Beta cookies.ie is in public beta — found a bug or have feedback? Tell us →
cookies.ie

← All fixes

Your banner has no "Reject all" button

The Irish DPC is explicit: refusing consent must be as easy as giving it. A banner with only "Accept" (or with Reject hidden behind "Manage options") is a dark pattern — the consent it collects is invalid.

TL;DR
  • Put a "Reject all" (or "Only necessary") button on the first layer of the banner.
  • It must be the same size, colour weight, and prominence as "Accept all".
  • Hiding Reject inside "Manage preferences", "Settings", or a link doesn't count.

What the law says

The principle comes from GDPR Article 7(3) — consent must be as easy to withdraw as to give — applied to the cookie context by the EDPB and adopted by Irish regulators. The DPC's cookies guidance puts it bluntly: "users must be able to refuse cookies as easily as they accept them". An "Accept all" button alone, or a banner where Reject is hidden one or more clicks deeper, is treated as not having valid consent at all.

The EDPB Guidelines 03/2022 on deceptive design patterns classify asymmetric consent UIs explicitly as "manipulative design" and not a valid legal basis for processing. The French CNIL has fined Google and Meta hundreds of millions of euros specifically for this pattern, and the DPC has followed suit in its sweep decisions.

What "equal prominence" means

Equal prominence is about parity of friction, not identical styling:

  • Same layer. Both buttons on the first banner, visible without scrolling or clicking.
  • Same click count. One click to accept, one click to reject.
  • Comparable visual weight. Reject can be a secondary/outline button, but not greyed out, not smaller, not tucked into a text link while Accept is a large coloured button.
  • Same reading order. Reject should read as a peer of Accept, not as an escape route.

Good vs. bad patterns

Not compliant:

  • "Accept all" button + "Manage preferences" text link
  • "Accept all" button + an X to dismiss (dismiss ≠ reject)
  • Reject button is visibly greyed out, tiny, or off-screen
  • Reject only appears after you load a second modal

Compliant:

  • Two equal-weight buttons: "Accept all" and "Reject all"
  • Three buttons: "Accept all", "Reject all", "Customise"
  • Reject styled as a secondary/outline button of the same size, with "Customise" as a tertiary link

Why it matters

Consent collected from a banner without a first-layer Reject is treated as invalid. That means every tracker you fired on the back of it was fired without a lawful basis — so the remedy isn't just to add the button, it's also to accept that historical data may not be usable. Regulatory exposure includes public infringement decisions from the DPC, complaints to NOYB (which has filed thousands of Irish and EU cookie complaints), and potential fines up to the GDPR maximum of 4% of worldwide turnover.

How to fix it

If you use a CMP, check the config

Most major CMPs support an equal-prominence layout but default to a dark pattern. Common fixes:

  • OneTrust: in Banner Design, enable "Show Reject All button". Do not rely on the "Save Settings" button inside the preferences modal.
  • Cookiebot (Usercentrics): set "Button layout" to "Multi-level", enable "Show Deny button". Avoid the "Accept only + Details" template.
  • Didomi: enable the "Deny" button on the notice (Notice > Buttons) rather than only in the preferences modal.
  • Iubenda: enable "Reject" in the Cookie Solution settings — Iubenda ships without it by default, which is the single most common failure we see on Irish sites.
  • Shopify's native banner: enabled in Customer privacy settings; verify the storefront actually shows both buttons, as themes can hide them.

If you built the banner yourself

Add a Reject button alongside Accept, in the same markup block, wired to the same dismiss-the-banner flow but without calling your analytics loader:

<div class="consent-actions">
  <button class="btn btn-primary" id="accept-all">Accept all</button>
  <button class="btn" id="reject-all">Reject all</button>
  <button class="btn-link" id="customise">Customise</button>
</div>

Keep the two primary actions at the same visual weight — if Accept is the brand-coloured primary button, Reject should be an outline button of the same size, not a small link.

If you're using GTM Consent Mode

Make sure your Reject handler updates all consent signals to denied (not just analytics_storage): 

gtag('consent', 'update', {
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  analytics_storage: 'denied',
  functionality_storage: 'denied',
  personalization_storage: 'denied',
});

How to verify the fix

Re-run the cookie banner checker. The "Reject all is offered with equal prominence" check uses the same heuristics as DPC sweeps — it looks for a reject-style button on the first banner layer, not buried in a preferences modal.

Related fixes

cookies.ie is not a law firm. This page reflects current DPC guidance and EDPB materials but your specific situation may need legal advice.