
Dark Patterns in Cookie Consent

A dark pattern is a user interface design that manipulates users into making choices they would not otherwise make. In the context of cookie consent, dark patterns steer users toward accepting all cookies — not through clear information and genuine choice, but through visual manipulation, confusing language, and deliberate friction.

Dark patterns in cookie consent are not just bad design — they are a legal liability. Data protection authorities across the EU have issued substantial fines specifically for manipulative consent interfaces, and the regulatory scrutiny is intensifying.

Why Dark Patterns Invalidate Consent

Under the GDPR, consent must be:

  • Freely given (Article 4(11)) — the user must have a genuine choice, without pressure or manipulation.
  • Specific — consent must be given for each distinct purpose.
  • Informed — the user must understand what they are consenting to.
  • Unambiguous — given by a clear affirmative action.

Dark patterns undermine "freely given" and "informed" by design. If the reject option is hidden, visually minimized, or buried behind multiple clicks, the user's consent was not freely given. If the language is confusing or misleading, the user was not informed. In either case, the consent is legally invalid — and every cookie set on the basis of that consent is a violation.

The EU Cookie Pledge

In November 2023, the European Commission launched the Cookie Pledge — a voluntary commitment for companies to adopt fair cookie practices. While not legally binding, the Cookie Pledge signals the Commission's expectations and foreshadows regulatory direction.

Key principles of the Cookie Pledge:

  • Refusing cookies must be as easy as accepting them — in terms of number of clicks, visual presentation, and cognitive effort.
  • No manipulative design elements that steer users toward acceptance.
  • Clear, plain language that users can understand at a glance.
  • No cookie walls that block access to content.
  • Easy withdrawal of consent at any time.

Companies that signed the Cookie Pledge include several major brands. While the initiative is voluntary, data protection authorities have explicitly referenced the Pledge's principles in enforcement decisions.

EDPB Guidelines on Dark Patterns

The European Data Protection Board (EDPB) published Guidelines 03/2022 on dark patterns in social media platform interfaces, which have been widely applied to cookie consent interfaces as well. The guidelines identify six categories of dark patterns:

  1. Overloading — bombarding users with excessive information or requests, causing decision fatigue.
  2. Skipping — designing interfaces that skip or pre-select options without the user's active engagement.
  3. Stirring — using emotional language or visual cues to steer users toward a particular choice.
  4. Hindering — making it difficult to exercise rights (e.g., find the reject button, access settings, withdraw consent).
  5. Fickle — inconsistent design that confuses users about where they are and what their choices mean.
  6. Left in the dark — hiding information, using ambiguous language, or providing incomplete context.

National data protection authorities have used these categories as a framework when assessing cookie banners during enforcement proceedings.

Common Dark Patterns with Examples

Pre-Ticked Checkboxes

Presenting cookie category checkboxes that are already checked, requiring the user to actively untick them to refuse consent. This was explicitly ruled invalid by the Court of Justice of the European Union in the Planet49 case (C-673/17, October 2019). The Court held that pre-ticked checkboxes do not constitute an "active indication" of consent.

Despite this unambiguous ruling, many websites continue to use pre-ticked preference panels, particularly for "analytics" or "functional" categories. Every one of these implementations produces invalid consent.

No Reject Button

Showing only "Accept All" and "Manage Preferences" on the first layer, with no option to reject. The user must click "Manage Preferences," navigate a secondary panel, deselect all categories, and then click "Save" — typically three to five clicks to refuse, versus one click to accept.

The CNIL (France's data protection authority) has been particularly aggressive in enforcing against this pattern. In its January 2022 enforcement actions against Google (EUR 150 million) and Facebook (EUR 60 million), the CNIL specifically cited the absence of a straightforward reject mechanism on the first layer as a violation.

Visual Manipulation

Making the "Accept" button visually dominant while minimizing the "Reject" option. Common techniques include:

  • A large, brightly colored "Accept All" button next to a small, gray, or transparent "Reject" option.
  • "Accept" as a solid, high-contrast button while "Reject" is a text link or ghost button.
  • "Accept" in the user's visual focus path (center, right-aligned, or primary position) while "Reject" is placed in a less prominent position.
  • Using green for "Accept" (signaling safety/go) and red or gray for "Reject" (signaling danger/stop/disabled).

The principle is straightforward: if a reasonable user would perceive the accept option as the "default" or "recommended" action based purely on visual design, the banner is using a dark pattern.

Confusing Language and "Legitimate Interest"

Some consent interfaces present certain tracking purposes as based on "legitimate interest" rather than consent, with these purposes pre-enabled and requiring opt-out rather than opt-in. This is technically permitted under the GDPR for genuine legitimate interests, but it is widely abused.

When a cookie banner lists dozens of advertising vendors under "legitimate interest" with tiny toggles, the practical effect is that most users do not understand what they are seeing and do not take action — resulting in tracking by default. Several data protection authorities, including the Belgian APD, have challenged this practice, arguing that legitimate interest cannot be the legal basis for advertising tracking.

Excessive Clicks to Reject

The asymmetry of effort is perhaps the most widespread dark pattern:

| Action | Clicks Required |
|---|---|
| Accept all cookies | 1 click |
| Reject all cookies (dark pattern) | 3-7 clicks (open settings, deselect each category, save, possibly confirm) |
| Reject all cookies (compliant) | 1 click ("Reject All" button on first layer) |

The EDPB's consent guidelines are explicit: "Withdrawing consent should be as easy as giving it." By extension, refusing consent should not require more effort than granting it.

Cookie Walls

A cookie wall blocks access to the website entirely unless the user accepts cookies. The page content is hidden behind an overlay, and the only way to proceed is to click "Accept."

The EDPB has stated in its Guidelines 05/2020 that cookie walls generally do not provide freely given consent, because the user is not given a genuine choice — it is "consent or leave." Some jurisdictions allow a nuanced version (the Dutch DPA, for example, has indicated that cookie walls may be acceptable if the user has a genuine equivalent alternative), but the safer position is to avoid them entirely.

Overloading with Information

Some banners present pages of dense legal text, dozens of vendor toggles, and complex category hierarchies — not to inform, but to overwhelm. When faced with a wall of text and 150 individual vendor toggles, most users simply click "Accept All" out of fatigue. This is the "overloading" dark pattern identified by the EDPB: using exhaustive information to prevent meaningful engagement.

The solution is a layered approach: brief, clear information on the first layer, with detailed information available but not mandatory to navigate.

Emotional Manipulation

Using guilt-inducing or emotionally charged language to steer consent choices:

  • "No thanks, I don't care about a personalized experience"
  • "I prefer to see irrelevant ads"
  • "Continue with a degraded experience"
  • Using sad emoji or disapproving imagery when the user moves toward rejection

These "confirmshaming" techniques make the user feel that rejecting cookies is a bad or anti-social choice. The language should be neutral and informational, not emotional.

Real Enforcement Examples

Data protection authorities have moved from guidance to enforcement. Here are notable cases where dark patterns in cookie consent led to significant fines:

CNIL vs. Google (EUR 150 million) — January 2022

The CNIL found that google.fr did not offer a mechanism to refuse cookies as easily as accepting them. Accepting cookies required one click; refusing required navigating multiple screens. The fine was accompanied by an order to provide a "Refuse All" button on the first layer within three months.

CNIL vs. Facebook (EUR 60 million) — January 2022

This fine was part of the same enforcement action. Facebook's cookie banner on facebook.com lacked a first-layer reject option. Users had to navigate through settings to refuse cookies. The CNIL imposed the fine and ordered remediation.

CNIL vs. Microsoft (EUR 60 million) — December 2022

The CNIL found that bing.com deposited advertising cookies without proper consent and that the cookie banner did not provide an equally easy way to refuse cookies.

CNIL vs. TikTok (EUR 5 million) — December 2022

TikTok's cookie banner required multiple actions to refuse cookies. The CNIL found this violated the requirement for equally accessible consent and refusal mechanisms.

Italian Garante vs. Various Companies — 2023

The Italian data protection authority conducted sweeps targeting cookie banner dark patterns, issuing warnings and fines to multiple companies for using manipulative accept/reject button designs.

How to Design Ethical Consent Interfaces

Designing an ethical cookie consent interface is not just about avoiding fines — it is about respecting your users and building trust. Here are the principles:

  1. Equal prominence. Accept and reject options must be visually identical in size, color weight, and placement. If "Accept" is a solid blue button, "Reject" must also be a solid button of equal size.
  2. Equal effort. Refusing cookies must require the same number of clicks as accepting them. One click to accept means one click to reject.
  3. Clear language. Use plain, neutral language. "Accept All" and "Reject All" — not "Accept" and "Learn More."
  4. No defaults. All non-essential cookie categories must be off by default. No pre-ticked checkboxes, no pre-enabled legitimate interests.
  5. Honest information. Describe what cookies do in factual terms. No euphemisms, no scare tactics, no emotional manipulation.
  6. Accessible settings. The preferences panel should be straightforward to navigate, with clear categories and concise descriptions.
  7. Easy withdrawal. A persistent settings icon or link must be available on every page so users can change their preferences at any time.

Checklist: Is My Banner Dark-Pattern Free?

Use this checklist to audit your current cookie banner:

  1. Is there a "Reject All" button on the first layer of the banner?
  2. Is the reject button the same size as the accept button?
  3. Is the reject button the same visual style as the accept button (both solid, both outlined, etc.)?
  4. Does rejecting cookies require the same number of clicks as accepting them?
  5. Are all non-essential cookie categories turned off by default in the preferences panel?
  6. Is the language neutral and factual (no guilt-tripping, no emotional manipulation)?
  7. Can the user access the site's content without accepting cookies (no cookie wall)?
  8. Can the user change their preferences at any time via a visible link or icon?
  9. Is the purpose description specific (not just "improve your experience")?
  10. Are no cookies set before the user makes a choice?

If you answered "no" to any of these questions, your banner may contain dark patterns that expose you to regulatory risk.
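The mechanically testable checklist items (1-5, 7 and 10), including the click asymmetry described under "Excessive Clicks to Reject", can be checked automatically. The following is an added example, not code from this page or from any consent tool; the snapshot shape and every field name are assumptions, the sample banner is constructed, and `cookiesBeforeChoice` is assumed to list non-essential cookies observed before any click. Items 6, 8 and 9 still need human review.

```javascript
// Added example, not code from the page. The snapshot shape (firstLayer, flow,
// categories, ...) is an assumption; fill it from your banner's DOM and a crawl.

// Fewest clicks from the first layer to "ACCEPTED" or "REJECTED" (BFS).
function minClicks(flow, outcome) {
  const queue = [[flow.start, 0]];
  const seen = new Set([flow.start]);
  while (queue.length) {
    const [screen, clicks] = queue.shift();
    for (const next of Object.values(flow.screens[screen] || {})) {
      if (next === outcome) return clicks + 1;
      if (!seen.has(next)) { seen.add(next); queue.push([next, clicks + 1]); }
    }
  }
  return Infinity; // outcome cannot be reached at all
}

// Returns the numbers of the checklist items that the snapshot fails.
function auditBanner(b) {
  const failed = [];
  const accept = b.firstLayer.find((x) => x.role === "accept");
  const reject = b.firstLayer.find((x) => x.role === "reject");
  if (!reject) failed.push(1);
  else if (accept) {
    if (reject.w * reject.h < accept.w * accept.h) failed.push(2);
    if (reject.style !== accept.style) failed.push(3);
  }
  if (minClicks(b.flow, "REJECTED") > minClicks(b.flow, "ACCEPTED")) failed.push(4);
  if (b.categories.some((c) => !c.essential && c.defaultOn)) failed.push(5);
  if (b.cookieWall) failed.push(7);
  if (b.cookiesBeforeChoice.length > 0) failed.push(10);
  return failed;
}

// Constructed sample: no first-layer reject, pre-ticked panel, early cookie.
const DARK_BANNER = {
  firstLayer: [{ role: "accept", w: 160, h: 44, style: "solid" },
               { role: "manage", w: 120, h: 20, style: "link" }],
  flow: { start: "layer1", screens: {
    layer1: { accept: "ACCEPTED", manage: "prefs" },
    prefs: { untickAnalytics: "adsOnly", save: "ACCEPTED" },
    adsOnly: { untickAds: "none", save: "ACCEPTED" },
    none: { save: "REJECTED" } } },
  categories: [{ name: "necessary", essential: true, defaultOn: true },
               { name: "analytics", essential: false, defaultOn: true },
               { name: "advertising", essential: false, defaultOn: true }],
  cookieWall: false, cookiesBeforeChoice: ["example_tracking_id"],
};
console.log(auditBanner(DARK_BANNER)); // [ 1, 4, 5, 10 ]
```

Modelling the banner as a click graph means a pre-ticked panel whose "Save" button records acceptance is counted correctly: the shortest path to a real rejection here is four clicks against one to accept.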

Passiro's consent banner is designed from the ground up to be dark-pattern free, meeting every criterion on this checklist by default. Learn how Passiro can help you implement ethical, compliant cookie consent.
