Cookies ‘n’ Consent: An empirical study on the factors influencing of website users’ attitude towards cookie consent in the EU.
DBS Business Review Volume 4 2021


Data Protection
Cookie Consent
Online Advertising
3rd party Cookies
Online Privacy
ePrivacy Directive.


Since GDPR came into enforcement in 2018, various firms have been found violating or circumventing the ePrivacy Directive known as the Cookie Law which lays out the cookie consent guidelines for websites. To improve the GDPR compliance rate, several conversations are going on between EU commission, Data protection agencies, business & websites owners and ad vendors regarding their cookie policy, obtaining user consent for data collection and its usage. One of the key stakeholders who are the website users, whose privacy is in question seems to be left out from the discussions. The study aimed to understand user perception towards website cookie banners, which are mandatory under GDPR, and the influence of factors like awareness of cookies, user experience, consent banner design, privacy risk, brand trust on user’s willingness for accepting all cookies, to develop recommendations to improve customer’s motivations to give consent. Using a quantitative approach, the primary data was collected from 132 internet users residing in the EU region through an online survey questionnaire shared in social media networks. The results showed that the (i) majority of respondents had more than moderate level of awareness about cookies (ii) they are more likely to accept cookies for quick access or task completion, (iii) acceptance of cookies was varied across different categories of online activity and (iv) given a choice they are more likely to opt-out of 3rd party cookies which are widely used for targeted advertising. Since 3rd party cookies will be phased out in the near future and are likely to be replaced with more advanced customer tracking technologies which are harder to opt-out of, this study proposes a framework for Consent for Advertising Directive (CAD) to go beyond the existing Cookie Law, which will improve user data protection regardless of the tracking technology used, and help brands to improve transparency about their data collection and avoid GDPR violations.


Beckett, P. (2020) GDPR: Two Years On, Alvarez & Marsal | Management Consulting | Professional Services. Available at: (Accessed: 20 August 2020).

Boerman, S. C., Kruikemeier, S. and Zuiderveen Borgesius, F. J. (2017) ‘Online Behavioral Advertising: A Literature Review and Research Agenda’, Journal of Advertising, 46(3), pp. 363–376. doi: 10.1080/00913367.2017.1339368.

Bohn, D. (2020) Google to ‘phase out’ third-party cookies in Chrome, but not for two years, The Verge. Available at: (Accessed: 20 August 2020).

Capgemini Research Institute (2019) Report_Championing-Data-Protection-and-Privacy.pdf. Available at: (Accessed: 4 April 2020).

Cavoukian, A. (2010) ‘Privacy by Design The 7 Foundational Principles’, p. 5.

Chapman, S. and Dhillon, G. S. (2002) ‘Privacy and the Internet: The Case of the DoubleClick, Inc.’, in Social Responsibility in the Information Age: Issues and Controversies. IGI Global, pp. 75–88.

Chellappa, R. and Sin, R. (2005) ‘Personalization versus Privacy: An Empirical Examination of the Online Consumer’s Dilemma’, Information Technology and Management, 6, pp. 181–202. doi: 10.1007/s10799-005-5879-y.

Cofone, I. N. (2016) ‘The way the cookie crumbles: online tracking meets behavioural economics: Table A1’:, International Journal of Law and Information Technology, p. eaw013. doi: 10.1093/ijlit/eaw013.

Cranor, L. F., Byers, S. and Kormann, D. (2003) ‘An analysis of P3P deployment on commercial, government, and children’s web sites as of May 2003’, Washington, DC: Federal Trade Commission.

Data Protection Commission (2020) Report by the DPC on the use of cookies and other tracking technologies.pdf. Available at: (Accessed: 28 June 2020).

Davis, F. D. (1989) ‘Perceived Usefulness, Perceived Ease of Use, and User Acceptance of Information Technology’, MIS Quarterly, 13(3), p. 319. doi: 10.2307/249008.

Engberg, S. (2015) When Consent does not makes sense, Security by Design must be required, FUTURIUM - European Commission. Available at: (Accessed: 18 August 2020).

GDPR.EU (2019) GDPR fines after one year: Key takeaways for businesses, Available at: (Accessed: 3 April 2020).

Help University, Malaysia and Lai, P. (2017) ‘THE LITERATURE REVIEW OF TECHNOLOGY ADOPTION MODELS AND THEORIES FOR THE NOVELTY TECHNOLOGY’, Journal of Information Systems and Technology Management, 14(1). doi: 10.4301/S1807-17752017000100002.

Hoban, P. R. and Bucklin, R. E. (2015) ‘Effects of Internet Display Advertising in the Purchase Funnel: Model-Based Insights from a Randomized Field Experiment’, Journal of Marketing Research, 52(3), pp. 375–393. doi: 10.1509/jmr.13.0277.

