The Cookie Banner Disaster

When Good Intentions Create Hell

Full disclosure: This post was written by a human (me), polished by an AI (it fixed my grammar and made me sound smarter), then reviewed by me again (to make sure the AI didn't make me sound too smart). Any remaining errors are 100% organic, artisanal, human-made mistakes.

DHH called cookie consent banners "a monument to good intentions leading straight to hell." Every website you visit now greets you with a popup asking about cookies. Nobody reads them. Nobody cares. And yet, after nearly a decade, we can't get rid of them. How did we get here?

The Noble Goals

The EU's GDPR and ePrivacy Directive had genuinely good intentions:

What GDPR Tried to Achieve

  • Give users control over their personal data
  • Require informed consent for tracking
  • Increase transparency about data collection
  • Hold companies accountable for data breaches
  • Create a framework for digital privacy rights

These are reasonable goals! Users should know what data is collected and have a choice about it. Companies shouldn't track people secretly. The problem isn't the goals—it's the implementation.

The Implementation Disaster

"It's a universal plague on the internet. Everyone hates it. It provides zero benefit to anyone. And somehow, we've been unable to get rid of it for almost a decade. That's a monument to regulatory failure."

— DHH on cookie banners

Problem 1: Nobody Reads the Banners

Studies show that users click "Accept All" in under 2 seconds without reading. The banners don't inform—they're just obstacles to the content users came for. Consent without comprehension isn't meaningful consent.

Problem 2: Dark Patterns Everywhere

Companies quickly learned to game the system. "Accept All" is a big green button. "Customize" or "Reject" requires multiple clicks through confusing interfaces. The regulation meant to empower users created new ways to manipulate them.

Problem 3: Compliance Theater

Sites display banners to avoid fines, not to genuinely respect user privacy. Many continue tracking regardless of user choice. The banner becomes a legal checkbox, not a privacy tool.

Problem 4: Degraded User Experience

Every website now has a popup covering content on first visit. Mobile experiences are especially awful—banners can cover half the screen. The internet got measurably worse for users.

Why We Can't Fix It

The worst part? Everyone agrees the current system is broken. Users hate it. Developers hate it. Even regulators admit it's not working as intended. Yet it persists.

Regulatory Inertia

Changing legislation takes years. The original directive took years to implement. Updates take even longer. Meanwhile, the broken system remains in place.

Fear of Fines

GDPR fines can reach 4% of global revenue. No company wants to risk being the example. So they implement cookie banners defensively, even when the law's intent might not require it.

Consent Management Industry

A whole industry now exists to sell cookie consent solutions. These companies lobby to maintain the status quo. The problem created its own defenders.

What Could Work Better

The original problem—users being tracked without consent—had simpler solutions:

Browser-Level Consent

Set privacy preferences once in your browser. Sites respect those settings. No per-site popups needed. This is how Do Not Track was supposed to work (before it was ignored).

Strict Default Rules

Ban cross-site tracking by default. No consent required because tracking simply isn't allowed. Safari and Firefox already do this with Intelligent Tracking Prevention.

Both approaches achieve the privacy goals without destroying user experience. But they require either browser cooperation or stricter enforcement—neither of which happened.

Lessons for Tech Legislation

1. Test User Experience Before Mandating

Did anyone user-test cookie banners before requiring them? Did regulators consider how actual humans would interact with consent dialogs? Apparently not.

2. Consider Second-Order Effects

Regulations create incentives. The cookie requirement created incentives for dark patterns, compliance theater, and a new industry profiting from the problem.

3. Build in Sunset Clauses

If regulation isn't working, there should be mechanisms to adjust or remove it. Cookie consent requirements have no automatic review—they persist indefinitely.

4. Technical Problems Need Technical Solutions

Privacy is a technical problem. Legal notices don't solve it—technical enforcement does. Safari blocking trackers achieves more privacy than millions of cookie banners.

What Developers Can Do

You can't opt out of cookie requirements, but you can minimize the damage:

  • Don't use tracking cookies if you don't need them: If you're not running ads or detailed analytics, you might not need consent at all.
  • Use privacy-respecting analytics: Plausible, Fathom, and similar tools don't require cookie consent because they don't track individuals.
  • Make rejection easy: If you must have a banner, make "Reject All" as easy as "Accept All." Don't be part of the dark pattern problem.
  • Question every third-party script: Each tracking pixel and analytics tool adds to your consent obligations. Are they worth it?
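To put the last item into practice, here is an added example (not part of the original post, and not code from any tool it mentions) that inventories the third-party hosts a page's static HTML pulls scripts, images and iframes from. The sample page, the `shop.example` origin and the rule that subdomains of the page host count as first-party are assumptions made for illustration.

```javascript
// Constructed sample page; every host name here is made up for illustration.
const SAMPLE_HTML = `
<html><head>
  <script src="/assets/app.js"></script>
  <script async src="https://tags.analytics.example/tm.js?id=X"></script>
  <script src="//cdn.shop.example/vendor.js"></script>
</head><body>
  <img src="https://pixel.adnetwork.example/t.gif?uid=1" width="1" height="1">
  <iframe src="https://video.embed.example/player/42"></iframe>
  <img src="images/logo.png">
</body></html>`;

// Assumption: the page host and its subdomains are first-party.
// A stricter audit would compare registrable domains via the Public Suffix List.
function isFirstParty(host, pageHost) {
  return host === pageHost || host.endsWith("." + pageHost);
}

// Returns [{ host, tags, count }] for every third-party host referenced by a
// src attribute on <script>, <img> or <iframe>, sorted by host name.
function thirdPartyInventory(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const byHost = new Map();
  // \ssrc requires whitespace before "src", so data-src is not matched.
  const re = /<(script|img|iframe)\b[^>]*?\ssrc\s*=\s*(["'])(.*?)\2/gi;
  for (const [, tag, , src] of html.matchAll(re)) {
    let url;
    try {
      url = new URL(src, pageUrl); // resolves relative and //host forms
    } catch {
      continue; // unparseable src: nothing to attribute
    }
    if (!/^https?:$/.test(url.protocol)) continue; // skip data:, blob:, etc.
    if (isFirstParty(url.hostname, pageHost)) continue;
    const entry = byHost.get(url.hostname) ||
      { host: url.hostname, tags: new Set(), count: 0 };
    entry.tags.add(tag.toLowerCase());
    entry.count += 1;
    byHost.set(url.hostname, entry);
  }
  return [...byHost.values()]
    .map((e) => ({ host: e.host, tags: [...e.tags].sort(), count: e.count }))
    .sort((a, b) => a.host.localeCompare(b.host));
}

console.log(thirdPartyInventory(SAMPLE_HTML, "https://shop.example/"));
```

This only sees what is in the served HTML; anything a tag manager injects at runtime has to be caught in the browser's network panel or with a Content-Security-Policy report.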

The Cautionary Tale

Cookie consent banners will likely be remembered as one of the great failures of tech regulation. Not because privacy isn't important—it is. But because the implementation made the internet worse while failing to actually protect privacy.

DHH's frustration resonates with anyone who uses the web. We created a universal annoyance that helps no one, and we can't undo it. That's a failure of process, not intent.

The next time someone proposes tech regulation, remember the cookie banner:

Good intentions aren't enough. Implementation matters. User experience matters. And once a bad solution is mandated, it's incredibly hard to fix. The road to hell is paved with consent dialogs.