On August 9, 2022, privacy organization NOYB (None Of Your Business) filed another 226 official complaints against European companies.
Again, the complaints were targeted towards the use of dark patterns in cookie banners.
It’s the third time NOYB fills the inboxes of European Data Protection Authorities with complaints about illegal methods for collecting cookie consents.
But what are dark patterns? And how are they used in cookie banners to trick and nudge users into giving consent?
In this article, I’ll show you what type of cookie banner design is legal – and what is not.
What are dark patterns?
Dark patterns are websites’ use of design elements and user interfaces designed to mislead you or influence your actions.
One of the more popular examples is the Roach Motel.
Say, you may want to unsubscribe from a mailing list. You look for an unsubscribe button. But it’s hard to find. Maybe it’s very small or hidden somewhere you wouldn’t think to look.
Or you want to delete your Amazon account. It’s possible, yes. But the road is long and winding, filled with obstacles and hidden deep inside Amazon’s myriad of subpages. Easy to get in, hard to get out.
When you meet designs like these, it’s a strong indicator that the company is actively putting roadblocks between you and your desired action: in this case the cancellation.
But dark patterns are also tricks used to push you into doing things the company wants; for example, to buy a specific version of a product or to accept cookies.
The term ‘Dark Patterns’ was first used by Harry Brignull in 2010. It was meant to define design and marketing techniques deliberately intended to make the user do something specific, something they maybe didn’t mean to do.
Deceptive design patterns (also known as "dark patterns") are tricks used in websites and apps that make you do things that you didn't mean to, like buying or signing up for something.
These are tricks designed to exploit human behavior for the website to achieve the desired outcome: the sale, the signup, the upsell.
And you are exposed to these patterns every single day.
A place where you see many dark patterns, are cookie banners. It also goes by the name “nudging” users into giving consent to cookies.
But how do dark patterns work?
Let’s take a look at dark patterns in cookie banners.
What are dark patterns in cookie banners?
Dark patterns in cookie banners are common and may prevent users from giving valid GDPR consent.
Dark patterns have one purpose: to collect as many consents to cookies as possible.
This is often done by making it difficult for the user to reject consent to cookies.
Using dark patterns may therefore prevent the user from giving “a freely given, informed, specific and unambiguous consent” (GDPR, recital 32).
Types of dark patterns in cookie banners
Between 2021 and 2022, Austrian privacy activist organization NOYB has filed more than 1000 official complaints to European Data Protection Authorities on companies’ use of dark patterns in cookie banners.
Here are some of their definitions of dark patterns and nudging:
1) No reject button in the cookie banner
Most cookie banners still only use one button: “Accept”.
These banners do not give the users the possibility of rejecting cookies. They merely assume that if you use their website, you accept cookies and the collection of personal data.
For consent to be valid, cookie banner must include a reject button in the first layer of the banner.
2) Pre-ticked checkboxes
Consent must be specific. This is why cookie banners must include checkboxes in their design, so the user can choose to give consent to functional, statistic or marketing cookies.
These checkboxes must be “un-ticked” as default.
Consent in the GDPR is opt-in – something the user chooses to give.
Using pre-ticked boxes for different cookie types was ruled in violation of the GDPR by the European Court of Justice in October 2019.
3) Link to settings instead of a reject button
Another common feature is the “Settings” button. Many cookie banners include a “settings” button instead of a reject button.
Click the button and it takes you to the second layer of the cookie banner, where you most likely can reject giving consent.
This is one of the patterns which introduces “more clicks” to reject cookies.
Users tend to choose path of least resistance and therefore choose to accept to click least possible times.
4) Deceptive button contrast colors
Although color design is never mentioned in neither the ePrivacy Directive nor the GDPR, the use of high and low contrasting colors is widely used in cookie banners.
This is a nudging technique not explicitly illegal, but some Data Protection Authorities – like the Danish DPA – will argue that if used to manipulated or mislead, it can be illegal.
4) Deceptive button contrast colors
Although color design is never mentioned in neither the ePrivacy Directive nor the GDPR, the use of high and low contrasting colors is widely used in cookie banners.
This is a nudging technique not explicitly illegal, but some Data Protection Authorities – like the Danish DPA – will argue that if used to manipulated or mislead, it can be illegal.
5) Using Legitimate Interest
Using Legitimate Interest is another common dark pattern found on many websites using Consent Management Platforms.
As a user, you are asked on one page to give or reject consent.
