...if not, you may find yourself on the radar of the UK's data protection regulator, the ICO. Stephen Bonner, the deputy commissioner at the ICO, told MLex last week that the ICO is “paying attention in this area.”   

This follows a string of enforcement actions taken by the CNIL, the French data protection regulator; most notably the 150 million euro fine it issued to Google.  

The cookie rules in the UK and EU are governed by the ePrivacy Directive, which has been implemented separately by each EU Member State (and the UK). It overlaps with the GDPR in the sense that the test for valid consent to the use of cookies must comply with the standard set out in the GDPR. As a result, many regulators are viewing the lack of a "reject all" button on a cookie banner to mean that consent to cookies is not "freely given" (one of the criteria for valid consent). 

Marketers in particular are using numerous creative techniques to "nudge" users into consenting to the use of cookies, including by not including an easy way of refusing cookies. Failing to include a "reject all" button is becoming a risky technique and will force marketers to be more creative in future.