We categorised every cookie banner on the top 10,000 sites.

The boring answer to 'why do I see a cookie banner on every site' is that the GDPR requires informed consent for tracking, and the cheapest way to comply is to show a banner. The more interesting answer is that the banner ecosystem has fragmented into dozens of vendor implementations, each with its own quirks, and the pattern of how they're deployed reveals more about the web than we expected.

We spent six months crawling the global top 10,000 sites, fingerprinting every consent-management implementation we found, and categorising the patterns. Here's what we learned.

The top ten CMPs account for 71 per cent

The biggest consent-management platforms, OneTrust, Didomi, Cookiebot, Quantcast, Sourcepoint, Usercentrics, TrustArc, Iubenda, Osano, CookieYes, cover roughly 71 per cent of banners on the top 10,000 sites. That's a concentration that makes detection solvable: if we recognise these ten well, we cover most of the open web.

OneTrust alone accounts for about 23 per cent by installation count, though it's more prevalent in the top 1,000 sites (larger enterprises, which can afford the licence). Cookiebot dominates the 2,000-to-10,000 range (mid-market sites using a more affordable tier). The distribution isn't uniform.

The long tail is where the pain is

The remaining 29 per cent is where things get messy. We catalogued roughly 340 distinct implementations, including custom-coded banners, in-house CMPs built by ad-tech platforms for their clients, white-labelled re-skins of the major CMPs, and about 70 genuinely bespoke ones that don't match any known pattern.

The bespoke ones are a problem. If we rely purely on vendor fingerprints, we miss them. So we've built a secondary classifier that identifies cookie banners by DOM structure, text content, and positioning (bottom-of-page fixed overlays with buttons whose labels match a lexicon of 'accept', 'reject', 'cookie', 'consent', 'preferences' across 18 languages).

The secondary classifier runs on every page load. It catches the long tail. It also has the most false positives, which is a separate problem for a separate post (see Marcus's last week).

Dark-pattern distribution

We also catalogued how banners were designed. Without judging: we just counted.

• Symmetric buttons (Reject and Accept shown with equal prominence): 34 per cent
• Asymmetric (Accept styled as primary, Reject as secondary or text link): 47 per cent
• Reject buried (only 'Accept' shown, Reject requires clicking 'Customise' or 'Manage preferences'): 13 per cent
• No reject option (only Accept or X-close): 6 per cent

The last two categories are increasingly enforcement targets under GDPR and the ePrivacy Directive. Regulators in France, Germany, Italy, and Spain have started issuing fines. We expect the distribution to shift over the next year, which will require classifier updates.

What this means for Dismissmode

Our classifier now recognises all ten major CMPs, plus 38 smaller ones we've reverse-engineered, plus the bespoke tail via the DOM heuristic. Current coverage: 96.2 per cent of cookie banners on our top-10,000 test set; reject-all action succeeds on 91.4 per cent. The remaining 8.6 per cent are sites where the banner blocks content until accepted ('cookie walls'); for those, we have a separate workaround that varies by CMP.

The full methodology and findings are in our transparency report, published quarterly. If you work on a CMP and want to discuss edge cases, email hello@dismissmode.com.

The web's consent infrastructure wasn't designed to be invisible. It was designed to satisfy a regulator while being as friction-ful as possible to dissuade users from exercising their consent. Dismissmode is the counter-measure.