Cookie Rejection Should Be One Click Away
Refusing cookies on most websites still takes more effort than accepting them. A large "Accept All" button sits front and centre, while the option to decline hides behind a smaller link, a different colour, or a second layer of menus. EU regulators have spent the past three years making clear that this imbalance breaks the law.
The principle is straightforward: if a visitor can accept all non-essential cookies with a single click, refusing them should require exactly the same effort. This concept, often called button parity, is now enforced by multiple data protection authorities and forms a core part of the European Commission's proposed Digital Omnibus package.
Where the Legal Requirement Comes From
Button parity is not a single regulation you can look up in one place. It draws from several overlapping legal sources.
Article 5(3) of the ePrivacy Directive requires prior consent before storing or accessing information on a user's device, unless the cookie is strictly necessary. The GDPR then sets the standard for what counts as valid consent under Article 7: it must be freely given, specific, informed, and unambiguous. The EDPB Cookie Banner Taskforce report, published in January 2023, confirmed that most EU supervisory authorities consider the absence of a first-layer reject button an infringement of these rules.
The French data protection authority, CNIL, has been the most aggressive enforcer. Since 2022, CNIL has issued formal notices and fines against organisations whose banners lacked a clearly visible "Reject All" option on the first screen.
CNIL's Enforcement Track Record
CNIL's enforcement actions show how seriously regulators treat reject-button design.
In September 2025, CNIL fined SHEIN approximately 150 million euros for a banner whose "Reject All" button appeared to function but failed to stop tracking cookies from loading. The fine targeted both the visual deception and the technical failure. Google also received a substantial penalty as part of the same enforcement wave, bringing the combined total to roughly 475 million euros.
Earlier enforcement rounds saw CNIL issue formal notices to dozens of website publishers for dark patterns in cookie banners. The authority identified specific non-compliant practices: a prominent "Accept" button paired with a small text link for rejection, ambiguous wording like "Continue without accepting" placed far from the main buttons, and multi-step rejection flows that required navigating through settings pages.
CNIL's position is unambiguous. "Refuse All" and "Accept All" must appear on the same layer with comparable size, colour, and visual weight.
The Digital Omnibus Proposal: Browser-Level Consent
On 19 November 2025, the European Commission published the Digital Omnibus Regulation proposal. This package proposes amendments to the GDPR and ePrivacy rules, with a direct focus on reducing cookie banner fatigue.
The proposal includes three changes relevant to reject buttons and consent design:
- One-click accept and one-click reject must sit at the same level on every cookie banner, with no multi-layer rejection flows
- Browsers and operating systems should allow users to set their consent preferences once, transmitting a machine-readable signal (similar to Global Privacy Control) to every site they visit
- Websites must not re-prompt a visitor for at least six months after a refusal
The browser-level signal concept borrows from the same thinking behind GPC, but the Digital Omnibus envisions a standardised EU mechanism rather than a voluntary browser feature. If adopted, this could reduce the number of banner interactions a typical user faces by over 90%.
The proposal must pass through the European Parliament and the Council of Member States. Optimistic timelines suggest adoption by late 2026, with enforcement beginning in 2027 at the earliest. Significant debate is expected, particularly around the technical standards for browser signals and whether legitimate interest processing would still apply.
What Button Parity Looks Like in Practice
Meeting the button parity standard requires more than adding a reject button. The design details matter.
Visual Equivalence
Both buttons must share equal visual prominence. A filled, brightly coloured "Accept All" next to an outlined, grey "Reject All" does not meet the standard. Regulators assess each banner individually, but the principle holds: neither option should visually dominate the other.
Placement and Wording
The reject option must sit on the first layer of the banner. Placing it inside a "Manage Preferences" panel fails the one-click test. Wording should be direct: "Reject All" or "Refuse All" rather than vague alternatives like "Continue browsing" or "Maybe later".
Technical Enforcement
Clicking "Reject All" must actually block non-essential cookies. The SHEIN fine demonstrated that a cosmetic reject button - one that looks functional but does not prevent tracking scripts from firing - attracts even harsher penalties than having no reject button at all. Verify your implementation by checking that cookies like _ga, _fbp, and other tracking identifiers are absent from the browser after rejection. A cookie audit will confirm whether your banner does what it claims.
