A visitor lands on your website, sees the cookie banner, and clicks Reject All. From a user-experience standpoint, the page loads and life goes on. Behind the scenes, though, the consequences ripple across analytics dashboards, advertising platforms, and personalisation engines. Rejection rates have climbed sharply over the past few years - a 2026 compilation of 26 consent studies found that 50 to 65 percent of users now reject cookies when a clearly visible Reject All button is offered.
That is a lot of visitors opting out. If your site is not built to handle it, you are flying partially blind on traffic data, haemorrhaging remarketing audiences, and potentially breaking features that depend on non-essential storage.
Which Cookies Stay and Which Get Blocked
Not every cookie disappears when a user rejects consent. Under Article 5(3) of the ePrivacy Directive, cookies that are "strictly necessary" to provide a service the user explicitly requested are exempt from the consent requirement. A session cookie that keeps a shopping cart alive, an authentication token that keeps a user logged in, or a load-balancer cookie that routes traffic to the correct server - these continue to function.
Everything else stops. Analytics cookies like _ga and _gid from Google Analytics, marketing cookies such as _fbp from Meta Pixel and _gcl_au from Google Ads, and functional cookies storing language or currency preferences - all of these must be withheld if the user said no.
| Cookie Category | Example | After Reject All |
|---|---|---|
| Strictly necessary | PHPSESSID, cart token | Still set - no consent needed |
| Functional / preference | pll_language, currency selector | Blocked - preferences reset each visit |
| Analytics | _ga, _gid, _hjSession | Blocked - visit not tracked |
| Marketing / advertising | _fbp, _gcl_au, IDE | Blocked - no retargeting or conversion tracking |
A compliant consent management platform handles this automatically by holding back scripts tagged as non-essential until the user grants permission. If your implementation fires tags before consent is recorded, you are breaking the law - a point the French CNIL made painfully clear when it fined SHEIN 150 million euros in September 2025 for setting advertising cookies before users gave permission and for a Reject All button that did not actually stop tracking.
What the Visitor Experiences
From the user's perspective, surprisingly little changes. The GDPR requires that a website remains accessible even when someone rejects non-essential cookies. Cookie walls that block content entirely until the user consents are prohibited.
That said, certain conveniences vanish. Language preferences revert to the site default on every visit. Theme or layout choices are forgotten. "Recently viewed" product carousels go blank. Any personalisation that relied on cookies to remember past behaviour simply stops working.
Embedded content can also break. YouTube videos loaded in standard mode, social media share widgets, and live chat tools often depend on third-party cookies. A well-configured site replaces these with placeholder messages explaining that the content requires consent to load - this is sometimes called an iframe placeholder approach.
The Analytics Blind Spot
For site owners, the most immediate pain is data loss. When a user rejects analytics cookies, tools like Google Analytics 4 cannot associate page views with a persistent user identifier. Ten page views might look like ten separate anonymous events rather than one person browsing five pages twice.
Studies suggest that sites offering a compliant, equally prominent Reject All button lose 40 to 70 percent of their tracking data points. That gap distorts bounce rates, session durations, conversion funnels, and audience demographics. Decisions based on this skewed data risk optimising for the minority of users who clicked Accept rather than representing actual site-wide behaviour.
Google Consent Mode as a Partial Fix
Google Consent Mode v2 attempts to close this gap. In its Advanced implementation, Google tags still load on the page when a user rejects cookies, but they operate in a restricted mode. Instead of writing cookies, they send "cookieless pings" - stripped-down signals containing the page path, device type, browser, and country, but no personal identifiers.
GA4 then uses behavioural modelling to estimate what non-consenting users probably did, based on patterns observed from users who did consent. Google claims this can recover roughly 70 percent of lost attribution paths. The catch: modelling only activates if the site collects at least 1,000 denied events per day for seven consecutive days and has at least 1,000 daily consenting users over the same window. Smaller sites may never hit that threshold.
Basic Consent Mode, by contrast, blocks tags entirely until consent is given - meaning zero data from users who reject, and no modelling at all.
Impact on Advertising and Revenue
Rejected cookies gut remarketing lists. Without a _fbp cookie, Meta Pixel cannot build a retargeting audience from that visitor. Without _gcl_au, Google Ads loses conversion attribution for that session. The visitor who browsed five product pages and left will never see the follow-up ad.
Conversion data also takes a hit. Google's documentation notes that consented users are two to five times more likely to convert than unconsented ones. Advertisers end up with understated return-on-ad-spend figures. For publishers running programmatic ads, rejected consent means untargeted, contextual placements with lower CPMs.
