Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business website, chances are you’ve seen (or already use) a cookie banner. You might also be wondering whether you need a clear “Reject all cookies” option and what “valid consent” looks like in New Zealand.
It’s a fair question. Cookie pop-ups can feel like a purely “tech” issue, but they’re really about privacy compliance and trust. If your banner nudges people into accepting tracking, or makes opting out difficult, you can end up with unhappy customers, complaints, and a privacy risk you didn’t intend to take on.
Below, we’ll walk through what a “Reject All” option means in practice, what the New Zealand privacy framework expects when websites use cookies and tracking tools, and how to set your cookie banner up in a way that’s user-friendly and defensible.
Why A “Reject All Cookies Button” Matters For Small Businesses
A cookie banner isn’t just a design element. It can be part of how you collect (or avoid collecting) personal information through your website.
Many cookies are harmless and essential (for example, keeping a shopping cart working). But analytics, advertising, and behavioural tracking cookies can create privacy issues because they may help identify people, track them across pages, and build profiles about their behaviour - especially when combined with other data.
From a practical business perspective, having an easy-to-find “Reject all” option matters because:
- It reduces complaints and confusion (people can easily say “no” without hunting around).
- It improves trust and conversion (counterintuitively, transparency often helps customers feel safer buying from you).
- It helps show any consent is genuine (if rejecting is hard, consent can look “forced”).
- It aligns with modern privacy expectations even where the law is principles-based rather than prescriptive.
Think of it this way: if your website effectively says “Accept tracking or leave”, that’s rarely going to be good for customer experience (or privacy compliance).
Do You Legally Need A “Reject All” Option In New Zealand?
New Zealand doesn’t have a single “cookie law” that mirrors the EU ePrivacy Directive word-for-word. That means there isn’t a blanket rule that every NZ website must show a “Reject All” button in every case.
That said, cookie banners aren’t risk-free. In NZ, privacy obligations are mainly driven by the Privacy Act 2020. The key idea is that if cookies or tracking tools collect personal information (or information that becomes personal information when combined with other data), you need to handle that information in line with the Information Privacy Principles (including being transparent and only collecting/using data in appropriate ways).
Practically, this means you should be asking:
- What cookies and trackers are running on our site?
- Do they collect personal information (directly or indirectly)?
- Are we being transparent about it?
- Are we giving people a meaningful choice, especially for non-essential tracking?
So, do you have to include a “Reject All” button?
Not always as a strict legal requirement under a single NZ “cookie rule”. But if you present your banner as a consent mechanism for non-essential cookies (particularly advertising and behavioural tracking), the way you design it matters. If it’s easy to accept but difficult to reject, you may struggle to argue that any consent was freely given - and you may create avoidable privacy and customer trust issues.
Also, many NZ businesses have customers overseas (including in the EU/UK). If you actively target, sell to, or track people in those regions, GDPR-style consent expectations may become relevant. In those situations, offering a clear “Reject All” option is often the safest approach.
At a minimum, you should have clear disclosures in your Privacy Policy and consider a dedicated Cookie Policy if you use multiple categories of cookies.
What Makes Cookie Consent “Valid” (And When Consent Isn’t The Right Approach)
Consent sounds simple, but it has a few moving parts - and in NZ it’s also important to remember that consent is not the only way to collect or use information. Often, the bigger compliance issue is whether you’ve been clear and fair with users, and whether your collection and use is reasonable for your business purposes.
Where you do rely on consent (which is common for non-essential tracking), good consent has a common theme: people should understand what they’re agreeing to, and they should have a genuine ability to say no.
Key Features Of Good Cookie Consent
When your business uses a cookie banner, a strong consent approach is:
- Informed: you explain what cookies are being used for (eg essential, analytics, marketing).
- Specific: people can choose by category, not a vague “we use cookies” statement.
- Freely given: rejecting is not hidden, punished, or made unreasonably difficult.
- Unambiguous: an action like clicking “Accept” is clear; silence or continuing to browse is a weak basis for non-essential tracking.
- Easy to withdraw: users can later change their mind (for example, through a cookie settings link in your footer).
When Consent Might Not Be The Best Fit
Not every cookie use is best handled through consent.
For example, strictly necessary cookies (like login/session cookies, security cookies, or shopping cart cookies) are often used because they’re required to provide the service the customer requested. In those cases, you’re usually not asking people to “agree” to the cookie itself - you’re explaining that it exists because the site can’t function properly without it.
But for marketing cookies and many third-party tracking tools, consent is commonly the cleanest approach, because the customer hasn’t specifically asked for that kind of tracking.
If you’re unsure what your website is actually doing, it’s worth getting a clear picture first (what tools are installed, what data they collect, and where that data goes). If you use third-party vendors to process data, a Data Processing Agreement may also be relevant, depending on your setup.
How To Set Up A “Reject All Cookies Button” That’s Clear And Defensible
Cookie banners are often where businesses accidentally create risk. The good news is that getting the basics right usually isn’t complicated - it just needs to be intentional.
1) Put “Accept” And “Reject All” On The Same Level
If you’re using non-essential cookies, a simple and defensible setup is:
- Accept All
- Reject All
- Manage Settings (optional, but very helpful)
From a consent perspective, the key is that rejecting shouldn’t be buried behind extra clicks while accepting is one click. If you offer a reject option, it should be visible and easy to use.
2) Explain Cookie Categories In Plain English
A banner should give a short explanation, and your detailed policy can do the heavy lifting.
For example:
- Essential cookies: required for the website to work.
- Analytics cookies: help you understand website usage (traffic, page views, performance).
- Marketing cookies: used to show relevant ads and measure advertising performance.
This is where having a dedicated Cookie Policy makes life easier. You can keep the banner short, while still being transparent and specific.
3) Don’t Load Non-Essential Cookies Until The User Chooses
This is a common technical trap: a site shows a banner, but tracking cookies are already running in the background before the person clicks anything.
If you present your banner as a consent tool, but you’re already tracking, it can undermine the whole point of asking. It’s also the kind of thing that frustrates customers and can trigger a complaint.
As a practical step, ask your developer (or your web platform provider) to confirm:
- Which cookies fire on page load
- Whether marketing tags are blocked until consent
- Whether “Reject All” truly prevents those cookies from firing
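To make those three checks concrete, here is an added illustration in JavaScript (not Sprintlaw's code or any cookie tool's real API; the function, category and tag names are hypothetical). It is a minimal consent gate that keeps optional categories off until the visitor chooses, and reports tags that need cleaning up when consent is later withdrawn:

```javascript
// Added example; every name below is hypothetical, not a real consent-tool API.
const OPTIONAL = ["analytics", "marketing"];

function createConsentGate(loadTag) {
  // Optional categories start off: no pre-ticked boxes, nothing fires on page load.
  const consent = { essential: true, analytics: false, marketing: false };
  const tags = [];
  const loaded = new Set();

  function apply() {
    const revoked = [];
    for (const tag of tags) {
      const allowed = consent[tag.category];
      if (allowed && !loaded.has(tag.name)) {
        loaded.add(tag.name);
        loadTag(tag); // in a browser: inject the vendor <script> here
      } else if (!allowed && loaded.has(tag.name)) {
        revoked.push(tag.name); // already ran: clear its cookies and reload
      }
    }
    return revoked;
  }

  function setChoices(choices) {
    // Only an explicit `true` counts; missing or truthy-but-vague values stay off.
    for (const category of OPTIONAL) consent[category] = choices[category] === true;
    return { consent: { ...consent }, revoked: apply() };
  }

  return {
    register(tag) {
      if (!["essential", ...OPTIONAL].includes(tag.category)) {
        throw new Error("unknown category: " + tag.category);
      }
      tags.push(tag);
      apply(); // essential tags load now; optional ones wait for a choice
    },
    acceptAll: () => setChoices({ analytics: true, marketing: true }),
    rejectAll: () => setChoices({}),
    setChoices,
  };
}

// Constructed sample tags: what fires before the choice, and after it.
function demo(choice) {
  const fired = [];
  const gate = createConsentGate((tag) => fired.push(tag.name));
  gate.register({ name: "session", category: "essential" });
  gate.register({ name: "page-stats", category: "analytics" });
  gate.register({ name: "ad-pixel", category: "marketing" });
  const beforeChoice = [...fired];
  return { beforeChoice, fired, revoked: gate[choice]().revoked };
}
```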
4) Make It Easy To Change Preferences Later
People change their mind, and they should be able to withdraw consent without friction.
A common approach is adding a “Cookie Settings” link in your website footer, alongside your Privacy Policy and Website Terms And Conditions.
5) Keep Records (At Least At A System Level)
Small businesses don’t usually need a complex consent database, but you should be able to explain your approach if asked:
- What categories you use
- What happens when someone clicks “Reject All”
- How choices are captured and applied (even if only via your cookie management tool)
If your business operates internationally, or you’re proactively aligning with GDPR standards, it may be worth looking at a broader privacy compliance approach like a GDPR Package, especially if your site is heavily data-driven.
Common Cookie Banner Mistakes (And How To Avoid Them)
Most cookie compliance issues aren’t deliberate - they happen because cookie pop-ups are often installed quickly, using default settings, without anyone auditing what the site actually does.
No “Reject All” Button (Or It’s Hidden)
If the banner has “Accept All” but no clear reject option, users can be funnelled into acceptance. Even if you technically offer a way to opt out through “Manage settings”, hiding rejection behind extra steps can weaken the argument that any consent was freely given (and it’s generally a poor user experience).
If you’re going to rely on consent for non-essential cookies, making “Reject All” easy to find is one of the simplest ways to make that choice feel genuine.
Pre-Ticked Boxes For Non-Essential Cookies
Pre-ticking marketing or analytics cookies can be risky because it’s not a clear affirmative choice by the user.
A safer approach is:
- Essential cookies always on (with explanation)
- Analytics/marketing off by default until chosen
Vague Explanations Like “We Use Cookies For Your Experience”
Customers (and regulators) are becoming less accepting of vague statements.
It’s better to be upfront: if you’re using third-party advertising or tracking, say so, and point users to a clear policy.
Not Matching Your Banner To Your Actual Practices
Your banner, policies, and behind-the-scenes setup should all line up.
For example:
- If you say marketing cookies are optional, they shouldn’t load until consent.
- If you say you don’t use third-party advertising cookies, check your plugins aren’t adding them anyway.
- If you collect personal information through forms, newsletters, accounts, or purchases, your privacy documents should cover that too.
If you’re unsure where to start, it’s often worth reviewing whether you need cookie pop-ups at all and what format makes sense for your setup. Many businesses begin with the cookie pop-up question and then build the banner and policies around their actual data practices.
Forgetting About Third Parties (And Data Transfers)
Cookies often involve third parties (analytics providers, advertising networks, embedded videos, social media widgets).
Even if you’re a small business, third-party tools can create complicated flows of information. That’s why it’s important your privacy approach is joined-up - and why some businesses choose to get help from an Online Data Privacy Lawyer to make sure nothing is missed.
Key Takeaways
- A clear “Reject All” option can help make user choice clearer, more user-friendly, and easier to defend where you rely on consent for non-essential tracking.
- In New Zealand, website tracking compliance is mainly driven by the Privacy Act 2020 and whether cookies collect (or help infer) personal information.
- If you’re using analytics and marketing cookies and relying on consent, your consent approach should be informed, specific, freely given, and easy to withdraw.
- Best practice is to present “Accept All” and “Reject All” at the same level, and not load non-essential cookies until the customer chooses.
- Your Privacy Policy and (often) a Cookie Policy should match what your website actually does.
- Cookie banners are easy to get wrong with default settings - a quick audit of your tools, cookies, and third-party integrations can save you headaches later.
If you’d like help getting your cookie banner, privacy documents, and consent settings right for your business, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.


