The Consent Paradox: Why 61% Accept All Cookies While 74% Fear Tracking

Two numbers from recent UK surveys should stop every marketer mid-stride.

Sixty-one per cent of UK consumers accept all cookies when prompted by a website (Statista, 2023c).

Seventy-four per cent express apprehension about brands tracking their online activities to tailor advertising (Statista, 2023d).

These numbers cannot both be true—yet they are. They describe the same population. The same consumers. The same contradiction lived daily.

This is the consent paradox: people accept what they fear. They consent to what they do not want. And in that gap between behaviour and belief lies the central ethical challenge of consumer-based digital marketing.

This article examines what the data reveals about UK consumer attitudes to online tracking, why the gap exists, and what ethical brands must do differently.

 

What the Data Actually Shows

The statistics on UK consumer behaviour around cookies and tracking tell a consistent story—but not the story most marketers assume.

• Acceptance is the default. In a 2021 survey, sixty-one per cent of UK participants confirmed they consistently accept all cookies whenever a website asks (Statista, 2023c). Only eighteen per cent reject cookies daily, while twenty-five per cent have never rejected them, and nearly six per cent are unaware of the practice entirely (Statista, 2023e).
• But concern is widespread. A cross-national survey conducted in 2022 across the UK and US found that seventy-four per cent of respondents worry about brands tracking their online activities (Statista, 2023d).
• Understanding is low. Only a quarter of respondents claimed comprehensive understanding of how brands use their personal data for online advertising (Statista, 2023d).
• The “creep factor” is real. Sixty-one per cent of UK consumers regard cookie-fuelled adverts as a “creepy” and “uncool” marketing tactic (Marigold, 2023).
• Age shapes attitudes. Thirty-eight per cent of individuals aged fifty-five and above express wariness when tracked, compared to twenty-one per cent of twenty-five to thirty-four year olds. Eighteen per cent of the younger group report feeling upset when tracked, while more than ten per cent express happiness that their data is being used (Nano Interactive, 2023).

The pattern is clear: consumers accept cookies, but they do not want to be tracked. They click “Accept All,” but they do not understand what they are accepting. Younger users are less wary—but wariness and understanding are not the same thing.

 

The Mechanics of Consent Fatigue

Why do consumers accept what they fear? The answer lies not in consumer psychology alone, but in the design of consent itself.

The Privacy and Electronic Communications Regulations (PECR) were enacted to give individuals privacy rights regarding electronic communications. They provide specific guidelines on cookies and similar technologies, requiring that users give informed consent before non-essential cookies are placed on their devices (ICO, 2022b).

The intention was protection. The outcome, for many users, has been numbness.

When every website asks the same question in roughly the same way—every time, on every visit—the question loses meaning. It becomes interface noise. Something to dismiss so the page can load and the day can continue.

But dismissal is not consent. Not ethically. And arguably, not legally either.

The UK GDPR requires consent to be “freely given, specific, informed and unambiguous.” It requires a “statement or a clear affirmative action” (ICO, n.d.). A reflex click on a banner encountered ten thousand times does not meet this standard. Yet this is the reality of most cookie interactions.

The DMA’s 2022 data report found that while seventy-seven per cent of UK consumers express openness to participating in the data economy, eighty-eight per cent want more control over the information they share (DMA, n.d.). The desire for control exists. The means of exercising it do not.

What the Law Actually Requires

Understanding the consent paradox requires understanding what the law actually demands—and where current practice falls short.

PECR and the UK GDPR establish five core requirements for valid consent:

• Informed. People must know what they are consenting to. This means clear, specific information about what data will be collected, how it will be used, and who will use it.
• Specific. Separate consent for different purposes. “Analytics” and “marketing” are not the same thing. Bundling them is not permitted.
• Unambiguous. A clear affirmative action. Pre-ticked boxes, consent by silence, or consent through inaction do not qualify.
• Freely given. Not bundled with terms of service. Not conditional on accessing the service. Genuine choice must exist.
• Revocable. As easy to withdraw as to give. If rejecting requires more steps than accepting, consent is not valid.

The ICO has enforcement powers under the Data Protection Act 2018. It can issue fines, conduct audits, and pursue criminal prosecution (ICO, 2022a). But enforcement is reactive, and the volume of non-compliant practice far exceeds regulatory capacity.

The result is a system where many cookie banners meet the letter of the law while violating its spirit. “Accept All” is bright and prominent. “Reject” is grey and hidden. Settings require three extra clicks. Consent is sought repeatedly until users capitulate.

This is manipulation dressed as consent.

