
Why 'Accept All' Only Banners Keep Getting Fined

A banner with a one-click "Accept All" and no equally easy way to refuse is the single most-fined cookie pattern in Europe. Google, Facebook, Microsoft, TikTok and Yahoo all paid for it. Here's the mechanism.

The most-fined banner in Europe

If you had to pick the single cookie mistake regulators have punished most, it's this one: a banner with a bright one-click "Accept All" and no equally easy way to say no. The reject option is buried under "Manage settings," takes several clicks, or simply isn't there. It looks harmless. It has cost some of the largest companies in the world hundreds of millions of euros.

Why the law treats this as illegal

The GDPR requires consent to be "freely given" (Article 4(11)). If accepting takes one click and refusing takes five, the choice isn't free; it's engineered toward "yes." Regulators call this an asymmetry. The EDPB's guidance on deceptive design patterns treats the missing or buried reject option as a design that undermines valid consent, and national authorities have turned that principle into a hard rule: refusing has to be as easy as accepting, at the same level of the banner. The full legal picture is in the one-click reject rule.

The enforcement record

This isn't theoretical. The French regulator (CNIL) built a whole enforcement wave around exactly this pattern:

  • Google, 150 million euros (31 December 2021). Split as 90 million against Google LLC and 60 million against Google Ireland. The CNIL found it took one click to accept all cookies but several to refuse them. The order came with a 100,000 euro per-day penalty until fixed.
  • Facebook (Meta), 60 million euros (31 December 2021). Same day, same problem. The CNIL noted that the button meant to refuse cookies was buried on a second screen and labelled in a way that discouraged its use.
  • Microsoft, 60 million euros (December 2022). Bing let users accept immediately but offered no equally simple way to reject third-party tracking cookies.
  • TikTok, 5 million euros (announced January 2023). Users could accept in one click but had to go through several steps to refuse, which the CNIL said discouraged refusal.
  • Yahoo, 10 million euros. Advertising cookies set without proper consent and a refusal path that was too hard to use.

It's a systemic problem, not a big-tech one

The pattern shows up on small sites as often as on the companies large enough to make headlines. When noyb scanned more than 500 European sites in 2021, 81% had no reject option on the first screen at all, and 73% used colour and contrast to push users toward accepting. The reason regulators keep finding it is that it's the default output of a lot of banner tools, and it happens to be the version that maximises consent rates in the short term. That short-term gain is what the fines are pricing.

What a compliant banner does instead

The fix is not complicated:

  • A reject button of equal prominence on the first layer. "Reject All" sits next to "Accept All," same size, same visual weight, same number of clicks (one).
  • Nothing pre-selected. Non-essential toggles start off, so silence and inaction default to no tracking.
  • Scripts blocked until a choice is made. Nothing non-essential fires before the visitor decides, so a "reject" actually stops the tracking rather than just recording a preference.
  • The same effort to change your mind later. Withdrawing consent has to be as easy as giving it.
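
The script-blocking and nothing-pre-selected points above, sketched as a small consent gate. This is an added example, not CookieBeam's code or any vendor's API; `createConsentGate`, the category names and the `store` map (standing in for cookie or localStorage persistence) are hypothetical.

```javascript
// Added example: a minimal consent gate. All names are hypothetical.
const CATEGORIES = ['analytics', 'advertising']; // non-essential categories

function createConsentGate(store = new Map()) {
  const pending = []; // loaders held back until a choice allows them
  const loaded = [];  // names of loaders that have actually run
  // Nothing pre-selected: with no stored decision, consent is null and
  // every category is treated as refused.
  let consent = store.get('consent') || null;

  function register(category, name, loader) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown category: ${category}`);
    }
    if (consent !== null && consent[category] === true) {
      loader();
      loaded.push(name);
    } else {
      pending.push({ category, name, loader });
    }
  }

  function decide(choices) {
    // Only an explicit `true` counts; missing keys mean "no".
    consent = Object.fromEntries(
      CATEGORIES.map((c) => [c, choices[c] === true]));
    store.set('consent', consent);
    store.set('decidedAt', new Date().toISOString()); // log the decision
    const run = pending.filter((p) => consent[p.category]);
    for (const p of run) {
      p.loader();
      loaded.push(p.name);
      pending.splice(pending.indexOf(p), 1);
    }
    return run.map((p) => p.name); // what this decision released
  }

  return {
    register,
    // Accept and reject are both a single call: the same effort either way.
    acceptAll: () => decide(Object.fromEntries(CATEGORIES.map((c) => [c, true]))),
    rejectAll: () => decide({}),
    save: decide, // granular choice, also used to change or withdraw later
    state: () => ({ consent, loaded: [...loaded], pending: pending.map((p) => p.name) }),
  };
}
```

A script that has already run cannot be unloaded, so withdrawing consent after a load also needs the cookies it set to be deleted and the page reloaded; the gate only guarantees that nothing new fires.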

Why teams keep shipping it

Nobody sets out to build an illegal banner. The asymmetric pattern survives because it's the path of least resistance in three ways: it's often the default in older banner tools, it posts the highest consent rate in a quick A/B test, and "add a reject button later" is easy to deprioritise. Each of those is a short-term reason, and each is exactly what the enforcement record above is punishing. The consent-rate bump is real, and so is the fine that eventually prices it.

Check your own banner in thirty seconds

Open your homepage in a private window and count the clicks. If accepting all cookies is one click and refusing them takes more than one, or the reject option lives behind "Manage preferences," or there's no reject at all on the first screen, you have the exact pattern the CNIL fined above. Then open your browser's developer tools and reload: if analytics or advertising cookies appear before you click anything, the banner is decorative and the tracking is already running. Both are fixable, and both are worth fixing before a regulator or a competitor's complaint finds them first.

The same rule is spreading beyond the EU

Equal-prominence choice isn't only a European idea anymore. US state laws increasingly require honouring opt-out signals and giving a symmetric way to decline sale or sharing, and the direction of travel everywhere is toward making "no" as easy as "yes." Building the symmetric banner now means you aren't rebuilding it every time another jurisdiction codifies the same expectation.

The trade-off is smaller than it looks

The usual objection is that a real reject button tanks consent rates. In practice, a clear, honest banner with equal-prominence choices performs closer to the manipulative version than people expect, and it's the only version that doesn't carry a fine attached. A consent platform like CookieBeam ships an equal-prominence "Reject All" on the first layer by default, keeps non-essential cookies blocked until the visitor chooses, and logs the decision, which removes the specific pattern every fine above was built on. For the wider list of failure modes, see why most cookie banners fail, and for the fines in detail, the biggest GDPR cookie fines.

Sources

  • CNIL fines Google (150M euros) and Facebook (60M euros), 31 Dec 2021, cnil.fr
  • CNIL fines TikTok 5M euros over cookies, cnil.fr
  • noyb cookie banner scan findings (2021), noyb.eu
  • EDPB Guidelines 03/2022 on deceptive design patterns, edpb.europa.eu