It is against the GDPR if there's no refuse button. The problem is that the regulation has yet to be enforced anywhere near enough so websites can get away with this kind of malicious pseudo-compliance.