Cookie Banner Dark Patterns: What They Are and Why They're Illegal
Steven | TrustYourWebsite · 6 April 2026
Cookie banners are supposed to give users a genuine choice. Many do not. Instead, they use design techniques that nudge, pressure, or confuse users into accepting tracking — techniques the EDPB (European Data Protection Board) has classified as "dark patterns."
Using these techniques invalidates consent. Under GDPR Article 7, consent must be "freely given" — it cannot be the result of manipulation or undue influence. The AP (Autoriteit Persoonsgegevens) and EDPB have both confirmed that dark patterns in consent interfaces make the resulting consent legally void.
The EDPB Taxonomy: 6 Categories of Cookie Dark Patterns
In its March 2022 guidelines on dark patterns, the EDPB identified six categories. While initially focused on social media, the framework applies to cookie consent interfaces across all websites.
1. Overloading
Overloading means providing too much information or too many choices to make a meaningful decision difficult.
Examples:
- Long lists of cookie categories with detailed technical descriptions that most users cannot interpret
- Showing hundreds of individual advertising partners that users must individually opt out of
- Displaying privacy settings spread across multiple pages with no summary view
- Presenting consent banners with so much text that users cannot quickly find the action buttons
Why it's illegal: Consent must be "informed" — but deliberately complex presentation designed to discourage reading is the opposite of transparency.
2. Skipping
Skipping means designing an interface in a way that makes users skip past important information.
Examples:
- A prominent "Accept" button at the top and the privacy policy link in small text below
- An animated or attention-grabbing accept button that draws the eye away from other options
- Long scrolling consent forms where the reject option is only visible at the bottom
Why it's illegal: Users who do not see or understand the options cannot give informed consent.
3. Stirring
Stirring uses emotional language or visual cues to push users toward a particular choice.
Examples:
- "Help us keep our content free by accepting cookies" (guilt)
- Accept button in green (go), reject option in red (stop) or grey (inactive)
- "Improve your experience" framing for analytics that primarily serves the business, not the user
- Countdown timers ("Your settings expire in 30 seconds") creating false urgency
Why it's illegal: GDPR recital 42 states that freely given consent cannot be given "under duress." Emotional pressure is a form of duress.
4. Obstructing
Obstructing makes it difficult for users to exercise their right to refuse or withdraw consent.
Examples (the most common dark pattern):
- "Accept all" button vs. "Manage preferences" text link — the false hierarchy
- Single-click accept, multi-click reject (must go to settings, deselect each category, save)
- Reject button in grey or white on white background — low contrast, hard to see
- Preference centre that does not have a "Reject all" option at the top level
- Consent withdrawal buried in settings → privacy → cookie preferences → individual settings
Why it's illegal: GDPR Article 7(3) states that withdrawal of consent must be as easy as giving consent. The AP fined Kruidvat and Coolblue specifically for this type of obstruction.
5. Fickle
Fickle means using inconsistent design that creates confusion about the purpose and effect of consent choices.
Examples:
- Toggle switches where "on" means the cookie is blocked (reversed logic)
- Toggle switches that appear active/coloured even when off
- Category labels that don't explain what the cookies actually do ("Performance cookies" without defining what performance data is collected)
- Unclear checkboxes where it's ambiguous whether ticking means opting in or out
Why it's illegal: Consent must be unambiguous — there must be a clear affirmative act. Confusing design means users cannot give unambiguous consent.
6. Left in the Dark
Left in the dark means providing insufficient information for users to make an informed choice.
Examples:
- Cookie banner that says "we use cookies for analytics and personalisation" without explaining what that means
- No list of the actual cookies placed or the third parties involved
- "Our advertising partners" without naming them
- Claiming cookies improve "your experience" without specifying how
- Linking to a 50-page privacy policy without a summary relevant to the cookie choices
Why it's illegal: Consent must be specific and informed. Article 4(11) GDPR requires that consent is given "for a specific purpose."
The 12 Most Common Dark Patterns in Practice
Based on AP enforcement and independent research, these are the most frequently observed violations:
- False hierarchy — Accept is a large button; reject is a small link or secondary button
- Hidden reject — No reject option at all on the first layer; requires navigating to settings
- Pre-ticked boxes — Non-functional categories are ticked by default, requiring users to deselect
- Confirm shaming — Reject option labelled "No thanks, I prefer to miss out" or similar
- Forced scrolling — Reject option only visible after scrolling through long consent text
- Visual camouflage — Reject button has the same colour as the background (white on white, grey on grey)
- Asymmetric clicks — Accept in 1 click, reject requires 3–5 clicks through menus
- Ambiguous "Continue" — "Continue" or "OK" button that implies acceptance without being labelled as such (Coolblue case)
- Consent bundling — All cookie categories bundled into a single accept/reject, with no granular control
- Re-prompting — Banner reappears on every page or every visit, wearing down the user
- Moving targets — Preference centre design that makes it hard to find previously set preferences
- Misleading framing — Describing analytics cookies as "necessary for site functionality" when they are not
What Valid Consent Looks Like
For contrast, here are the markers of a compliant, non-manipulative cookie banner:
- Equal prominence: Accept and reject are both primary buttons, same size, same colour weight
- One-click reject: Rejecting all non-essential cookies takes the same number of clicks as accepting
- Clear labelling: Categories are described in plain language, e.g. "Google Analytics — tracks pages you visit and how long you stay"
- No default selections: All non-functional categories unchecked by default
- Named third parties: Third parties (Google, Meta, Hotjar) are identified by name, not just category
- Persistent preference centre: A "Cookie settings" link is accessible from the footer of every page
- Immediate effect: After rejecting, no tracking scripts load — verifiable in developer tools
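The "no default selections", "one-click reject" and "immediate effect" markers above come down to how the page gates its tracking scripts on the stored consent state. The following is an added example, not code from the article or from TrustYourWebsite: a small consent store where every non-essential category starts off, accepting and rejecting are each one call, withdrawal is the same single call as granting, and a vendor script is only injected once its category has been affirmatively switched on. The category ids, the vendor registry and the injector callback are constructed for illustration; in a real page the callback would create the `<script>` element.

```javascript
// Added example (not from the TrustYourWebsite article): a consent store whose
// defaults and API mirror the "valid consent" markers above. Category ids,
// vendor list and the injector callback are constructed for illustration.

const CATEGORIES = ['analytics', 'marketing', 'personalisation']; // all non-essential

// Constructed vendor registry: each tracking script belongs to exactly one category.
const VENDORS = [
  { name: 'Google Analytics', category: 'analytics', src: 'https://example.invalid/ga.js' },
  { name: 'Meta Pixel', category: 'marketing', src: 'https://example.invalid/pixel.js' },
  { name: 'Hotjar', category: 'analytics', src: 'https://example.invalid/hotjar.js' },
];

class ConsentStore {
  constructor(injectScript) {
    // Nothing is pre-selected: every non-essential category starts off.
    this.state = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
    this.decided = false;             // true once the user has made any choice
    this.injectScript = injectScript; // side-effect hook, e.g. document.createElement('script')
    this.loaded = new Set();          // vendors already injected in this page view
  }

  // Accepting and rejecting are symmetric: one call each, no per-category clicking.
  acceptAll() { this.apply(Object.fromEntries(CATEGORIES.map((c) => [c, true]))); }
  rejectAll() { this.apply(Object.fromEntries(CATEGORIES.map((c) => [c, false]))); }

  // Withdrawal is the same single call as giving consent (GDPR Art. 7(3)).
  withdraw(category) { this.apply({ ...this.state, [category]: false }); }

  // Granular choice: anything not explicitly set to true is treated as refused.
  apply(choices) {
    for (const c of CATEGORIES) this.state[c] = choices[c] === true;
    this.decided = true;
    this.loadPermitted();
  }

  // A vendor loads only after a decision, and only if its category is on.
  shouldLoad(vendor) { return this.decided && this.state[vendor.category] === true; }

  loadPermitted() {
    for (const v of VENDORS) {
      if (this.shouldLoad(v) && !this.loaded.has(v.name)) {
        this.loaded.add(v.name);
        this.injectScript(v);
      }
    }
    return [...this.loaded];
  }
}

// Constructed walkthrough: the user first rejects, then later opts in to analytics only.
function demo() {
  const injected = [];
  const consent = new ConsentStore((v) => injected.push(v.name));
  const beforeChoice = consent.loadPermitted().length; // 0: nothing loads before a decision
  consent.rejectAll();
  const afterReject = injected.length;                  // still 0 after "Reject all"
  consent.apply({ analytics: true });                   // granular opt-in to one category
  const afterAnalytics = [...injected];                 // only the analytics vendors
  return { beforeChoice, afterReject, afterAnalytics, state: { ...consent.state } };
}
```

One limitation worth knowing when you verify "immediate effect" in developer tools: a script that has already executed cannot be unloaded by withdrawing consent in the same page view, so a withdrawal should also clear the vendor's cookies and take full effect on the next navigation.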
Real Enforcement: What the AP Has Done
The AP's cookie enforcement since 2024:
- 2024: Kruidvat (AS Watson) fined €600,000 for pre-ticked consent boxes and tracking before consent. Reduced to €50,000 on appeal, but the violation was confirmed.
- 2024: Coolblue fined €40,000 for using "Continue" as an implicit acceptance of cookies and for pre-ticked boxes.
- April 2025: More than 200 warning letters sent to webshops, media companies, and insurers. Target: 500 warnings per year.
The AP has been clear that it does not exempt small businesses from cookie enforcement. Warning letters go to organisations of all sizes.
Testing Your Banner for Dark Patterns
Run through this checklist:
- Both accept and reject are primary buttons (not one button and one link)
- Accept and reject require the same number of clicks
- No boxes are pre-ticked
- "Continue," "OK," or similar does not mean acceptance
- No countdown timers or urgency language
- Reject button is visible without scrolling
- All non-functional cookie categories are off by default
- A "Reject all" option is available at the first layer of the banner
- Cookie settings are accessible from the footer of every page
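The checklist above can be run mechanically if the first layer of the banner is described as data. The following is an added example, not the article's own tool and not the `@trustyourwebsite/cookie-consent-validator` package it mentions: each checklist item becomes one check over a plain object describing the banner's buttons, categories, timer and footer link, and `auditBanner` returns the ids of every item that fails. The object shape and both sample banners (one with the obstructing patterns from the "Obstructing" section, one matching the "valid consent" markers) are constructed for illustration.

```javascript
// Added example (not the article's tool): a checklist audit over a constructed
// description of a cookie banner's first layer. The object shape and the two
// sample banners below are constructed for illustration.

function button(banner, action) {
  return banner.buttons.find((b) => b.action === action);
}

// One check per checklist item; each returns true when the banner passes.
// Checks that need a reject button return true ("not applicable") when it is
// missing, because 'hidden-reject' already reports that case.
const CHECKS = [
  { id: 'hidden-reject',
    pass: (b) => Boolean(button(b, 'reject')),
    why: 'No reject option on the first layer' },
  { id: 'false-hierarchy',
    pass: (b) => { const r = button(b, 'reject'); const a = button(b, 'accept');
      return !r || !a || (a.style === 'primary' && r.style === 'primary'); },
    why: 'Accept and reject are not both primary buttons' },
  { id: 'asymmetric-clicks',
    pass: (b) => { const r = button(b, 'reject'); const a = button(b, 'accept');
      return !r || !a || a.clicks === r.clicks; },
    why: 'Rejecting takes more clicks than accepting' },
  { id: 'forced-scrolling',
    pass: (b) => { const r = button(b, 'reject'); return !r || r.visibleWithoutScroll === true; },
    why: 'Reject button is only visible after scrolling' },
  { id: 'pre-ticked',
    pass: (b) => b.categories.every((c) => c.essential || c.defaultOn !== true),
    why: 'A non-essential category is on by default' },
  { id: 'ambiguous-continue',
    pass: (b) => !b.buttons.some((x) => ['continue', 'ok'].includes(x.action) && x.impliesConsent === true),
    why: '"Continue"/"OK" is treated as acceptance' },
  { id: 'urgency',
    pass: (b) => !(b.countdownSeconds > 0) && !b.buttons.some((x) => /expire|seconds|hurry/i.test(x.label)),
    why: 'Countdown timer or urgency language present' },
  { id: 'no-footer-settings',
    pass: (b) => b.settingsLinkInFooter === true,
    why: 'No persistent "Cookie settings" link in the footer' },
];

// Returns the ids of every failed check, in checklist order.
function auditBanner(banner) {
  return CHECKS.filter((c) => !c.pass(banner)).map((c) => c.id);
}

// Constructed sample: large "Accept all", a "Manage preferences" link, pre-ticked
// analytics, an ambiguous "Continue" and a countdown timer.
const DARK_BANNER = {
  buttons: [
    { action: 'accept', label: 'Accept all', style: 'primary', clicks: 1, visibleWithoutScroll: true },
    { action: 'reject', label: 'Manage preferences', style: 'link', clicks: 4, visibleWithoutScroll: false },
    { action: 'continue', label: 'Continue', style: 'primary', clicks: 1, visibleWithoutScroll: true, impliesConsent: true },
  ],
  categories: [
    { id: 'necessary', essential: true, defaultOn: true },
    { id: 'analytics', essential: false, defaultOn: true },
    { id: 'marketing', essential: false, defaultOn: false },
  ],
  countdownSeconds: 30,
  settingsLinkInFooter: false,
};

// Constructed sample: equal-prominence buttons, one-click reject, nothing pre-ticked.
const FAIR_BANNER = {
  buttons: [
    { action: 'accept', label: 'Accept all', style: 'primary', clicks: 1, visibleWithoutScroll: true },
    { action: 'reject', label: 'Reject all', style: 'primary', clicks: 1, visibleWithoutScroll: true },
    { action: 'settings', label: 'Cookie settings', style: 'secondary', clicks: 1, visibleWithoutScroll: true },
  ],
  categories: [
    { id: 'necessary', essential: true, defaultOn: true },
    { id: 'analytics', essential: false, defaultOn: false },
    { id: 'marketing', essential: false, defaultOn: false },
  ],
  countdownSeconds: 0,
  settingsLinkInFooter: true,
};
```

Running `auditBanner(DARK_BANNER)` lists seven of the eight checks as failed (only the reject option's mere presence passes), while `auditBanner(FAIR_BANNER)` returns an empty list. The audit covers the structural items only; whether a reject label is confirm-shaming or a category description is genuinely plain language still needs a human read.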
For automated testing of whether your banner actually stops tracking after rejection, use @trustyourwebsite/cookie-consent-validator.
This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.