If you reject consent, you only find that on another page, the website claims legitimate interest for its vendors to use cookies.
A user may want to reject all cookies but is misled by the banner’s default “Consent” and “Legitimate Interest” settings. The user has to reject in two separate places and maybe for each of hundreds of vendors. That’s hundreds of clicks to reject cookies, but only one to accept.
6) Defining marketing cookies as essential cookies
Companies may claim that some marketing cookies are essential for their business. Understandably so.
But for privacy laws like the GDPR, most data that cookies collect nowadays are considered personal data.
And that data requires consent.
Tools like Google Analytics, Facebook’s Pixel or LinkedIn’s insight tag (and many more) are not necessary for websites to work. And they collect personal information about users. Therefore, you are required to collect consent for using them.
7) No easy way to withdraw consent
Some websites also make it hard for users to change or withdraw consent. This is a classic example of a dark pattern. We also saw this pattern with Amazon’s process for deleting an account.
Make it difficult enough for the user to perform a desired action and most likely they will abandon their quest.
Why are dark patterns and nudging so effective on cookie consent?
Human psychology!
Dark pattern tactics can be very effective. Most of the time, we don’t even notice them.
And as we discussed, these tactics are widely used in cookie banners.
Imagine you going to a website. You see the cookie banner. With one simple click on the highlighted green button, you can accept all cookies.
Or you can click on “settings”, read what feels like a novel on the way they use cookies. Maybe you have to de-select a range of pre-selected checkboxes before you are finally able to reject cookies.
What do you do?
You came for the website’s content. And you want to see that content as soon as possible. Preferably before you lose the interest or forget why you entered the site.
You choose the path of least resistance. You accept all cookies and then go to the content.
Many cookie banners play on that. One click to see the content, many clicks to reject cookies.
This is why legislation like the GDPR, like the Californian CCPA and many others specify what valid consent looks like.
Consent is a matter of yes or no. And it must be as easy to reject cookies as it is to accept.
But what does the GDPR really say about dark patterns?
Consent defined by the GDPR
What does the GDPR say about dark patterns?
Nothing really.
But it says a lot about what consent is. And from that many of the dark pattern techniques became illegal.
Dark patterns used in cookie banners often affect user privacy.
That means they conflict with privacy laws like the European General Data Protection Regulation (GDPR) or the Californian Consumer Privacy Act (CCPA).
These two privacy laws are some of the strictest in the world when it comes to lawful processing of personal data.
Most personal data collected and processed by cookies fall under the GDPR and the CCPA. And in most cases, companies must use consent as a lawful basis for collecting and processing these data.
Many of the dark patterns and nudging types we saw above conflict with GDPR’s definition of valid consent.
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. (..) Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
With these dark patterns, users cannot freely choose to accept or reject cookies when the design intentionally is made to deceive the user.
And recent studies have shown that dark patterns are widely used in Europe.
In 2019, looking at sample of 1000 of the most popular European websites, German researchers found 57.4% to use nudging to push users into giving consent to cookies.
And in 2020, Danish and American researchers studied the effects of dark patterns after the GDPR. They found that dark patterns and implied consent were found everywhere. In fact, only 11.8% of the most popular websites in the UK met the minimal requirements for consent in the GDPR.
Supporting these findings, French researchers looking at cookie banner designs found that 47% of websites nudge users towards accepting cookies by pre-selecting cookie types. 7% didn’t even provide users with an option to refuse cookies.
This widespread use of dark patterns has of course caught the attention of European Data Protection Authorities.
We have seen the French CNIL handing out hefty fines to Google, Facebook and Amazon for manipulative cookie consent designs and hard-to-understand privacy policies.
Much of the attention to dark patterns can be attributed to NOYB. The organization has filed short of 1000 official complaints to European Data Protection Authorities on companies’ illegal use of dark patterns.
They found that many top European websites still use dark patterns to nudge users into giving consent to cookies. Most common feature was not showing a reject button in the first layer of the cookie banner. Users had to click “more than one time” to reject cookies, but only one click to accept.
How do you optimize your consent rates without using dark patterns?
When using cookies on your website, it’s important that you collect valid consent from your users.
Thereby you respect their privacy and comply with data privacy regulations like GDPR and the ePrivacy Directive (the European “cookie law”).
Checklist for collecting valid consent to cookies
- Inform your users of the cookies you use and what data they collect.
- Provide your users with an easy way to reject cookies (reject button next to accept button).
