Cookie Banner Dark Patterns: 12 Banned Tricks in Belgium
Steven | TrustYourWebsite · 12 June 2026 · Last updated: June 2026
Since 2024, European data protection authorities no longer treat cookie banner design as a matter of taste. On 3 September 2025 the CNIL fined Google 325 million euros and Shein 150 million euros for cookie banner violations. In Belgium, the GBA/APD, the Belgian data protection authority, imposed on Mediahuis a penalty payment of 25,000 euros per day per site (French version) covering four news websites. RTL Belgium took a hit of its own in decision 131/2024. The legal framework comes from the ePrivacy Directive 2002/58/EC and the GDPR. This article maps twelve dark patterns, ranked by regulator consensus, and classifies each one as banned, discouraged or best practice according to the EDPB.
To find out whether your site loads trackers before consent or ignores the "reject all" button, run the free TrustYourWebsite scan. For the GBA's enforcement track record and what it checks in practice, see our guide on GBA cookie enforcement. For the design requirements your banner must meet, see the Belgian cookie banner rules.
Does your cookie banner use dark patterns?
Our scanner clicks 'reject all' and then checks whether trackers keep firing anyway.
I understand this is a technical scan, not legal advice, and I accept the Terms.
The EDPB taxonomy: six categories
The European Data Protection Board published the EDPB Guidelines 03/2022 (version 2.0, 14 February 2023) with a taxonomy of six categories of dark patterns. The Cookie Banner Taskforce (report of 18 January 2023) applied them specifically to cookie banners.
Overloading means swamping the user with information, requests or options to cause fatigue. For cookie banners this translates into endless lists of individual cookies that the user must approve one by one, while "accept all" takes a single click.
Skipping is designing the interface so that the user passes over the choice. A banner that disappears automatically after a few seconds and records that as consent falls into this category.
Stirring plays on emotions or uses visual nudging. The classic green "accept" button next to a small grey "reject" link is the best-known example.
Hindering makes the privacy-friendly choice harder than the default one. Three clicks to reject, one click to accept.
Fickle means inconsistent design: the cookie explanation says one thing, the actual processing does another.
Left in the dark withholds information or presents it in a confusing way. Labelling marketing cookies as "functional" is an example.
The twelve patterns, ranked by consensus
| Pattern | EDPB category | Consensus | Leading enforcement |
|---|---|---|---|
| 1. Trackers loaded before consent | Fickle | Unanimous | Yahoo EUR 10M, Google EUR 325M |
| 2. Pre-ticked checkboxes | Skipping | Unanimous | Planet49 (C-673/17) |
| 3. No "reject all" on the first layer | Hindering | Majority | GBA Mediahuis 113/2024, CNIL |
| 4. Asymmetric button design | Stirring | Unanimous | GBA green/grey, CNIL Dec. 2024 |
| 5. More clicks to reject than to accept | Hindering | Unanimous | Google EUR 150M (2021) |
| 6. Marketing cookies labelled "functional" | Left in the dark | Unanimous | Taskforce par. 3.5 |
| 7. Legitimate interest for advertising cookies | Left in the dark | Unanimous | Taskforce par. 3.6, GBA Mediahuis |
| 8. Consent by "continuing to browse" | Skipping | Unanimous | CNIL 2020-091 par. 27 |
| 9. Missing or asymmetric withdrawal mechanism | Fickle | Unanimous | GDPR art. 7(3) |
| 10. Cookie wall without a paid alternative | Hindering | Majority banned | CNIL Delib. 2023-010 |
| 11. Ambiguous or emotional wording | Stirring | Majority | CNIL Dec. 2024 formal notices |
| 12. Banner shown again after refusal | Overloading | Majority | CNIL six-month standard |
Trackers before consent is the most heavily sanctioned pattern. The CNIL fined Yahoo 10 million euros in 2023 and Google 325 million euros in 2025 because trackers were already active before the visitor had made any choice.
Pre-ticked checkboxes have been unambiguously banned since the Planet49 ruling (CJEU C-673/17). Consent requires an affirmative action. Boxes ticked by default are not consent.
No "reject all" on the first layer is a majority position, not a unanimous one. The EDPB Cookie Banner Taskforce explicitly names this as a point on which not all authorities agree. The GBA confirmed the requirement in the Mediahuis decision 113/2024. The CNIL requires it as well. Epistemic honesty demands that we say this is not an across-the-board unanimous requirement.
