Cookies are an important part of today’s internet but all is not well with cookie consent. Various designs and defaults settings are being used to influence consent to store third party cookies and tracking cookies on user devices. Dark patterns, complex options to reject cookies and privacy-infringing default settings are being used to manipulate users into tracking, profiling and behavioural advertising. User privacy is suffering and there is a clear need to curtail the use of cookies. This article proposes that cookies can be curtailed by default using an important principle under data protection law which is data protection by default. The article looks at the present and proposed law on cookies, recent decisions in respect of cookies, and the requirements of data protection by default. The article proposes data protection by default settings for browsers and websites in respect of cookies. It also makes recommendations for the upcoming cookie law in the EU, the proposed ePrivacy Regulation.