- Let your users choose what cookie types they want to accept/reject (checkboxes)
- Let these checkboxes be un-ticked as default.
- Use equal colors and contrasts in accept and reject buttons.
- Store your users consents for 5 years.
But how do you optimize your banner to collect consents?
One of the questions, we get a lot here at Cookie Information is:
“Can I use different colors in my “accept/reject” buttons?
We would absolutely say yes, but tread carefully.
In 2021, the Danish DPA (Datatilsynet) critized a Danish company for using deceptive color design in its cookie banner.
The company’s “reject” button had an orange font on a white background (on a white cookie banner), whereas the accept button had a white font on an orange background.
Datatilsynet found that the design deceived the users because one choice was more prominent than the other.
To make it even more confusing, the “reject” button actually said “accept” (to the settings) and to accept cookies, you had to “accept all”. Confused? I was.
But!
Last time I asked the Danish DPA, they didn’t want to comment on colors choices in cookie banners.
But in their latest cookie guidelines, the Danish DPA makes use of contrasting colors for accepting and rejecting cookies.
So…
What can we conclude from that?
If you want to implement your company colors in your cookie banner or if you want to give your accept button a green color and the reject button a red color, then it seems to be ok with the guidelines.
*Disclaimer: Every case the Data Protection Authorities investigate is based on their interpretation of the cookie banner and the legislation.
How to get a GDPR compliant cookie banner
Cookie Information is a leading European provider of compliant cookie banners that have a high acceptance rate.
Why?
Because:
- Your cookie banner design will be transparent. All information is there.
- We test designs, texts, buttons and banner placement and give you the latest best practices.
- You are always up to date with current legislation.
Sign up and try Cookie Information’s GDPR compliant cookie banner.
You get 30 days completely free. In these 30 days you get compliance + high opt-in rates.
In turn, we give you Google Consent Mode as default in your cookie banner.
Never miss valuable data analytics about website traffic and Google Ads conversions. Consent Mode gives you anonymized data about all those who reject cookies, so you can make data informed decisions about pages, posts and campaigns.
Types of Dark Patterns
Dark patterns come in many forms and shapes. Here are some of the most used.
1. Trick questions
You’re filling out a form and responding to a question that tricks you into thinking it asks one thing, but when you read it carefully it asks something else.
2. Sneak into basket
You’re filling out a form and responding to a question that tricks you into thinking it asks one thing, but when you read it carefully it asks something else.aWhen you try to buy something, sometimes seller adds extra items to your order through opt-out buttons or checkboxes on previous pages.
3. Roach motel
You find it easy to create an account or signup for a newsletter, but then difficult to cancel the account or unsubscribe the newsletter.
4. Privacy zuckering
You are tricked into publicly sharing more information about yourself than you intended to. The pattern is named after Mark Zuckerberg, CEO Facebook.
5. Price comparison prevention
The seller makes it difficult to compare the price of one item with another, so you might not know if you are paying a fair price.
6. Misdirection
The design draws your attention to one thing, so that you don’t notice another.
7. Hidden costs
When you reach the last step of the checkout process, you may be surprised to discover some unexpected charges like delivery fees, taxes, etc.
8. Bait and switch
When you reach the last step of the checkout process, you may be surprised to discover some unexpected charges like delivery fees, taxes, etc.
9. Confirmshaming
The act of nudging the user into opting into something. The option to decline is worded in such a way as to shame the user into compliance.
10. Disguised ads
Ads that look like other kind of content, like friends’ posts, to get you to click on them.
11. Forced continuity
When a free trial period ends and your credit card starts getting charged without warning. Sometimes it’s made even worse by making it difficult to cancel the membership.
12. Friend spam
A product may ask for your email or social media permissions and then spam all your contacts claiming it is from you.
FAQ about nudging, dark patterns and cookie consent
“Can I use a green button in my cookie banner?”
We get a lot of questions about what you can and cannot do in your cookie banner. What is legal and what is not.
Here are the most frequent questions about dark patterns and the use of colors, texts, buttons and so much more.
What buttons do I have to include in my cookie banner?
For consent to be valid under the GDPR, consent must be freely given, informed, specific & unambiguous.
This means that consent is:
- a matter of yes and no (freely given).
- based on information about what you give consent to (informed).
- given specifically to each data processing purpose like functional, statistical and marketing cookies (specific).
- clearly described, so the user is not in doubt that he/she gives consent (unambiguous).