Asymmetric button design is unanimously problematic. There is no fixed WCAG threshold in the EDPB text, but colour difference, element type (link vs. button), font size and position are repeatedly used as evidence.
Legitimate interest for advertising and tracking cookies is unanimously banned. The Taskforce states in paragraph 3.6 that legitimate interest is not a valid legal basis for placing non-functional cookies. The GBA confirmed this in the Mediahuis decision.
Cookie walls without a paid alternative are banned by the majority. The CNIL takes the position that a cookie wall is only permitted if a reasonable paid alternative exists. Not all authorities share that view.
Belgium: GBA enforcement and the IAB Europe saga
The GBA is the most active Belgian regulator on cookie banners. In October 2023 it also published a concrete cookie checklist that sets out the banner requirements point by point. Three enforcement cases define the landscape.
Mediahuis (decision 113/2024, 6 September 2024). The GBA imposed a penalty payment of 25,000 euros per day per site on four news websites (De Standaard, Het Nieuwsblad, Gazet van Antwerpen and Het Belang van Limburg). The violations: no reject button on the first layer, asymmetric button design and the use of legitimate interest for advertising cookies. The GBA found that the prominent colour of the "agree and close" button drew attention and so undermined the visitor's free choice. The Marktenhof annulled this decision on 19 March 2025 (AR/1690) on the ground that the complainant had abused his rights, but the substantive analysis remains a reference for how the GBA reads dark-pattern banner design.
RTL Belgium (decision 131/2024, 18 October 2024). RTL Belgium hid the reject option in a second layer while "Accept and close" sat on the first layer in a prominent colour. The GBA ordered that all buttons receive the same visual weight and that the refusal must be available on the first layer. The decision confirms that the GBA enforces systematically against French-language sites too, not only against Flemish media.
IAB Europe and the Transparency & Consent Framework (TCF). In decision 21/2022 the GBA took the position that IAB Europe is a joint controller for processing through the TCF. IAB Europe appealed. The Court of Justice ruled in C-604/22 (7 March 2024) that the TC String is personal data and that IAB Europe can qualify as a joint controller. The Brussels Marktenhof confirmed the core of the GBA decision on 14 May 2025. IAB Europe has since updated the TCF to version 2.2, but that version has not yet been tested by a supervisory authority.
For Belgian SMEs the practical consequence is clear: if your CMP runs on the TCF, the legal basis of your marketing cookies rests on a framework whose legality is still contested. It is worth following how this develops.
Four cases, one consistent line
To place the Mediahuis decision in its European context, here are the most-cited cookie banner sanctions. They all confirm the same line: no equivalent reject option means no valid consent. We have also documented what GDPR fines look like for small businesses specifically.
| Case | Authority | Year | Sanction | Core finding |
|---|---|---|---|---|
| Mediahuis 113/2024 (annulled by Marktenhof 19 March 2025) | Belgian GBA | 2024 | EUR 25,000 per day per site | No "reject all" on the first layer, legitimate interest for advertising cookies |
| Google (CNIL) | CNIL | 2025 | EUR 325 million | Two-click refusal flow, trackers before choice |
| Yahoo (CNIL) | CNIL | 2023 | EUR 10 million | Advertising cookies placed before consent |
| Planet49 (C-673/17) | CJEU | 2019 | Landmark ruling | Pre-ticked boxes are not consent |
What the scanner actually tests
The TrustYourWebsite scanner has one feature that maps directly onto the most heavily sanctioned pattern: after clicking "reject all", the scanner re-checks the network traffic for trackers that keep running. Specifically, we detect whether Google Analytics, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag or Criteo still send data after a reject action. This matches the core finding in the CNIL Yahoo case (10 million euros).
The scanner also detects asymmetric button design (CSS contrast ratio, element type a vs. button, font-weight), the presence of a reject button on the first layer, pre-ticked checkboxes, cookie walls, a missing withdrawal mechanism and the use of legitimate interest for advertising cookies.
All findings are technical signals, not legal verdicts. The scanner can establish that a tracker is active after a reject. The scanner cannot judge whether the legal basis for that tracker is sound.
Banned, discouraged or best practice
Banned (explicit decisions by supervisory authorities or courts): pre-ticked checkboxes, trackers before consent, trackers that persist after a reject, legitimate interest for marketing cookies, consent by continued browsing, missing withdrawal mechanism.
Majority consensus, not unanimous: a "reject all" button on the first layer. The Taskforce specifically notes this as a point of divergence. The GBA follows the majority position, but epistemic honesty requires that we mention the split.
