Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your website uses analytics, marketing pixels, embedded videos, live chat, or most third-party tools, you’re probably using cookies (or similar tracking technologies) in one way or another.
And if you’re using cookies, you may need a cookie banner that lets users make a real choice - including a clear option to reject cookies.
This isn’t just a “nice to have”. Under UK privacy law, the way you set up cookie consent can create real compliance risk for your business. The good news is that getting it right is usually a practical (and very fixable) website task once you know what the rules are.
Below, we’ll break down what a reject cookies option needs to look like under UK GDPR and PECR, how to implement it in a business-friendly way, and the common mistakes to avoid.
This article is general information only and isn’t legal advice. Cookie compliance can be technical and fact-specific, so it’s worth getting tailored advice if you’re unsure.
Why A “Reject Cookies” Option Matters (UK GDPR & PECR Basics)
In the UK, cookies are mainly regulated by two overlapping legal frameworks:
- PECR (the Privacy and Electronic Communications Regulations) - these rules sit alongside data protection law and specifically cover cookies and similar technologies.
- UK GDPR (and the Data Protection Act 2018) - these apply when cookies involve personal data (which is common, especially for analytics, advertising, or device identifiers).
In plain English, PECR is the rule that generally says: you must not store or access information on a user’s device (including via cookies) unless:
- the user has given consent, or
- the cookie is strictly necessary for providing the service the user requested (for example, keeping items in a shopping cart, or maintaining login sessions).
That’s where a “reject cookies” option becomes important. If your banner only offers an “Accept” button (or makes rejection hard to find), you’re not really offering a free choice.
From a compliance perspective, regulators (including the ICO) generally expect that:
- Rejecting non-essential cookies should be as easy as accepting them.
- Users should be able to make a choice before non-essential cookies are set.
- Consent shouldn’t be nudged through confusing wording, design tricks, or “cookie walls”.
For small businesses, a good way to think about it is: if your cookie banner is designed to push people into clicking “Accept”, it’s probably not compliant.
What Counts As Cookies (And When You Need Consent)
When we say “cookies”, we’re really talking about a broader category: cookies and “similar technologies” that store or read information on a user’s device. This can include things like local storage, tracking pixels, SDKs, device fingerprinting techniques, and certain tags/scripts.
The key legal question isn’t the name of the technology - it’s what it does.
Strictly Necessary Cookies (Usually No Consent Needed)
You normally don’t need consent for cookies that are strictly necessary to deliver a service the user actively asked for.
Common examples include cookies used for:
- shopping basket functionality and checkout flow
- security cookies (e.g. to detect fraud, keep sessions secure)
- load balancing (to keep the site stable)
- remembering a user’s consent preferences (so the banner doesn’t reappear every page load)
Be careful here: “necessary for us as a business” is not the same thing as “strictly necessary for the user-requested service”. Convenience, marketing insights, and performance tracking are usually not “strictly necessary”.
Non-Essential Cookies (Consent Usually Required)
You generally do need consent for cookies used for:
- analytics (measuring traffic, user journeys, conversions)
- marketing/advertising (retargeting, attribution, ad delivery)
- personalisation (remembering preferences that aren’t essential)
- embedded content that tracks users (some video, social media, maps, etc.)
If you’re a small business running online sales or lead generation, this is where most websites end up. Even if you’re not “doing ads”, many third-party plugins and integrations drop cookies by default.
And once consent is required, you need a real way for users to say no - meaning a visible and functional option to reject cookies.
How To Add A “Reject Cookies” Option (A Step-By-Step Checklist)
Adding a reject cookies option isn’t just changing the words on a banner. You want to make sure the user’s choice actually controls what loads on the page.
Here’s a practical process many small businesses follow.
1) Audit Your Cookies And Scripts First
Before you update your banner, you need to know what your site is doing.
- List your website tools: analytics, ad tags, CRM forms, chat widgets, booking systems, embedded media, A/B testing tools, etc.
- Identify which ones drop cookies (or access device info) and whether they’re essential.
- Check whether third parties set cookies via your site (this is very common).
If you skip this step, your reject cookies button might look good but won’t actually prevent tracking.
2) Categorise Cookies In A Way Users Can Understand
Most cookie setups use categories. Common categories include:
- Strictly necessary (always on)
- Analytics (optional)
- Marketing (optional)
- Preferences (optional)
For each category, you should be able to explain (in plain English):
- what it does
- who sets it (you vs third parties)
- how long it lasts (where possible)
This information typically sits in your cookie documentation, such as a Cookie Policy, with your banner linking to it.
3) Design The Banner So “Reject Cookies” Is Clear And Equal
To be on the safe side, your banner should generally include:
- An Accept button
- A Reject button (or “Reject all non-essential”)
- An option to manage preferences (granular controls)
Best practice is that “Accept” and “Reject” are presented with equal prominence. That usually means:
- similar size, colour weight, and placement
- both available at the first layer (not hiding “Reject” inside multiple clicks)
- no confusing language like “Accept and continue” vs “Settings” (which nudges users)
If your banner only shows “Accept” and “Manage options”, that can create risk - because rejection becomes harder than acceptance in practice.
4) Make Sure Non-Essential Cookies Don’t Load Until The User Chooses
This is the part that often trips businesses up.
Even if your banner offers a reject cookies option, you still need to make sure your website behaviour matches it. In many cases, that means:
- blocking non-essential scripts from running until the user clicks “Accept” (or opts into specific categories)
- loading scripts conditionally based on the consent choice
- preventing tags from firing by default
From a technical angle, this is often handled through a consent management platform (CMP) or your tag management configuration, but it can also be implemented in other ways depending on your website setup. The key is that rejecting cookies should genuinely stop non-essential cookies being set.
5) Make It Easy To Change Your Mind Later
UK GDPR consent standards require that withdrawing consent is as easy as giving it.
In practice, this usually means:
- having a persistent “cookie settings” link in your website footer (or privacy area)
- allowing users to update preferences without hunting for it
- making sure any change is applied (e.g. disabling further tracking)
This is also a good moment to review whether your Privacy Policy explains how you use personal data collected via cookies and similar technologies.
6) Keep Records Of Consent (And Your Cookie Decisions)
If you ever need to show how your website handles cookie consent, it helps to have records. Depending on how your site is set up, this can include:
- consent logs showing choices (without collecting unnecessary personal data)
- a cookie register (what cookies exist, purpose, duration, provider)
- internal notes on why certain cookies are “necessary”
- review dates (so you periodically update your cookie list)
For many small businesses, it’s also sensible to document how cookie data fits into your overall GDPR compliance work - for example, your retention practices and why you keep data for certain periods. If you’re reviewing that, data retention (including data retention periods) can be a useful companion topic.
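Steps 4 to 6 can be tied together in one small gate: nothing optional loads until an explicit opt-in, a later rejection is honoured on the next page view, and each choice is recorded without a user identifier. This is an added JavaScript example, not code from this article's author or from any consent management platform; `createConsentGate`, the tag list, the category names and the in-memory store are hypothetical.

```javascript
// Added example: consent-gated tag loading. All names here are hypothetical.
const OPTIONAL = ["analytics", "marketing", "preferences"];

// loadScript and store are injected: in a browser, loadScript would append a
// <script> element and store would wrap a first-party consent cookie.
function createConsentGate({ tags, loadScript, store, now = () => new Date() }) {
  const loaded = new Set(); // script URLs injected during this page view
  const log = [];           // consent records: timestamp and choice, no user identifier
  let state = store.get();  // null until the user has made a choice

  function apply() {
    for (const tag of tags) {
      const allowed = tag.category === "necessary" || Boolean(state && state[tag.category] === true);
      if (allowed && !loaded.has(tag.src)) {
        loadScript(tag.src);
        loaded.add(tag.src);
      }
    }
  }

  function choose(choice) {
    // Only an explicit `true` counts as consent; a missing key means rejected.
    state = Object.fromEntries(OPTIONAL.map((c) => [c, choice[c] === true]));
    store.set(state);
    log.push({ at: now().toISOString(), choice: { ...state } });
    apply();
    // A running script cannot be unloaded: return the ones that now lack
    // consent so the caller can reload the page and clear their cookies.
    return tags
      .filter((t) => t.category !== "necessary" && loaded.has(t.src) && !state[t.category])
      .map((t) => t.src);
  }

  apply(); // page load: necessary tags, plus whatever a stored choice allows
  return {
    acceptAll: () => choose(Object.fromEntries(OPTIONAL.map((c) => [c, true]))),
    rejectAll: () => choose({}),
    save: choose, // granular "manage preferences" layer
    loaded: () => [...loaded],
    log: () => log.slice(),
  };
}

// Constructed sample data: three tags and an in-memory stand-in for the cookie.
const SAMPLE_TAGS = [
  { src: "/js/cart.js", category: "necessary" },
  { src: "https://analytics.example/a.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];
function memoryStore() {
  let v = null;
  return { get: () => v, set: (x) => { v = x; } };
}
```

A tag whose category is not in the optional list and is not `necessary` never loads, so a newly added script stays blocked until it has been categorised.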
Common “Reject Cookies” Mistakes Small Businesses Should Avoid
Most cookie compliance issues aren’t caused by bad intentions - they happen because website plugins and default settings don’t match what the law expects.
Here are the big pitfalls to watch out for.
Making “Reject Cookies” Harder Than “Accept”
If users can accept cookies in one click, but rejecting requires several clicks, scrolling, or reading dense settings, your consent is less likely to be considered “freely given”.
A practical fix is to offer a “Reject all non-essential” button on the first banner layer and keep the detailed toggles as an extra option.
Pre-Ticked Boxes Or Default “On” Toggles For Optional Cookies
Consent must be an affirmative action. Pre-ticked boxes (or equivalent default opt-ins) are a red flag.
If you use toggles in “Manage preferences”, optional categories should generally be off by default until the user chooses otherwise.
Claiming Analytics Are “Strictly Necessary”
Analytics are extremely useful for a business - but they’re usually not strictly necessary to provide the service the user asked for.
If you treat analytics as necessary when they aren’t, your banner and cookie policy can become misleading.
Setting Cookies Before Consent (Even For A Split Second)
Some sites show a banner but still load tracking scripts immediately on page load. That defeats the point of the banner.
If you want a compliant reject cookies option, you need to stop non-essential cookies from being placed until after opt-in.
Not Updating Cookie Lists When Your Website Changes
Your cookie situation can change whenever you:
- add a plugin
- embed a new tool
- change your website theme
- run a new marketing campaign
If your cookie policy and banner aren’t reviewed regularly, they can quickly fall out of date.
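The last two mistakes can be checked mechanically by comparing what a first visit actually sets against the cookie register from the audit step. The following is an added JavaScript example, not code from the article's author; the register entries, cookie names and `Set-Cookie` values are constructed, and `auditPreConsent` is a hypothetical helper.

```javascript
// Added example: names, register entries and header values are constructed.
const REGISTER = new Map([
  ["session_id", "necessary"],
  ["cookie_consent", "necessary"],
  ["_an_id", "analytics"],
]);

// Parse one Set-Cookie value into { name, seconds } (seconds: null = session cookie).
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq > 0 ? pair.slice(0, eq).trim() : "";
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    if (i === -1) continue; // flag attributes such as HttpOnly or Secure
    const key = attr.slice(0, i).trim().toLowerCase();
    const val = attr.slice(i + 1).trim();
    if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = Number(val);
    if (key === "expires" && !Number.isNaN(Date.parse(val))) {
      expires = Math.round((Date.parse(val) - now) / 1000);
    }
  }
  // Max-Age takes precedence over Expires when both are present.
  return { name, seconds: maxAge !== null ? maxAge : expires };
}

// headers: Set-Cookie values captured on a first visit, before any banner choice.
function auditPreConsent(headers, register = REGISTER, now = Date.now()) {
  const findings = [];
  for (const header of headers) {
    const { name, seconds } = parseSetCookie(header, now);
    if (!name) continue;                            // malformed header
    if (seconds !== null && seconds <= 0) continue; // deletion, not a new cookie
    const category = register.get(name);
    if (category === "necessary") continue;
    findings.push({
      name,
      days: seconds === null ? null : Math.round(seconds / 86400),
      issue: category ? `${category} cookie set before consent` : "not in cookie register",
    });
  }
  return findings;
}

const SAMPLE_HEADERS = [
  "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "_an_id=x9f2; Max-Age=63072000; Path=/",
  "promo_seen=1; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
  "old_pref=; Max-Age=0",
];
```

Cookies written by scripts through `document.cookie` never appear in response headers, so the same comparison should also be run over the browser's own cookie list after the page has finished loading.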
What Else You Need Alongside A “Reject Cookies” Option
Cookie compliance isn’t only about the banner. The banner is the front door - but you also want the rest of your privacy setup to match what you’re doing online.
A Clear Privacy Policy
If cookies (or similar technologies) result in you processing personal data, your privacy information should cover things like:
- what personal data you collect via your website
- why you collect it and your lawful basis (where relevant)
- who you share it with (including third parties)
- international transfers (if applicable)
- data subject rights and how to exercise them
This is often handled through a well-drafted Privacy Policy that works together with your cookie information.
A Cookie Policy That Matches Your Actual Setup
A cookie policy is where you can give more detailed information that doesn’t fit neatly into a banner.
For example, you might include:
- a cookie table (name, purpose, provider, expiry)
- cookie categories and what they mean
- how to change cookie settings
- how to contact you with privacy questions
If your website has different tools across pages (for example, marketing landing pages vs your main site), make sure the Cookie Policy reflects this.
Internal Policies For Your Team (So You Stay Consistent)
Cookies are often added by marketing teams, web developers, or agencies, sometimes without a full legal review. A simple internal process can prevent accidental non-compliance.
Depending on your business, it may help to have an Acceptable Use Policy (or similar internal guidelines) so staff know what tools they can install and what checks are needed before adding tracking scripts.
A Broader GDPR Compliance Plan
If you’re collecting customer data through your website (forms, email signups, bookings, online sales), cookies are only one part of the bigger picture.
It can be worth pulling your privacy compliance together in one consistent approach (especially as you grow), such as a GDPR Package that covers the core documents and processes.
Key Takeaways
- A compliant cookie banner for many UK business websites should offer a clear option to reject cookies, not just an “Accept” button.
- Under PECR, you generally need consent for non-essential cookies (like analytics and marketing), unless the cookie is strictly necessary to deliver a service the user requested.
- Under UK GDPR, consent must be freely given, informed, specific, and easy to withdraw - which usually means rejecting cookies should be as easy and prominent as accepting them.
- A reject cookies option only works if your website is configured to block non-essential scripts until a user opts in.
- You should support your cookie banner with a clear Cookie Policy and Privacy Policy, and keep them updated as your website tools change.
- For growing businesses, it’s worth putting a simple internal process in place so new plugins and tracking tools don’t get added without the right checks.
If you’d like help reviewing your cookie banner, cookie policy, and wider UK GDPR compliance (so you’re protected from day one), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.


