FAQEU

EU ePrivacy Directive Reject-All Button

For consent-based cookies and similar technologies, a cookie banner should give users a real refuse or reject option wherever it asks them to accept.

Use this answer to review first-layer reject controls, equivalent prominence, deceptive banner patterns, consent evidence, withdrawal paths, and Member State implementation caveats.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Questions
4

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Under Article 5(3) of the ePrivacy Directive, consent is the normal route for non-essential storage of, or access to, information on a user's terminal equipment. The practical FAQ answer is that a banner asking for that consent should make refusal available and understandable at the same decision point, while preserving evidence that non-essential cookies and similar technologies do not fire after refusal.

Search this module

Find a question or answer quickly

4 of 4 questions
Question 1

Is a reject-all button required?

EU-level source material does not phrase Article 5(3) as a literal, standalone command to use the words "reject all". The safer operational rule is stronger than a wording debate: if a banner presents an accept-all control for consent-based cookies, SDKs, pixels, local storage, fingerprinting, or comparable storage/access, it should also present a clear refuse, reject, or continue-without-consenting option at that same decision layer.

The EDPB Cookie Banner Taskforce reported that a vast majority of authorities considered the absence of refuse/reject/not-consent options on any layer with a consent button to be inconsistent with valid consent and an ePrivacy infringement. The same report notes a minority view that Article 5(3) does not explicitly mention a reject option, so teams should avoid saying there is one uniform EU statutory label and instead document the applicable national implementation and regulator guidance.

  • Treat "reject all", "refuse", and "continue without accepting" as acceptable only when the action is clear and actually blocks consent-based storage or access.
  • Do not set consent-required cookies or similar technologies by default; consent must be expressed through a positive user action.
  • Do not rely on legitimate interest for the placement or reading of cookies where Article 5(3) requires consent.
  • Keep strictly necessary storage separate from analytics, advertising, social-media, personalisation, and measurement purposes.
Citations
EDPB Cookie Banner Taskforce report

Supports the majority authority position on missing reject/refuse options, the minority caveat, deceptive design concerns, and national-law implementation caveats.

Question 2

What makes the refusal option equivalent?

Equivalent does not mean every button must be visually identical, but the user must not be pushed toward acceptance by layout, wording, colour, contrast, or hidden navigation. A reject option embedded as a small text link, placed only in a later settings layer, or made unreadable through contrast can undermine the user's ability to understand and refuse the consent request.

Review the banner as a live interaction, not only as a design file. The control should be visible before consent-required storage or access occurs, describe the same category of choice as the accept control, and leave the user able to continue without consent unless a specific national rule or valid exception says otherwise.

  • Place accept and reject/refuse controls in the same decision layer for consent-based purposes.
  • Use plain labels that identify the action, such as "Reject all" or "Continue without accepting".
  • Avoid paragraph-embedded refusal links, misleading colour hierarchy, unreadable contrast, and wording that implies consent is required for ordinary site access.
  • Test desktop and mobile banners because mobile-first rendering, overlays, and small screens can hide or demote refusal controls.
Citations
Question 3

What evidence should teams keep?

Keep enough evidence to prove both sides of the consent choice: the user-facing refusal path and the technical result after refusal. A screenshot alone is not enough if tags still fire, local storage is populated, or SDKs access device information before or despite rejection.

Consent records should also preserve the banner version, language, country or market setting, purposes shown, vendor/category configuration, timestamp, and withdrawal route. The EDPB consent guidance says controllers must be able to demonstrate valid consent, while the cookie banner taskforce expects website owners to maintain cookie lists and demonstrate why claimed essential cookies are essential where requested.

  • Cookie, SDK, pixel, local-storage, and fingerprinting inventory mapped to purposes and whether each item is strictly necessary or consent-based.
  • CMP configuration exports showing accept, reject, granular settings, default states, and country or language variants.
  • Network and browser-storage test logs proving consent-required technologies do not fire before consent or after rejection.
  • Evidence of the exact banner text, visual state, consent information, session event, and version shown when consent was requested.
  • Withdrawal testing showing users can reopen settings and withdraw consent as easily as they gave it.
Citations
EDPB Guidelines 05/2020 on consent

Supports retaining consent workflow records, session information, user-facing information, and withdrawal mechanisms without collecting excessive evidence.

Question 4

What are the main caveats?

First, Article 5(3) applies broadly to storage of, or access to, information on terminal equipment; it is not limited to browser cookies or personal data. That means a reject-all review should cover pixels, app SDKs, local storage, unique identifiers, fingerprinting signals, and other similar technologies that store or access device information.

