Do I Need to Offer a Cookie Rejection Option, Not Just 'Accept'?
Yes, if you're using cookies that are not strictly necessary for your website to function, you must offer users a clear choice to reject them, not just an 'Accept' option.
Under both the GDPR and the ePrivacy Directive, consent for cookies must be freely given, informed, and specific. This means users should not be nudged into accepting tracking or analytics cookies through design tricks (like only offering an 'Accept' button or burying the 'Reject' option). Consent must also be as easy to withdraw as it is to give, so your cookie banner or settings should allow users to refuse or change their preferences without friction.
Importantly, you can't assume consent through silence, inactivity, or by saying "continuing to use the site means you agree." For non-essential cookies, such as those used for marketing or performance tracking, users must actively opt in.
In practical terms, this means your website should:
Clearly explain what cookies are used and why.
Let users say no to non-essential cookies before any are placed on their device.
Provide an easy way to change cookie preferences later on.
We’ll explain more about cookie compliance in this article.
What Are the Different Types of Cookies?
Cookies, though often grouped under one umbrella, differ in important ways, particularly in how long they remain active, who sets them, and the role they serve.
In terms of duration, session cookies are temporary and are erased once the user closes their browser or ends their session. Persistent cookies, by contrast, remain stored on the user’s device for a set period, defined by an Expires or Max-Age attribute sent with the cookie. They stay in place until the user deletes them or the browser removes them once that expiry has passed.
Cookies can also be distinguished by their origin. First-party cookies are placed directly by the website a user is visiting. These are typically used to support site functionality or gather basic analytics. Third-party cookies, on the other hand, are set by external domains, most commonly advertising networks or analytics platforms, and are often used to track users across different websites, which makes them a more frequent source of privacy concerns.
Functionally, cookies fall into several categories. Strictly necessary cookies enable core site features, such as remembering items in a shopping basket or maintaining secure login sessions. These do not require user consent but must still be explained. Functionality cookies (or preference cookies) remember user choices, such as language or region.
Performance cookies collect data about how visitors interact with the site so that usability can be improved. Even where the reports are only ever viewed in aggregate, the cookie itself usually carries a persistent identifier, so these cookies are not strictly necessary and still need consent. Lastly, marketing cookies track browsing behaviour and are primarily used to deliver targeted advertising. These tend to be persistent and set by third parties, making them subject to stricter compliance requirements.
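The distinctions above (session or persistent, first or third party) are exactly what a cookie audit, the first step of the compliance procedure described further down, has to record for every cookie a site sets. The following is an added example, not code from the original article or from Gerrish Legal: a small Node.js script that parses captured Set-Cookie headers and classifies each one by lifetime and origin. The hostnames and header values are constructed sample data, and the first-party test is a plain hostname suffix comparison rather than a Public Suffix List lookup, which is an assumption a real audit tool would not make.

```javascript
// Added example, not from the original article: classify captured Set-Cookie
// headers by lifetime (session vs persistent) and origin (first vs third party).
// Hostnames and header values below are constructed sample data.

// Parse one Set-Cookie header value into its name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq < 0 ? pair : pair.slice(0, eq).trim();
  const value = eq < 0 ? '' : pair.slice(eq + 1).trim();
  const attrs = {};
  for (const av of rest) {
    if (!av) continue;
    const i = av.indexOf('=');
    const key = (i < 0 ? av : av.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : av.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Lifetime per RFC 6265: Max-Age takes precedence over Expires; neither means a
// session cookie. A non-positive lifetime is a deletion instruction, not a stored cookie.
function cookieLifetime(attrs, nowMs) {
  let seconds;
  if (attrs['max-age'] !== undefined && /^-?\d+$/.test(attrs['max-age'])) {
    seconds = Number(attrs['max-age']);
  } else if (attrs.expires !== undefined) {
    const t = Date.parse(attrs.expires);
    if (Number.isNaN(t)) return { kind: 'session', seconds: null }; // unparsable date is ignored
    seconds = Math.round((t - nowMs) / 1000);
  } else {
    return { kind: 'session', seconds: null };
  }
  return seconds > 0 ? { kind: 'persistent', seconds } : { kind: 'deleted', seconds: 0 };
}

// First party: the host that set the cookie is the visited site or a parent/sub-domain of it.
// Assumption: this suffix comparison is an approximation; a production audit consults the Public Suffix List.
function isFirstParty(siteHost, settingHost) {
  const a = siteHost.toLowerCase();
  const b = settingHost.toLowerCase();
  return a === b || a.endsWith('.' + b) || b.endsWith('.' + a);
}

// Audit a list of {host, header} captures recorded while visiting siteHost.
function auditCookies(siteHost, captures, nowMs = Date.now()) {
  return captures.map(({ host, header }) => {
    const { name, attrs } = parseSetCookie(header);
    const life = cookieLifetime(attrs, nowMs);
    return {
      name,
      setBy: host,
      party: isFirstParty(siteHost, host) ? 'first' : 'third',
      lifetime: life.kind,
      days: life.kind === 'persistent' ? Math.round(life.seconds / 86400) : null,
      // Security attributes recorded alongside, since the same audit is where a reviewer wants them.
      secure: attrs.secure === true,
      httpOnly: attrs.httponly === true,
      sameSite: typeof attrs.samesite === 'string' ? attrs.samesite : 'unspecified',
    };
  });
}

// Constructed captures from a hypothetical visit to www.example.com.
const SAMPLE_CAPTURES = [
  { host: 'www.example.com', header: 'sessionid=7f3a; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { host: 'example.com', header: 'lang=en-GB; Max-Age=31536000; Path=/; Secure; SameSite=Lax' },
  { host: 'stats.tracker-example.net', header: '_tid=9c1e; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Domain=.tracker-example.net; Path=/; Secure; SameSite=None' },
  { host: 'www.example.com', header: 'promo=; Max-Age=0; Path=/' },
];

// Fixed "now" so the persistent lifetimes come out the same on every run.
const SAMPLE_NOW = Date.parse('2025-01-01T00:00:00Z');

console.table(auditCookies('www.example.com', SAMPLE_CAPTURES, SAMPLE_NOW));
```

Run it with `node` and `console.table` prints one row per cookie. Lifetime and origin are mechanical; whether a cookie is strictly necessary is a judgement about its purpose, which the audit records separately for each row. A third-party, persistent cookie with SameSite=None, as in the `_tid` row, is precisely the cross-site tracking case the article flags.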
What Are the Rules for Cookie Compliance?
UK Cookie Compliance
In the UK, the legal requirements around cookies are primarily governed by the Privacy and Electronic Communications Regulations (PECR), alongside the UK GDPR. Under these rules, organisations must not set non-essential cookies on a user’s device unless they have obtained prior informed consent.
This means businesses must clearly inform users that cookies are being used, explain what those cookies do and why, and obtain consent before setting any cookies that are not strictly necessary. This applies not only to traditional cookies but also to similar technologies that store or access information on a user’s device, including tools used in apps or on connected devices such as smart TVs.
Importantly, the obligation is on the organisation to ensure that this information is presented in a way that is accessible and understandable to the average user. Users must be made aware of the potential consequences of consenting to cookie use, particularly when it involves tracking, profiling, or data sharing with third parties.
EU Cookie Compliance
In the European Union, cookies fall under the scope of the General Data Protection Regulation (GDPR) when they can be used to identify individuals directly or indirectly. While the regulation doesn’t focus extensively on cookies, it makes clear that any online identifier, including cookies, is considered personal data if it can be tied to a user profile or used to track behaviour.
Because of this, organisations using cookies to monitor users, personalise content, or analyse behaviour must treat those cookies as personal data under GDPR rules. This means that in most cases, you must have a valid legal basis to process the data, and that basis is typically consent.
Consent under the GDPR must be freely given, specific, informed, and unambiguous. Pre-ticked boxes or passive acceptance (such as continuing to browse a site) do not meet the standard. Users need to clearly opt in to the use of non-essential cookies, and they must also be given a way to withdraw consent just as easily as they gave it.
Even if cookies aren’t directly identifying someone, if they are being used in a way that builds user profiles or tracks behaviour across services, they are considered intrusive enough to fall under data protection rules. Therefore, businesses operating in the EU must take care to evaluate the purpose and effect of the cookies they use and be transparent about them.
What Must Organisations Do to Comply?
To ensure compliance in your business, you must first conduct an audit of the cookies and similar technologies used on your website or digital platform. Once cookies are identified, you must assess whether each cookie is essential for the site’s operation or whether consent is required.
Where consent is needed, users must be given clear and comprehensive information before the cookie is set. This includes outlining what data is collected, the purpose behind it, whether any third parties are involved, and how long the data will be retained. The language used should be plain and appropriate for the audience, avoiding technical jargon wherever possible.
Consent mechanisms must be robust. Users should not be forced to accept cookies in order to access a website’s core functionality, and it should be just as easy to withdraw consent as it is to give it. Records of consent should be securely stored, and if the nature or use of cookies changes, or if devices are shared among different users, organisations may need to refresh or re-obtain consent at appropriate intervals.
While this is often referred to as “cookie compliance,” it is essential to recognise that these rules apply to any technology that stores or accesses data on a user’s device, for example browser local storage, tracking pixels that set or read identifiers, and SDKs embedded in mobile apps. It is therefore vital for organisations to consider the broader scope of tracking tools and embedded content in their compliance efforts.
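The three practical points from the start of the article (explain the cookies, let users refuse before anything is placed, let them change their mind later) and the audit-then-consent procedure in this section can be enforced in the page’s own script rather than left to banner wording. The following is an added example, not code from the original article or from Gerrish Legal: a consent gate in JavaScript through which every cookie write passes. The cookie names, categories, purposes and policy version are hypothetical, and a Map-backed store stands in for `document.cookie` so the script runs under Node.js.

```javascript
// Added example, not from the original article: a consent gate that refuses to
// set non-essential cookies until the user has actively opted in, records the
// decision, and removes cookies again when consent is withdrawn.
// Cookie names, categories, purposes and the policy version are hypothetical.

const CATEGORIES = ['strictly-necessary', 'functionality', 'performance', 'marketing'];

// The cookie audit as a registry: every cookie the site sets must be listed here
// with its category and a plain-language purpose (reused for the banner text).
const COOKIE_REGISTRY = {
  sessionid: { category: 'strictly-necessary', purpose: 'Keeps you signed in' },
  lang: { category: 'functionality', purpose: 'Remembers your language choice' },
  _pa_id: { category: 'performance', purpose: 'Usage statistics for improving the site' },
  _ad_id: { category: 'marketing', purpose: 'Targeted advertising by a third-party network' },
};

const CONSENT_COOKIE = 'cookie_consent';

// In a browser this would wrap document.cookie; a Map keeps the example runnable offline.
function createMemoryStore() {
  const jar = new Map();
  return {
    get: (name) => jar.get(name),
    set: (name, value) => { jar.set(name, value); },
    remove: (name) => { jar.delete(name); },
    names: () => [...jar.keys()],
  };
}

class ConsentManager {
  // policyVersion changes whenever cookie usage changes, invalidating older consent records.
  constructor(store, policyVersion, now = () => new Date().toISOString()) {
    this.store = store;
    this.policyVersion = policyVersion;
    this.now = now;
  }
  // The stored decision, or null when there is none, it is unreadable, or it predates the current policy.
  decision() {
    const raw = this.store.get(CONSENT_COOKIE);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec && rec.choices && rec.policyVersion === this.policyVersion ? rec : null;
    } catch (e) { return null; }
  }
  // Silence, inactivity or an outdated record all mean "no": nothing is pre-ticked.
  isAllowed(category) {
    if (category === 'strictly-necessary') return true;
    const rec = this.decision();
    return rec !== null && rec.choices[category] === true;
  }
  // Record an explicit per-category choice with a timestamp; categories left out default to refused.
  recordDecision(choices) {
    const normalised = {};
    for (const c of CATEGORIES) {
      if (c !== 'strictly-necessary') normalised[c] = choices[c] === true;
    }
    const record = { policyVersion: this.policyVersion, at: this.now(), choices: normalised };
    this.store.set(CONSENT_COOKIE, JSON.stringify(record));
    this.enforce();
    return normalised;
  }
  // Every cookie write goes through the registry, so a cookie missed by the audit cannot slip past the gate.
  setCookie(name, value) {
    const entry = COOKIE_REGISTRY[name];
    if (!entry) throw new Error(`cookie "${name}" is not in the registry; audit it first`);
    if (!this.isAllowed(entry.category)) return false;
    this.store.set(name, value);
    return true;
  }
  // Withdrawing is one call, like consenting: flip the category off and delete what it already set.
  withdraw(category) {
    const rec = this.decision();
    return this.recordDecision({ ...(rec ? rec.choices : {}), [category]: false });
  }
  // Remove any stored cookie whose category is no longer permitted.
  enforce() {
    for (const name of this.store.names()) {
      const entry = COOKIE_REGISTRY[name];
      if (entry && !this.isAllowed(entry.category)) this.store.remove(name);
    }
  }
}

// Walkthrough on a fresh store; each step records whether the write was allowed.
function walkthrough() {
  const store = createMemoryStore();
  const cm = new ConsentManager(store, 'policy-2025-01', () => '2025-01-01T00:00:00.000Z');
  const steps = [];
  steps.push(['sessionid before any choice', cm.setCookie('sessionid', 's3ss10n')]); // true
  steps.push(['_ad_id before any choice', cm.setCookie('_ad_id', 'track-me')]); // false
  cm.recordDecision({ performance: true }); // the user ticked only Performance
  steps.push(['_pa_id after opting in', cm.setCookie('_pa_id', 'anon-42')]); // true
  steps.push(['_ad_id after opting in', cm.setCookie('_ad_id', 'track-me')]); // false
  cm.withdraw('performance');
  steps.push(['_pa_id still stored after withdrawal', store.names().includes('_pa_id')]); // false
  return steps;
}

console.log(walkthrough());
```

Nothing non-essential is written until `recordDecision` has stored an explicit opt-in; an absent, malformed or out-of-date consent record counts as a refusal, which is the “silence is not consent” rule expressed in code. The policy version is bumped whenever cookie usage changes, so the banner is shown again, matching the re-consent point above, and `withdraw` removes cookies already placed rather than only stopping new ones.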
How Can Gerrish Legal Help?
Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property.
We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements.
We are here to help you; get in contact with us today for more information.