UK websites urged to add “reject all” button – what that means

Josie Fenwicke, Senior Director of Client Services, UK
August 14, 2023

The ICO (Information Commissioner’s Office) and CMA (Competition & Markets Authority) have jointly published a blog post, and a paper titled “Harmful Design in Digital Markets,” calling on organisations to “stop using harmful design practices that could undermine people’s control over their personal information.”

Both the paper and blog focus on cookie consent banners as an area where harmful design practices appear. The blog makes clear that to avoid “distort[ing] users choices…a website’s cookie banner should make it as easy to reject non-essential cookies as it is to accept them.” 

The ICO may take formal regulatory action against companies that continue to engage in practices that contravene data protection law. Some examples of potentially harmful practices include: 

  1. Nudging, or requiring more steps, time or friction to disagree to personal data collection than to agree, such as including an “allow all” button to consent to non-essential cookies without an equivalent “reject all” (or similar) button to refuse consent with the same ease, at the same layer; 
  2. Confirm-shaming, or pressuring or shaming someone by making them feel guilty or embarrassed (e.g., displaying “Nahh, I hate savings” after a user refuses a discount in exchange for providing personal information); 
  3. Biased framing, or not giving equal weight to the risks and benefits of a decision (e.g., “If you don’t share your search history with us, the information and ads you see may not be as relevant or useful to you.”); 
  4. Bundled consent for multiple purposes (e.g., remembering your settings and showing personalized ads) via a single consent action;
  5. Low-privacy default settings (e.g., “make my posts visible to everyone” as a default setting).

So what does this mean for UK companies?

The first layer of your consent banner should include a button that allows users to opt out of all technology, including non-essential technology. That button is often labelled “Reject All.”

The “Reject All” button must have the same prominence as the option to consent to all technologies, or “Accept All” button. In general, the option to not consent cannot require more steps, time, or friction than consenting. 

We recommend working with your company’s Data Protection Officer to decide on your organisation’s best course of action. 

Who is subject to enforcement?

In the short term, the ICO will be looking at the most frequently visited sites in the UK. This could include large publishers, social media sites and brands, but there is no set cutoff for who is subject to enforcement. 

As a general baseline, if you are within the top 100 sites in the UK in terms of web visits, you should be putting a plan in place for addressing this new guidance. 

The TCF doesn’t require a “Reject All” button — do I still need to follow ICO guidance?

IAB Europe’s TCF (Transparency & Consent Framework) gives the advertising industry a standard for collecting consent in accordance with GDPR and the ePrivacy Directive. 

However, the Data Protection Authority within each region has the power to dictate additional requirements for compliance. As such, UK organisations should be prepared to adhere to their local authority’s guidance. 

The ICO has indicated that it plans to take regulatory action against harmful design practices, which can include, but are not limited to, the absence of a “Reject All” option where an “Accept All” option is presented.

There are two main interpretations of how a “Reject All” action should impact the consent string.

One interpretation is that the consent string should reflect a “Reject All” state, which means ads can’t be shown in a manner that involves collecting personal data. 

The other interpretation is that the consent string should reflect “Legitimate Interest Only.” That would mean personal data can only be collected for the purposes that have been declared as Legitimate Interest.

There is an argument for both, and the ICO may come out with additional clarification in the coming months. For now, it’s up to each organisation to determine which approach is appropriate for them. 

How will a “Reject All” button impact revenue?  

Some UK sites have already started testing the impact of adding a “Reject All” button. Based on these tests, websites can expect to see a “Reject All” rate of between 15% and 30%.

If the ICO decides that “Reject All” means no personalised ads, that rate could have a significant impact on online revenue. 

Note: Users who have a “Reject All” status can include those who previously bounced, previously chose “Legitimate Interest Only” in the second layer, and previously consented. 

What are my options if I don’t want to add a Reject All button?

German websites went through the same thought process over 18 months ago when local DPAs started requiring “Reject All” buttons. Many saw between 20% and 30% of their audience move to a “Reject All” state, which had a large impact on revenue.

In response, IAB Europe and German publishers negotiated with local DPAs to develop a compliant alternative. Sourcepoint provided many German publishers with a solution for displaying a Consent or Pay message, which also met DPA requirements for equal prominence and neutral consent as the default.

With a Consent or Pay message, users are given a choice between accessing the website while allowing for advertising, or paying a subscription fee to access content without advertising.  

Today, over 80% of news sites in Germany have adopted the Consent or Pay model. 

As for the UK, the ICO/CMA joint paper indicates that offering an alternative to consenting can be compliant as long as it avoids harmful practices. For example, if a user is presented with the option to consent in exchange for a discount, a message like “Nah, I hate savings” could be seen as confirm-shaming. 

Contact the Sourcepoint team to facilitate a test for your properties. 

Are there consentless advertising solutions available in the market?

While many adtech companies are working on consentless solutions, we are not aware of any that are widely available. 

We recommend reaching out to your DSP and SSP partners to understand what solutions they may be developing, and how they would work. 