- the user must be able to reject consent (reject button in the cookie banner)
- consent must not be implied. Scrolling, swiping, just using the site is not considered valid consent.
- checkboxes must be used for collecting specific consent and must be unticked as default.
Can I use different button colors?
Yes, you can use two different colors for “Accept” and “Reject”. There is nothing in neither ePrivacy Directive nor the GDPR that specifically says you cannot use a green Accept or red Reject button color.
As long as your design is not deceiving or tricking your users into consent (Accept) by using low contrast between text and button color background (e.g., Grey on white or something that is hard to read).
Recently (2021), the Danish Data Protection Authority officially criticized a company for using orange font color on a white button background which blended with the banner’s white background. The ‘Accept cookies’ button had a high contrast: white on orange background.
According to Danish DPA’s (Datatilsynet) latest cookie guidelines (page 17), using different colors in Accept and Reject buttons is valid as long as the design is transparent and both button have equal weight.
Can I make the Accept button larger?
There are no specific rules for button size in the ePrivacy Directive or the GDPR. But most European Data Protection Authorities highlight in their cookie guidelines that buttons for “Accept” and “Reject” should have equal weight (size).
You may not try to hide the reject button making it significantly smaller than the accept button. That would be a dark pattern.
Do I need a reject button in my cookie banner?
Yes! And it should be placed in cookie banners “first layer”. Just next to the “Accept” button and not hidden behind “Settings”, “Preferences” or “Details”.
However, different European Data Protection Authorities have different opinions here, so please check your local cookie guideline.
Link: Regulations & Frameworks
Can I change the words in the buttons?
Sure. Whether you write “Accept”, “Accept all”, “OK” or something else is entirely up to you. As long as it is clear to the users what they are choosing.
“Accept” and “Reject” are the most common wordings in compliant banners.
If you write “Accept” and “Accept all” assuming that the users know that “Accept” is only accepting non-essential cookies and “Accept all” is accepting all the cookies, then it gets confusing. If you intend it to be confusing, then it is a dark pattern.
Can the checkboxes be pre-selected for consent?
No! In 2019 the European Court of Justice ruled against German lottery website Planet49 and their privacy practices. The court stated that it was not legal to pre-select the checkboxes for specific cookie types (functional, statistic, marketing). The user has to opt-in to specific cookie types, not de-select them.
Your cookie banner must include checkboxes (as specific consent is needed for each cookie type) and these boxes must be de-selected as default (consent must not be implied).
What text is required in the cookie banner?
Consent must be informed. Therefore, your cookie banner must as a minimum contain information about:
- Your use of cookies.
- Which cookie you use.
- What data they collect.
- Who owns the cookies.
- How long time the cookies are stored.
- How users accept/reject and withdraw consent.
Do I need to ask for consent? (Legitimate Interest)
Yes, you have to ask for consent. In terms of cookies, Legitimate Interest (GDPR) is not an alternative to consent. We do see consent pop-ups using legitimate interest as their lawful basis for using cookies, but consent is always required under the ePrivacy Directive.
Legitimate interest can be used when you have a legitimate reason for processing a person’s personal data, e.g., a name and address for a pizza delivery (cannot deliver the pizza without an address).
But always use Consent when concerning data, your users have to give you permission to use (IP-address, deviceID). A DeviceID is not required for your website to work.
Link: Legitimate Interest & cookies explained in 5 minutes
Is Google Analytics essential? (essential/non-essential cookies)
To your business, yes! For your website to work, no.
Google Analytics’ cookies (_ga) are not considered essential cookies.
Google Analytics’ cookies require consent because they still collect and process a lot of personal information about your user. According to the GDPR, you need valid consent for collecting this data.
But I’m not collecting any data!
But Google is! Facebook is. Amazon is.
Here’s how it works. You use Google Analytics. Google Analytics sets cookies through your website, so you can see how many visits your site, what pages they read and how they convert/buy.
Google collects a lot of data to give you these metrics. IP-address, geolocation, DeviceID, etc. This is personal data under the GDPR. Even though you never see it and never can identify anyone.
And you are the data controller under the GDPR, therefore the responsibility for collecting consent is yours
This is how Google uses cookies
Can I A/B split test the Cookie Information banner?
Yes. We encourage testing text and buttons in your banner. In our solution, you can do A/B test over time by making one change at a time and see the results after a few days.
Take into consideration that other factors could have effects on your results, such as time, countries, seasons etc.