Do Indian Websites Need a ‘Reject All’ Button? DPDP Says Yes

 ‍

Cookie Consent Is No Longer a Design Choice

For years, cookie banners on Indian websites followed a familiar pattern: a bold “Accept All” button, a faint “Learn More” link, and no real way to refuse tracking without digging through settings.

That era is over.

With the Digital Personal Data Protection Act (DPDPA), 2023 and the DPDP Rules, 2025 now in force, consent is no longer implied, nudged, or assumed. It must be freely given, informed, and reversible.

Which brings us to a critical question many businesses are asking in 2026:

Do Indian websites legally need a “Reject All” button?

The short answer is yes.

What the DPDP Act Says About Consent

Under the DPDP Act, consent is the primary lawful ground for processing personal data in most digital contexts. The law requires that consent must be:

• Free (not forced or manipulated)

• Specific (linked to clear purposes)

• Informed (explained in plain language)

• Unambiguous (clear affirmative action)

• Revocable (easy to withdraw)

Crucially, the DPDP Rules add an important clarification:

The ease of withdrawing or refusing consent must be comparable to the ease of giving consent.

This single requirement changes everything about cookie banner design.

Why “Accept All” Without “Reject All” Fails DPDP Compliance

If your cookie banner prominently displays “Accept All” but hides rejection behind multiple clicks or removes it entirely you are not offering free consent.

This is because:

• Users are nudged into acceptance

• Refusal becomes harder than acceptance

• Consent is no longer genuinely voluntary

Under DPDP, that is considered invalid consent.

A cookie banner that lacks a visible “Reject All” option violates:

• The principle of free consent

• The requirement of equal ease

• The obligation of transparent choice

DPDP Rules and Equal Consent Choice

The DPDP Rules (2025) reinforce that consent mechanisms must not use dark patterns or deceptive interfaces. This means:

• “Reject All” must be as visible as “Accept All”

• Font size, colour, and placement should not disadvantage refusal

• Users should not be blocked from access for rejecting non‑essential cookies

If refusing cookies leads to degraded access, forced sign‑ups, or repeated nudging, regulators may view it as coercive consent.

What a DPDP‑Compliant Cookie Banner Looks Like

A compliant cookie banner in India in 2026 typically includes:

• “Accept All” and “Reject All” shown side‑by‑side

• A clear explanation of cookie purposes (analytics, marketing, etc.)

• No cookies fired before user choice (except strictly necessary ones)

• A link to manage granular preferences

• A permanent way to revisit and change consent later

Anything less puts your website at risk.

Legal and Financial Risks of Skipping ‘Reject All’

Ignoring this requirement is not a minor UI issue it’s a legal exposure.

Under Section 33 of the DPDP Act, penalties for processing personal data without valid consent can go up to ₹250 crore per violation.

In practice, this could apply if:

• Tracking cookies load before consent

• Users are not given a real refusal option

• Consent logs cannot prove voluntary choice

With enforcement actions now expected to increase in 2026, cookie banners are one of the first audit touchpoints regulators examine.

Does This Apply to All Websites?

Yes, if your website uses:

• Analytics cookies (Google Analytics, GA4)

• Advertising cookies (Meta Pixel, programmatic ads)

• Personalisation or tracking tools

• Third‑party scripts that process personal data

This applies across industries including SaaS, e‑commerce, fintech, media, healthcare, and edtech.

Only strictly necessary cookies (such as session management or security cookies) may load without consent.

What About “Manage Preferences” Instead of “Reject All”?

A “Manage Preferences” link does not replace a visible “Reject All” button.

If users must click through multiple layers just to refuse cookies, while acceptance is one click, the consent is not considered equal or free under DPDP standards.

Best practice is:

• Show Accept All and Reject All upfront

• Offer granular controls as an additional option not a substitute

Operational Reality: Why Most Businesses Struggle

Many Indian businesses struggle to implement compliant consent because:

• Cookie inventories are complex

• Third‑party scripts fire automatically

• Consent logic differs across platforms

• Audit‑ready logs are difficult to maintain

This is why many organisations adopt dedicated consent management platforms instead of building everything from scratch.

Toward that end, platforms like Blutic help businesses deploy DPDP‑compliant cookie banners with built‑in Accept/Reject parity, automated cookie blocking, consent logs, and easy withdrawal mechanisms without redesigning their entire tech stack.

So, do Indian websites need a “Reject All” button?

Yes, explicitly, clearly, and visibly.

‍

In 2026, cookie banners are no longer cosmetic pop‑ups. They are legal consent interfaces. If users can’t refuse cookies as easily as they accept them, consent fails and so does compliance.

Getting this right protects your business from penalties, builds user trust, and aligns your digital presence with India’s evolving privacy framework.

‍