Our policy for Security Risks specifies "Quarantine Risk" as the first action. Symantec was
deleting the tracking cookies, so the action was not being controlled by this policy, and changing this policy would not change anything.
And when I looked more closely at the logs, I found the cookies were being deleted by TruScan., not AutoProtect. When I looked at our TruScan settings, I noticed that we can specify actions for commercial keyloggers and commercial remote control operations (I have them both set to "Log"), but not for other threats detected by TruScan.
So it looks like a Centralized Exceptions policy is the only tool available to me right now. Fortunately, it seems to be working now. I deployed the policy yesterday afternoon, and I haven't seen any Tracking Cookie notifications this morning.