The Transparency Gap

The consent paradox persists because transparency is not working.

Jensen and colleagues (2020) define transparency as disclosing relevant information in an understandable manner. Notice the second part. “Understandable.” Information that is not understood is not transparent. It is just noise.

The complexity of modern digital marketing makes genuine transparency difficult. Complicated algorithms and autonomous decision-making processes mean that even well-intentioned marketers struggle to explain exactly how consumer data is used (Jensen et al., 2020).

But difficulty is not an excuse. Berman and Katona (2021) argue that marketers must use transparent approaches to bridge the trust gap—explaining algorithms, providing clear information, and giving customers control over their data through choice and consent management tools.

The DMA data confirms that transparency matters. Seventy-nine per cent of UK consumers in 2022 said that transparency about how data is collected and used is important to them (DMA, n.d.). Trust remains the top driver of willingness to share personal information.

Yet only a quarter of consumers feel they understand how their data is used (Statista, 2023d). When understanding falls that low, consent cannot be meaningful.

 

How Privacy Awareness Actually Happens

The consent paradox also reflects how consumers learn about privacy—and how slowly that learning occurs.

Research conducted in the UK in 2023 asked consumers what motivated them to become more privacy-conscious. The responses reveal that awareness rarely comes from cookie banners or privacy policies:

• Forty per cent became aware after being tracked by online adverts

• Thirty-one per cent developed understanding after experiencing significant data breaches

• Approximately thirty per cent were motivated by friends’ and family members’ stories (Statista, 2023a)

Notice what is missing. Regulatory changes. Privacy policies. Cookie banners. The mechanisms designed to inform are not the ones that actually teach. Experience teaches. Harm teaches. Stories teach.

This should concern every brand that relies on consumer data. Because if learning happens through negative experience, the first time a customer truly understands your data practices may be the last time they trust you.

The DMA data supports this. While sixty-one per cent of UK consumers in 2022 viewed their personal information as an asset that can be used to negotiate better prices and offers, almost seven in ten believe that businesses benefit most from data exchange (DMA, n.d.). Consumers know they are on the losing side of the exchange. They just do not know how to change it.

The Commercial Case for Better Practice

The consent paradox matters commercially, not just ethically.

Statista (2023b) found that fifty-two per cent of UK adults prefer brands that never collect or use personal information in advertising. Only eight per cent disagreed. The rest were neutral—but neutrality in this context is not loyalty.

More striking: seventy-five per cent of consumers in the UK and US said they would be reluctant to purchase from businesses that demonstrate poor personal data ethics (Statista, 2023). And eighty-nine per cent indicated they would be more inclined to buy from businesses committed to safeguarding their data online.

The Precis Digital survey of senior marketers found that sixty-five per cent of businesses struggle to use data ethically, and fifty-three per cent struggle to communicate privacy practices effectively (Precis Digital, 2022). Yet seventy-six per cent say marketing ethics is a critical priority.

The gap between intention and execution is costly. Consumers are paying attention, even if they are not acting on every banner. And when they do act, it matters.

What Ethical Brands Do Differently

If the consent paradox arises from design choices that prioritise collection over clarity, the solution lies in different design choices.

• They design for understanding, not just compliance. The average cookie banner is a masterclass in dark patterns. Ethical brands make rejection as easy as acceptance. They use plain language. They explain why cookies matter, not just that they exist. They assume users want to understand, not just to click.
• They respect frequency. Asking every single visit is not consent-seeking. It is harassment. PECR requires consent, but it does not require asking so often that consent becomes meaningless. Ethical brands set reasonable expiry periods and do not re-prompt without cause.
• They separate essential from optional. Strictly necessary cookies do not require consent. Marketing cookies do. Yet many banners bundle them together, making rejection all-or-nothing. This is prohibited under UK GDPR. Ethical brands separate clearly and let users choose.
• They educate continuously. If seventy-five per cent of users do not understand how their data is used, the solution is not smaller text. It is ongoing education. Ethical brands use email, content, and in-product messaging to build genuine data literacy.
• They build trust through transparency. Phelps and colleagues (2014) emphasise that customers today are increasingly aware of how marketers gather and use personal data, and they expect clear and accessible information about data collection processes, aims, and sharing protocols. Meeting that expectation builds trust. Failing it erodes trust.
• They balance personalisation with privacy. Baines and colleagues (2019) note that while openness is important, some marketers believe being honest about data gathering reduces personalisation efficacy. Ethical brands reject this trade-off. They recognise that trust and personalisation are not opposing forces. Trust enables personalisation. Without trust, personalisation is just surveillance.