Second, cookie placement or reading is governed by national laws transposing the ePrivacy Directive, while later personal-data processing may also need GDPR analysis. The EDPB taskforce describes its banner positions as a common denominator and says they must be combined with additional national requirements and competent-authority guidance. This FAQ therefore should not be used to infer country-specific rules, penalties, or regulator deadlines that are not separately sourced.

  • Check Member State law and regulator guidance before treating a single banner pattern as valid across all EEA markets.
  • Separate the Article 5(3) storage/access question from later GDPR processing purposes and lawful bases.
  • Do not classify analytics or advertising as strictly necessary merely because the business needs measurement or revenue.
  • Do not silently switch from withdrawn consent to another lawful basis for the same personal-data processing without the required transparency analysis.
Citations
EDPB Guidelines 05/2020 on consent

Supports the rule that withdrawal must be as easy as giving consent and that consent-based processing must stop after withdrawal unless another lawful basis applies.

Recommended next step

Turn the reject-all answer into tested banner controls

Sorena can help map consent-based cookies and similar technologies, test reject/refuse behavior, and keep the evidence needed for ePrivacy and GDPR consent reviews.

Research workflow
Open Research Copilot for EU ePrivacy

Ask source-linked questions about Article 5(3), reject/refuse banner patterns, withdrawal, and evidence using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through implementation

Review your cookie-banner controls, consent logs, testing evidence, and national-law questions with Sorena.

Explore next step
Primary sources

References and citations

EDPB Cookie Banner Taskforce report
edpb.europa.eu
Referenced sections
  • Supports the caveat that cookie placement and reading are assessed under national ePrivacy-transposition laws and local regulator guidance.
"additional national requirements"
EDPB Guidelines 05/2020 on consent
edpb.europa.eu
Referenced sections
  • Supports the rule that withdrawal must be as easy as giving consent and that consent-based processing must stop after withdrawal unless another lawful basis applies.
"as easy as giving consent"
European Commission ePrivacy factsheet
ec.europa.eu
Referenced sections
  • Supports the policy context that users should control information on their devices and be asked for consent before tracking cookies are stored.
"Users must be in control"
Related guides

