It’s a question that many website owners face, especially now that the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, or AP) is highlighting this in their guidelines. Below is a practical summary of the discussion between a developer and two clients, shedding light on the technical and legal nuances of cookie consent.
Short summary
- Two clients reported that their cookie banner lacked a ‘Reject’ button, which they believed was required by the AP.
- Technically, it’s not necessary to reject all cookies, as essential (necessary) cookies can always be placed without user consent.
- The term ‘Reject’ may be misleading—users still get necessary cookies, even if they press ‘Reject’; therefore, the banner should clearly explain this.
- A practical workaround is to label the ‘Accept only necessary cookies’ button as ‘Reject’, aligning with AP examples while staying legally compliant.
- The GDPR Consent plugin used does not support rejecting all cookies (since some are essential), but it can be configured to meet AP expectations with clear labeling.
Does your cookie banner need a ‘Reject’ button?
Two clients recently asked us if their cookie banner is correct. They were worried because there is no button that says ‘Reject’. According to the Dutch privacy authority (Autoriteit Persoonsgegevens, or AP), this button should be there.
Here is our explanation and what you can do to fix it in a simple and clear way.
What the rules say
You don’t always need a real ‘Reject all cookies’ button. That’s because some cookies are necessary for your website to work. These are allowed without permission. So, rejecting all cookies is not possible or needed.
The AP gives examples of banners with a ‘Reject’ button, but this button usually just means that the user only accepts necessary cookies.
What we did for one client
One client had a banner on their site. There, cookies were already being placed before the user clicked anything. These are necessary cookies, so that is allowed.
We found that calling the button ‘I refuse’ can be confusing, because it sounds like no cookies will be placed. But in reality, necessary cookies are still used. To make things clearer, we changed the label of the button that accepts only necessary cookies to say ‘Reject’. This is more in line with what the AP expects.
Also, we noticed that the ‘Close’ button was already doing the same thing: it only allowed necessary cookies. But now, with the clearer ‘Reject’ label, visitors better understand what’s happening.
What about the AP’s advice?
The AP is now more active in asking websites to show a clear reject option. That makes sense for cookies used for tracking or marketing. But again, necessary cookies do not need to be rejected, and cannot be blocked without breaking the site.
Even the AP’s own website places one necessary cookie without asking permission. So, your website is not doing anything wrong by allowing these types of cookies by default.
How your GDPR Consent plugin handles this
If you use a plugin like the GDPR Consent plugin, it does not have a ‘Reject All Cookies’ button—because that would make your website stop working. But it does offer a button that only accepts necessary cookies. You can turn this on and possibly rename it to ‘Reject’, just like the AP shows in its examples.
What you can do now
If you want to follow the rules and keep things clear for your visitors, just turn on the button that allows only necessary cookies, and change its label to ‘Reject’. This keeps your site working well and shows users that they have a choice. Also, make sure the cookie banner explains clearly that some cookies are still needed for the website to function.
In summary
You don’t have to offer a button that blocks everything. But if you label the ‘only necessary cookies’ button as ‘Reject’, your banner will meet the expectations of the AP and stay user-friendly. This way, your site is both legally correct and easy to use.
3 Actions you can take
Here are 3 concrete actions to make your cookie banner compliant with AP (Autoriteit Persoonsgegevens) guidelines:
- Activate the ‘Accept only necessary cookies’ Button
– Enable this option in your cookie plugin to give users a clear choice besides ‘Accept All’. - Rename the Button to ‘Reject’ (optional)
– Change the label of ‘Accept Only Necessary Cookies’ to ‘Reject’ to match AP’s examples and clarify the action to visitors. - Review cookie usage for compliance
– Ensure that only essential cookies are placed by default, and no tracking cookies are loaded before user consent.
Need more background on creating cookie compliance?
Read our guide to creating a clear and effective cookie compliance checklist here.