 

The Question of Control

The DMA data reveals a fundamental tension. Eighty-eight per cent of UK consumers want more control over the information they share with companies (DMA, n.d.). Yet the proportion who believe they have no control has decreased only slightly, from fifty-two per cent in 2015 to forty-two per cent in 2022 (DMA, n.d.).

Progress is slow because control is not built into the system. It is an afterthought. A settings page. A preference centre reached through three levels of navigation.

Ethical brands build control into the user journey. They make privacy settings part of onboarding, not a separate task. They allow users to update preferences as easily as they gave them. They treat control as a feature, not a compliance requirement.

The tools exist. Consent management platforms can provide granular choice. Preference centres can be user-friendly. The technology is not the barrier. The barrier is the assumption that users do not want control—or that giving it to them will reduce data collection.

The data suggests otherwise. Consumers who trust brands share more data, not less. They engage more deeply. They stay longer. Control enables relationship. Its absence enables only transactions.

A Better Question

The question most brands ask about cookie consent is: “How do we get users to accept?”

The better question is: “If our customers fully understood what we do with their data, would they still trust us?”

If the answer gives you pause, the solution is not better cookie banners. It is different data practices.

The sixty-one per cent who accept all cookies are not giving informed consent. They are giving up. And every brand that benefits from that surrender is building on ground that will eventually shift.

The regulators are watching. The consumers are learning—through breaches, through stories, through that creeping feeling that something is not right. And eventually, the gap between sixty-one per cent acceptance and seventy-four per cent worry will close.

When it does, brands that built on genuine trust will still be standing. Brands that built on reflex clicks will wonder what happened.

 

 

 

---

References

Baines, P., Fill, C., Rosengren, S., & Antonetti, P. (2019). Marketing (Fifth edition). Oxford University Press.

Berman, R., & Katona, Z. (2021). The role of transparency in digital marketing. Journal of Marketing Research.

DMA. (n.d.). UK Data Privacy: What the Consumer Really Thinks 2022. DMA. https://dma.org.uk/guide/uk-data-privacy-what-the-consumer-really-thinks-2022

ICO. (2022a). New UK Information Commissioner begins term. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/01/new-uk-information-commissioner-begins-term/

ICO. (2022b). ICO takes action against companies over predatory marketing calls targeting elderly, vulnerable people. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/03/ico-takes-action-against-companies-over-predatory-marketing-calls-targeting-elderly-vulnerable-people/

ICO. (n.d.). Overview – Data protection and the EU. https://ico.org.uk/for-organisations/data-protection-and-the-eu/overview-data-protection-and-the-eu/

Jensen, M. L., Yetgin, E., & Hill, J. (2020). Transparency in digital marketing: A conceptual framework. Journal of Business Ethics.

Marigold. (2023). Consumer Trends Index. https://meetmarigold.com/consumer-trends-index/

Nano Interactive. (2023). User attitudes toward personal information tracking in the United Kingdom (UK) as of February 2023, by age group. In Statista. Retrieved January 09, 2024, from https://www-statista-com.salford.idm.oclc.org/statistics/1385105/uk-personal-data-tracking-attitudes-by-age/

Phelps, J., Nowak, G., & Ferrell, E. (2014). Privacy concerns and consumer willingness to provide personal information. Journal of Public Policy & Marketing.

Precis Digital. (2022). Marketing Ethics Survey 2022.

Statista. (2023a). *Main motivation for becoming more privacy-conscious in the United Kingdom (UK) as of February 2023*. https://www-statista-com.salford.idm.oclc.org/statistics/1384801/uk-personal-data-collection-awareness-change-motivations/

Statista. (2023b). Share of adults who preferred brands that never collected or used any personal information in their advertising to brands that did in the United Kingdom (UK) as of February 2023. https://www-statista-com.salford.idm.oclc.org/statistics/1385128/preference-brands-not-use-consumer-data-uk/

Statista. (2023c). Level of consent to cookies usage worldwide in 2021, by country. https://www-statista-com.salford.idm.oclc.org/statistics/1273012/consent-cookies-worldwide/

Statista. (2023d). Attitudes to ad data ethics in the UK & the U.S. 2022. https://www-statista-com.salford.idm.oclc.org/statistics/1327307/attitudes-advertising-data-ethics/

Statista. (2023e). Frequency of dismissing cookies in United Kingdom (UK) 2023. https://www-statista-com.salford.idm.oclc.org/statistics/1384042/uk-frequency-cookies-reject/