Explore more topics

Are cookie walls allowed under the EU ePrivacy Directive?
FAQ answer on cookie walls under the EU ePrivacy Directive, covering freely given consent, refusal and withdrawal paths, banner evidence, and national-law caveats.
Do Analytics Cookies Require Consent under the EU ePrivacy Directive?
FAQ answer on analytics cookies under Article 5(3) ePrivacy, limited analytics exemptions, configuration evidence, consent logs, and national-law caveats.
ePrivacy cookie consent vs DSA ads obligations: source-limited comparison
Compare ePrivacy cookie and tracking-consent duties with DSA ads workstreams without merging consent, transparency, and evidence obligations.
ePrivacy Directive vs GDPR: cookies, communications, consent, and evidence
Compare the EU ePrivacy Directive and GDPR across subject matter, lex specialis overlap, terminal equipment, communications confidentiality, marketing, consent, enforcement, and evidence.
EU cookie banner requirements under the ePrivacy Directive
EU ePrivacy cookie banner requirements for non-exempt cookies and trackers: prior consent, reject choices, no pre-ticked boxes, withdrawal, analytics limits, cookie walls, and evidence logs.
EU ePrivacy analytics cookies: consent, exemption, and evidence guide
source-linked guide to analytics cookies under EU ePrivacy: Article 5(3) scope, when consent is usually needed, limited analytics exemptions, consent records, and evidence gaps.
EU ePrivacy Applicability Test for Cookies, SDKs, Pixels, Communications, and Marketing
A concrete EU ePrivacy Directive applicability test for electronic communications services, terminal-equipment storage or access, cookies, SDKs, pixels, local storage, direct marketing, GDPR overlap, and evidence.
EU ePrivacy Article 5(3) terminal equipment test
A source-linked Article 5(3) test for cookies, pixels, local identifiers, device APIs, strictly necessary exceptions, and consent evidence.
EU ePrivacy Confidentiality of Communications: Article 5 controls
Article 5 confidentiality guide for EU ePrivacy communications, traffic data, metadata, terminal-equipment access, consent limits, and GDPR interplay.
EU ePrivacy consent-log evidence workflow for cookies and trackers
Build an ePrivacy consent-log workflow that records cookie and tracker decisions, banner versions, consent signals, withdrawals, vendor evidence, and audit-ready outputs.
EU ePrivacy cookie banner UX test cases
source-linked cookie banner UX tests for Article 5(3) ePrivacy consent: reject all, pre-ticked boxes, withdrawal, cookie walls, analytics toggles, and consent evidence.
EU ePrivacy Cookie Scope Classifier Workflow
Classify cookies, pixels, SDKs, local storage, device identifiers, and analytics tracers under Article 5(3) ePrivacy rules, with consent and exemption evidence outputs.
EU ePrivacy direct-marketing consent checklist
Checklist for ePrivacy Directive direct-marketing messages: consent, soft opt-in, sender identity, opt-out handling, proof records, suppression, and national-law caveats.
EU ePrivacy Directive compliance calendar for cookies, consent, and marketing
source-linked ePrivacy calendar covering Directive milestones, Article 5(3) cookie reviews, consent evidence, direct marketing checks, and national-law follow-up.
EU ePrivacy Directive Compliance Checklist
A concrete ePrivacy checklist for terminal equipment access, cookie consent, exemptions, banner UX, direct marketing, confidentiality, GDPR interplay, and evidence records.
EU ePrivacy Directive Compliance Guide for Cookies, Marketing, and Communications
Practical ePrivacy Directive compliance checks for terminal equipment, communications confidentiality, cookie consent, exemptions, direct marketing, evidence, and national-law caveats.
EU ePrivacy Directive Cookies and Consent: Article 5(3), exemptions, and banner evidence
Cookie consent guide for the EU ePrivacy Directive: Article 5(3) scope, strictly necessary and transmission exemptions, consent UX, withdrawal, logs, analytics caveats, and GDPR interplay.
EU ePrivacy Directive direct marketing rules for electronic mail
source-linked guide to Article 13 ePrivacy Directive rules for electronic mail marketing, prior consent, customer soft opt-in, opt-out handling, sender identity, and Member State caveats.
EU ePrivacy Directive Enforcement and Fines
Source-grounded guide to ePrivacy Directive enforcement, national penalties, competent authorities, GDPR interplay, cookie-banner risk, and evidence limits.
EU ePrivacy Directive FAQ: cookies, consent, marketing, GDPR interplay
Answers to recurring EU ePrivacy Directive questions on Article 5(3), terminal-equipment access, cookie consent, exemptions, analytics, direct marketing, GDPR interplay, national enforcement, and evidence.
EU ePrivacy Directive Member State Cookie Rules
How to evidence EU ePrivacy cookie compliance when Article 5(3) is implemented through Member State law and national authority practice.
EU ePrivacy Directive Metadata and Location Data Guide
source-linked guide to EU ePrivacy Directive rules for traffic data, location data, anonymisation, consent, value-added services, Article 5(3) overlap, and national-law limits.
EU ePrivacy Directive penalties and fines: national enforcement caveats
source-linked guide to ePrivacy Directive penalty exposure, national transposition caveats, cookie enforcement evidence, consent defects, and GDPR overlap limits.
EU ePrivacy Directive Requirements: cookies, communications and marketing
source-linked map of EU ePrivacy Directive requirements for communications confidentiality, terminal-equipment access, consent, traffic and location data, and direct marketing.
EU ePrivacy Directive vs GDPR: cookies, communications, marketing, and evidence
Compare the EU ePrivacy Directive and GDPR by trigger, consent standard, lex specialis overlap, enforcement caveats, and evidence outputs for cookies, device access, communications, and marketing.
EU ePrivacy Directive vs UK PECR: source-limited cookie and marketing comparison
Compare EU ePrivacy Directive rules with a source-limited UK PECR workstream for cookies, terminal equipment, direct marketing, consent, soft opt-in, and evidence.
EU ePrivacy soft opt-in FAQ for email marketing
When Article 13(2) soft opt-in can support EU customer email marketing, including existing-customer, similar-offer, opt-out, sender-identity, suppression-list, and national-law checks.
EU ePrivacy soft opt-in marketing checklist
source-linked checklist for using the EU ePrivacy Directive soft opt-in exception for customer email marketing, opt-outs, sender identity, suppression records, and national-law caveats.
EU ePrivacy soft opt-in marketing review workflow
Review whether an EU electronic-mail marketing send can rely on the ePrivacy soft opt-in, with checks for customer relationship evidence, similar products, opt-out, sender identity, suppression records, and national-law caveats.
EU ePrivacy Strictly Necessary Cookie Exemptions
source-linked guide to the Article 5(3) ePrivacy exemptions for transmission cookies, requested-service cookies, analytics caveats, evidence, and national-law checks.
Strictly Necessary Cookies under the EU ePrivacy Directive
FAQ answer on when EU ePrivacy Article 5(3) allows cookies without consent, with grounded examples, analytics caveats, evidence records, and national-law cautions.
What should CMP consent logs retain under the EU ePrivacy Directive?
FAQ answer on CMP consent logs for EU ePrivacy cookie consent: retained fields, consent validity signals, banner versioning, refusal and withdrawal events, proof limits, and national-law caveats.