For most of the GDPR era, cookie banners operated in a grey zone. Technically, users had a choice. Practically, the "Accept All" button was large and green while "Manage Preferences" was a small grey link buried beneath three paragraphs of legalese. Regulators tolerated this for years. They don't anymore.
Across Europe, data protection authorities have converged on a single principle that now functions as the de facto standard: refusing cookies must require exactly one click, and that click must be just as visible and accessible as accepting. The European Commission is pushing to codify this in the upcoming ePrivacy Regulation. National regulators aren't waiting — they're enforcing it now, with fines that have already reached nine figures. This article covers what changed, who got fined, what your banner needs to look like technically, and how to build consent UIs that are both compliant and effective.
Where the One-Click Reject Rule Comes From
There's no single regulation that says "put a Reject All button on your banner." The requirement is constructed from several overlapping legal instruments, all pointing the same direction.
GDPR Article 7: freely given consent
Article 7 requires that consent be freely given, specific, informed, and unambiguous. Recital 42 adds that consent is not freely given if the data subject has "no genuine or free choice." When accepting takes one click and refusing takes five clicks through nested menus, the choice isn't free. It's coerced by design.
The ePrivacy Directive and the Commission's next move
The ePrivacy Directive (2002/58/EC, amended 2009) governs cookie consent specifically, but it was written before dark patterns were a recognized category. The long-stalled ePrivacy Regulation — still in trilogue negotiations — includes explicit provisions on consent interface design. Draft text circulated in late 2025 requires that "the means to withdraw or refuse consent shall be presented with equal prominence and ease" as the means to give it. While the final text isn't adopted yet, regulators are already enforcing this principle under existing GDPR provisions.
EDPB Guidelines 03/2022 on deceptive design patterns
The European Data Protection Board's Guidelines 03/2022 don't technically bind anyone — they're guidance, not law. But they have functionally set the enforcement benchmark across all EEA member states. The EDPB identified six categories of deceptive design: overloading (bombarding users with requests), skipping (defaulting to the most privacy-invasive option), stirring (emotional manipulation), hindering (obstructing the privacy-protective choice), fickle (inconsistent interfaces), and left in the dark (withholding information). A cookie banner that buries "Reject" behind multiple clicks hits at least hindering and often skipping too.
These guidelines were updated in 2024 with specific references to cookie consent interfaces, cementing the EDPB's position that first-layer reject buttons are the expected standard.
What Counts as a Dark Pattern in Cookie Consent
Not every nudge is a dark pattern. Regulators distinguish between legitimate design choices and manipulative ones. Here's where the line sits in 2026, based on published enforcement decisions and guidance.
Hidden or missing reject button
The foundational violation. If "Accept All" is on the first layer but "Reject All" is buried behind a settings panel, preferences screen, or additional click, the asymmetry invalidates consent. This is the single most-fined pattern across European DPAs.
Color manipulation and false visual hierarchy
Making "Accept" a high-contrast, brightly colored button while "Reject" is styled as a grey text link, ghost button, or low-contrast element. The visual weight difference steers users toward acceptance. Regulators evaluate whether a reasonable person would perceive both options as equally available.
Confusing or asymmetric toggles
Preference screens where non-essential categories are toggled on by default, where the toggle labels are ambiguous ("Personalization" instead of "Advertising tracking"), or where users must individually deselect 30+ vendors. The CJEU's Planet49 ruling (C-673/17, 2019) established that pre-ticked boxes are never valid consent.
Misleading language and confirmshaming
Labeling the reject option with guilt-inducing text ("No thanks, I prefer a worse experience") or using double negatives ("Don't not enable personalization"). Consent must be informed and unambiguous — which means the choices have to be described in plain, neutral language.
Forced consent walls
Blocking access to content entirely unless the user consents to all cookies, with no alternative. While cookie walls and pay-or-consent models exist in a complicated legal space, a wall that offers no access at all without full cookie consent is a dark pattern under the EDPB's framework. The limited exceptions (paywall alternatives, strict necessity) are narrow and jurisdiction-specific.
Nagging and repeat prompting
Re-displaying the banner on every page load or visit after the user refused, hoping to wear them down. A refusal must be stored and respected for the same duration as an acceptance. See our guide on consent expiry and re-consent for the rules on when re-prompting is legitimate.
Enforcement: Who Got Fined and For What
The shift from guidance to enforcement happened fast. These are the most significant cookie-banner-specific actions as of mid-2026.
CNIL (France): the pace-setter
France's CNIL has been the most aggressive enforcer globally:
- Google (€150M) and Facebook (€60M), January 2022. Both fined because refusing cookies required multiple clicks while accepting took one. These were issued under France's implementation of the ePrivacy Directive — the asymmetry made refusal more complex than acceptance.
- Microsoft (€60M), December 2022. Fined for bing.com's cookie mechanism — cookies deposited without valid consent, reject not equally accessible.
- TikTok (€5M), December 2022. Refusing cookies was not as easy as accepting them.
- Sectoral sweeps (2024–2026). Targeted audits of e-commerce, media, and public-sector sites, with formal notices issued quarterly. Most violations: absent or subordinated reject buttons.
AEPD (Spain)
Spain's Agencia Española de Protección de Datos has fined CaixaBank (€6M, 2024) for lacking a first-layer reject option with pre-selected preferences, and Vueling Airlines (€30K, 2023) for installing cookies with no way to refuse. The AEPD's cookie guide explicitly requires reject options to be "as easy to access and use as acceptance."
ICO (United Kingdom)
The ICO operates under UK GDPR and PECR, which survived Brexit substantively unchanged. After investigating real-time bidding and publisher consent banners (2023–2025), issuing dozens of formal warnings, the ICO updated its guidance in 2024 to state that "consent is unlikely to be valid if the option to reject is harder to find or use than the option to accept." It has signaled that monetary penalties for repeat offenders will follow the warning phase.
Other notable actions
Austria's DSB has issued binding compliance orders requiring banner redesigns. Italy's Garante published updated guidelines in 2023 requiring refusal to be "no more complex" than acceptance, with fines in the €20K–€100K range. Belgium's enforcement against IAB Europe's TCF raised the question of whether vendor-toggle overload itself constitutes a deceptive pattern. The pattern across jurisdictions is clear: every major European DPA now treats subordinated reject buttons as a consent validity issue, not a UX preference.
Technical Requirements for a Compliant Banner
Knowing the law matters, but you also need to know what to build. Here are the concrete technical requirements that emerge from the enforcement actions and guidance above.
Button sizing and visual weight
Accept and Reject buttons must have comparable visual prominence. That means:
- Same dimensions. If "Accept All" is 200×48px, "Reject All" shouldn't be a 120×32px text link.
- Comparable contrast ratios. Both buttons should meet WCAG 2.1 Level AA contrast minimums (4.5:1 for text, 3:1 for UI components). A high-contrast Accept button next to a low-contrast Reject button fails the symmetry test even if both technically pass AA individually.
- Same button style. If Accept is a filled/solid button, Reject should be a filled/solid button too — not an outlined ghost button, not a text-only link. Regulators look at whether a reasonable user would perceive both as primary actions.
Placement and ordering
Both buttons should appear on the first layer of the banner — no clicks required to reach the reject option. Left-to-right or side-by-side placement is standard. Stacking Accept on top and Reject below is acceptable if the visual weight is equal. What's not acceptable: placing Reject outside the banner's visual frame, below the fold, or in a smaller font after a wall of text.
Color and contrast
This is where many banners fail the symmetry test. Specific rules derived from enforcement:
- Don't use the brand's primary color for Accept and a neutral grey for Reject. Either use the primary color for both, or use a neutral treatment for both.
- Don't reduce the opacity or saturation of the Reject button.
- Background color behind the Reject button should not be chosen to make it blend into the banner background.
- The text labels themselves must have sufficient contrast against their button background — WCAG AA minimum of 4.5:1.
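The sizing, style and contrast rules above can be checked mechanically. The following is an added example, not code from CookieBeam or from any regulator's scanner. The luminance and contrast formulas are the WCAG 2.1 definitions, while the button descriptor shape, the sample colours and the 1.5x prominence-gap threshold are assumptions made for this example.

```javascript
// Added example: WCAG 2.1 contrast math plus a symmetry audit of Accept vs. Reject.
// The descriptor shape ({width, height, style, bg, text}) is hypothetical.

// Relative luminance of a 6-digit sRGB hex colour such as "#0b5fff".
function luminance(hex) {
  const [r, g, b] = [1, 3, 5].map((i) => {
    const c = parseInt(hex.slice(i, i + 2), 16) / 255;
    return c <= 0.03928 ? c / 12.92 : ((c + 0.055) / 1.055) ** 2.4;
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio between two colours: 1 (identical) up to 21 (black on white).
function contrast(a, b) {
  const [hi, lo] = [luminance(a), luminance(b)].sort((x, y) => y - x);
  return (hi + 0.05) / (lo + 0.05);
}

// Returns a list of findings; an empty list means the pair passed every check.
function auditBanner({ bannerBg, accept, reject }, maxGap = 1.5) {
  const findings = [];
  if (accept.width !== reject.width || accept.height !== reject.height)
    findings.push("size: buttons have different dimensions");
  if (accept.style !== reject.style)
    findings.push(`style: accept is ${accept.style}, reject is ${reject.style}`);
  const edge = {};
  for (const [name, btn] of Object.entries({ accept, reject })) {
    const label = contrast(btn.text, btn.bg); // label text vs. button fill
    edge[name] = contrast(btn.bg, bannerBg);  // button fill vs. banner background
    if (label < 4.5) findings.push(`${name}: label contrast ${label.toFixed(2)} < 4.5`);
    if (edge[name] < 3) findings.push(`${name}: blends into banner (${edge[name].toFixed(2)} < 3)`);
  }
  // Both buttons can pass AA alone and still be lopsided; the gap limit is an assumption.
  const gap = Math.max(edge.accept, edge.reject) / Math.min(edge.accept, edge.reject);
  if (gap > maxGap) findings.push(`symmetry: prominence gap ${gap.toFixed(2)}x`);
  return findings;
}

// Constructed sample banners: brand-coloured Accept beside a grey text-link Reject,
// then the same banner with Reject given the identical treatment.
const filled = { width: 200, height: 48, style: "filled", bg: "#0b5fff", text: "#ffffff" };
const lopsided = { bannerBg: "#ffffff", accept: filled,
  reject: { width: 120, height: 32, style: "text", bg: "#ffffff", text: "#9a9a9a" } };
const symmetric = { bannerBg: "#ffffff", accept: filled, reject: { ...filled } };

console.log(auditBanner(lopsided));
console.log(auditBanner(symmetric));
```

Running an audit like this in CI against the banner's design tokens catches a regression before it ships, such as a restyle that turns Reject back into a ghost button.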
Wording
Labels should be short, symmetrical, and neutral. "Accept All" / "Reject All" is the most defensible pattern. Avoid asymmetric pairs like "Accept All" / "Continue without accepting" or "Got it" / "Learn more about your choices." A "Manage Preferences" or "Customize" link alongside the two primary buttons is fine — it's a third option, not a replacement for Reject.
Accessibility: WCAG 2.1 Level AA for Consent Interfaces
Under the European Accessibility Act (EAA, effective June 2025), consent interfaces must meet WCAG 2.1 Level AA. This intersects directly with dark patterns — an inaccessible reject button is a functionally absent one for users with disabilities.
The requirements that matter most for cookie banners:
- Keyboard navigation (2.1.1). All controls must be operable via keyboard. Tab order should follow visual order. Focus must not be trapped inside the banner.
- Focus visibility (2.4.7). Active focus states must be visible on all interactive elements.
- Color contrast (1.4.3 / 1.4.11). Text needs 4.5:1 contrast against background. Non-text UI components (button borders, toggle tracks) need 3:1.
- Target size (2.5.5 / 2.5.8). Interactive targets should be at least 24×24px (AA) with adequate spacing.
- Screen reader compatibility (4.1.2). Buttons need accessible names. Toggle states must be programmatically determinable. Use dialog or alertdialog ARIA roles.
For the full implementation checklist, see our guide on cookie banner accessibility and WCAG.
Compliant Design That Still Performs
A common objection to the one-click reject rule is that it will tank consent rates. The data tells a different story.
Manipulative banners get 85–95% raw accept rates, but that consent is legally invalid. Well-designed compliant banners achieve 55–70% — a real gap, but one that represents consent with an actual lawful basis. More importantly, optimized compliant designs outperform poorly designed compliant banners by up to 200%. The difference is design quality, not trickery:
- Position and timing. Bottom-bar banners that don't block content outperform center-screen modals. A 1–2 second delay beats instant pop-ups.
- Copy clarity. Short, plain language explaining what cookies do increases acceptance. Legal walls decrease it.
- Trust signals. Brand identity in the banner (logo, symmetric brand colors on both buttons) builds trust.
- Performance. Banners loading in under 100ms without layout shift get higher engagement. See our guide on cookie banner performance and Core Web Vitals.
- Mobile optimization. Thumb-friendly buttons (minimum 48px height) and single-column layouts that don't require scrolling to reach the reject button.
You can lose the dark patterns without losing your analytics data. The path is better design, not more manipulation.
How CookieBeam Enforces Equal Button Prominence
CookieBeam's banner designer is built around the symmetry principle.
Enforced first-layer reject
Every banner template includes a "Reject All" button on the first layer by default. You can customize its label text, but you can't remove it or hide it behind a second screen — a guardrail that keeps you compliant across all European jurisdictions.
Symmetry constraints in the designer
The designer enforces visual parity between Accept and Reject: both buttons inherit the same base dimensions, color settings are linked by default (the designer flags asymmetric contrast ratios if you unlink them), and button ordering defaults to Reject / Accept left-to-right.
Built-in WCAG compliance checks
Real-time validation against WCAG 2.1 Level AA: contrast ratio checks on button text against backgrounds, minimum target size validation (44×44px recommended), focus indicator presence, and keyboard navigation order preview.
Regional consent integration
CookieBeam's regional consent system adjusts by visitor location. In jurisdictions requiring one-click reject (EEA, UK, Brazil under LGPD, Canada under PIPEDA), the reject button is always prominent. For US opt-out states, the banner adapts to the local framework while maintaining honest design.
What's Coming Next
The trajectory is one-directional. No jurisdiction is loosening its stance on consent design.
- The ePrivacy Regulation is expected to codify first-layer reject requirements at the EU level, ending debates about whether national DPAs are over-interpreting the Directive.
- The Digital Services Act (in force since February 2024) bans dark patterns on online platforms. Its definitions of manipulative design are already being cited by DPAs in cookie consent enforcement.
- Browser-level consent signals. The EU is exploring whether browsers should transmit consent preferences, shifting the interaction upstream of the website entirely.
- AI-driven enforcement. Several DPAs, including the CNIL, now use automated scanning tools to detect non-compliant banners at scale. Enforcement volumes will increase.
Building a compliant banner today isn't just about avoiding a fine this quarter. The one-click reject rule isn't a trend — it's the floor.
Further Reading
- Dark Patterns in Cookie Banners: What Regulators Now Prohibit — detailed catalogue of every banned pattern
- Dark Patterns in Cookie Banners: What They Are and Why They're Risky — foundational explainer on deceptive consent design
- CNIL Cookie Guidelines: France's Strict Rules Explained
- Cookie Banner Design Best Practices
- Cookie Banner Accessibility: Meeting WCAG for Consent UIs
- GDPR Cookie Compliance Checklist for 2026
- ePrivacy Directive & Cookie Law Guide