ShieldPage
← All articles
Data & Research · · 7 min read

How Many Cookies Does the Average Website Set? Our 2026 Report

We analyzed cookie counts across 5,000 websites by industry. The average site sets 23 cookies — but the range is enormous, and the implications for consent are significant.

Cookies have been a feature of the web since Netscape introduced them in 1994. Three decades later, the average website sets more cookies than most users — and most developers — realize. We analyzed cookie loads across 5,000 websites spanning 12 industries to produce the most granular public dataset on cookie counts, categories, and trends available in 2026.

The headline number: the average website sets 23 cookies on a visitor's first page load, before any consent interaction. But averages hide enormous variation. Media sites set more than 50. Small business sites set fewer than 10. The distribution tells a more interesting story than the mean.

Overall findings

  • Average cookies per site: 23
  • Median cookies per site: 17 (the distribution skews high due to media and advertising-heavy sites)
  • Range: 3 (minimal small business sites) to 147 (heavy advertising/media sites)
  • Essential vs non-essential split: 31% essential, 69% non-essential
  • Third-party cookies: 61% of all cookies are set by third parties (not the site owner)

The essential vs non-essential split is the number that matters most for GDPR purposes. Across all 5,000 sites, 69% of cookies require user consent under ePrivacy rules — but they're loading by default on 43% of sites before any consent is obtained (as we found in our companion EU e-commerce compliance study).

Cookie counts by industry

The variation by industry is dramatic and reflects each sector's advertising intensity and third-party tool usage:

  • Media & Publishing: 54 average cookies (range: 28-147)
  • Travel & Hospitality: 41 average cookies
  • Retail / E-commerce: 31 average cookies
  • Financial Services: 19 average cookies
  • SaaS / Technology: 14 average cookies
  • Healthcare: 11 average cookies
  • Professional Services: 9 average cookies
  • Non-profit / Education: 8 average cookies

Media sites dominate the top of the chart because they monetize through programmatic advertising, which involves dozens of ad-tech vendors each setting their own tracking cookies. A single ad unit on a publisher's site can trigger 15-20 cookie-setting events across as many vendors.

Financial services and healthcare come in lower due to a combination of stricter regulatory environments and more conservative marketing stacks. SaaS companies are surprisingly lean — product analytics tools (Mixpanel, Amplitude) set fewer cookies than traditional web analytics, and the developer-heavy audience creates cultural pressure to minimize tracking.

Essential vs non-essential breakdown

We categorized every cookie in our dataset as essential or non-essential based on its documented purpose. The breakdown across all 5,000 sites:

  • Session management and authentication: 8%
  • Shopping cart and checkout state: 5%
  • Security (CSRF tokens, fraud prevention): 7%
  • Consent record storage: 4%
  • Load balancing and infrastructure: 7%
  • Analytics (Google Analytics, Adobe Analytics, Matomo): 18%
  • Marketing and advertising (Meta Pixel, Google Ads, affiliate tracking): 24%
  • Personalization (product recommendations, A/B test assignments): 11%
  • Social media embeds and sharing: 8%
  • Other third-party functionality: 8%

The marketing and advertising category is the largest single non-essential category and the most consequential from a GDPR perspective — these cookies flow data to ad-tech companies with documented patterns of cross-site tracking and data aggregation. They're also the category most commonly fired before consent is obtained.

The third-party cookie picture

61% of all cookies in our dataset are set by third parties — domains other than the site being visited. This is a crucial distinction because:

1. The site owner has less control — Third-party cookies are set by external scripts. When you add a tracking pixel, you're trusting that vendor to behave as disclosed. 2. Consent disclosure is harder — Disclosing third-party cookies in a cookie policy requires knowing exactly which third-party cookies each vendor sets. This is harder to maintain as vendors update their scripts. 3. Liability is shared — Under GDPR, you're responsible for the cookies set by third-party scripts you load on your site. The "we didn't know" defense doesn't work.

  • Google (Analytics, Ads, DoubleClick): found on 78% of sites
  • Meta (Pixel, Social plugins): found on 61% of sites
  • LinkedIn (Insight Tag, Social plugins): found on 34% of sites
  • HubSpot: found on 18% of sites
  • Hotjar: found on 16% of sites
  • Intercom: found on 12% of sites

Trends over time

Comparing our 2026 data to equivalent studies from 2022 and 2024, several trends are clear:

Cookie counts are declining slightly — The average of 23 in 2026 is down from 27 in 2022 and 25 in 2024. This reflects the gradual migration away from third-party cookie-heavy advertising stacks toward first-party data and server-side tracking.

Third-party cookie share is declining faster — From 71% third-party in 2022 to 61% in 2026. Google's delayed third-party cookie deprecation in Chrome pushed many advertisers to begin the migration earlier than expected. Server-side tracking implementations don't show up in client-side cookie counts at all.

Non-essential cookie prevalence is stable despite regulatory pressure — Despite years of enforcement and regulatory activity, the share of non-essential cookies in the total has barely moved (72% in 2022, 69% in 2026). This suggests that regulatory pressure has had limited effect on the underlying marketing practices, even if it has affected consent banner design.

Consent management cookies are increasing — The category of cookies set by consent management platforms themselves (storing the user's consent record) grew from 2% to 4% of all cookies. This reflects broader adoption of CMPs — but also means that CMPs are now setting more cookies to track consent, which creates a mild irony: you now often need to set a cookie to record that someone declined cookies.

Implications for consent management

The data above has direct implications for how companies should think about consent management:

More cookies = more consent complexity — A site with 50 cookies has a more complex consent challenge than one with 8. The category descriptions, the list of third parties, and the burden on the user to make informed choices all scale with cookie count. Sites with large cookie counts should invest in genuinely clear, plain-language consent UX — not just technically compliant banner design.

Third-party cookies are your biggest liability — The 61% of cookies set by third parties represent the lion's share of regulatory risk. Regular re-scanning is essential because third-party vendors update their scripts without notifying you. A tool you added last year may now set twice as many cookies as it did at implementation.

Consent rates are lower than they look — If 69% of your cookies are non-essential and 36% of your visitors reject all non-essential cookies, you're not "losing 36% of your data." You're losing 36% × 69% = about 25% of your total cookie data. But you're also maintaining the trust of the 36% who chose privacy — a meaningful customer relationship signal.

Server-side tracking is the future, not a workaround — The gradual decline in client-side third-party cookies reflects a real migration. Server-side tracking, first-party data strategies, and privacy-preserving measurement approaches are becoming the dominant tracking architecture. Consent management infrastructure should be designed with this transition in mind — not just for the current client-side cookie model.

Methodology

We scanned 5,000 websites in January-February 2026 using automated browser sessions that loaded each site in a fresh browser profile, recorded all cookies set within the first 30 seconds of page load before any consent interaction, and then interacted with the consent banner (accepting all categories) and recorded the additional cookies set afterward. Sites were stratified by industry and country. Cookie categorization was performed using a combination of automated classification (matching cookie names against known vendor databases) and manual review for uncategorized cookies. The full dataset is available for academic and research use — contact us for access.