Does a cookie banner need a reject button?
No law literally says "the banner must have a reject button". But the chain of requirements lands there anyway: consent must be freely given, and refusing must be as easy as agreeing. A banner where the visitor can only accept — or where saying no takes three clicks through settings menus — does not collect valid consent. All tracking built on that consent then rests on a foundation that does not hold.
What does the law say?
The GDPR defines consent as freely given, specific, informed and unambiguous (article 4.11). Article 7 adds the quality requirements: refusing must be as easy as consenting, and withdrawing afterwards just as easy (article 7.3). It is the freely-given requirement that makes the reject option necessary — a choice without a no is not a choice.
The EU Court of Justice drew a clear line in Planet49 (C-673/17, 2019): pre-ticked boxes are not valid consent. The visitor must make an active choice — and then both outcomes must be available to choose.
In Sweden, supervision is split between PTS (the Swedish Post and Telecom Authority), which oversees the cookie rule in the Electronic Communications Act, and IMY (the Swedish Authority for Privacy Protection), which oversees the validity of consent under the GDPR.
Is a cookie wall allowed?
A cookie wall is a banner that blocks the entire website until the visitor accepts — there is no way in without saying yes. Under the EDPB's guidelines on consent (05/2020), such a setup normally makes the consent involuntary: the visitor has no real choice, and involuntary consent is invalid.
The consequence is backwards but logical: a cookie wall does not give you more valid tracking but less — everything resting on the forced consent rests on a consent that does not count.
Reject on the first layer — and dark patterns
The EDPB's cookie banner taskforce — where the European supervisory authorities aligned their views in a report in January 2023 — concluded that most authorities consider that a reject option must already be available on the banner's first layer. Hiding the no behind "Settings" or "Learn more", so that saying no takes more clicks than saying yes, is criticised as a dark pattern in the EDPB's guidelines 03/2022.
The same guidelines call out more tricks: reject as a grey text link next to a large colourful accept button, "legitimate interest" pre-selected in the banner's second layer so that a no on the first layer does not stop the tracking, and wording that nudges towards yes. France's CNIL has fined major companies over banners where refusing was harder than accepting — so the question is not theoretical.
Common issues we see
- The banner only has "Accept" and "Settings": there is no reject option on the first layer, and rejecting takes several clicks through menus.
- A reject option exists but is a grey or low-key text link while accept is a large colour button — visually, the choice has already been made for the visitor.
- "Legitimate interest" is pre-selected in the banner's second layer, so tracking continues even when the visitor has refused consent.
- A cookie wall: the website cannot be used at all without accepting.
- Refusing is possible — but changing your mind is not: once the banner is closed there is no way back to withdraw or revise the choice.
How CompliantHQ tests this
The scanner deterministically checks that the banner has a reject option at all — a banner that can only be accepted is flagged, since it does not collect valid consent.
On top of that, the scanner takes a screenshot of the banner and lets a vision AI judge it the way a visitor sees it: is the reject option as prominent as the accept button? Size, colour, contrast and placement are weighed in — exactly the visual imbalance a pure code review cannot see.
Both checks are already included in the trial. And since the scanner also visits the website after clicking reject, the same run measures whether a no is respected technically — that no cookies are set and no tracking requests are sent afterwards.
How to fix it
- Put a clear reject button — "Reject all" or "Decline all" — on the banner's first layer, next to accept.
- Give both options the same visual weight: comparable size, contrast and placement. A grey text link does not count as equivalent.
- As many clicks for no as for yes — if accepting takes one click, rejecting should too.
- Remove pre-ticked categories and pre-selected "legitimate interest" settings; a no on the first layer must actually stop the tracking.
- Make changing your mind just as easy: a permanent entry point — for example a link in the footer — where the visitor can revise or withdraw their choice.
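The fixes above can be checked mechanically before a banner ships. The JavaScript below is an added example, not CompliantHQ's scanner code: it audits a constructed banner description for the issues listed on this page. The field names, finding labels and the 0.5 prominence thresholds are assumptions for illustration, not legal limits.

```javascript
// Added example, not CompliantHQ's scanner. Field names, finding labels and
// the 0.5 prominence thresholds are illustrative assumptions, not legal limits.
// WCAG relative luminance of an sRGB colour written as "#rrggbb".
function luminance(hex) {
  const [r, g, b] = [1, 3, 5].map((i) => {
    const c = parseInt(hex.slice(i, i + 2), 16) / 255;
    return c <= 0.04045 ? c / 12.92 : ((c + 0.055) / 1.055) ** 2.4;
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// WCAG contrast ratio: 1 (identical colours) up to 21 (black on white).
function contrast(a, b) {
  const [hi, lo] = [luminance(a), luminance(b)].sort((x, y) => y - x);
  return (hi + 0.05) / (lo + 0.05);
}

// Returns the parity problems found in a banner description.
function auditBanner(b) {
  const out = [];
  const accept = b.firstLayer.find((c) => c.action === "accept");
  const reject = b.firstLayer.find((c) => c.action === "reject");
  if (!reject) out.push("no-reject-on-first-layer");
  if (b.clicks.reject === null) out.push(b.blocksPage ? "cookie-wall" : "cannot-reject");
  else if (b.clicks.reject > b.clicks.accept) out.push("reject-needs-more-clicks");
  if (accept && reject) {
    // Prominence: drawn area, and contrast of the control's dominant colour
    // (button fill or link text) against the banner background.
    const area = (c) => c.width * c.height;
    const vis = (c) => contrast(c.color, b.background);
    if (area(reject) < 0.5 * area(accept) || vis(reject) < 0.5 * vis(accept))
      out.push("reject-less-prominent");
  }
  for (const t of b.secondLayer) if (t.on) out.push(`preselected:${t.name}`);
  if (!b.reopenLink) out.push("no-way-to-withdraw");
  return out;
}

// Constructed sample: "Accept" and "Settings" only, legitimate interest pre-selected.
const sampleBanner = {
  background: "#ffffff", blocksPage: false, reopenLink: false,
  firstLayer: [
    { action: "accept", width: 160, height: 44, color: "#1a73e8" },
    { action: "settings", width: 80, height: 20, color: "#9e9e9e" },
  ],
  clicks: { accept: 1, reject: 3 }, // clicks needed for each outcome; null = impossible
  secondLayer: [{ name: "legitimate-interest-ads", on: true }],
};
console.log(auditBanner(sampleBanner));
```

A banner with an equally sized, comparably contrasted reject button on the first layer, no pre-selected categories and a permanent link to reopen the choice returns an empty list.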
What the check covers
- That the cookie banner offers a way to reject — a banner that can only be accepted does not collect valid consent.
- That the reject option is as prominent as the accept button — judged visually on a screenshot of the banner.
Common questions
Must the cookie banner have a reject button on the first layer?
Most European supervisory authorities think so, according to the EDPB's cookie banner taskforce. And regardless of the button's exact placement: consent that is noticeably harder to refuse than to give risks being invalid.
Is a cookie wall allowed?
Normally not. Under the EDPB's guidelines 05/2020, a banner forcing the visitor to accept just to get in makes the consent involuntary — and therefore invalid.
Is a "Settings" link enough as a reject option?
It is risky. When saying no takes more clicks than saying yes, supervisory authorities criticise it as a dark pattern, and France's CNIL has fined companies over exactly that construction.
Must the reject button look exactly like the accept button?
The requirement is that refusing must be as easy as consenting — not pixel-identical buttons. Comparable size, contrast and placement are the safe way to meet it; a grey link next to a colour button is not.