The EU's own website has a cookie banner. Two buttons: "Accept all cookies" and "Accept only essential cookies." No "Reject." The institution whose regulations created these banners couldn't bring itself to use the word on its own site.

Technically compliant — "Accept only essential cookies" is functionally a reject button. But the bureaucratic linguistics tell you everything about how the EU relates to its own regulation.

The legal chain goes back further than most people realize. The ePrivacy Directive (2002) introduced the framework. A 2009 amendment turned "right to refuse" into "prior informed consent" — the legal basis for popups. Then GDPR (2018) raised the penalties and tightened what counts as valid consent, triggering the explosion of cookie banners we know today. The EU tried to replace the whole thing with a modern ePrivacy Regulation starting in 2017. In February 2025, they formally abandoned the effort, citing "no foreseeable agreement" and noting the proposal was "outdated." The 2002 directive, amended in 2009 and supercharged by GDPR, remains the legal backbone.

In the meantime, the banners have become a global productivity catastrophe. The math is straightforward, and the numbers are large enough to be absurd.

How many websites do you actually visit?

The most widely cited cost estimate comes from a Legiscope analysis that assumes EU internet users visit 100 unique websites per month. Their source for that number is a blogging statistics article. It's in the same ballpark as Nielsen's 2013 measurement of 90 unique domains per person per month for online Americans — so the estimate isn't unreasonable for 2013.

But browsing behavior has changed. Crichton et al. (2021), observing 257 US home computer users through Carnegie Mellon's Security Behavior Observatory, found an average of 20 unique websites per day — roughly 600 per month. That's six times the Nielsen/Legiscope figure, measured eight years later.

I checked my own Chrome history to see where I land. Over the last 90 days — after filtering out localhost, auth callbacks, and email — I averaged about 95 unique external domains per day, or roughly 80 on days without research-binge outliers. I'm a developer, so my usage is heavier than the academic average. The tall spikes below are days I was systematically evaluating AI tools and scraping plugin marketplaces — not normal browsing. But even my quiet weekend days land at 25–50 unique domains.

The 2013 Nielsen measurement and the 2026 Legiscope estimate nearly overlap at the bottom of the chart — about 3 unique sites per day. The 2021 academic measurement is 6x higher, and still sits well below my lightest browsing days.

The math

With 404 million EU internet users, the cost calculation is straightforward: users × sites per month × banner rate × seconds per interaction × hourly wage. The question is which inputs to trust.

Using the Legiscope assumptions (100 sites/month, 85% with banners, 5 seconds each), you get 575 million hours and roughly €14 billion per year. Use actual per-country Eurostat wages instead of a flat €25 average and it rises to about €18 billion. But the 100 sites/month figure is almost certainly too low by a factor of 6 — and the Vice reporter who spent 3 days trying to reject cookies averaged 12 minutes per day on just 25 sites, far worse than 5 seconds each.

Use the academic measurement of 600 sites/month instead and the numbers get absurd. The exact figure matters less than the order of magnitude: cookie banners are consuming somewhere between hundreds of millions and several billion hours of human time per year in Europe alone.

For reference: Clay Shirky and IBM estimated the entire history of Wikipedia — every edit, every talk page argument, every language edition — at roughly 100 million hours of collective human labor. Even with the most conservative inputs, the EU's cookie hours exceed that every year.

A Harvard/NBER study by Chiara Farronato put the per-person cost at roughly $4/week for a US worker earning an average wage. The paper's more important finding: browser-level consent — a single setting that applies everywhere — would deliver far larger welfare gains than the current per-site popup system.

Who pays most

The cookie banner is a regressive tax. Every EU citizen sees the same popups, but a Luxembourger's time costs €50.70/hour while a Bulgarian's costs €8.20. Same annoyance, 8x the economic damage.

Germany alone accounts for roughly 25% of the EU total — €4.6 billion — because it combines 84 million people, 93% internet penetration, and €41/hour labor costs. The Netherlands, with just 18 million people, outspends Poland (37 million) because Dutch wages are 3.4x higher.

The top five countries — Germany, France, Italy, Spain, and the Netherlands — account for 72% of the total cost. The per-capita view tells a different story: Switzerland (€73.60/person/year), Luxembourg (€71.60), Norway (€69.90), Denmark (€65.40), and Belgium (€62.10) bear the heaviest individual burden. Bulgaria, at €9.20 per person, sits at the bottom. All figures use Eurostat 2024 population, 2023 internet penetration, and 2023 hourly labor costs.

It doesn't even work

A 2022 study of 81 German websites found that 79% loaded third-party trackers before the user interacted with the cookie banner at all. An average of 3 trackers were already active before any click. After clicking "Reject all," an average of 4 trackers remained active. Google accounted for 47.3% of pixel-tracking violations without valid consent.

A larger 2025 study of 254,148 websites found that 89% of cookie banners violate applicable law. Only 15% meet minimum GDPR requirements.

