“Reject All Cookies” Buttons: Making Them Legal & Clear

Cookie banners are now a familiar sight for anyone using the web in the UK. But for business owners running websites, knowing exactly how to keep your cookie settings legal - and simple for your users - isn’t always straightforward. In particular, one question has come up again and again: do you really need a “Reject All Cookies” button? And, if so, how do you make sure it’s both legally compliant and easy for your customers to understand?

Let’s break down your legal duties, the practicalities of cookie consent, and why a clear “Reject All Cookies” option is rapidly becoming best practice for UK businesses. If you run any kind of website, getting this right is key to both staying on the right side of the law and earning your users’ trust.

Why Are Cookies Legally Important For Your Business?

If your website uses cookies - or similar tracking technologies - you need to understand your responsibilities. Cookies aren’t just about analytics and advertising: they touch on core areas of privacy law and consumer trust. The central piece of legislation here is the Privacy and Electronic Communications Regulations (PECR). PECR sets specific rules for how you use cookies and other similar technologies on your website, app, or digital services. Alongside the UK GDPR and Data Protection Act 2018, these rules are designed to protect individuals’ personal information and ensure people stay in control of how their data gets used online. That means you need more than a quick pop-up: your cookie practices must meet clear legal standards.

This is the most critical point for business owners: you cannot set most non-essential cookies on your users’ devices without their explicit, express consent. Let’s unpack what that looks like in practice:
  • Essential cookies (strictly necessary for your site to function) can be set without consent, but you should still be transparent about their use.
  • Non-essential cookies (used for analytics, advertising, personalisation, social media, etc.) must not be set unless the user freely agrees.
  • Valid consent must be:
    • Freely given (not forced or bundled with other consents)
    • Specific (cookies grouped by purpose - a single “accept all” for every cookie type isn’t enough!)
    • Informed (clear information about what cookies do and why)
    • Unambiguous (the user must take clear affirmative action; pre-ticked boxes or implied consent are not permitted)
This is where the “Reject All Cookies” button comes in. If you only make it possible to “Accept All” or hide the “Reject All” deep in settings, the consent isn’t freely given or clear enough to satisfy PECR. It’s also worth noting: you must not set any non-essential cookies at all (not even for a split-second!) before the user has clearly given their consent. Always check your website’s tech with this in mind.

Cookie banners are now the main way most websites in the UK gather cookie consent. But not all banners are created equal: the legal test is whether they present choices fairly and enable informed, genuine decisions. The Information Commissioner’s Office (ICO) expects UK websites to display a cookie banner or pop-up that:
  • Clearly notifies the user that cookies are used, explaining why and for which purposes
  • Offers the user choices:
    • “Accept all cookies” (grant full consent)
    • “Reject all cookies” (apart from strictly necessary ones)
    • “Manage settings” (allowing detailed control by purpose)
  • Makes these choices equally visible and accessible (no using colour, design, or layout tricks to push users toward “Accept” over “Reject”)
  • Ensures non-essential cookies are blocked until a choice has been made
  • Provides a straightforward route to change or withdraw consent later
Your banner should also link to a full Privacy Policy or dedicated Cookie Policy, setting out what you use, why, and how people can change preferences. For many small businesses, this means you’ll want to regularly review your banner and underlying technology, rather than using a one-size-fits-all approach. The rules on cookie ‘pop-ups’ go deeper than most off-the-shelf solutions provide.

Why Is a “Reject All Cookies” Button So Important?

The short answer is: it’s about genuine choice. Under both PECR and UK GDPR, users must be able to refuse non-essential cookies as easily as they can accept them. A hidden, hard-to-see, or absent “Reject All” option fails this test. The ICO has made clear that the lack of a “Reject All” feature at the front of your banner may leave your business open to regulatory action. Hiding rejection behind sub-menus, or interpreting any press of “x” or “continue browsing” as consent, is not valid under UK law.

Including an upfront “Reject All Cookies” button delivers several benefits:
  • Keeps you on the right side of privacy law by ensuring consent is freely given
  • Builds consumer trust - users appreciate a straightforward approach, and confusion or suspicion falls away
  • Reduces risk of complaints (and ICO fines) by showing you take data protection seriously
  • Simplifies user experience (fewer support queries!) whilst improving your site’s transparency
As the digital privacy landscape evolves, “Reject All” is rapidly becoming the standard. Failing to offer it leaves you exposed - and gives potential customers a reason to click away.

The consequences of non-compliance can be significant, especially as the ICO increases scrutiny of cookies and online tracking in the UK. Your business could face:
  • Regulatory investigations and warnings by the ICO
  • Legal enforcement notices: orders to immediately change your setup
  • Fines: Breaching PECR can lead to penalties of up to £500,000 per breach, while serious or repeated non-compliance with data protection law can reach much higher levels under the UK GDPR
  • Reputational damage, customer complaints, and loss of trust
The ICO’s stance is proactive - don’t wait until you receive a complaint. Make sure your consent solution (including “Reject All Cookies”) is transparent, up to date, and genuinely allows customer choice from the start.

Balancing legal compliance, practicality, and user experience means your ideal cookie banner will typically:
  • Appear as soon as the user lands on your website (before any non-essential cookies are set)
  • Make “Accept All”, “Reject All”, and “Manage Settings” options equally prominent (ideally, on the same level/row)
  • Explain (in plain English!) what each type of cookie does and why you use it
  • Enable detailed management - for example, toggling analytics or marketing cookies on/off
  • Link to your Cookie Policy and privacy notices for full details
  • Remember the user’s choice (so you don’t repeatedly ask for consent!) and enable easy changes later, for example, through a persistent settings icon
Critically, you also need to check what's actually happening ‘under the hood’ on your website. Even a perfect-looking banner isn’t compliant if your site sets non-essential cookies by default, or without waiting for a user to click.

Some UK sites use “cookie walls”: requiring users to accept non-essential cookies to get access. Unless these are strictly necessary for the service the user requests, they carry a high risk of non-compliance - the ICO has cautioned against them. Similarly, just continuing to use the site, scrolling, or clicking “okay” is no longer valid consent. Only a clear button or toggle meeting the PECR standards will do.
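One way to enforce the “nothing non-essential before a choice” rule in page code, as an added example that is not from the original article or from any consent product; `createConsentGate`, the action names and the purpose list are hypothetical. Tags register with a purpose and are released only once a recorded choice allows that purpose, and a later withdrawal reports which tags must be stopped.

```javascript
// Added example: hypothetical consent gate, not taken from any real library.
const PURPOSES = ["analytics", "advertising", "personalisation", "social"];

function createConsentGate(savedChoice = null) {
  let choice = savedChoice; // null: the visitor has not decided yet
  let pending = [];         // tags held back from the page
  let active = [];          // tags released to the page

  // Strictly necessary tags always run; everything else needs an explicit "true".
  const allowed = (purpose) =>
    purpose === "essential" || (choice !== null && choice[purpose] === true);

  // Re-sort every known tag; returns names that were active but must now stop.
  function apply() {
    const all = [...active, ...pending];
    const stopped = active.filter((t) => !allowed(t.purpose)).map((t) => t.name);
    active = all.filter((t) => allowed(t.purpose));
    pending = all.filter((t) => !allowed(t.purpose));
    return stopped;
  }

  return {
    register(name, purpose) {
      pending.push({ name, purpose });
      apply();
    },
    decide(action, settings = {}) {
      const uniform = (v) => Object.fromEntries(PURPOSES.map((p) => [p, v]));
      if (action === "accept_all") choice = uniform(true);
      else if (action === "reject_all") choice = uniform(false);
      else if (action === "save_settings")
        // No pre-ticked boxes: a purpose is on only if explicitly set to true.
        choice = Object.fromEntries(PURPOSES.map((p) => [p, settings[p] === true]));
      else return { recorded: false, stop: [] }; // close, scroll, "okay": no consent
      return { recorded: true, stop: apply() };
    },
    active: () => active.map((t) => t.name),
    pending: () => pending.map((t) => t.name),
    choice: () => choice, // persist this so the visitor is not asked again
  };
}
```

The names returned in `stop` are the tags whose cookies the page should clear when consent is withdrawn.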

What Else Should UK Businesses Know?

We often get questions about whether the same rules apply to apps, SaaS platforms, and international websites. The simple answer: if you’re providing services to people in the UK, PECR and UK GDPR will almost certainly apply, regardless of where your website is hosted or your business is based.

Non-essential cookies cover a wide range, including things like social media ‘like’ buttons, chat widgets, affiliate tracking, analytics tools, adtech (Google Ads, Facebook Pixel, etc.), and much more. If you’re unsure whether a script or tool is essential, speak to a privacy specialist. And, as your website or online business evolves, so can your responsibilities: review your consent mechanisms and policies at least annually (and after any major update).

Aside from your cookie banner and technical implementation, there are a few key legal documents you should have in place to fully cover your compliance risks:
  • Cookie Policy: explaining what cookies you use, what information you collect, and how users can control them
  • Privacy Policy: a legally required document if you handle any personal data; covers broader data collection and user rights
  • Website Terms and Conditions: clarify your website’s rules, limits of liability, and data handling practices
  • Internal settings audits and data mapping documents, to prove your compliance in case the ICO investigates
If you’re handling especially sensitive information, like health data, or if you share data with third parties, you’ll have additional duties - see our guide on customer data protection or privacy standards for health service providers for more information.

Frequently Asked Questions

What Is PECR?

PECR stands for the Privacy and Electronic Communications Regulations. It’s UK law covering things like cookies, electronic marketing, and communication privacy. PECR works alongside UK GDPR but has its own rules - especially around non-essential cookies and getting consent.

A cookie banner is a box or pop-up that appears when someone visits your website or app. It tells users about cookies you want to use and asks them for their preferences (for example, “Accept All”, “Reject All”, or “Customise”).

Making your cookie practices truly compliant can be tricky, especially as rules and technology keep changing. Sprintlaw’s GDPR & Privacy Law Packages include access to specialist lawyers who can:
  • Review or draft your Cookie Policy and consent mechanism
  • Provide practical guidance on how to implement prominent “Reject All Cookies” options
  • Give ongoing advice and support as your online business grows
Don’t leave your compliance (or your customer relationships) to chance - clear, user-friendly consent not only keeps you legal, but sets your brand apart for transparency and trust.

Key Takeaways

  • PECR requires clear, freely given consent before setting non-essential cookies - pre-ticked boxes and implied consent are not enough.
  • Your cookie banner must prominently display a “Reject All Cookies” option, equal to “Accept All”, for real user choice.
  • Make sure no non-essential cookies are set until the user agrees - check that your website script actually waits for clear permission.
  • Have clear Cookie and Privacy Policies explaining your use of cookies and user rights, available directly from your banner.
  • Failing to comply with cookie consent rules can lead to regulatory action, fines, and loss of customer trust - don’t take chances.
  • Review and update your approach regularly, or seek professional advice if you’re unsure what applies to your setup.

If you’d like help reviewing your cookie consent solution, drafting compliant policies, or understanding your business’s privacy duties, you can reach the Sprintlaw team at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat. We’re always here to help make the legal side of online business simple, transparent, and protected from day one.
Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
