Does My Cookie Banner Need a Reject Button? What UK and EEA Law Actually Says

If you've ever Googled "do I need a reject button on my cookie banner," you've probably landed on a page written by a law firm that somehow turned a yes/no question into 4,000 words of legalese.

So let's keep this simple.

TL;DR - yes. If your website targets visitors in the UK or the EEA (European Economic Area), your cookie banner needs to give people a genuine, equally visible option to reject non-essential cookies. Not hidden behind "Manage Preferences." Not tucked into a settings page. Right there on the first screen, looking exactly as clickable as the Accept button.

Here's why, what the law actually says, and what most websites are still getting wrong.

The Short Answer

Whether you're operating under UK law or EU/EEA law, the principle is the same: rejecting cookies must be as easy as accepting them.

That means if your banner has a big, bold "Accept All" button and a tiny grey "Customise" link underneath it - that's not compliant. The visual weight of both options needs to be equal. Same size, same styling, same prominence.

This isn't a grey area. It's been explicitly stated by regulators on both sides of the Channel, and it's actively being enforced.

What Law Governs This?

This is where it helps to know which bit of legislation you're actually dealing with, because it's not just "GDPR" - even though that's what everyone defaults to.

In the UK, the law that specifically covers cookies is PECR - the Privacy and Electronic Communications Regulations 2003. PECR sits alongside the UK GDPR, and it's enforced by the ICO (Information Commissioner's Office). PECR is the one that says you need consent before setting non-essential cookies, and the UK GDPR defines what valid consent looks like: freely given, specific, informed, and unambiguous.

In the EU/EEA, it's the ePrivacy Directive (2002/58/EC, amended by 2009/136/EC) that handles the cookie-specific rules, with the GDPR (Regulation 2016/679) underpinning the consent requirements. Each EU member state has its own national data protection authority (DPA) that enforces these rules: the CNIL in France, the AEPD in Spain, the BfDI in Germany, and so on.

FWIW, the laws aren't identical across all of these jurisdictions, but the core principle, that rejecting cookies must be as easy and as prominent as accepting them, is consistent across all of them.

What the Regulators Have Actually Said

This isn't just theoretical guidance buried in a PDF somewhere. Regulators have been very specific, and increasingly aggressive, about enforcement.

The EDPB (EU-wide)

The European Data Protection Board published its Cookie Banner Taskforce Report in 2023, following on from its Guidelines 03/2022 on deceptive design patterns. The key finding was clear: if there is an "Accept All" option on a certain layer of the cookie banner, there must also be a "Reject All" option on the same layer. A "vast majority" of the participating authorities agreed on this point.

In other words: you can't put "Accept All" on the first screen and then make someone click through to a second screen to find "Reject All." Both options must be available at the same level.

The CNIL (France)

France's data protection authority has been the most aggressive enforcer on cookie compliance in Europe. Between December 2022 and December 2024 alone, the CNIL issued combined fines of over €139 million for cookie consent violations under Article 82 of the French Data Protection Act.

In December 2024, the CNIL issued formal notices to multiple organisations specifically about dark patterns in cookie banners - including cases where the reject option was styled as a less prominent link, or where the accept option appeared multiple times while reject appeared only once.

And the fines keep getting bigger. In 2025, Google was fined €325 million by the CNIL for cookie violations - up from €150 million in 2021 and €100 million in 2020. Shein received a €150 million fine the same year.

The ICO (UK)

The ICO has taken a slightly different approach: less headline-grabbing fines, more direct engagement. In 2024 and 2025, the ICO carried out a review of UK websites' cookie compliance and began writing directly to organisations whose banners didn't meet the standard.

The ICO's guidance is clear on several points: the "Accept" and "Reject" buttons must be of equal visual prominence, all non-essential cookie categories must be toggled off by default, and no non-essential cookies should fire before consent is given. They've also emphasised that withdrawing consent must be as easy as giving it, so if it takes one click to accept, it shouldn't take five clicks to change your mind later.

What Most Websites Are Still Getting Wrong

Here's the thing - even knowing all of this, the majority of websites I audit are not fully compliant. The banner might look fine on the surface, but when you dig in, there are usually a few issues hiding underneath.

The button design isn't equal. This is the most common one. A coloured "Accept All" button next to a plain text "Manage Cookies" link is not equal weight. Both options need to look equally clickable.

There's no "Reject All" on the first screen. Some banners only offer "Accept All" and "Customise." That's not compliant if the only way to reject is to click Customise, manually toggle everything off, and then save - that's three steps versus one. The reject path needs to be just as short as the accept path.

Non-essential cookies fire before consent. This happens more often than you'd think. The banner appears, but tracking scripts are already loading underneath it. This is usually caused by scripts hardcoded into the website theme or by third-party embeds (YouTube videos, chat widgets, and marketing plugins) that set their own cookies the moment they load, regardless of what your consent platform says.

The banner isn't connected to anything. I've seen this more than once: a perfectly designed cookie banner that doesn't actually control any of the tracking on the site. The banner exists, visitors click their preference, and absolutely nothing changes behind the scenes. Everything fires regardless.

Third-party tools bypass the consent flow entirely. Plugins and embeds like Klaviyo, HubSpot, YouTube, Vimeo, Google Maps, and live chat widgets can inject cookies through your site independently of your tag manager. Your consent platform can only gate what it knows about - if a cookie is being set outside of that system, it's being set without consent.

What Should You Actually Do?

If you're not sure whether your site is compliant, the simplest thing you can do right now is open your website in an incognito window, don't touch the cookie banner, and check what cookies have already been set (right-click, Inspect, Application tab, Cookies). If there are cookies there before you've made a choice, that's problem number one.
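The same check can be scripted once you have a recording of what the browser received before anyone touched the banner. The following is an added example, not part of the original article: it flags every pre-consent cookie that isn't on an allowlist of strictly necessary ones. The hostnames, cookie values and the allowlist itself are constructed assumptions; what counts as essential is specific to your site.

```javascript
// Constructed sample: responses recorded in a fresh session BEFORE any banner click.
const SITE_HOST = "www.example.com"; // assumption: the site being audited
const ESSENTIAL = new Set(["session_id", "csrf_token", "cookie_consent"]); // assumption: site-specific allowlist
const capture = [
  { url: "https://www.example.com/", setCookie: ["session_id=abc123; Path=/; HttpOnly; Secure", "_ga=GA1.1.111.222; Max-Age=63072000; Path=/"] },
  { url: "https://www.example.com/theme/tracker.js", setCookie: [] },
  { url: "https://video.example.net/embed/xyz", setCookie: ["viewer_id=v-789; Domain=.example.net; Max-Age=15552000; Secure; SameSite=None"] },
  { url: "https://chat.example.org/widget.js", setCookie: ["chat_uid=u-42; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure"] },
];

// Parse one Set-Cookie header value into its name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // malformed: no cookie name
  const cookie = { name: pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Return every cookie set before consent that is not on the essential allowlist.
function preConsentFindings(entries, siteHost, essential) {
  const findings = [];
  for (const { url, setCookie } of entries) {
    const host = new URL(url).hostname;
    for (const header of setCookie) {
      const c = parseSetCookie(header);
      if (!c || essential.has(c.name)) continue;
      findings.push({
        name: c.name,
        setBy: host,
        party: host === siteHost ? "first" : "third", // simplification: exact host match only
        persistent: "max-age" in c.attrs || "expires" in c.attrs,
      });
    }
  }
  return findings;
}

console.table(preConsentFindings(capture, SITE_HOST, ESSENTIAL));
```

Any row in the output is a cookie that was set without a choice having been made; the `setBy` column tells you whether to look in your own theme or at an embed.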

Beyond that, a proper tracking audit will show you exactly what's running on your site - not just what's in your tag manager, but everything. Every script, every embed, every cookie. That's the only way to know for certain what your banner is and isn't controlling.

Getting this right isn't just about avoiding fines (although those are getting harder to ignore). It's about trust. Your visitors are being asked to make a decision about their data. The least you can do is make sure that decision actually means something.

Written by Chloe Christine. If you're not sure where your website stands on cookie compliance, get in touch - a tracking audit will tell you exactly what's going on under the surface.
