What "reject all" really has to do under GDPR (and why most banners get it wrong)
A cookie banner that puts "Accept all" on the front page and buries "Reject all" two clicks deep is not a defect — it is the violation.
Banner parity is the most-enforced consent rule in the EU. CNIL fined Google €150 million and Facebook €60 million in 2022 for asymmetric design (cases 2021-024 and 2021-026). Italy’s Garante has issued comparable sanctions. The Spanish AEPD, German BfDI, and Belgian APD have aligned. The rule is not interpretive — it has specific, enforced requirements.
The rule, plainly
From CNIL’s guidelines on cookies and other trackers (Délibération 2020-091, March 2021):
"It must be as easy to refuse to consent as to give consent... If the user can consent at the first level by clicking on a single button, refusing must also be possible at the first level by clicking on a single button."
The EDPB Guidelines 03/2022 on dark patterns expand this into a set of recognized anti-patterns. The summary version: any design that makes accept easier than reject invalidates consent.
What passes parity
- Two buttons, equal prominence. “Accept all” and “Reject all” on the same banner, same row, similar size, equivalent color treatment (either both branded or both neutral).
- Three buttons. “Accept all,” “Reject all,” “Manage preferences.” Each on the first banner. Slightly bigger panel footprint, but parity-clean.
- Toggles defaulted to off, plus accept-all + reject-all buttons. The toggle UI is the granular path; the two buttons are the one-click paths. As long as both one-clicks are present on the first surface, this passes.
What fails parity
- “Accept all” button, “Manage preferences” link. The CMP industry’s most common default. Reject requires the user to click into a second panel and click reject there. Per CNIL: invalid consent. Fines have followed.
- “Accept all” button, “Continue without accepting” link. The reject path is present but the labeling is designed to be unread. CNIL has specifically called this out as a dark pattern in the Google and Facebook decisions.
- “Accept all” in brand color, “Reject all” in gray link text. Even when both options are on the same surface, asymmetric visual weight invalidates consent. The test is whether a user can identify both options with equal ease.
- Reject requires more clicks than accept. If accept is one click and reject is one click followed by a confirmation modal, accept is easier. Invalid.
- Reject button greyed out until the user reads the policy. The UX trick of making the reject path require interaction (scrolling, reading) to activate. Invalid per EDPB.
- Pre-ticked checkboxes for categories. Already established by the Planet49 CJEU decision (C-673/17, October 2019): consent must be active. Pre-ticked is invalid.
- Banner that re-appears on every page until accept. Pressure to accept. Invalid.
The CNIL-Google decision in detail
CNIL’s €150M fine of Google (Délibération SAN-2021-023, 31 December 2021) named the specific defect: youtube.com offered a button to accept cookies immediately, while refusal required “several clicks.” The decision quotes the design directly:
- Accept-all: 1 click on a clearly labeled button.
- Reject path: click “Personalize,” click “Deactivate all,” click “Confirm.” 3 clicks across two screens.
CNIL held that the 1-vs-3 click asymmetry invalidated consent. The fine reflected both the breach and the scale of YouTube’s French traffic.
The Italian Garante position
The Garante’s 2021 guidelines (Provvedimento 231 of 10 June 2021) added a specific design requirement: equivalent visibility. Two buttons that are present but differently styled — accept in green, reject in gray — fail Garante’s visibility test even when click count is equal.
The CMP vendor problem
Most CMP vendors (Cookiebot, OneTrust, Termly, CookieYes, Iubenda) ship default templates that fail parity. The defect is usually one of two:
- The default template buries reject behind a “Manage” link.
- The default template puts accept and reject on the same surface, but the visual styling makes accept a prominent button and reject a quiet link.
The compliance fix is a configuration change — toggle “display reject button on first banner,” equalize the colors. Most vendors offer this; the default does not. A Veracly scan’s cookie-banner-audit module specifically tests for this.
The cost of failure
Fines for banner parity violations have ranged from €5k (small SMB, German DPA) to €150M (Google). CNIL has stated that small businesses face proportional fines, not headline-grabbing ones, but the regulatory cost is not the largest exposure — the larger cost is that invalid consent invalidates all the data collected under it. A 12-month archive of analytics gathered under a non-compliant banner is data that cannot be lawfully retained.
Veracly’s parity check
Every Veracly scan runs the cookie-banner module on the homepage and three random internal pages. The parity check is automated: it captures the banner DOM, locates accept and reject affordances, measures their relative prominence (visual size, color contrast, click distance), and flags asymmetric designs. The report cites the specific CNIL/EDPB guidance violated and the typical CMP configuration fix.
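The kind of automated check described above can be sketched as follows. This is an added example, not Veracly's code: the affordance fields, the finding names and the 0.8 / 0.7 thresholds are assumptions, and the sample banners are constructed.

```javascript
// Added example. Field names and thresholds are assumptions for illustration,
// not values set by CNIL or the EDPB and not taken from any scanner.

// WCAG 2.x relative luminance of an sRGB colour given as [r, g, b].
function luminance(rgb) {
  const [r, g, b] = rgb.map((c) => {
    const s = c / 255;
    return s <= 0.04045 ? s / 12.92 : ((s + 0.055) / 1.055) ** 2.4;
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// WCAG contrast ratio (1 to 21) between two colours.
function contrast(a, b) {
  const [lo, hi] = [luminance(a), luminance(b)].sort((x, y) => x - y);
  return (hi + 0.05) / (lo + 0.05);
}

// banner: { bg, affordances: [{ role, tag, clicks, width, height, color, disabled }] }
// color = dominant visible colour: fill of a button, text colour of a link.
function checkParity(banner, { minArea = 0.8, minContrast = 0.7 } = {}) {
  const accept = banner.affordances.find((a) => a.role === "accept");
  const reject = banner.affordances.find((a) => a.role === "reject");
  if (!accept) return []; // no one-click accept, nothing to be asymmetric with
  if (!reject) return ["no-reject-path"];
  const findings = [];
  if (reject.clicks > accept.clicks) findings.push("reject-needs-more-clicks");
  if (reject.disabled && !accept.disabled) findings.push("reject-disabled");
  if (accept.tag === "button" && reject.tag !== "button") findings.push("reject-not-a-button");
  const area = (a) => a.width * a.height;
  if (area(reject) < minArea * area(accept)) findings.push("reject-smaller");
  const salience = (a) => contrast(a.color, banner.bg); // how far it stands out from the banner
  if (salience(reject) < minContrast * salience(accept)) findings.push("reject-lower-contrast");
  return findings;
}

// Constructed sample banners (not captured from any real site).
const WHITE = [255, 255, 255], BLUE = [26, 115, 232], GREY = [187, 187, 187];
const btn = (role, over = {}) => ({ role, tag: "button", clicks: 1, width: 140, height: 40, color: BLUE, ...over });
const symmetric = { bg: WHITE, affordances: [btn("accept"), btn("reject")] };
const buriedReject = { bg: WHITE, affordances: [btn("accept"), btn("reject", { clicks: 3 })] };
const quietLink = { bg: WHITE, affordances: [btn("accept"),
  btn("reject", { tag: "a", width: 90, height: 18, color: GREY })] };

for (const [name, b] of Object.entries({ symmetric, buriedReject, quietLink }))
  console.log(name, checkParity(b));
```

In a browser-based audit the same fields would be read from each control with `getBoundingClientRect()` and `getComputedStyle()`, with `clicks` counted by walking the banner's panels.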
Common questions
Does reject have to be a button on the first banner?
Yes, per CNIL guidance (March 2021) and EDPB Guidelines 03/2022 on dark patterns. The reject path must be on the same surface as the accept path, with the same visual weight. "Reject all" hidden behind a "Manage preferences" link does not meet parity.
Can I make "Accept all" prominent and "Reject all" plain?
No. The EDPB has consistently found that asymmetric visual design — accept as a colored button, reject as a small underlined link — invalidates the consent. CNIL has fined Google, Facebook, and Amazon for exactly this pattern.
What about a "Continue without accepting" link?
CNIL has called this pattern a dark pattern in published guidance. The user has to read the link to understand it means rejection; meanwhile "Accept all" is a clearly labeled button. The pattern does not meet the "as easy as" parity test.
Does reject have to be the same color and size as accept?
Not literally the same, but functionally equivalent. The test, per EDPB, is whether a reasonable person presented with the banner would identify both options with equal ease and click either with equal effort. Two buttons of similar prominence pass; an "Accept all" button and a "More options" link do not.