Hoffman, D., Novak, T. and Peralta, M. (1999) ‘Building Consumer Trust Online’, Commun. ACM, 42, pp. 80–85. doi: 10.1145/299157.299175.

Jarvenpaa, S., Tractinsky, N. and Vitale, M. (2000) ‘Consumer trust in an Internet Store’, International Journal of Information Technology and Management - IJITM, 1. doi: 10.1023/A:1019104520776.

Jutla, D. and Bodorik, P. (2005) ‘Sociotechnical Architecture for Online Privacy’, Security & Privacy, IEEE, 3, pp. 29–39. doi: 10.1109/MSP.2005.50.

Kotler, P. (1984) Marketing Essentials. Prentice-Hall. Available at:

Kurtz, C., Semmann, M. and Bã, T. (2018) ‘Privacy by Design to Comply with GDPR: A Review on Third-Party Data Processors’, p. 10.

Lardinois, F. (2020) ‘Google wants to phase out support for third-party cookies in Chrome within two years’, TechCrunch, 14 January. Available at: (Accessed: 29 June 2020).

Lee, P. (2011) ‘The impact of cookie “consent” on targeted adverts’, Journal of Database Marketing & Customer Strategy Management, 18(3), pp. 205–209. doi: 10.1057/dbm.2011.20.

Leenes, R. (2017) ‘From regulatory failure to user empowerment?’, p. 20.

Legroju (2017) Proposal for an ePrivacy Regulation, Shaping Europe’s digital future - European Commission. Available at: (Accessed: 3 April 2020).

Marcus, A. (2016) Design, User Experience, and Usability: Design Thinking and Methods: 5th International Conference, DUXU 2016, Held as Part of HCI International 2016, Toronto, Canada, July 17–22, 2016, Proceedings, Part I. Springer.

McCoy, J. (2016) What are EAT and YMYL: New Google Search Guidelines Acronyms, SEMrush Blog. Available at: (Accessed: 15 October 2020).

McStay, A. (2013) ‘I consent: An analysis of the Cookie Directive and its implications for UK behavioral advertising’, New Media & Society, 15(4), pp. 596–611. doi: 10.1177/1461444812458434.

Poole, B. (2019) The end of digital marketing, Think with Google. Available at: (Accessed: 8 November 2019).

Porter, M. E. (1996) ‘What Is Strategy?’ Available at: (Accessed: 22 June 2020).

Rogers, D. L. (2016) The Digital Transformation Playbook: Rethink Your Business for the Digital Age. Columbia University Press (Columbia Business School Publishing). Available at:

Ross, J. (2014) the_business_value_of_user_experience-3.pdf. Available at: (Accessed: 24 June 2020).

San, M. S. and Camarero, C. (2009) ‘How perceived risk affects online buying’, Online Information Review, 33(4), pp. 629–654. doi: 10.1108/14684520910985657.

Saunders, M., Lewis, P. and Thornhill, A. (2019) Research methods for business students. Harlow: Pearson Education. Available at:

Schmidt-Subramanian, M. (2014) ‘The Business Impact Of Customer Experience, 2014’, p. 12.

Schofield, J. (2018) ‘What should I do about all the GDPR pop-ups on websites?’, The Guardian, 5 July. Available at: (Accessed: 4 April 2020).

Slefo, G. P. (2020) Behind Google’s decision to remove third-party cookies from Chrome. Available at: (Accessed: 20 August 2020).

Stewart, H. and Jürjens, J. (2018) Data Security and Consumer Trust in FinTech Innovation in Germany. Emerald Group Publishing Limited. Available at:

Trevisan, M. et al. (2019) ‘4 Years of EU Cookie Law: Results and Lessons Learned’, Proceedings on Privacy Enhancing Technologies, 2019(2), pp. 126–145. doi: 10.2478/popets-2019-0023.

Ur, B. et al. (2012) ‘Smart, useful, scary, creepy: perceptions of online behavioral advertising’, in Proceedings of the Eighth Symposium on Usable Privacy and Security - SOUPS ’12. the Eighth Symposium, Washington, D.C.: ACM Press, p. 1. doi: 10.1145/2335356.2335362.

Venkatesh, V. and Bala, H. (2008) ‘Technology Acceptance Model 3 and a Research Agenda on Interventions’, Decision Sciences, 39(2), pp. 273–315. doi: 10.1111/j.1540-5915.2008.00192.x.

Walport, M. and Thomas, R. (2008) Data Sharing Review Report. Available at: (Accessed: 11 October 2020).

Authors who publish with DBS Business Review agree to the following terms:

a) Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons BY-NC-SA Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.

b) Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.

c) Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Open Access Citation Advantage).