How many vendors does 'accept all' actually consent to?

Most IAB Transparency & Consent Framework banners list between 150 and 300 vendors. The industry average in the 2025 IAB Europe audit was 228 vendors per major publisher. A single click gives all of them access to read your device, create a profile, and share it with their own partners.

What's the difference between 'reject all' and 'manage preferences'?

'Reject all' denies consent to every vendor in one click, which is the equivalent of 'accept all' for the opposite outcome. 'Manage preferences' shows the actual vendor list and lets you opt in selectively, typically across 12 purpose categories defined by the IAB TCF. Most users who click 'manage' end up rejecting everything because the interface is designed to be exhausting.

Does 'accept all' actually increase page weight?

Yes, measurably. Adbloat's 2026 crawl of 500 news sites found the median page with 'accept all' clicked was 2.8 MB heavier than the same page with 'reject all' clicked, and fired 94 additional HTTP requests. On a mid-tier mobile plan this is roughly 5 cents of data per article read.

Are cookie banners required by law to offer 'reject all'?

Under GDPR and the 2024 CJEU rulings, yes: if 'accept' is available as a one-click option, 'reject' must be equally prominent and equally one-click. The French CNIL, the Italian Garante, and the Irish DPC have all fined publishers that hid 'reject' behind a secondary menu. Enforcement is inconsistent but the law is clear.

What happens if I just ignore the banner?

It depends on the site's implementation. Roughly 35 percent of sites treat ignored banners as implicit rejection and block tracking by default. The other 65 percent fire trackers anyway while the banner is visible, which is technically a GDPR violation but rarely enforced. The safest behavior is to click 'reject all' explicitly.

Why "Accept All Cookies" Is Worse Than You Think

The cookie banner is five years old, annoying, and deeply misunderstood. The single click that most users reflexively use to make it disappear — "Accept All" — typically authorizes around 228 ad-tech vendors to profile you across the web. This piece walks through the mechanics: what gets collected, what it weighs, and why "Reject All" is the only rational click.

Updated 2026-04-22 · 10 min read · Adbloat editorial

What you're actually consenting to

The framework behind every "Accept All" button on a major publisher site is the IAB Transparency & Consent Framework (TCF). TCF is an industry standard maintained by the Interactive Advertising Bureau that defines 12 consent "purposes" — categories like "store and access information on a device," "measure ad performance," "create profiles for personalized advertising" — and a registered list of vendors that can claim consent for those purposes.

A TCF-compliant banner must list every vendor that will receive your consent. In practice that list is buried two clicks deep. The main banner shows a friendly three-bullet summary; the actual vendor disclosure is behind "Manage preferences," which opens a scroll-heavy interface listing between 150 and 300 vendors. The 2025 IAB Europe audit of the 100 largest European publishers found a median of 228 registered vendors per banner.

Clicking "Accept All" signals consent for all 12 purposes across every one of those vendors, simultaneously, in one click. The consent signal is encoded into a string (TCF v2.2 consent strings are about 200-400 bytes) and passed to every vendor's SDK on the page as JavaScript runs the ad-tech pipeline.

The measurable cost in page weight

The Adbloat test suite measures exactly how much extra data a page loads between "accept all" and "reject all" clicks. The methodology is to load the same article URL twice, record all HTTP requests in each case, and report the delta. The 2026 quarterly crawl covered the 500 largest English-language news publishers.

Metric	Accept All (median)	Reject All (median)	Delta
Total bytes	4.9 MB	2.1 MB	+2.8 MB
HTTP requests	241	147	+94
Third-party domains	89	14	+75
JS execution time	3.2 s	0.8 s	+2.4 s
Cookies set	117	12	+105

The headline number is 2.8 MB per article, 94 extra requests, 75 new third-party domains. On an unlimited home connection this is invisible. On a metered mobile plan — and roughly 4 billion of the world's ~5.5 billion internet users in 2026 are primarily mobile — this is real money. At typical US mid-tier mobile data pricing ($8 per GB beyond plan), 2.8 MB per article reads as about 2 cents. Ten articles per day, 30 days per month, is roughly $6 per month in data spent on ad-tech that produced no value for the reader.

