Your preferences should be on the website level though, not global. And you should be asked about it on first visiting the website.
Let me explain why with an example: say you're the type of people who doesn't care about "privacy" online ("I've got nothing to hide"), or you do; and you want to "support " certain ad-supported websites you're a fan of; but not that new clickbait toilet paper your aunt sends you.
I can't think of any way to have a good UX to opt in or out of "tracking" cookies which people would actually use (few will bother changing the defaults, and most mindlessly click ok).
Your preferences should be on the website level though, not global. And you should be asked about it on first visiting the website.
Preferences should be expressible in any form a user seems fitting their needs. If they want to block-all,enable-per-site or enable-all,block-per-site, or block-mask, or enable-mask, or top-down rule priority list — they should be able to. Designing preferences in any other way is a dark pattern not worth considering as a fully user-controlled mechanism.
I can't think of any way to have a good UX to opt in or out of "tracking" cookies which people would actually use
Virtually any UX is better than cookie popups as they are now, cause they get designed with interests of a site owner in mind. This alone makes it the worst possible UX on average.
Why not do like with popups, and show a little toast with "x tracking cookies were blocked, click to allow"? Cookies could have to register whether they are essential or not. It's really wild how much work must have been created by distributing this problem to every website on earth instead of doing it in the browser.
Lynx, back in the day, forced you to explicitly accept/reject each cookie offered by the server while loading the page. Modern browsers silently accept them all by default. Browsers have regressed.
The important part here is that it's at the browser level, IMO. Then it's the user's choice to either reject/accept all by default or get prompted once per page. I'd guess that 99.9% want to set it globally and never think about it again.
It's been on the browser level for ages. It's the DoNotTrack http header. The websites simply ignore it and hope the users will simply keep pressing the consent button.
Let me explain why with an example: say you're the type of people who doesn't care about "privacy" online ("I've got nothing to hide"), or you do; and you want to "support " certain ad-supported websites you're a fan of; but not that new clickbait toilet paper your aunt sends you.
I can't think of any way to have a good UX to opt in or out of "tracking" cookies which people would actually use (few will bother changing the defaults, and most mindlessly click ok).