What are cookies, and should I 'accept all' or 'reject all'?

Quick answer

Cookies are small files a website asks your browser to remember, used both for harmless things (staying logged in, keeping your cart, remembering your language) and for tracking you across sites for advertising — the legal 'accept all / reject all' banners in the EU and UK only control the tracking ones, so 'reject all' is almost always the right click.

What it's NOT

Cookies are NOT viruses or malware — they cannot run code on your computer, install anything, or steal files. And rejecting all cookies will NOT log you out or break login: the cookies that keep you logged in are 'essential' and are exempt from the banner. The banner is specifically about tracking and advertising cookies.

More context

A cookie is a small piece of text that a website asks your browser to remember and send back on every future request to the same site. That tiny mechanism is the backbone of everything that distinguishes a web of disconnected pages from a web that knows you.

There are several different things people call “cookies”, and they have very different consequences:

  • Session and essential cookies. Keep you logged in, hold your shopping cart, remember your language and theme. The site cannot work without them, you cannot meaningfully refuse them, and the law treats them as exempt. They are first-party only.
  • First-party preferences cookies. Remember non-essential settings — collapsed menus, dismissed announcements. Low risk, low value.
  • Analytics cookies. Tell the site owner how many people visited, where they came from, which pages they read. Usually first-party in 2026; some old setups still ship third-party Google Analytics.
  • Advertising / tracking cookies. Set by third parties (ad networks, data brokers, retargeting platforms) whose scripts are embedded on the page. They link your browsing across many sites and build a profile used to target ads — and, increasingly, to enrich datasets sold elsewhere. These are the cookies the EU / UK cookie banner is about.

The “accept all / reject all” banner is mandated by the ePrivacy Directive (the “cookie law”, 2002, amended 2009) and tightened by GDPR (2018). Under it, non-essential cookies require informed, freely given, specific, unambiguous consent. The CNIL in France, the ICO in the UK, and equivalents elsewhere have repeatedly ruled that “reject all” must be as easy as “accept all” on the first screen — sites that hide “reject all” three clicks deep are non-compliant and some have been fined (Google was fined €150 M and Facebook €60 M by the CNIL in January 2022 for exactly this; further enforcement followed).

What “reject all” actually does:

  • Refuses analytics and advertising cookies.
  • Does not log you out — essential cookies are unaffected.
  • Does not “break” the site visually. The site looks and works the same.
  • Does not make you anonymous: fingerprinting, account-based tracking, and IP-based tracking still work to some degree.

What “accept all” actually does:

  • Opts you into being tracked across, typically, several hundred third-party companies whose scripts the site embeds.
  • Lets those companies build a long-term profile of your interests, purchases, and movements between sites.
  • Does not affect your login state or page functionality — that is what makes “reject all” virtually free.

Practical reflex: “reject all” is the safe default for almost every visit. The only time “accept all” arguably costs you anything is on a site you visit every day and where you specifically want their analytics or personalised features — and even then, dedicated settings inside the site usually give finer control.

The cookie banner is also a useful sanity check on the site itself. If a site makes “reject all” hard to find — buried in “manage preferences”, styled as a faint grey link next to a bright “accept all” button, requiring you to toggle dozens of switches — that is a deliberate choice by the operator. It tells you something about how much they value your data versus your experience. In 2026, several browsers (Brave, DuckDuckGo, Firefox via tracking protection, Safari) auto-handle banners or auto-refuse non-essential cookies, removing the click entirely.

People also ask

What's the difference between essential, first-party and third-party cookies? +

**Essential** cookies are needed for the site to function — staying logged in, keeping your shopping cart, remembering your language. The banner does not ask permission for these because there is no choice; without them the site breaks. **First-party** cookies are set by the site you are actually visiting. **Third-party** cookies are set by other companies whose code is embedded on the page — typically advertising and analytics — and they are designed to follow you from one site to the next.

Will 'reject all' break the website? +

Almost never. The essential cookies (login, cart, preferences) are exempt from the banner and stay on regardless. 'Reject all' refuses the tracking and advertising cookies. The page will look the same and work the same; the difference is that advertisers no longer build a profile of you across the dozens of sites you visit.

If I 'reject all' do websites still know who I am when I'm logged in? +

Yes — your login is a first-party essential cookie, separate from the banner. Rejecting tracking does not affect being signed in to your bank, your email, your social network. The banner is specifically about the advertising and analytics layer that sits on top, not about your relationship with the site itself.

Why do some banners try to make 'accept all' easier than 'reject all'? +

Because the site's revenue depends on tracking. Many sites design the banner so that 'Accept all' is a big colourful button while 'Reject all' is a faint link buried under 'manage preferences'. This pattern is called a 'dark pattern' and is increasingly illegal under EU law: the CNIL in France, the ICO in the UK, and other authorities have repeatedly ruled that 'reject all' must be as easy as 'accept all' on the first screen. Some sites have been fined; many still do not comply.

Are cookies being phased out? +

Third-party tracking cookies — the ones the banners are about — are being phased out by browsers. Safari and Firefox already block most of them. Chrome, after years of delay, finally moved toward similar blocking in 2024-2025. The trackers have not given up: they are moving to fingerprinting (identifying your browser by its quirks), to first-party tracking, and to email-based identifiers like Unified ID 2.0. The cookie banner is the most visible part of a larger trend — but not its endpoint.

Also explained

What does incognito (private) browsing actually hide?

Incognito mode (also called Private Browsing or InPrivate) tells your browser not to save your history, cookies or form entries on this device — that is all; your employer, your school, your internet provider, the websites you visit and any advertising network on the page can still see exactly what you do.

What does the padlock in my browser actually mean?

The padlock means the connection between your device and the website is encrypted, so nobody on your Wi-Fi, your office network or your internet provider can read what you send or receive — but it does NOT mean the website itself is honest, legitimate, or safe to trust with your data.
← Back to everyday cybersecurity