Legal Obligations When Users Say No
A rejection is not optional to honour. Under the GDPR (via Article 7) and the ePrivacy Directive, when a user withholds consent, no non-essential cookies may be set. The site must not degrade service quality as a punishment for rejecting - that would undermine the "freely given" requirement of valid consent.
Regulators have been explicit on this point. The CNIL's September 2025 action against SHEIN cited consent withdrawal failures - when users clicked Reject All, certain cookies continued to be placed and previously set cookies continued to be read. The fine was imposed even though SHEIN corrected the issue during the investigation. The enforcement trend for 2025-2026 shows that cosmetic compliance - a Reject button that does not actually stop tracking - attracts some of the heaviest penalties.
Outside the EU, different rules apply but the direction is similar. Under the CCPA/CPRA, California does not require opt-in consent for most cookies, but it does require a "Do Not Sell or Share My Personal Information" link and must honour Global Privacy Control signals. Brazil's LGPD mandates opt-in consent for personal data processing, and South Africa's POPIA requires a justification for every piece of personal information collected.
What Your Site Should Do Technically
Handling rejection properly is a matter of both compliance and good engineering. The core requirement: no non-essential script fires until consent is explicitly granted.
Tag management tools like Google Tag Manager support consent-aware triggers that check the visitor's consent state before loading a tag. A consent management platform integrates with these tools to enforce blocking automatically, record the rejection in a consent log with a timestamp, and store the user's preference so the banner does not reappear on every page load.
For features that break without cookies, build graceful fallbacks. Detect the browser's Accept-Language header instead of a language cookie. Replace cookie-dependent carousels with session-only memory. The goal is a site that works for everyone, not just users who clicked Accept.
Server-side Alternatives
Server-side tagging moves data collection from the browser to your own server. This gives you more control over what is collected, but it does not remove the consent requirement - if a user rejects tracking, the server must honour that. Privacy-focused analytics tools like Plausible and Fathom skip cookies entirely by collecting only aggregate metrics, though the trade-off is less granular user-level data.
Designing a Banner That Respects the Choice
The banner itself matters. A dark pattern that buries the Reject option behind three extra clicks, or uses a bright green Accept button next to a faint grey Reject link, is both unethical and increasingly illegal. The CNIL fined Google 325 million euros in September 2025 partly because its consent flow required six clicks to reject personalised ads but only two to accept.
A compliant banner places Accept All and Reject All on the same layer with equal visual weight. Category-level toggles give users granular control, and a persistent footer link lets them revisit their choice at any time.
Frequently Asked Questions
Do strictly necessary cookies still work after a user clicks Reject All?
Yes. Cookies that are essential for basic site functionality - such as session tokens, authentication cookies, and load-balancer cookies - are exempt from the consent requirement under the ePrivacy Directive. They continue to work regardless of the user's choice.
Can my website block content if a visitor rejects cookies?
No. Cookie walls that deny access to content unless the user accepts all cookies are prohibited under the GDPR. The site must remain functional and accessible even when non-essential cookies are rejected.
How much analytics data do I lose when visitors reject cookies?
Studies indicate that sites with a compliant, equally visible Reject All button lose between 40 and 70 percent of their tracking data. Google Consent Mode v2 (Advanced) can recover an estimated 70 percent of lost attribution paths through behavioural modelling, but only if your site meets minimum daily traffic thresholds.
Does Google Analytics still collect any data after rejection?
With Advanced Consent Mode, Google tags send cookieless pings containing non-personal information like page path, device type, and country. GA4 uses these signals for behavioural modelling. With Basic Consent Mode, no data is collected at all from users who reject.
What happens to retargeting ads when cookies are rejected?
Marketing cookies like Meta's _fbp and Google's _gcl_au are blocked, so the visitor is not added to any remarketing audience. They will not see retargeted ads, and the conversion cannot be attributed to an ad click.
Can I use server-side tracking to bypass cookie rejection?
Server-side tagging gives you more control over data processing, but it does not remove the legal requirement for consent. If a user rejects tracking, the server must honour that choice. Using server-side methods to circumvent a rejection would violate the GDPR and ePrivacy Directive.
Keep Your Site Compliant Without Losing Control
Cookie rejection is not a technical glitch to work around - it is a legal right that a growing share of visitors exercise. The practical response is a site architecture that degrades gracefully, a consent platform that enforces choices reliably, and analytics strategies that account for missing data honestly.
Kukie.io detects every cookie on your site, blocks non-essential scripts until consent is granted, and logs each decision for audit purposes. If a visitor rejects, your site keeps running and your compliance record stays clean.