Case by case: button colour, size and contrast. There is no fixed WCAG threshold in the EDPB text. The parameters are nonetheless used repeatedly as evidence.
Best practice: a persistent withdrawal icon (a small pictogram in the bottom left or bottom right that stays visible), refreshing consent every six months and layered transparency.
The machinery is in motion
Dark pattern enforcement has crossed a threshold. In 2024 the question was whether regulators would act. In 2026 the question is how fast they can scale up. The Google fine of 325 million euros and the Mediahuis penalty of 25,000 euros per day per site show the price of inaction. The RTL Belgium decision confirms that French-language sites are not spared either. For what your banner must look like to pass a GBA check, see the Belgian cookie banner rules.
Check your cookie banner now. Scan your website and see whether trackers keep firing after "reject all". Free, takes 2 minutes.
Common questions
What are cookie banner dark patterns?
Dark patterns in cookie banners are design tricks that steer visitors toward accepting cookies. Think of a large green "accept" button next to a small grey "reject" link, or a cookie wall that blocks the site until you agree.
Is a "reject all" button on the first layer mandatory in Belgium?
The GBA follows the majority position of the EDPB Cookie Banner Taskforce and requires a reject button on the first layer. In the Mediahuis decision 113/2024 the GBA confirmed that the absence of such a button is a violation. The CNIL requires it explicitly. The EDPB taskforce treats it as a majority point, not a unanimous one.
What does the TrustYourWebsite scanner detect on cookie banners?
After clicking "reject all", the scanner checks whether trackers such as Google Analytics, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag and Criteo keep sending data anyway. It also detects asymmetric buttons, a missing reject button and pre-ticked checkboxes.
Sources
- GBA, Decision on the merits no. 113/2024 (Mediahuis) (gegevensbeschermingsautoriteit.be)
- GBA, Decision on the merits no. 131/2024 (RTL Belgium) (gegevensbeschermingsautoriteit.be)
- GBA, Decision on the merits no. 21/2022 (IAB Europe) (gegevensbeschermingsautoriteit.be)
- GBA, Cookie checklist, October 2023 (gegevensbeschermingsautoriteit.be)
- GBA press release on the Mediahuis measures (NL) (gegevensbeschermingsautoriteit.be) / APD press release (FR) (autoriteprotectiondonnees.be)
- Marktenhof judgment of 19 March 2025, AR/1690 (autoriteprotectiondonnees.be)
- GBA/APD public decisions database (autoriteprotectiondonnees.be)
- CJEU, C-604/22, IAB Europe (curia.europa.eu) / case overview (infocuria.curia.europa.eu)
- CJEU, C-673/17, Planet49 (curia.europa.eu)
- EDPB Guidelines 03/2022 on deceptive design patterns (NL) (edpb.europa.eu) / (FR)
- EDPB Cookie Banner Taskforce report, 18 January 2023 (edpb.europa.eu) / report page (edpb.europa.eu)
- CNIL, Google sanction of 325 million euros (cnil.fr)
- CNIL, Yahoo sanction of 10 million euros (cnil.fr)
- Regulation (EU) 2016/679 (GDPR) (eur-lex.europa.eu)
- Directive 2002/58/EC (ePrivacy Directive) (eur-lex.europa.eu)
This is technical analysis, not legal advice. Consult a qualified lawyer for specific legal guidance.
Check your website now
Scan your website for GDPR & Privacy issues and 30+ other checks.
Start free checkWebsite Guides
AI-Built Website and GBA Complaint: Who Pays in Belgium?
Your builder used Cursor or Lovable. The cookie banner does not work. The GBA fines you, not OpenAI. What changes 9 December 2026.
Belgian Cookie Banner Rules: GBA Checks and Fines
What your cookie banner must do in Belgium. GBA enforcement, equal reject button, no dark patterns and a checklist included.
Belgian GBA Cookie Enforcement: What They Check
The Belgian Gegevensbeschermingsautoriteit (GBA) enforces cookie rules under art. 10/2 of the Kaderwet. What they check and how to fix your setup.
GDPR Compliance Checklist for Belgian Businesses (2026)
35-point GDPR checklist for Belgian businesses. APD/GBA enforcement, Wet 30 juli 2018, KBO/BCE number, cookie consent rules, Brussels bilingual obligations.
GDPR for Restaurant Websites in Belgium
GDPR for restaurant websites in Belgium. Reservations, Google Maps, analytics and newsletters: what the GBA expects and what you can fix this week.