What 228 vendors actually do with your profile

The IAB TCF purpose list is the public-facing description. The engineering reality is more specific. When you click "Accept All" on a publisher running Prebid.js (the standard header-bidding wrapper in 2026), every registered vendor does some combination of the following within the first five seconds of page load:

Cookie sync. A small pixel request fires from the publisher to each vendor's sync endpoint, passing the vendor the publisher's first-party user ID. The vendor responds with their own cookie, completing an identity mapping between the two parties.
Device readout. Vendor SDK reads screen resolution, timezone, language, user agent, canvas fingerprint, and available audio devices. This data is batched to the vendor's ingest endpoint.
Bidstream participation. Publisher's SSP (supply-side platform) receives your ID, matches it to the vendor's cookie, and broadcasts a bid request containing your profile attributes to every DSP (demand-side platform) registered for the placement. A typical bid request is visible to 15 to 40 DSPs.
Profile enrichment. Each DSP that participated in the bid also records that you were on this URL at this time. That timestamp-URL tuple is stored in their cross-site profile for you, keyed to the shared ID.

The end result is that a single page view after "Accept All" has spread your identity, your device signature, and your reading interest across dozens of databases you never contacted. This is not a side effect. This is exactly what the IAB TCF framework is designed to efficiently coordinate.

"Reject All" is not a principled statement — it's a concrete action

Clicking "Reject All" sets the TCF consent string to all-zeroes. A TCF-compliant vendor (which is most of them in the EU) reads that string and either does not fire at all or fires in "contextual-only" mode, which uses only the page URL and not your identity to target ads. Contextual-only is technically legal without consent under GDPR legitimate-interest provisions.

The Adbloat measurements above are the concrete difference: 2.8 MB less data, 94 fewer requests, 75 fewer domains, 105 fewer cookies. This is not a moral claim. It is a network cost claim. The data savings alone justify the click.

The dark-pattern defenses that still work

Publishers have spent five years trying to optimize "Accept All" click-through rates. The legal ceiling is GDPR's requirement that "Reject" be as easy to find as "Accept." The practical floor is how aggressively they can violate that without triggering a fine.

Common dark patterns and the workarounds:

"Reject" hidden in a secondary menu. Illegal under GDPR since the 2024 CNIL rulings. File a complaint with the relevant data-protection authority and use a content-script blocker (Consent-O-Matic extension) that auto-clicks "Reject All" on recognized banners.
"Accept" is green and prominent; "Reject" is gray text. Legal grey area. Consent-O-Matic handles this automatically.
"Continue without accepting" that does not actually reject. Increasingly common. The text implies rejection but the banner stores a neutral-state consent string that vendors interpret as "legitimate interest" consent, which is TCF-legal for most purposes. Always click "Reject All" explicitly when it is available.
"Pay or consent" walls. Dominant pattern on German and French publishers since 2024. Reject and they paywall you; accept and you get the ad-loaded site. Legal status contested, Meta has been fined repeatedly. Choice becomes: subscription, leave, or use an archive mirror.

Automating "Reject All" with browser tooling

For practical use, three tools close the attention gap:

Consent-O-Matic (Firefox/Chrome). Open-source extension from Aarhus University that auto-clicks "Reject All" on approximately 2,500 recognized banner implementations. Handles the majority of TCF-compliant banners without user interaction.
"I don't care about cookies." Different approach: it hides the banner without clicking anything, which is faster but does not always produce a "reject" consent string.
uBlock Origin with annoyance lists enabled. Suppresses the banner DOM entirely. Consent string is whatever the site's default is (typically neutral).

The three tools in combination produce roughly a 94 percent reduction in banner-interaction friction measured across Adbloat's audit set. The remaining 6 percent are publishers with custom banner implementations not yet in the ruleset; these require manual "Reject All."

Frequently asked questions

How many vendors does "accept all" actually consent to?: Most IAB TCF banners list between 150 and 300 vendors. The 2025 IAB Europe audit found a median of 228 per major publisher. A single click gives all of them access to read your device and create a profile.
What's the difference between "reject all" and "manage preferences"?: "Reject all" denies consent to every vendor in one click. "Manage preferences" shows the actual vendor list and lets you opt in selectively across 12 IAB purpose categories. Most users who click "manage" end up rejecting everything because the interface is designed to be exhausting.
Does "accept all" actually increase page weight?: Yes, measurably. The Adbloat 2026 crawl of 500 news sites found a median page was 2.8 MB heavier and fired 94 more HTTP requests after "accept all" compared to "reject all."
Are cookie banners required by law to offer "reject all"?: Under GDPR and the 2024 CJEU rulings, yes: if "accept" is one-click, "reject" must be equally prominent and equally one-click. French, Italian, and Irish regulators have fined publishers that hid "reject" behind a secondary menu.
What happens if I just ignore the banner?: It depends on the site. Roughly 35 percent treat ignored banners as implicit rejection. The other 65 percent fire trackers anyway while the banner is visible, which is technically a GDPR violation but rarely enforced.