The Vice experiment quantified the user experience: a reporter spent three working days trying to reject cookies on every site she visited. Results: 14 minutes on day one, 13 on day two, 9 on day three. The quickest banner took 2.6 seconds. The longest took over 5 minutes before she gave up. Her overall success rate for actually opting out: 46%. On more than half the sites, she either couldn't find the reject option, hit a dead end, or wasn't sure if it had worked.

The consent rates tell the dark pattern story in aggregate. Didomi's CMP telemetry shows 85–94% consent rates across most EU countries — people overwhelmingly click "Accept." But etracker's German data shows that when the reject button is equally prominent, consent drops to about 40%. The gap between 85% and 40% is the measured effect of dark patterns.

France is the outlier at 73% in Didomi's data — because France's CNIL actually enforces banner design rules, requiring the reject option to be as visible as accept. Germany sits at 85% on Didomi but 54% on etracker's fair-design banners. YouGov survey data — where people self-report their behavior — shows only 44% of Germans say they always accept. People know what they want. The banners are designed to make them do something else.

The Advance Metrics study tracked the trend from 2018 to 2023: 76% of users ignored cookie banners entirely in 2018. By 2023, that dropped to 33.6% — people are engaging more, not less, which means spending more time on these dialogs. Of the 0.4% who actually open cookie settings to customize, only 28.3% save their choices. The rest give up.

The consent-industrial complex

The Consent Management Platform market exists because the EU created a problem only software could handle. OneTrust, the market leader, reported ~$500M in annual recurring revenue in October 2024. Usercentrics (which acquired Cookiebot in 2021) has over 100,000 paying B2B customers. The total CMP market is somewhere between $800 million and $1.2 billion per year, depending on how broadly you count.

A billion-dollar industry exists to help websites comply with cookie consent law. And yet, across the web, 89% of cookie banners still violate that law. The CMPs provide the tools — compliant templates, granular controls, audit trails. But the tools don't determine how they're configured. Site owners choose the dark patterns: burying the reject button, pre-checking tracking categories, requiring five clicks to opt out. The CMP industry sells compliance. What gets deployed is compliance theater. And the industry's business model depends on cookie banners remaining legally mandated and technically annoying. A browser-level solution would wipe it out overnight.

The fix that already exists

In 2009, the Do Not Track header was proposed. All major browsers adopted it. The ad industry ignored it. There was no legal requirement to honor it. The W3C abandoned the standard. Safari and Firefox eventually removed the header entirely.

Global Privacy Control (GPC) is the successor, and this time it has teeth. As of 2026, 12 US states require businesses to honor GPC signals: California, Colorado, Connecticut, Montana, Nebraska, New Hampshire, New Jersey, Minnesota, Maryland, Delaware, Oregon, and Texas. Sephora was fined $1.2 million in 2022 for ignoring GPC. Healthline Media was fined $1.55 million in July 2025 — the largest CCPA settlement to date.

California's "Opt Me Out" Act (AB 566), signed in October 2025, goes further: starting January 2027, all browsers operating in California must include built-in opt-out signal functionality. Chrome, Safari, and Edge will be forced to implement it.

The EU finally proposed something similar in the Digital Omnibus Package in November 2025. Users would set cookie preferences once in browser or OS settings; websites would have to respect them automatically. But analysis of the proposal suggests it "leaves banner fatigue largely intact" — the timeline is adoption in 2026 at earliest, with browser-level implementation around 2028. The regulation that created the problem won't have its browser-level fix for over two decades. California, which didn't create the problem, will solve it in 2027.

What the banners actually achieved

An empirical study published in 2025 found that GDPR reduced overall tracking by 14.79%. A study of French websites showed sites with six or more third-party cookies dropped from 24% to 12% between 2021 and 2022. Sites with zero third-party cookies rose from 20% to 29%. Companies were forced to audit their data practices — many discovered tracking they didn't even know existed. Privacy awareness became mainstream.

Those are real gains. A 15% reduction in tracking is not nothing.

But set it against the costs. Even using the most conservative browsing estimates, cookie banners consume hundreds of millions of hours per year — more than it took to write all of Wikipedia. Use the measured figures and it's several billion hours. A billion-dollar compliance industry. Banners that violate the law 89% of the time. Sites that track you before you click anything 79% of the time. Consent rates that double when dark patterns are removed. And a user experience so hostile that a trained reporter succeeded at opting out less than half the time.

The ePrivacy Directive was written to protect EU citizens' privacy online. It has generated a multi-billion euro annual tax on productivity, a billion-dollar parasitic industry, and a universal daily annoyance — while achieving a 15% reduction in the tracking it was supposed to prevent. Browser-level consent would have done more, at near-zero cost, and the technology has existed since 2009. California will mandate it by 2027. The EU might get there by 2028.

Until then, every time you click a cookie banner, you're contributing to the most expensive confirmation dialog in human history.

Sources and methodology: Browsing behavior from Nielsen (2013), Crichton et al. (2021), and personal Chrome history data. Per-country economic data from Eurostat. Compliance data from ignite.video and Advance Metrics. Consent rates from Didomi, etracker, and YouGov. EU Digital Omnibus from the European Commission. Legal timeline from EUR-Lex.