Can "Accept cookie" button in a website be malicious?

Technically, browsers do not have to ask the user a question in order to use cookies. Furthermore, they are not technically bound to the answer given by the user.

Legally, that is another matter. In the European Union, the websites are now required to ask the user for their consent before using tracking cookies or other means to collect personal data about the user. However, they do not have to ask for the consent of the user to use cookies necessary to provide their service (such as session cookies). Thus, if websites asks to allow cookies, it is in order to legally collect personal data about the user. This data can be considered private or sensitive, depending on the appreciation of the users.

The formulation “For better browsing experience” usually means “In order for us to provide you targeted advertisement, that will earn us more money to make better content.” or “In order for us to provide you targeted advertisement, so you will have (in theory) less irrelevant advertisements”.

A malicious website might not honor their legal obligations. They could ask for the consent and not honor the answer, or they could dispense with asking the question in the first place.

For more information on the law: GDPR on Wikipedia


A malicious website could harm you without you having to click on anything. However, the fact that the user clicked on a page element simplifies the task: for example, most browsers would automatically block unsolicited popus (which can e.g. trick users into installing malware), but allow a popup in response to a click.

And yes, in my opinion, a standardised button which users are taught to click over and over without a second thought does increase the risk.


With recent regulations around data privacy, websites are asking for express permission from users to collect their info from cookies.

Cookies do not harm PCs. The data collected from cookies could conceivably be used in ways that users do not like (Cambridge Analytica comes to mind). Those interested in more private and more anonymous browsing would want to reject cookies (but they tend to do this with browser plug-ins anyway).

Could a malicious website use a button on the site to do malicious things? Yes. But that is true for any link on any website, so this button does not increase your risk.