Dark Patterns in Cookie Banners: What's Illegal, What's Risky, and How to Stay Compliant

Regulators across Europe are no longer just checking whether you have a cookie banner — they are checking how it behaves. Dark patterns — deceptive design choices that manipulate users into giving consent they did not intend — have become the number one enforcement target for data protection authorities in 2025-2026. Fines are real, they are growing, and they hit companies of every size.

What Are Dark Patterns in Cookie Consent?

A dark pattern is any design choice that nudges users toward consenting when a neutral design would lead them to decline or make a genuinely free choice. The European Data Protection Board (EDPB) issued binding guidelines in 2023 defining specific dark pattern categories. These are not suggestions — they carry the force of law across all EU member states.

The 7 Most Common Dark Patterns (and Why They Are Illegal)

1. Hidden Reject Button

Making "Accept All" a prominent green button while "Reject" is a tiny grey text link buried in a second layer. Multiple DPAs have ruled this invalid. CNIL fined a major tech company €60 million partly for this practice.

2. Pre-Checked Boxes

Loading the consent banner with all cookie categories already checked. The CJEU ruled in the Planet49 case (2019) that pre-checked boxes do not constitute valid consent. This is settled law.

3. Cookie Walls

Blocking access to the website entirely until the user consents. The EDPB guidelines state that consent is not freely given if access to the service is conditional on it. Most EU DPAs have confirmed this position.

4. Confusing Language

Using legal jargon, double negatives, or intentionally complex wording to confuse users. "By not opting out of non-essential cookies, you agree to..." is a dark pattern. Clear, plain language is required.

5. Emotional Manipulation

Guilt-tripping users with phrases like "I don't care about my experience" for the reject option, or using sad icons and warning colours on the decline button. Regulators have specifically called this out.

6. Asymmetric Effort

One click to accept, five clicks to reject. If declining consent requires navigating through multiple screens, toggles, and confirmation dialogs while accepting is a single button, this is a dark pattern.

7. Repeated Prompting

Showing the consent banner again to users who already declined, hoping they will eventually click accept out of fatigue. Once a user makes a choice, that choice must be respected until they actively change it.

Real Fines for Dark Patterns

  • CNIL (France): €60M and €40M fines against major tech companies for consent banners where rejecting was harder than accepting
  • Italian DPA: €20M fine for pre-checked consent boxes and cookie walls
  • Spanish AEPD: €2.5M fine for manipulative cookie banner design
  • Belgian DPA: Ruled IAB Europe's original TCF implementation involved dark patterns
  • Austrian DSB: Multiple rulings against asymmetric consent designs

How to Audit Your Banner for Dark Patterns

Run this checklist against your current consent banner:

  • Accept and Reject buttons have the same size and colour prominence, and each takes the same number of clicks
  • No boxes are pre-checked — all consent categories start as opted-out
  • The website is accessible without consenting (no cookie wall)
  • Language is plain, clear, and in the visitor's language
  • No guilt-tripping text or emotional manipulation on the reject option
  • Previous choices are remembered — banner does not reappear to users who declined
  • A "Manage Preferences" option exists alongside Accept and Reject
  • Withdrawing consent is as easy as giving it
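
The machine-checkable items of this checklist can be run as a script over a recorded description of the banner. The following is an added example, not code from FlexyConsent or any CMP; the snapshot field names, the 10% area tolerance, and the sample banner are assumptions constructed for illustration.

```javascript
// Added example: snapshot field names are assumptions, not any CMP's API.
// Fill the snapshot by hand or from a headless-browser run against your own site.
const AREA_TOLERANCE = 0.1; // assumed: max relative difference in button area

function auditBanner(s) {
  const findings = [];
  const area = (b) => b.width * b.height;
  const { accept, reject } = s.buttons;

  // Checklist item 1: same size, prominence and number of clicks.
  if (!reject || reject.layer > accept.layer) {
    findings.push('hidden-reject: no Reject on the layer that shows Accept');
  } else if (Math.abs(area(accept) - area(reject)) / area(accept) > AREA_TOLERANCE
             || accept.style !== reject.style) {
    findings.push('hidden-reject: Accept and Reject differ in size or styling');
  }
  if (reject && reject.clicks > accept.clicks) {
    findings.push(`asymmetric-effort: ${reject.clicks} clicks to reject, ${accept.clicks} to accept`);
  }
  // Checklist item 2: every consent category starts opted-out.
  const preChecked = s.categories.filter((c) => c.checkedByDefault).map((c) => c.name);
  if (preChecked.length) findings.push(`pre-checked: ${preChecked.join(', ')}`);
  if (s.contentBlockedUntilConsent) findings.push('cookie-wall: site blocked until consent');
  if (s.bannerShownAfterDecline) findings.push('repeated-prompting: banner returns after a decline');
  if (!s.hasManagePreferences) findings.push('no-manage-preferences: option missing');
  return findings;
}

// Constructed sample banner, not taken from a real site.
const sampleBanner = {
  buttons: {
    accept: { width: 160, height: 44, style: 'button', layer: 1, clicks: 1 },
    reject: { width: 60, height: 16, style: 'link', layer: 2, clicks: 5 },
  },
  categories: [
    { name: 'analytics', checkedByDefault: true },
    { name: 'marketing', checkedByDefault: false },
  ],
  contentBlockedUntilConsent: false,
  bannerShownAfterDecline: true,
  hasManagePreferences: true,
};

console.log(auditBanner(sampleBanner));
```

Plain language, guilt-tripping text, and ease of withdrawal are not covered by the script and still need manual review.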

FlexyConsent: Dark-Pattern-Free by Design

FlexyConsent is built with regulatory compliance as the default. Equal buttons, no pre-checked boxes, no cookie walls, plain language in 43+ languages, and automatic respect for previous choices. As a Google Certified CMP registered with IAB Europe, FlexyConsent follows the strictest interpretation of EDPB guidelines — so you never have to worry about dark pattern enforcement.
