# GDPR Cookie Consent Bottom Sheet UI for Mobile

> By Lawrence Arya, Founder & CEO of VP0. Published 2026-05-31, updated 2026-06-02. 4 min read.
> Source: https://vp0.com/blogs/gdpr-cookie-consent-mobile-bottom-sheet-ui

Real consent has a real no: if rejecting is harder than accepting, it is not consent, it is a dark pattern.

**TL;DR.** A GDPR-style consent bottom sheet has to offer a genuine choice: reject must be as easy as accept, nothing non-essential may be pre-checked, and the purpose has to be in plain language. Build it from a free VP0 design as a calm bottom sheet with clear Accept, Reject, and Manage options. On iOS, pair it correctly with App Tracking Transparency, and log consent so you can prove it.

A cookie or tracking consent bottom sheet is a compliance surface first and a design surface second, and the two only agree when the choice is genuine. The short answer: build it from a free VP0 design as a calm bottom sheet, make Reject exactly as easy as Accept, pre-check nothing non-essential, explain the purpose plainly, and log the choice. GDPR enforcement is not theoretical: fines have totaled more than [€5](https://www.enforcementtracker.com/) billion since 2018, and "reject as easy as accept" is now explicitly expected by regulators.

## What real consent looks like

Valid consent under the GDPR must be freely given, specific, informed, and unambiguous, and recent guidance is blunt that a prominent "Accept all" with a buried "Reject" does not qualify. So your sheet needs equally weighted Accept and Reject actions, an optional "Manage preferences" for granular categories, and short, human descriptions of what each category does. Nothing beyond strictly necessary should be on by default. The goal is a user who can say no in one tap, just like they can say yes. The European Data Protection Board's guidance on consent is the authority here, and good UX and the law point the same way.

## Build it from a free design

VP0 is a free iOS design library for AI builders. Pick a bottom sheet or modal design, copy its link, and have Cursor or Claude Code rebuild it in SwiftUI or React Native. Keep it calm: a brief title, one or two plain sentences, and three clear actions (Accept, Reject, Manage). On iOS specifically, remember that tracking across apps and websites requires Apple's [App Tracking Transparency](https://developer.apple.com/documentation/apptrackingtransparency) prompt, which is separate from your GDPR sheet. Do not conflate them, and never try to coerce a yes. Store the user's choice with a timestamp and version so you can demonstrate compliance later. Apple's [Human Interface Guidelines](https://developer.apple.com/design/human-interface-guidelines/) on sheets keep the presentation native. For the trust theme more broadly, see [account deletion retention dark pattern alternatives](/blogs/account-deletion-retention-dark-pattern-alternatives/).

## Consent sheet requirements

Each row is both a legal and a design requirement.

| Requirement | What it means in the UI |
|---|---|
| Equal choice | Reject is as easy and prominent as Accept |
| No pre-ticking | Non-essential categories default off |
| Plain language | Short, human purpose per category |
| Granular control | A Manage option for categories |
| Provable consent | Log choice with timestamp and version |

## Common mistakes

The first mistake is the classic dark pattern: a big "Accept all" with reject hidden two taps deep, which regulators now treat as non-compliant. The second is pre-ticked non-essential boxes. The third is vague copy ("We value your privacy") with no real explanation. The fourth is conflating the GDPR sheet with Apple's App Tracking Transparency prompt; they are different and both may apply. The fifth is not recording consent, so you cannot prove what the user agreed to.

## A worked example

Say your app uses analytics and optional ad measurement. On first launch, a VP0-built bottom sheet appears: "Choose what data we use," two plain lines, and three equal buttons, Accept, Reject, and Manage. Manage opens toggles, all non-essential ones off by default. Separately, if you track across other apps, you show Apple's ATT prompt at the right moment. Every choice is stored with a timestamp. Reject is one tap, exactly like accept. For the sign-in moment that often precedes this, see [Apple Sign-In UI guidelines Figma](/blogs/apple-sign-in-ui-guidelines-figma/), and to make the sheet itself feel polished, see [how to make my app look better](/blogs/how-to-make-my-app-look-better/).
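The state behind that sheet, sketched in TypeScript for a React Native build. This is an added example, not VP0's code: the category names, `POLICY_VERSION`, the record shape, and the rule that a stale consent version counts as no consent are all assumptions.

```typescript
// Added example: consent state for an app with analytics and ad measurement.
// Names, the record shape and POLICY_VERSION are assumptions, not a VP0 API.
type Category = "analytics" | "adMeasurement";
type Action = "accept_all" | "reject_all" | "custom";

interface ConsentRecord {
  action: Action;
  choices: Record<Category, boolean>;
  policyVersion: string; // version of the consent text the user saw
  decidedAt: string;     // ISO 8601 UTC timestamp
}

const POLICY_VERSION = "consent-text-v1"; // hypothetical version label
const CATEGORIES: Category[] = ["analytics", "adMeasurement"];

// The Manage screen starts from this: every non-essential toggle is off.
function defaultChoices(): Record<Category, boolean> {
  return { analytics: false, adMeasurement: false };
}

// Accept and Reject are each one call, mirroring one tap each in the UI.
// "custom" only turns on a category the user explicitly set to true.
function decide(
  action: Action,
  custom?: Partial<Record<Category, boolean>>,
  now: Date = new Date(),
): ConsentRecord {
  const choices = defaultChoices();
  for (const c of CATEGORIES) {
    if (action === "accept_all") choices[c] = true;
    else if (action === "custom") choices[c] = custom?.[c] === true;
  }
  return { action, choices, policyVersion: POLICY_VERSION, decidedAt: now.toISOString() };
}

// Append-only log: earlier records are never edited, so history stays provable.
function appendConsent(log: readonly ConsentRecord[], rec: ConsentRecord): ConsentRecord[] {
  return [...log, rec];
}

// Gate for starting a non-essential SDK. Fails closed: no record, or a record
// for an older consent text, means the SDK stays off until the user is asked again.
function mayRun(cat: Category, log: readonly ConsentRecord[], version = POLICY_VERSION): boolean {
  const latest = log[log.length - 1];
  if (!latest || latest.policyVersion !== version) return false;
  return latest.choices[cat] === true;
}
```

Call `mayRun` before initializing each analytics or ad SDK, not only when rendering the sheet, so a rejected category never starts collecting.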

## Key takeaways

- Real GDPR consent means Reject is as easy and prominent as Accept.
- Pre-check nothing non-essential and explain each purpose in plain language.
- Build the bottom sheet from a free VP0 design with Accept, Reject, and Manage.
- On iOS, keep the GDPR sheet separate from Apple's App Tracking Transparency prompt.
- Log every choice with a timestamp and version so you can prove consent.

## Frequently asked questions

### How do I design a GDPR-compliant cookie consent sheet?

Build a calm bottom sheet from a free VP0 design with equally prominent Accept and Reject buttons, a Manage option for categories, plain-language purposes, nothing non-essential pre-checked, and stored consent.

### Does Reject really have to be as easy as Accept?

Yes. Regulators now treat a prominent 'Accept all' with a buried reject as invalid consent. The two choices must carry equal weight in the UI.

### Is the GDPR sheet the same as Apple's tracking prompt?

No. Apple's App Tracking Transparency prompt is required to track users across other apps and websites and is separate from your GDPR consent sheet. Both can apply.

### Do I need to store the user's consent choice?

Yes. Record the choice with a timestamp and a version of the consent text so you can demonstrate compliance if asked.

---
*Published on the [VP0 Journal](https://vp0.com/blogs). Free to read, index and cite with attribution.*
