The “Accept” button shines bright and clear, while the “Manage Settings” option fades into the background.
The “Reject” button? Nowhere to be found.
These are classic examples of “dark patterns”, tactics websites and apps use to nudge users into accepting cookies.
In fact, research suggests that 72% of cookie banners contain at least one dark pattern. And that’s a problem, because dark patterns aren’t just unethical, they also violate privacy laws.
But what exactly are dark patterns, and how do they shape user behavior?
In this article, we’ll examine that and show you how to avoid dark patterns when designing your cookie banner.
What are dark patterns?
Dark patterns (also called “deceptive patterns”) are design patterns that mislead, influence or force you into taking actions that are not in your best interest. They are deliberately intended to promote business outcomes at the users’ expense.
The term was first used by Harry Brignull in 2010:
Types of dark patterns
- Trick questions: You're filling out a form and responding to a question that tricks you into thinking it asks one thing, but when you read it carefully it asks something else.
- Sneak into basket: When you try to buy something, the seller sometimes adds extra items to your order through opt-out buttons or checkboxes on previous pages.
- Roach motel: You find it easy to create an account or sign up for a newsletter, but then difficult to cancel the account or unsubscribe from the newsletter.
- Privacy zuckering: You are tricked into publicly sharing more information about yourself than you intended to. The pattern is named after Mark Zuckerberg, CEO of Facebook.
- Price comparison prevention: The seller makes it difficult to compare the price of one item with another, so you might not know if you are paying a fair price.
- Misdirection: The design draws your attention to one thing, so that you don't notice another.
- Hidden costs: When you reach the last step of the checkout process, you may be surprised to discover some unexpected charges like delivery fees, taxes, etc.
- Confirmshaming: The act of nudging the user into opting into something. The option to decline is worded in such a way as to shame the user into compliance.
- Disguised ads: Ads that look like other kinds of content, like friends’ posts, to get you to click on them.
- Forced continuity: When a free trial period ends and your credit card starts getting charged without warning. Sometimes it’s made even worse by making it difficult to cancel the membership.
- Friend spam: A product may ask for your email or social media permissions and then spam all your contacts claiming it is from you.
So dark patterns are tricks used to push you into doing things the company wants; for example, to buy a specific version of a product – or to accept cookies.
These are tricks designed to exploit human behavior for the website or app to achieve the desired outcome: the sale, the signup, the upsell.
And you are exposed to these patterns every single day, for example in cookie banners.
What are dark patterns in cookie banners?
Dark patterns in cookie banners are common and serve one single purpose: to get as many users to consent to cookies as possible. This is often done by making it difficult for the user to reject consent to cookies.
But using dark patterns in your cookie banner is not only unethical, it’s also illegal in most cases. The reason for this is that they generally prevent the user from giving “a freely given, informed, specific and unambiguous consent” (GDPR, recital 32).
How common are dark patterns in cookie banners?
Dark patterns in cookie banners are very common. Unfortunately.
In 2024, the Austrian privacy activist organization NOYB published a report on dark patterns in cookie banners, comparing recommendations from the European Data Protection Board (EDPB) with the positions of national DPAs.
In the report, NOYB identified that a significant majority of websites still employ dark patterns to manipulate users into giving consent.
A 2024 joint study from the Karlsruhe Institute of Technology and the IT University of Copenhagen also found that 72% of websites use at least one dark pattern.
Both NOYB’s report and the study identified specific types of dark patterns commonly used in cookie banners.
The most common types of dark patterns in cookie banners
1) No reject button on the first layer
In its report, NOYB found that:
- Rejecting cookies often requires twice as many clicks as accepting them.
- Only 2.18% of users navigate to the second layer of a cookie banner.

2) Pre-ticked checkboxes
Consent must be specific. This is why cookie banners must include checkboxes in their design, so the user can choose to give consent to functional, statistical or marketing cookies.
The joint study from the two universities found that 45% of banners had preselected options consenting to all cookies.
Using pre-ticked boxes for different cookie types was ruled in violation of the GDPR by the European Court of Justice in October 2019. So any checkboxes must be “un-ticked” by default.

3) Link to settings instead of a "Reject" button
Often the only clearly visible option is the “Accept” button. If a banner includes another button it’s often “Settings” instead of “Reject”. Sometimes there is a “Reject” button, but clicking it takes you to a second layer, whereas the accept button works with only one click.
- The “Reject” option is often embedded as a small hyperlink, making it hard for users to notice.
- Some websites place the reject option outside the banner, further misleading users.
These practices are in direct violation of GDPR Article 7(3), which states that withdrawing consent must be as easy as giving it.

4) Deceptive button colors and contrast
In its report, NOYB found that:
- “Accept” buttons are frequently highlighted in bright colors, while the “Reject” button is either gray or visually obscured.
- Some banners use low-contrast text for the “Reject” button, making it unreadable.
These methods violate the principles of fairness and transparency (Article 5(1)(a) GDPR).

5) Misusing "Legitimate Interest"
Relying on Legitimate Interest is another common dark pattern found on many websites using cookie banners.
Some companies claim they can track users based on “legitimate interest” rather than consent. The ePrivacy Directive explicitly states that tracking requires consent, and DPAs generally reject legitimate interest as a legal basis for cookies.
6) Misclassifying cookies as “essential” or “strictly necessary”
Companies may claim that some marketing or analytics cookies are essential for their business. Understandably so. For most companies, data is essential.
But the “essential” or “strictly necessary” categories are meant to cover cookies that are required for your website to function properly – which marketing and analytics cookies rarely, if ever, are.
Tools like Google Analytics, Meta Pixel or LinkedIn’s insight tag (and many more) are not necessary for websites to work. And they collect personal information about users. Therefore, you are required to collect consent for using them.
Circumventing consent requirements by misclassifying cookies is a direct violation of ePrivacy Directive Article 5(3) as well as GDPR Article 6(1).
7) Vague or misleading language
Vague or misleading language is another dark pattern aimed at confusing the user. Often, buttons on cookie banners include double negatives or complex language that leaves the user unsure about their choice.
Why are dark patterns in cookie banners so effective?
Human psychology!
Dark pattern tactics can be very effective. Most of the time, we don’t even notice them.
Imagine you are going to a website. You see the cookie banner. With one simple click on the highlighted green button, you can accept all cookies.
Or you can click on “Settings”, read what feels like a novel on the way they use cookies. Maybe you have to de-select a range of pre-selected checkboxes before you are finally able to reject cookies.
What do you do?
You came for the website’s content. And you want to see that content as soon as possible. Preferably before you lose interest or forget why you entered the site.
You choose the path of least resistance. You accept all cookies and then go to the content.
Many cookie banners play on that dynamic. One click to see the content, many clicks to reject cookies. This is why legislation like the ePrivacy Directive, GDPR, and many others specify what valid consent looks like.
Consent is a matter of yes or no. And it must be as easy to reject cookies as it is to accept.
What do privacy laws say about dark patterns?
Nothing really.
But they say a lot about what consent is. And based on that, many of the dark pattern techniques became illegal.
Dark patterns used in cookie banners often affect user privacy. That means they conflict with privacy laws like the European General Data Protection Regulation (GDPR) or the ePrivacy Directive.
These two privacy laws are some of the strictest in the world when it comes to lawful processing of personal data.
Most personal data collected and processed by cookies fall under the GDPR. And in most cases, companies must use consent as a lawful basis for collecting and processing these data. Many of the dark patterns outlined above conflict with GDPR’s definition of valid consent:
With these dark patterns, users cannot freely choose to accept or reject cookies, because the design is intentionally made to deceive the user.
How do you optimize your consent rates without using dark patterns?
If you want to optimize your cookie banner for getting consents, there’s not a lot you can do – at least not within the boundaries of the law.
What you can do is combat “consent fatigue” by optimizing the user-friendliness of your cookie banner. Another option is to simply A/B test different elements.
But most importantly, you should always stay updated on the latest design-related legal developments and ensure that the consents you collect are valid.
Checklist for collecting valid consent to cookies
- Inform your users of the cookies you use and what data they collect.
- Provide your users with an easy way to reject cookies (“Reject” button next to “Accept” button).
- Let your users choose what cookie types they want to accept/reject (checkboxes).
- Let these checkboxes be un-ticked as default.
- Use equal colors and contrasts in “Accept” and “Reject” buttons.
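The checklist above can be checked automatically. The JavaScript below is an added example, not code from Cookie Information or any consent platform: the banner descriptor shape, the finding names, the sample cookie names and the thresholds (a 1.5x prominence gap, and 4.5:1 label contrast, the WCAG AA minimum for normal text) are assumptions chosen for illustration.

```javascript
// Added example. The banner descriptor shape and thresholds are assumptions.
// WCAG 2.x relative luminance of an "#rrggbb" colour.
function luminance(hex) {
  const [r, g, b] = [1, 3, 5].map((i) => {
    const c = parseInt(hex.slice(i, i + 2), 16) / 255;
    return c <= 0.03928 ? c / 12.92 : ((c + 0.055) / 1.055) ** 2.4;
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}
// WCAG contrast ratio: 1 (identical colours) to 21 (black on white).
function contrast(a, b) {
  const [hi, lo] = [luminance(a), luminance(b)].sort((x, y) => y - x);
  return (hi + 0.05) / (lo + 0.05);
}
// Prefixes that are never "strictly necessary"; _ga is the cookie named in the article.
const TRACKER_PREFIXES = ['_ga'];

function auditBanner(banner) {
  const findings = [];
  const [accept, reject] = ['accept', 'reject'].map((role) =>
    banner.firstLayer.find((b) => b.role === role));
  if (!reject) findings.push('no-reject-on-first-layer');
  if (accept && reject) {
    // Prominence: how strongly each button stands out from the banner background.
    const ratio = contrast(accept.bg, banner.bg) / contrast(reject.bg, banner.bg);
    if (ratio > 1.5) findings.push('accept-more-prominent-than-reject');
    if (contrast(reject.fg, reject.bg) < 4.5) findings.push('reject-label-low-contrast');
  }
  for (const cat of banner.categories) {
    if (!cat.essential && cat.preTicked) findings.push(`pre-ticked:${cat.name}`);
    if (!cat.essential) continue;
    for (const c of cat.cookies) {
      if (TRACKER_PREFIXES.some((p) => c.startsWith(p))) findings.push(`tracker-marked-essential:${c}`);
    }
  }
  return findings;
}
// Constructed sample: bright Accept, pale Reject, pre-ticked marketing, _ga marked essential.
const darkBanner = {
  bg: '#ffffff',
  firstLayer: [
    { role: 'accept', bg: '#1a8f3c', fg: '#ffffff' },
    { role: 'reject', bg: '#f2f2f2', fg: '#c0c0c0' },
  ],
  categories: [
    { name: 'necessary', essential: true, preTicked: true, cookies: ['session_id', '_ga'] },
    { name: 'marketing', essential: false, preTicked: true, cookies: ['ad_id'] },
  ],
};
console.log(auditBanner(darkBanner));
```

An empty result means none of these particular checks fired; it does not establish that a banner is compliant.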
Ditch dark patterns and design with transparency
Stricter regulations require more transparency and remind us that staying informed is crucial for users and businesses alike.
Your cookie banner is a user’s first impression – make it count. Choose transparency over tricks. Honest banners build trust and engagement, and regular audits keep you compliant and user-friendly.
The future of cookie consent is balancing business needs with user rights. By rejecting dark patterns and embracing ethical design, we can create a web that respects both privacy and functionality.
FAQ about dark patterns and cookie consent
What buttons do I have to include in my cookie banner?
For consent to be valid under the GDPR, consent must be freely given, informed, specific & unambiguous.
This means that consent is:
- a matter of yes and no (freely given).
- based on information about what you give consent to (informed).
- given specifically to each data processing purpose like functional, statistical and marketing cookies (specific).
- clearly described, so the user is not in doubt that he/she gives consent (unambiguous).
When it comes to cookie banners, most European Data Protection Authorities interpret the GDPR as:
- the user must be able to reject consent (reject button in the cookie banner)
- consent must not be implied. Scrolling, swiping, just using the site is not considered valid consent.
- checkboxes must be used for collecting specific consent and must be unticked as default.
Can I make the Accept button larger?
There are no specific rules for button size in the ePrivacy Directive or the GDPR. But most European Data Protection Authorities highlight in their cookie guidelines that buttons for “Accept” and “Reject” should have equal weight (size).
You may not try to hide the reject button by making it significantly smaller than the accept button. That would be a dark pattern.
Do I need a reject button in my cookie banner?
Yes! And it should be placed in the cookie banner’s “first layer”, right next to the “Accept” button and not hidden behind “Settings”, “Preferences” or “Details”.
However, different European Data Protection Authorities have different opinions here, so please check your local cookie guideline.
Can I change the words in the buttons?
Sure. Whether you write “Accept”, “Accept all”, “OK” or something else is entirely up to you. As long as it is clear to the users what they are choosing.
“Accept” and “Reject” are the most common wordings in compliant banners.
If you write “Accept” and “Accept all” assuming that the users know that “Accept” is only accepting non-essential cookies and “Accept all” is accepting all the cookies, then it gets confusing. If you intend it to be confusing, then it is a dark pattern.
Can the checkboxes be pre-selected for consent?
No! In 2019 the European Court of Justice ruled against German lottery website Planet49 and their privacy practices. The court stated that it was not legal to pre-select the checkboxes for specific cookie types (functional, statistic, marketing). The user has to opt-in to specific cookie types, not de-select them.
Your cookie banner must include checkboxes (as specific consent is needed for each cookie type) and these boxes must be de-selected as default (consent must not be implied).
What text is required in the cookie banner?
Consent must be informed. Therefore, your cookie banner must as a minimum contain information about:
- Your use of cookies.
- Which cookies you use.
- What data they collect.
- Who owns the cookies.
- How long the cookies are stored.
- How users accept/reject and withdraw consent.
Whether you write “We use cookies” or “You control your data” doesn’t matter (but do A/B test it). The important thing is that you are transparent about data collection and data processing, and that your text is written in plain, easy-to-understand language.
A good Consent Management Platform will automatically make you an updated cookie policy and import this information into your cookie banner.
Do I need to ask for consent? (Legitimate Interest)
Yes, you have to ask for consent. In terms of cookies, Legitimate Interest (GDPR) is not an alternative to consent. We do see consent pop-ups using legitimate interest as their lawful basis for using cookies, but consent is always required under the ePrivacy Directive.
Legitimate interest can be used when you have a legitimate reason for processing a person’s personal data, e.g., a name and address for a pizza delivery (cannot deliver the pizza without an address).
But always use consent for data that your users have to give you permission to use (IP address, DeviceID). A DeviceID is not required for your website to work.
Is Google Analytics essential? (essential/non-essential cookies)
To your business, yes! For your website to work, no.
Google Analytics’ cookies (_ga) are not considered essential cookies.
Google Analytics’ cookies require consent because they still collect and process a lot of personal information about your user. According to the GDPR, you need valid consent for collecting this data.
But I’m not collecting any data!
But Google is! Facebook is. Amazon is.
Here’s how it works. You use Google Analytics. Google Analytics sets cookies through your website, so you can see how many people visit your site, what pages they read and how they convert/buy.
Google collects a lot of data to give you these metrics. IP-address, geolocation, DeviceID, etc. This is personal data under the GDPR. Even though you never see it and never can identify anyone.
And you are the data controller under the GDPR, so the responsibility for collecting consent is yours.
Can I A/B split test the Cookie Information banner?
Yes. We encourage testing text and buttons in your banner. In our solution, you can run A/B tests over time by making one change at a time and checking the results after a few days.
Take into consideration that other factors could have effects on your results, such as time, countries, seasons etc.