Write email

Reject All” Must Be As Easy As “Accept All” – Even for Non-EU Websites

Author: Arno Schlösser, DP-Dock GmbH
Last updated: October 2025
Category: Cookies, Data Security, Consumer Rights

A German court ruled in March 2025 that cookie consent banners must present a “Reject All” button as clearly and prominently as “Accept All” – and this applies to any website targeting users in the EU, regardless of where the company is based.

Who is affected?

Companies inside and outside the EU/EEA (e.g. in the US, UK, Canada)
Websites or apps that:
- Are accessible to EU users
- Offer services or content in EU languages
- Accept EU currencies or ship to the EU
- Use cookies or tracking for EU visitors

If you target the EU, you must comply with the GDPR and the ePrivacy Directive, including valid cookie consent.

Even if you are not subjected to german jurisdiction, enforcement trends in the EU are converging and design matters just as much as the legal basis.

Key takeaways from the ruling:

Users must be given a genuine choice — “Accept All” and “Reject All” must be equally accessible
“Reject All” cannot be hidden behind settings or multiple clicks
Design that nudges users toward acceptance (so-called “dark patterns”) may violate consent rules
Consent must be freely given, specific, informed, and unambiguous

Recommended actions:

Audit your cookie banner and consent UX for EU users
Implement a first-layer “Reject All” option
Ensure no tracking or data collection occurs before consent
Maintain records of user consent in case of regulatory inquiry

EU regulators have made it clear: the GDPR applies based on where the (targeted) users are, not where the company is. Find the court ruling here.

Need help?

If your company operates a website or app used by EU residents, it’s time to double-check your consent mechanisms. Reach out to your privacy team, or legal counsel for a compliance review.

DP-Dock GmbH can support you in an advisory capacity to ensure that the legal requirements of the GDPR and e Privacy Directive are implemented correctly.

Should you have any questions or require further information, please do not hesitate to contact us any time.

Cookie banner box with the heading “We use cookies” and two buttons of the same color, ‘Accept’ and “Decline.” — © Generated with AI / chatgpt.com

Back to the news overview

Privacy settings

We use cookies on our website. Some of them are essential, while others help us improve this website and your experience.

In this overview you can select and deselect individual cookies of a category or entire categories. You will also receive more information about the cookies available.

Group	essential
Name	Matomo
Technical name
Provider
Expire in days	72
Privacy policy
Use	Use without cookies
Allowed
Group	external media
Name	Calendly
Technical name	__cf_bm,__cfruid,OptanonConsent
Provider	Calendly LLC
Expire in days	365
Privacy policy
Use	To arrange appointments via the provider Calendly
Allowed
Name	Contao CSRF Token
Technical name	csrf_contao_csrf_token
Provider	Contao
Expire in days	0
Privacy policy
Use	Serves to protect the website from cross-site request forgery attacks. After closing the browser, the cookie is deleted again.
Allowed
Name	Contao HTTPS CSRF Token
Technical name	csrf_https_contao_csrf_token
Provider	Contao
Expire in days	0
Privacy policy
Use	Serves to protect the encrypted website (HTTPS) against falsification of cross-site requests. After closing the browser the cookie is deleted again
Allowed
Name	PHP SESSION ID
Technical name	PHPSESSID
Provider	Contao
Expire in days	0
Privacy policy
Use	PHP cookie (programming language), PHP data identifier. Contains only a reference to the current session. There is no information in the user's browser saved and this cookie can only be used by the current website. This cookie is used all used in forms to increase usability. Data entered in forms will be e.g. B. briefly saved when there is an input error by the user and the user receives an error message receives. Otherwise all data would have to be entered again
Allowed