You know that cookie banner you just clicked through without reading? What if it didn’t actually do anything?

For millions of web users, these pop-ups have become one of the internet’s most irritating interruptions. But behind the scenes, the problem runs deeper: many banners give the illusion of choice while still allowing cookies to be set and data to be collected in ways that aren’t transparent — even to the site owner. Managing user consent on today’s websites is more complex than ever, especially for merchants who rely on third-party apps and services.

One of the biggest hurdles is accurate cookie classification. Many third-party tools set cookies, but the vendors of those tools rarely disclose exactly how these cookies function. As a result, merchants are left to make educated guesses about their true purpose. This lack of transparency turns cookie classification into a high-stakes guessing game, where misclassifying a cookie could risk legal repercussions or disrupt site functionality.

The challenge grows when a single cookie serves multiple purposes. For example, a cookie storing a user ID might be necessary for a core service like login authentication while simultaneously supporting analytics or advertising tracking. This creates a difficult ethical and technical dilemma:

  • If a visitor opts out of tracking, should core site features also be disabled?
  • Are users unintentionally consenting to tracking when they accept “essential” cookies?

Unfortunately, merchants often have no way to answer these questions because the underlying logic is controlled by third-party providers — not the site owner.

Faced with these uncertainties, many merchants default to categorizing ambiguous cookies as “Essential” to avoid breaking their sites. While this preserves functionality, it reduces consent banners to little more than performative compliance — offering the illusion of choice while sidestepping meaningful user control. This approach not only erodes consumer trust but also contradicts the spirit — and in some cases, the letter — of privacy regulations like GDPR or CCPA, which prioritize transparency and user agency.
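One way a merchant could check whether a banner's choices are actually honoured, shown as an added example that is not part of the original article. The cookie names, categories and sample string are constructed; the map lists every known purpose per cookie, so a multi-purpose cookie labelled "essential" is still flagged when the visitor refused its other purposes.

```javascript
// Added example: cookie names, categories and sample data are constructed.
// Merchant's classification: each cookie lists EVERY purpose it is known to serve.
const CLASSIFICATION = {
  session_id: ["essential"],
  cart_token: ["essential"],
  uid: ["essential", "analytics", "advertising"], // multi-purpose user ID
  _metrics: ["analytics"],
};

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// Compare the cookies actually present with what the visitor consented to.
// consent: Set of accepted categories; "essential" is always treated as allowed.
function auditCookies(cookieString, classification, consent) {
  const allowed = new Set([...consent, "essential"]);
  const findings = [];
  for (const name of cookieNames(cookieString)) {
    const known = Object.prototype.hasOwnProperty.call(classification, name);
    if (!known) {
      // Nobody has classified this cookie, so no consent choice covers it.
      findings.push({ name, issue: "unclassified", purposes: [] });
      continue;
    }
    const purposes = classification[name];
    const refused = purposes.filter((p) => !allowed.has(p));
    if (refused.length === 0) continue;
    findings.push({
      name,
      // An "essential" label does not cover the other purposes the cookie serves.
      issue: purposes.includes("essential")
        ? "essential-with-refused-purpose"
        : "set-without-consent",
      purposes: refused,
    });
  }
  return findings;
}

// Constructed sample: the visitor accepted nothing beyond essential cookies.
const sample = "session_id=abc; uid=42; _metrics=x1; vendor_px=9";
console.log(auditCookies(sample, CLASSIFICATION, new Set()));
```

In a browser, pass `document.cookie` as the first argument; cookies marked `HttpOnly` are not visible there and need a separate check of the response headers.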

In short, the burden of compliance currently falls disproportionately on merchants, who are caught between compliance and practicality. Without greater transparency from third-party providers — and clearer standards for how multi-purpose cookies should be handled — consent management will remain a fractured process. Until then, merchants and users alike are left navigating a system where privacy protections often exist in name only.

This needs to change. Privacy legislation must evolve to recognize that responsibility shouldn’t rest solely on the shoulders of site operators. Browsers should provide built-in mechanisms that allow JavaScript authors to declare — in a standardized, machine-readable way — the specific purposes of any cookies or local storage data they set.

These classifications should be enforceable at the browser level, with user preferences managed directly in the browser’s own privacy settings, rather than through intrusive, performance-sapping pop-ups on every site. If a script author fails to accurately classify their cookies, the legal burden should fall to them — not the merchant who integrates the tool.

By moving classification responsibility upstream and shifting enforcement to the point where the data is created, we can replace today’s performative compliance with genuine user choice and accountable data practices.