Every website with EU visitors has one. The cookie banner. The pop-up that materialises the moment you arrive, demanding you make a choice before you can read a single word. Most people click "Accept All" without hesitation — not because they're happy to be tracked, but because they just want it to go away.
This is consent fatigue. And it creates a serious problem: if users are clicking "Accept All" out of frustration rather than genuine informed agreement, is that legally valid consent under GDPR?
Increasingly, regulators think the answer is no.
What Is Consent Fatigue?
Consent fatigue is the psychological state that occurs when people are asked to make so many consent decisions — across so many websites, apps, and services — that they stop engaging meaningfully with any of them. They click the fastest available option to make the friction go away.
Research backs this up. A 2023 study found that over 90% of users accept all cookies without reading the consent notice. A separate study found that when "Accept All" is presented as a single large button, acceptance rates jump to over 95% — while when "Reject All" is given equal prominence, acceptance rates fall dramatically.
The mechanism is simple: decision fatigue. Every website asks for consent. Users have learned that engaging carefully with cookie banners takes time and effort, that the "Reject" option is often buried or broken, and that the consequences of clicking "Accept" are invisible and diffuse. So they click "Accept" to make the banner disappear and get on with their day.
This is not informed, freely given consent. It's compliance theatre.
Why Consent Fatigue Happens: The Design Factors
Consent fatigue doesn't emerge in a vacuum. It's actively engineered by poor — and sometimes deliberately deceptive — UX design. Regulators have a word for the latter: dark patterns.
Asymmetric friction is the most common culprit. "Accept All" gets a large, prominent, high-contrast button. "Reject" or "Manage Preferences" gets a small, grey, low-contrast text link buried at the bottom of the notice. The user is being guided toward one choice through design rather than genuine preference.
Buried reject options take this further. Some banners require three to five clicks to reject all cookies: click "Manage Preferences," scroll through categories, deselect each one individually, click "Confirm." Accepting takes one click. Rejecting takes a minute. This asymmetry is intentional — and regulators have been very clear that it is not acceptable.
Confusing language compounds the problem. Categories like "Performance Cookies," "Functional Cookies," and "Targeting Cookies" mean little to most users. When you don't understand what you're agreeing to, you default to the path of least resistance: "Accept All."
Banner persistence — banners that reappear even after a user has made a choice, or that reset consent when the user returns — trains users to treat banners as obstacles rather than meaningful decisions.
Volume is the final factor. A typical internet user encounters dozens of consent requests per day. No one can engage meaningfully with dozens of consent decisions. The cognitive load is too high, so users develop a policy of reflexive acceptance.
What the ICO and EDPB Say About Consent Fatigue
Regulators have been paying close attention to consent fatigue, and their position is increasingly clear.
The UK Information Commissioner's Office (ICO) published detailed guidance on consent in cookie banners stating that consent obtained through deceptive design — including designs that make rejection harder than acceptance — is not valid consent under UK GDPR. The ICO has conducted sweeping audits of popular websites and issued enforcement notices to those using dark patterns in their consent UIs.
The European Data Protection Board (EDPB) has been even more explicit. In its Guidelines on Dark Patterns (05/2022), the EDPB identified six categories of dark patterns in consent interfaces, including "overloading" (making users process excessive information), "skipping" (designing interfaces to make users forget about privacy), "stirring" (appealing to emotion to influence choices), "obstructing" (making data protection hard), "faking" (using deceptive appearances), and "hindering" (making it harder to reject than to accept).
The EDPB was unambiguous: any of these patterns renders consent invalid. If a user clicks "Accept All" because rejection is too hard, that consent is not freely given — and freely given consent is a GDPR requirement.
Is "Accept All" from a Fatigued User Valid GDPR Consent?
GDPR Article 7 requires that consent be "freely given, specific, informed and unambiguous." Recital 42 clarifies: consent is not freely given if the user cannot refuse or withdraw it without detriment. Recital 32 specifies that silence, pre-ticked boxes, or inactivity do not constitute consent.
For consent to be valid, users must have a genuine choice. The EDPB has stated clearly that consent is not freely given when refusing or withdrawing consent is harder than giving it.
This creates a real legal exposure. If your consent banner:
- Makes "Accept All" substantially easier than "Reject All"
- Buries the reject option behind multiple clicks
- Uses confusing language or design to guide users toward acceptance
- Resets or ignores previous rejections
...then the consent you've collected may not be valid GDPR consent, even if users clicked "Accept All." You may be processing personal data without a lawful basis.
This is not a theoretical concern. The French CNIL fined Google €150 million and Facebook €60 million in 2022 specifically because their cookie interfaces made accepting cookies easier than refusing them. The Irish DPC, the Danish Datatilsynet, and the Spanish AEPD have all taken enforcement action on similar grounds.
What Valid Consent UX Actually Looks Like
Regulators have given detailed guidance on what constitutes compliant consent design. The core principles:
Equal prominence for accept and reject. The "Accept All" and "Reject All" buttons must be visually equivalent — same size, same colour, same prominence. One should not be styled as a primary button while the other is a link.
One-click rejection. If you offer one-click acceptance, you must offer one-click rejection. You cannot require users to navigate through preference panels to reject when accepting is a single button.
Granular categories with clear language. If you offer category-level consent, the categories should be meaningful and described in plain language. "Analytics" is better than "Performance Cookies." "Marketing and Advertising" is better than "Targeting Cookies."
No pre-ticked boxes. All non-essential categories must be opt-in, not opt-out. Pre-ticking analytics or marketing boxes is not valid consent.
No "consent walls." You cannot deny access to your website or service to users who refuse consent for non-essential cookies, unless you offer a paid alternative (and even then, this is contested).
Persistent preferences. If a user rejects all cookies, that preference must be remembered and honoured. Resetting consent on each visit — or presenting the banner again when it suits you — is not compliant.
Easy withdrawal. Users must be able to withdraw consent as easily as they gave it. A small "Cookie Settings" link in the footer that lets users update their choices satisfies this requirement.
Practical Design Recommendations
Implementing compliant consent UX doesn't mean sacrificing aesthetics or conversion. Here's what works in practice:
Use a layered notice. A short first layer — "We use cookies for analytics and advertising. Accept all, reject all, or customise." — with a second layer for detailed preferences is cleaner than dumping everything on the user at once.
Style both primary actions equally. Make "Accept All" and "Reject All" the same size and visual weight. You can still use your brand colours — just don't make one button visually dominant.
Lead with the benefit to the user. "We use analytics to improve this site. Here's what we track:" is more likely to earn genuine consent than "We and our 47 partners process your data for the following purposes."
Remember choices across sessions. Use a long-lived first-party cookie to store the user's consent decision. Don't show the banner again once they've made a choice.
Test the reject flow. Click through your own banner as if you want to reject everything. Count the clicks. If it takes more than two clicks to reject all non-essential cookies, your banner will likely fail a regulatory audit.
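The principles in the previous section (non-essential categories off by default, one-click rejection, persistent preferences, withdrawal as easy as granting) and the recommendations above can be enforced in a small client-side consent module. The JavaScript below is an added example and is not code from the original post or from any consent-management product; the cookie name `site_consent`, the category names, and the `ConsentStore` and `gateScript` names are assumptions chosen for illustration. It stores the decision in a long-lived first-party cookie, makes accepting and rejecting the same single call, treats "no decision yet" as "nothing non-essential allowed", and only injects a third-party script once a positive decision for its category has been recorded.

```javascript
// Added example (not from the original post): a minimal consent store that
// enforces equal effort for accept and reject, no pre-ticked categories,
// persistence in a first-party cookie, and script gating on recorded consent.
// CONSENT_COOKIE, CONSENT_VERSION and the category names are assumptions.

const CONSENT_COOKIE = "site_consent";          // assumed first-party cookie name
const CONSENT_VERSION = 1;                       // bump only when the purposes change
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;     // long-lived: remember the choice
const NON_ESSENTIAL = ["analytics", "marketing"]; // plain-language categories

// Cookie jar abstraction: document.cookie in a browser, an in-memory map when
// the module runs headlessly (e.g. in a test runner without a DOM).
function browserJar() {
  return {
    get(name) {
      const m = document.cookie.match(new RegExp("(?:^|; )" + name + "=([^;]*)"));
      return m ? decodeURIComponent(m[1]) : null;
    },
    set(name, value, maxAge) {
      // Secure requires HTTPS; SameSite=Lax keeps the cookie first-party only.
      document.cookie = `${name}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
    },
  };
}
function memoryJar() {
  const store = new Map();
  return {
    get: (name) => (store.has(name) ? store.get(name) : null),
    set: (name, value) => store.set(name, value),
  };
}

class ConsentStore {
  constructor(jar) {
    this.jar = jar;
    this.listeners = [];
  }
  // The stored decision, or null when the user has not decided yet (or decided
  // under an older purposes version). "No decision" means every non-essential
  // category is OFF: there are no pre-ticked boxes.
  current() {
    const raw = this.jar.get(CONSENT_COOKIE);
    if (!raw) return null;
    try {
      const decision = JSON.parse(raw);
      return decision.v === CONSENT_VERSION ? decision : null;
    } catch {
      return null;
    }
  }
  // Show the banner only while there is no valid decision on record.
  shouldShowBanner() { return this.current() === null; }
  // One call each: accepting and rejecting cost the user the same single click.
  acceptAll() { return this.save(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true]))); }
  rejectAll() { return this.save(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]))); }
  // Granular choice: only an explicit boolean true switches a category on.
  save(choices) {
    const decision = { v: CONSENT_VERSION, at: Date.now(), choices: {} };
    for (const c of NON_ESSENTIAL) decision.choices[c] = choices[c] === true;
    this.jar.set(CONSENT_COOKIE, JSON.stringify(decision), ONE_YEAR_SECONDS);
    this.listeners.forEach((fn) => fn(decision.choices));
    return decision.choices;
  }
  // Withdrawal is the same operation as rejecting, reachable from a footer link.
  withdrawAll() { return this.rejectAll(); }
  allowed(category) {
    const decision = this.current();
    return decision !== null && decision.choices[category] === true;
  }
  onChange(fn) { this.listeners.push(fn); }
}

// Gate a third-party loader on consent: the script is injected only after a
// positive decision for its category exists, never before the user has decided.
// Returns a function reporting whether the loader has run.
function gateScript(store, category, loadFn) {
  let loaded = false;
  const maybeLoad = () => {
    if (!loaded && store.allowed(category)) {
      loaded = true;
      loadFn();
    }
  };
  maybeLoad();
  store.onChange(maybeLoad);
  return () => loaded;
}
```

Wire `acceptAll` and `rejectAll` to two identically styled buttons and `withdrawAll` to the "Cookie Settings" link in the footer. A script that has already been injected cannot be un-run, so the simplest honest handling of withdrawal is to reload the page afterwards so every gate is re-evaluated from the stored decision. `CONSENT_VERSION` is the only legitimate reason to re-show the banner to someone who has already decided: bump it when the purposes actually change, not on every visit.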
The Case for Alternative Lawful Bases
Consent is only one of six lawful bases for processing personal data under GDPR. For many common website uses, there are alternatives — and using them can eliminate consent friction entirely.
Legitimate interests (Article 6(1)(f)) allows processing where you have a genuine business reason that isn't overridden by the user's rights. For certain types of analytics — particularly privacy-respecting analytics that don't track individuals across sites — legitimate interests can be a defensible lawful basis.
The test is a three-part legitimate interests assessment (LIA): establish that you have a legitimate purpose; confirm the processing is necessary for that purpose; balance your interests against the individual's rights.
For first-party, aggregate analytics that don't send data to third parties, don't track users across sessions, and don't build advertising profiles, many DPAs have acknowledged that legitimate interests can apply. This means no consent banner for analytics at all.
This is significant. If you switch from Google Analytics (which requires consent in the EU due to its data transfers to the US) to a privacy-friendly alternative, you may be able to process analytics data under legitimate interests — no banner, no friction, no consent fatigue.
Privacy-Friendly Analytics as a Consent Strategy
This leads to a broader strategic point: the best way to eliminate consent fatigue for analytics is to stop requiring consent for analytics.
Tools like Plausible, Fathom, and Pirsch are designed to be privacy-friendly by default: no cookies, no cross-site tracking, no individual user profiles, data stored in the EU. They give you the metrics you need — page views, referrers, conversion rates — without the GDPR complexity.
If you're only running Google Analytics for aggregate site metrics, switching to a cookieless alternative has a meaningful UX benefit: your consent banner becomes shorter, simpler, and less intrusive. Users see a banner about advertising or marketing cookies rather than a banner about analytics, advertising, and personalisation combined. Fewer categories mean less cognitive load, and less cognitive load means less consent fatigue.
Run a free scan at https://app.custodia-privacy.com/scan to see exactly which third-party scripts are firing on your website, which require consent, and which could be replaced with privacy-friendly alternatives.
Why Better Consent UX Actually Converts Better
There's a common assumption that compliant consent design — equal prominence for accept and reject — will crater your analytics opt-in rates. This is partly true: you will likely see lower acceptance rates for advertising and personalisation cookies.
But the full picture is more nuanced.
Users who consent genuinely are more valuable. A user who actively chose to accept analytics cookies is less likely to use a browser extension to block your tracking. Their data is more reliable, not just more legal.
Trust is a product feature. A study by Cisco found that 84% of customers want more control over how their data is used, and 48% have switched companies over data use concerns. A consent banner that treats users fairly signals that you take privacy seriously — and that signal matters to the audience most likely to convert: privacy-conscious early adopters, B2B buyers, and anyone who has read about GDPR enforcement in the news.
Regulatory risk is a business risk. A €60 million fine or a regulatory investigation is an existential event for a small business. Even if better consent UX reduces your analytics coverage, it removes a compliance risk that could cost far more.
Cookieless analytics is often enough. Most small businesses don't need individual-level tracking to understand how their website is performing. Aggregate page views, referrer sources, and conversion funnel data — all available from cookieless tools — tell you what you need to know.
Putting It Together
Consent fatigue is a symptom of a broken system: one where consent is harvested through friction and dark patterns rather than earned through transparency. Regulators are catching up, enforcement is increasing, and the legal validity of coerced consent is increasingly in doubt.
The path forward isn't more sophisticated consent theatre. It's:
- Audit what you're actually collecting — you may need consent for far fewer things than you think
- Design consent UI with equal options — accept and reject at the same visual weight, one click each
- Replace consent-dependent tools where privacy-friendly alternatives exist
- Use legitimate interests thoughtfully — for aggregate, privacy-respecting analytics, it may be the right lawful basis
- Remember user choices — don't show the banner again to someone who has already decided
A well-designed consent flow doesn't just reduce regulatory risk. It signals to your users that you respect them — and in a world where consent fatigue is the norm, that signal is increasingly rare and valuable.
Want to see what your website is actually tracking — and whether your consent UI is compliant? Run a free scan at https://app.custodia-privacy.com/scan. Results in 60 seconds, no signup required.
This post provides general information about GDPR consent requirements and UX design. It does not constitute legal advice. Requirements vary based on your specific circumstances and jurisdictions. Consult a qualified data protection professional for advice tailored to your situation.