Joris DeeneMany Internet users are annoyed by cookie banners that make refusing tracking cookies unnecessarily difficult. The question, then, is whether a clear "refuse all" button is mandatory. The answer is an unequivocal yes. A decision of the Belgian Data Protection Authority (DPA) of 1 September 2025 (no. 138/2025) in a case against RTL Belgium illustrates that the lack of an equivalent refusal option poses a significant legal risk, even if proceedings ultimately conclude without penalty.
The facts: a complaint against RTL's cookie banner
The case began with a complaint filed by the privacy organization noyb with the DPA on behalf of an Internet user. The complaint targeted the cookie banner on the website of RTL Belgium and contained three central grievances common on the Internet:
- No equivalent refusal option: The first level of the banner had a clear "Accepter et fermer" (Accept and close) button, but an equally clear button to reject all non-essential cookies was missing. Users had to click through via "En savoir plus" (To know more) to manage their choices.
- Misleading Design ("Dark Patterns"): The button to accept had a striking, contrasting color, while the link to get more information was the same color as the banner background, making it less noticeable. This type of design is considered a technique to steer the user in a certain direction.
- Difficult to withdraw consent: Once given permission could not be revoked as easily. It required multiple steps and one had to navigate to a specific management page on the website, which violates the GDPR-requirement that withdrawal should be as easy as giving.
The decision: dismissal after modification by RTL
The proceedings took a remarkable course. After a complex procedure, including a first decision and an appeal to the Market Court, there came a surprising twist. The complainant, via noyb, informed the DPA that she was withdrawing her complaint. The reason? RTL Belgium had changed its cookie banner in the meantime.
Hereupon, the Litigation Chamber of the DPA decided to dismiss the case, or "file without further action," based on expediency reasons. However, the DPA emphasized a crucial principle:
"the withdrawal of a complaint by the complainant does not release the Litigation Chamber from the case. This is an element that it will duly take into account in order to possibly file the complaint without action."
In other words, the DPA retains the authority to continue an investigation if the public interest requires it, even if the original complainant drops out. In this particular case, however, RTL's adjustment and subsequent withdrawal of the complaint was sufficient reason not to pursue the proceedings.
Legal analysis and interpretation
This decision should not be misinterpreted as a free pass for vague cookie banners. The dismissal is a procedural decision and not a ruling on the merits of the case. The DPA explicitly states that the dismissal "does not mean that no potential violation of relevant law exists.".
The underlying legal principles remain intact:
- Free and informed consent (Art. 7 GDPR): Consent is valid only if it is freely given. When the option to decline is hidden or unnecessarily cumbersome, the user's choice is affected and consent is no longer "free."
- Equivalence of accepting and refusing: The guidelines of the European Data Protection Board (EDPB), on which the DPA relies heavily, clearly state that accepting and rejecting cookies should be presented at the same level and with the same visual clarity.
- Simple withdrawal of consent: Article 7(3) of the GDPR requires that withdrawing consent must be as easy as giving it. A "hidden" link in the footer of a website often does not meet this requirement if consent was obtained with one prominent click.
RTL Belgium's action - adjusting the banner even before there was a final, enforceable ruling - shows that the pressure of a DPA proceeding is itself a powerful tool for enforcing conformity.
What this specifically means
- For website owners: The message is clear. Don't wait for a complaint or investigation. A non-compliant cookie banner is a ticking time bomb that can lead to reputational damage and significant legal costs. The best practice is unchanged: at the first level, provide a clear "Accept All" button and an equally clear "Decline All" button.
- For marketing departments: The era of "dark patterns" and psychologically "nudging" users toward accepting cookies is over. Transparency and respect for user choice are not only required by law, but also contribute to a relationship of trust with your audience.
- For Internet users: This case proves that filing a complaint has an effect. Even without a financial penalty, it can encourage a company to respect your privacy rights.
Frequently asked questions (FAQ)
Should the "Reject All" button be the exact same color as "Accept All"?
Not necessary. The legislation does not require identical colors, but does require an equivalent visual presentation. A brightly colored, large accept button next to an unobtrusive, small text link to decline is considered a misleading design and violates the GDPR.
What if a user withdraws their complaint to the DPA? Is the case then automatically over?
No. The DPA has the authority to pursue a case if it finds that an important principle is at stake or the violation is serious. However, withdrawal is a very important element that, as in the RTL case, can lead to dismissal.
Where can I check if my cookie banner is compliant?
The Data Protection Authority has published a handy checklist for cookies . This document is an excellent starting point for evaluating your own Web site.
Conclusion
The RTL Belgium case perfectly demonstrates how data protection law works in practice. The threat of enforcement by the DPA was enough to prompt a major media player to modify its practices, which was ultimately the most efficient outcome for all parties. The lesson for businesses is that proactive compliance is the only sustainable strategy. A correct cookie banner is not an annoying obligation, but a sign of respect for your customers.
Dutch 
English