Our Cookie Banner Was Rejected

Your cookie banner has been flagged as non-compliant. The flag may have come from a supervisory authority (notice of inquiry or complaint), an enterprise customer's privacy review, a compliance audit, or your own internal review. Whatever the source, you need to understand what's wrong and fix it fast.

This page covers the most common cookie banner failures, how to prioritize remediation, and how to prevent recurrence.

The most common reasons banners get rejected

Reject all hidden behind extra clicks while Accept all is prominent. The CNIL and other EU supervisory authorities have repeatedly fined this pattern. The first layer of the banner must offer reject as visibly and easily as accept. Hiding reject in a second-layer menu or in user settings is the most common failure.

Cookies loading before consent. The banner appears but non-essential cookies have already been placed. Browser developer tools easily reveal this. Any non-essential cookie (analytics, advertising, marketing, third-party trackers) must wait until explicit consent.

Pre-ticked boxes. Defaulting any non-essential cookie category to opt-in via pre-ticked box is invalid consent under GDPR and ePrivacy. All non-essential categories must default to opt-out.

Implied or browse-on consent. Banner language like "by continuing to use this site you consent to cookies" is not valid consent. Consent must be a clear affirmative action.

Lumped consent. A single Accept all button covering analytics, advertising, marketing, and personalization without offering category-level choices is non-compliant. Granular consent by purpose is required.

Asymmetric design. The Accept button is visually prominent (color, size, position) while the Reject button is visually de-emphasized (low contrast, small, hidden). This is a recognized dark pattern.

Cookie wall. Conditioning site access on accepting non-essential cookies. The EDPB and several supervisory authorities have ruled cookie walls typically invalid.

Withdrawal harder than consent. Many banners make accept one click but require users to navigate to settings to withdraw. Withdrawal must be equally easy. A persistent preference link should be available.

Missing or vague cookie information. The banner or linked cookie notice does not explain what cookies are placed, the third parties involved, the purposes, retention, and rights.

US-only banner shown to EU users. Some companies use Do Not Sell links designed for CCPA but those do not satisfy ePrivacy consent for EU users.

The first 48 hours

Identify the source and urgency of the flag.

If a supervisory authority has issued a notice or complaint, you have a regulatory deadline. Treat it as urgent.

If an enterprise customer flagged it during procurement, you have a commercial deadline tied to the deal.

If internal review flagged it, you have flexibility but should not delay.

Audit the current state. Use a cookie scanner (browser DevTools, the OneTrust scanner, the Cookiebot scanner, or similar tools) to identify what cookies are currently being placed, when they are placed relative to consent, and what third parties are involved.

Match the audit findings against the common failures listed above. Most banner rejections involve multiple failures stacked together.
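
The audit step above, as an added example that is not part of the original page: a Node.js script that replays a capture of cookie writes and consent actions in time order and reports every cookie set without consent for its category, including after withdrawal. The cookie names, the register, the event format, and the sample capture are all constructed for illustration; in practice the events would be exported from your scanner or DevTools.

```javascript
// Constructed cookie register: name pattern -> category (hypothetical names).
const REGISTER = [
  [/^(session_id|consent_state)$/, 'strictly_necessary'],
  [/^_an_/, 'analytics'],
  [/^ad_/, 'advertising'],
];

const classify = (name) =>
  (REGISTER.find(([pattern]) => pattern.test(name)) || [null, 'unclassified'])[1];

// Third party = cookie domain is neither the site host nor a parent of it (no public-suffix handling).
function isThirdParty(cookieDomain, siteHost) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = siteHost.toLowerCase();
  return !(h === d || h.endsWith('.' + d));
}

// Replays the capture in time order; a withdrawal is a consent event granting fewer categories.
function auditCapture(events, siteHost) {
  const findings = [];
  let granted = new Set(); // nothing is granted until the user acts
  for (const ev of [...events].sort((a, b) => a.t - b.t)) {
    if (ev.type === 'consent') { granted = new Set(ev.granted); continue; }
    const category = classify(ev.name);
    if (category === 'strictly_necessary' || granted.has(category)) continue;
    findings.push({
      t: ev.t, name: ev.name, category,
      thirdParty: isThirdParty(ev.domain, siteHost),
      reason: category === 'unclassified' ? 'not in register' : 'no consent for category',
    });
  }
  return findings;
}

// Constructed capture (t = ms since navigation start).
const SAMPLE = [
  { t: 120, type: 'set', name: 'session_id', domain: 'www.example.test' },
  { t: 340, type: 'set', name: '_an_visitor', domain: '.example.test' },
  { t: 410, type: 'set', name: 'ad_uid', domain: 'tracker.invalid' },
  { t: 5200, type: 'consent', granted: ['analytics'] },
  { t: 5300, type: 'set', name: '_an_visitor', domain: '.example.test' },
  { t: 5400, type: 'set', name: 'promo_ab', domain: 'www.example.test' },
  { t: 9000, type: 'consent', granted: [] },
  { t: 9100, type: 'set', name: '_an_visitor', domain: '.example.test' },
];

console.table(auditCapture(SAMPLE, 'www.example.test'));
```

Each finding maps onto a failure listed above: writes before the first consent event are cookies loading before consent, a write after an empty grant means withdrawal did not take effect, and an unclassified cookie is a gap in the cookie notice.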

Quick fixes vs full remediation

Some failures can be fixed within 24 to 48 hours:

  • Pre-ticked box removal. Configure your CMP to default all non-essential categories to off.

  • Banner button parity. Reconfigure the banner so Reject all is equally prominent on the first layer.

  • Removing cookie wall. Allow site access regardless of consent state.

  • Adding a persistent preference link. Footer link to update cookie choices.

Other fixes require deeper work and more time:

  • Cookie classification. Ensuring all cookies are correctly classified as strictly necessary vs other categories. Requires reviewing each cookie's actual function.

  • Blocking before consent. Ensuring non-essential cookies and third-party scripts do not load until consent. Often requires tag manager reconfiguration or CMP integration changes.

  • Granular consent implementation. Adding category-level consent if you only had all-or-nothing. Requires CMP reconfiguration.

  • Vendor-by-vendor consent management. Some advanced cookie banners offer vendor-level consent under IAB TCF or similar frameworks. Implementation can take weeks.

  • Multi-jurisdictional banner logic. Detecting user location and presenting appropriate banner variants for EU, UK, US, and other jurisdictions.

Preventing recurrence

A compliant cookie banner needs ongoing maintenance. New plugins, marketing tools, and third-party scripts can add cookies that bypass the existing CMP. Common preventive measures:

  • Cookie audit on a quarterly schedule.

  • Tag manager governance. Require marketing and engineering teams to register new tags and scripts with the privacy team before deployment.

  • CMP integration. Connect your CMP to your tag manager so all tags are gated on consent by default.

  • Consent management testing. Periodic browser-based testing that consent withdrawal actually stops cookies.

  • Cookie notice content review whenever new cookies are added.

How Engage Compliance helps

Cookie compliance is included in our DPO services. Specific work includes:

  • Cookie audit using scanning tools and manual review.

  • Banner design and CMP configuration review against ePrivacy and GDPR requirements.

  • CMP selection guidance (OneTrust, Cookiebot, Usercentrics, Termly, Iubenda, Didomi, Sourcepoint).

  • Multi-jurisdictional banner design.

  • Cookie notice drafting.

  • Supervisory authority response if cookie compliance has been challenged.

For non-clients with a specific cookie banner remediation need, we engage on a focused project basis.

Get started

If your cookie banner has been challenged and you need fast remediation, book a consultation.