Default cookie settings can mean two things. Browser-level: what Chrome, Safari, and Brave allow out of the box — Chrome still permits third-party cookies in 2026, while Safari and Brave block them. Site-level: what a consent banner pre-selects before the user chooses. Under GDPR Recital 32, pre-ticked boxes don't count as consent — the EDPB requires non-essential cookies off by default until the user actively opts in. CNIL and the ICO have fined sites where "Reject All" is buried or analytics tags fire before consent. CCPA flips this: the default is allowed unless the user opts out, including via Global Privacy Control.