Cookie banners: what you are really agreeing to
Cookie banners explained in plain English: what accept, reject and manage preferences mean, and the 5 privacy checks UK readers need before clicking.
Cookie banners are easy to treat as digital wallpaper. They pop up, you want the page, and the quickest button wins. But that choice can decide whether a website only does what it needs to work, or whether it also measures, profiles and shares signals about how you behave.
The Short Version
- A cookie is a small file a website can place on your device, but modern banners often cover a wider family of storage and access technologies.
- In the UK, PECR generally requires clear information and prior consent for non-essential storage or access, unless an exception applies.
- Strictly necessary cookies are different from analytics, advertising and social media tracking tools.
- Accept all usually gives the site permission to use a wider set of tools. Reject all should switch off non-essential tools where the banner is working properly.
- Manage preferences is often the best option when you want the site to work but do not want every tracking purpose switched on.
What A Cookie Banner Is Asking
A cookie is not magic. It is a small piece of information that a website can ask your browser to keep and send back later. That can be useful. A shopping basket can remember what you added. A login session can keep you signed in. A language setting can stop a website asking the same question every time you visit.
The confusing part is that cookie banners are no longer only about cookies. The Information Commissioner’s Office uses the broader phrase storage and access technologies because the same idea can show up through tracking pixels, scripts, tags, web storage, link decoration and device fingerprinting. Some tools store information on your device. Others read information from it. Either way, the website or one of its partners is learning from your interaction.
That is why a banner can matter even if it looks boring. A simple site might need one or two essential cookies to remember that you are logged in or to keep a service secure. A busier commercial site might also use analytics tools, advertising tags, embedded social media tools, affiliate tracking, heat maps and other services that help it understand or influence behaviour. These are not all equal. Some are about making the page work. Others are about measuring you.
Why Consent Matters Under UK Rules
UK rules sit mainly under the Privacy and Electronic Communications Regulations, usually called PECR, with UK GDPR applying where personal data is involved. The practical version is this: for most non-essential storage or access technologies, a website should tell you what it wants to use, what those tools do, who else is involved and how long access or storage lasts. It should get consent before using those non-essential tools, unless an exception applies.
The word “before” is important. Consent is not supposed to be something a site assumes because you carried on reading. Nor is it supposed to be hidden inside a vague line of legal text. The ICO says consent should involve a clear positive action, and that users should be able to refuse non-essential storage and access as easily as they can accept it. In plain terms, a banner that only makes accepting easy is asking you to make a privacy choice with one hand tied behind your back.
Necessary Cookies Versus Tracking Tools
The most important split is between necessary and optional. Necessary cookies are the ones a service genuinely needs in order to provide what you asked for. A cookie that keeps your basket alive while you shop is a good example. So is a security cookie that helps protect a login. These are not a free pass for tracking everything. They are narrow tools for a specific job.
Analytics can feel harmless because it helps a site understand traffic, broken journeys and popular pages. From your side, analytics can still record behaviour across pages, sessions and sometimes devices. Some setups are privacy-preserving. Others are more intrusive. The label alone does not tell you enough.
Advertising and social tracking are usually the clearest cases. If a website uses partners to build audiences, measure ad performance, retarget visitors or connect visits to social media, the banner may be asking whether those partners can store or read information from your device. That is where the choice feels less like housekeeping and more like permission.
This connects directly with how data brokers can build profiles from fragments of personal information. A single cookie rarely tells the whole story. The concern is what happens when many signals are combined: device details, browsing behaviour, location hints, purchases, interests, email interactions and advertising identifiers. Each fragment may feel small. Together, they can become a picture of you.
What Accept, Reject And Manage Mean
The three buttons people usually see are not identical. Accept all is the broadest permission, assuming the banner is accurate. It may switch on analytics, advertising and partner tools in one click. Reject all usually refuses non-essential tools. Manage preferences lets you separate purposes, such as necessary, analytics, personalisation and advertising.
Manage preferences sounds tedious, but it is often the most honest button. It lets you say yes to useful features without agreeing to every partner and every purpose. If you have landed on a page once from a search result, rejecting optional tracking is a reasonable default.
What Privacy Tools Can And Cannot Solve
A VPN can hide some network-level information from parts of the internet path, but it does not make cookie choices vanish. If you log into a site, accept tracking, or allow your browser to store identifiers, the site can still recognise the account, device or session in other ways. Privacy is rarely one tool. It is a stack of habits.
The rules are still moving around the edges. The ICO says its public cookie guidance is under review after the Data (Use and Access) Act came into law on 19 June 2025. That does not make today’s banners meaningless. It means readers should treat cookie consent as an active privacy choice.
A Worked Example
Imagine you visit a fictional UK news site. The banner offers three options: accept all, reject all and manage preferences.
If you press accept all, the site can use its necessary cookies, but it may also switch on analytics, advertising measurement and partner tools. The page works, but more parties may learn something about your visit.
If you press reject all, the site should still load and use the tools it genuinely needs to provide the page. It should not switch on non-essential analytics or advertising technologies before you have agreed to them. You may lose some convenience, but the basic content should still be available unless the site has a separate lawful model for access.
If you choose manage preferences, you might leave necessary tools on, allow basic analytics, and refuse advertising partners. That is a more deliberate choice than clicking the biggest button because you are tired.
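The three outcomes above, sketched in JavaScript as an added illustration (not code from this article or from any real banner): a consent gate that stores nothing non-essential until the visitor chooses, plus a check for tools that wrote to the device before consent. The tool names, the purpose list and the in-memory store are constructed assumptions.

```javascript
// Added illustration, not code from any real banner: tool names, purposes
// and the in-memory "device" store are constructed for this example.
const PURPOSES = ["necessary", "analytics", "personalisation", "advertising"];
const SAMPLE_TOOLS = [
  { name: "session_id", purpose: "necessary" },
  { name: "basket", purpose: "necessary" },
  { name: "page_stats", purpose: "analytics" },
  { name: "ad_partner_id", purpose: "advertising" },
];

function createConsentGate(tools) {
  const device = new Set();  // stands in for cookies and web storage
  const log = [];            // every storage write, in order
  let consent = null;        // null = the visitor has not chosen yet

  // A tool may store anything only if it is necessary or its purpose was agreed.
  const allowed = (tool) =>
    tool.purpose === "necessary" || (consent !== null && consent.has(tool.purpose));

  function runAllowedTools() {
    for (const tool of tools) {
      if (!allowed(tool) || device.has(tool.name)) continue;
      device.add(tool.name);
      log.push({ tool: tool.name, purpose: tool.purpose, consentGiven: consent !== null });
    }
  }

  function choose(button, selected = []) {
    if (button === "accept_all") consent = new Set(PURPOSES);
    else if (button === "reject_all") consent = new Set(["necessary"]);
    else if (button === "manage") {
      const unknown = selected.filter((p) => !PURPOSES.includes(p));
      if (unknown.length) throw new Error(`unknown purpose: ${unknown.join(", ")}`);
      consent = new Set(["necessary", ...selected]);
    } else throw new Error(`unknown button: ${button}`);
    // Narrowing or withdrawing consent removes what is no longer agreed to.
    for (const tool of tools) if (!allowed(tool)) device.delete(tool.name);
    runAllowedTools();
  }

  runAllowedTools();         // page load, before any click
  return { choose, stored: () => [...device].sort(), log };
}

// Prior-consent check: non-essential writes made before the visitor chose.
function preConsentViolations(log) {
  return log.filter((e) => e.purpose !== "necessary" && !e.consentGiven).map((e) => e.tool);
}
```

Feeding `preConsentViolations` a log in which an advertising tool wrote to the device before any click returns that tool's name, which is the behaviour the prior-consent rule is meant to prevent.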
What This Means For You
The practical rule is simple: do not treat every banner as the same. On a banking site, a public service site or a shop you use often, you may care most about function and security. On a random site you visit once, you may prefer to reject optional tracking and move on.
When you do open the preferences panel, look for purposes rather than brand names. Necessary, analytics, personalisation and advertising usually tell you more than a long list of vendors.
It is also worth clearing old site data from time to time, especially if you have spent years accepting banners without thinking. That will not erase every profile that already exists, but it can reduce stale identifiers sitting in your browser.
Most of all, remember that consent is not a personality test. You are not being difficult by rejecting optional tracking. You are making a normal choice about how much of your browsing behaviour you want to turn into data.
In Plain English
A cookie banner is asking what a website and its partners may store on your device, read from it, or learn from your visit. Some tools are needed to make the site work. Others are there for analytics, advertising or profiling. Accept all is quick, reject all is usually the privacy-friendly default, and manage preferences gives you the most control when you have a minute to spare.