Skip to main content
Back to Guides
Basics5 min read

What Happens When You Reject Cookies?

Clicking reject shouldn't break the site. Here's what actually changes when you decline cookies, what a website is still allowed to do, and what it's legally not allowed to do.

The short version

When you reject cookies, the non-essential ones (analytics, advertising, embedded widgets that track) should never load. The essential ones, the cookies that keep you logged in, hold your cart, and protect the session, keep working, because the site can't function without them and the law doesn't require your permission for them. So the honest answer to "what happens when you reject cookies" is: the site should still work, and the tracking should stop. If either half of that isn't true, something is set up wrong.

What actually stops

A correctly built consent banner blocks non-essential scripts before they run, and your rejection keeps them blocked. Concretely, that means:

  • Analytics stops counting you. Tools like Google Analytics won't set their cookies or record your session (or will fall back to cookieless, modeled signals where the site uses Consent Mode).
  • Advertising cookies don't get set. You'll still see ads, but they're generic rather than targeted to a cross-site profile.
  • Some third-party embeds may hold off loading. A YouTube video or a social feed that would normally drop tracking cookies might show a placeholder asking you to allow that category first.

This is the difference between a decorative banner and a real one. The mechanics are in how to block scripts before consent.

What keeps working

Rejecting cookies doesn't log you out or empty your cart, because those rely on strictly necessary cookies that sit outside the consent requirement. Logins, shopping carts, security tokens, load balancing, and remembering your language choice all continue. A site that breaks when you decline is usually mislabelling tracking cookies as essential, or it never separated the categories in the first place. Rejecting should cost you personalisation and tailored ads, not basic function.

What a website is NOT allowed to do

Setting non-essential cookies anyway after you reject is a straightforward breach of the ePrivacy Directive and GDPR. So is making "reject" harder to find than "accept," hiding it behind extra clicks, or greying it out. Regulators including France's CNIL have fined companies specifically for not offering a reject option as easy as the accept one. Rejecting is a valid choice, and the site has to honour it as given.

How your "no" gets remembered

There's a small irony here: to remember that you rejected cookies, a site stores your choice, usually in a single consent cookie or a local storage entry. That record is itself treated as strictly necessary (it exists to respect your decision), so it's allowed. It's what stops the banner reappearing on every page. Most consent records are re-checked after a set period, commonly 6 to 13 months, after which you may be asked again, because consent isn't meant to last forever. Background on that cycle is in consent expiry and re-consent.

Can you change your mind?

Yes, and a compliant site has to let you. Withdrawing or changing consent must be as easy as giving it, which is why well-built banners leave a small persistent link or icon to reopen the preferences. Signals like the Global Privacy Control take this further by letting your browser broadcast a blanket opt-out that sites are increasingly required to honour automatically.

For site owners: rejection is a feature, not a loss

If you run a website, treat a clean reject path as part of doing consent properly rather than a leak in your funnel. Users who trust that "reject" is real are more willing to engage, and dark patterns that pressure people into accepting produce consent that regulators can invalidate anyway, taking the data with it. CookieBeam blocks non-essential scripts until the visitor chooses, honours a rejection by keeping them blocked, and logs the decision as proof. See cookie banner dark patterns for what to avoid.

Why you still see ads after rejecting

Rejecting cookies doesn't remove advertising, it removes the personalisation. Ad slots on a page are sold whether or not the advertiser can profile you; declining just means the ad is contextual (based on the page you're reading) rather than behavioural (based on a profile built across sites). So the ad count doesn't drop, the targeting does. That surprises people who expect a quieter web after clicking reject.

Does rejecting actually make you more private?

Mostly, but not completely. Cookie rejection stops cookie-based tracking, which is the bulk of it. It doesn't stop everything: server logs still record your IP and the request, and some sites attempt fingerprinting, identifying a browser by its configuration rather than by a stored ID. Fingerprinting is non-consensual tracking and is itself caught by the same consent rules, but it's harder for a user to see. This is why browser-level signals matter. A tool like the Global Privacy Control expresses a durable "do not sell or share" that applies before you ever meet a banner, and a well-run site honours it automatically. Rejecting on the banner handles this visit; a browser signal handles every visit.

What to do if a site ignores your choice

If you reject and the site sets marketing cookies anyway, you have options. Clear the site's cookies in your browser and reload to confirm it's repeating the behaviour rather than showing a stale cookie. Turn on a browser-level signal like Global Privacy Control so your preference travels with you. And if it keeps happening, you can complain to your data protection authority, the ICO in the UK, your national DPA in the EU, or a state attorney general in the US, which is exactly the enforcement route that has produced cookie fines. Your rejection is a legal instruction, not a suggestion.

What Happens When You Reject Cookies? | CookieBeam | CookieBeam