures either. In an email exchange with Lifewire, she said she feels that in their haste to get to the website’s consent, most web users just click the “allow cookies” button without even consciously making the decision. Analyzing the user behavior further, Bischoff added that many people accept the cookies assuming they must do so in order to access the site, even though that may not be the case in reality. “That, combined with a general disregard for privacy in favor of convenience, leads to most people accepting cookies,” shared Bischoff.

Tracking cookies are a hotly debated topic at the moment, with Google first proposing an alternative called Federated Learning of Cohorts (FLoC) in 2021, before replacing it with Topics earlier in 2022, after receiving feedback from privacy advocates, who have once again expressed concern with the new mechanism as well. Meanwhile, Wong believes cookie notifications have improved significantly over the years, with many of them being actually pretty decent.  “In my opinion, the security concern has less to do with cookie notifications and more to do with responsible use of cookies by the company that is presenting them to users on the web,” said Wong. To that end, Wong suggests web users take a risk-based approach to dealing with cookie notifications. If you’re shopping, gaming, or using social media, it’s probably safe to use cookies. But when interacting with websites that handle sensitive data, such as online banking, she recommends spending time perusing the details about the collected data and perhaps declining them altogether. On the other hand, Bischoff advised using tracker blocker plugins like Privacy Badger, Disconnect, or Ghostery, which will block third-party cookies even if a user accepts the cookie notification.  In situations where you can’t install the extensions, such as on a mobile phone, Bischoff suggests visiting websites using the browser’s incognito mode, which will again prevent the website from placing cookies on the device. Although both experts suggested ways for users to avoid tracking cookies, they believed that in an ideal world, users shouldn’t have to. “When cookies are managed improperly, they are vulnerable to attacks by hackers,” shared Wong. “This should not be the responsibility of the average internet user to have to manage; it needs to be responsibly managed on the part of the company that is running the website.”