Compliance Requirements at a Glance
| Requirement | Compliant | Non-Compliant |
|---|---|---|
| Reject button layer | First layer, next to Accept | Hidden in settings or second layer |
| Button size and colour | Equal visual weight | Accept is bold/coloured, Reject is greyed out or a text link |
| Wording | "Reject All" or "Refuse All" | "Maybe later", "Continue without", or no label |
| Technical effect | All non-essential cookies blocked | Tracking scripts still fire after rejection |
| Re-prompting | Respect refusal for 6+ months | Banner reappears on every visit |
| Close button behaviour | Treated as refusal (no cookies set) | Treated as acceptance or ignored |
How Other DPAs Are Approaching Reject Buttons
Not every EU member state enforces button parity identically. The Spanish AEPD, for example, has historically accepted a "Manage Settings" link on the first layer as a sufficient alternative to a dedicated reject button, provided the settings page offers a clear rejection path. The German conference of data protection authorities (DSK) and the Austrian DPA, by contrast, align closely with CNIL's stricter approach.
The EDPB Taskforce report noted this divergence but signalled that a first-layer reject button is the safest approach for cross-border compliance. If your website serves visitors from multiple EU countries, designing to the strictest standard - CNIL's - reduces regulatory risk across the board.
Practical Steps to Prepare Your Website
Regardless of whether the Digital Omnibus passes on schedule, the current enforcement environment already demands button parity. Here is what to do now.
Audit Your Current Banner
Open your website in a private browsing window. Check whether "Reject All" appears on the first screen alongside "Accept All". If it does not, your banner is non-compliant under the standards applied by CNIL, the EDPB Taskforce, and most other EU authorities. Use a cookie scanner to verify that rejected cookies are genuinely blocked.
Update Banner Design
Ensure both buttons share equal styling. Review cookie banner design best practices for guidance on achieving visual parity without harming consent rates. Transparent design does not have to mean lower acceptance - research consistently shows that users respond better to banners they perceive as honest.
Test the Technical Layer
After clicking "Reject All", open your browser's developer tools and verify that no non-essential cookies are set. Check the Network tab for outgoing requests to third-party tracking domains. A banner that visually rejects cookies but technically allows them is worse than no banner at all from an enforcement perspective.
Prepare for Browser Signals
The Digital Omnibus proposal will likely require websites to respect browser-level consent signals. If you already support GPC signals, you have a head start. Monitor the legislative progress and ensure your consent management setup can interpret standardised signals when they arrive.
Frequently Asked Questions
Is a "Reject All" button legally required on cookie banners in the EU?
Most EU data protection authorities, including CNIL and the majority of EDPB members, consider the absence of a first-layer reject button a violation of the ePrivacy Directive and GDPR consent requirements. The safest approach is to include "Reject All" on the first screen.
What happens if my reject button does not actually block cookies?
A non-functional reject button attracts severe penalties. CNIL fined SHEIN approximately 150 million euros in 2025 partly because its "Reject All" button failed to stop tracking cookies from loading. Regulators treat this as worse than having no reject option.
How long must a website remember a visitor's cookie refusal?
Under the proposed Digital Omnibus rules, websites must respect a refusal for at least six months. Current best practice, even before the proposal is adopted, is to avoid re-prompting users who have already declined.
Will browser-level consent signals replace cookie banners entirely?
The Digital Omnibus proposal envisions browser-level signals reducing banner interactions, but banners will likely remain for users whose browsers do not transmit a preference. The transition period is expected to be gradual.
Does the "Reject All" button need to look identical to "Accept All"?
Identical styling is not strictly required, but both buttons must carry equal visual prominence. A bold, coloured "Accept All" next to a faint, outlined "Reject All" does not meet the standard set by CNIL and the EDPB Taskforce.
Can I use "Continue without accepting" instead of "Reject All"?
CNIL has accepted "Continue without accepting" as an alternative in some cases, provided it appears with equal prominence on the first layer. "Reject All" is clearer and carries less regulatory risk.
Take Control of Your Cookie Compliance
If your cookie banner still hides the reject option behind extra clicks or muted styling, the window for voluntary correction is narrowing. Kukie.io detects, categorises, and helps you manage every cookie on your site, making it straightforward to offer visitors a genuine, one-click choice.
