
Cookie Banner Dark Patterns: What Gets You Fined

81% of cookie banners use dark patterns. Learn the 6 EDPB-defined categories, real GDPR fines, and how to check if your banner is compliant.

By CookieCompliance Team | 6 min read
Split-screen comparison of a manipulative cookie banner design versus a compliant transparent cookie banner

81% of Cookie Banners Are Designed to Manipulate You

A 2024 study by advocacy group noyb found that 81% of cookie banners do not offer a "Reject" option on the first layer. Of those that do, 73% use deceptive color contrasts to steer users toward clicking "Accept." Only 2.18% of users who click "Manage preferences" actually reach the second layer of settings. The rest give up and accept everything.

These are not accidental design choices. They are dark patterns: interface designs deliberately crafted to manipulate users into giving up their privacy rights. And European regulators have made it clear: dark patterns in cookie banners violate the GDPR, and they will fine you for using them.

Infographic showing common dark pattern types found in cookie banners with statistics

What Exactly Are Dark Patterns?

The European Data Protection Board (EDPB) published Guidelines 03/2022 specifically defining dark patterns in the context of data protection. They identified six categories that apply directly to cookie consent:

1. Overloading

Bombarding users with consent requests, preference screens, or information until they give up and accept. A cookie banner that requires five clicks to reject cookies while "Accept All" is one click is a textbook example.

2. Skipping

Designing the consent flow so that the most privacy-protective settings are not the default. Pre-checked consent boxes, banned by the Court of Justice of the EU (CJEU) in the Planet49 ruling (C-673/17), fall into this category.

3. Stirring

Using emotional language, visual hierarchy, or color manipulation to push users toward a specific choice. A bright green "Accept All" button next to a barely visible gray "Reject" link is stirring in action.

4. Hindering

Making it difficult or impossible to reject cookies or withdraw consent. If your "Reject" button requires navigating through multiple screens while "Accept" is one click, that is hindering.

5. Fickle

Designing a consent interface that is inconsistent or confusing, so users cannot understand what they are agreeing to. Examples include toggle switches that are unclear about their on/off state, and categories labeled with vague terms like "Functional" that actually include advertising trackers.

6. Left in the Dark

Failing to provide clear information about what cookies do and who receives the data. A banner that says "We use cookies to improve your experience" without mentioning third-party advertising or data sharing is leaving users in the dark.

Real Fines for Dark Patterns

Regulators are not just publishing guidelines. They are issuing substantial fines. Here are the most significant enforcement actions specifically related to cookie banner dark patterns:

Google - EUR 150 Million (France, 2022): The CNIL fined Google because google.fr and youtube.com made it easy to accept all cookies with one click but required multiple clicks to reject them. This asymmetry violated Article 82 of the French Data Protection Act, which transposes the EU ePrivacy Directive into French law.

Facebook - EUR 60 Million (France, 2022): In the same enforcement wave, the CNIL fined Meta's Facebook for the identical issue: an asymmetric consent flow where accepting was one click but rejecting required several steps.

Microsoft - EUR 60 Million (France, 2022): Microsoft's bing.com was fined for two violations: advertising cookies were deposited automatically without any consent when users visited the site, and the consent mechanism made rejecting cookies harder than accepting them.

TikTok - EUR 5 Million (France, 2023): TikTok was fined because its cookie banner made rejection harder than acceptance and failed to provide adequate information about the purposes of its cookies.

Amazon - EUR 35 Million (France, 2020): In one of the earlier landmark cases, Amazon was fined for placing advertising cookies on users' devices without prior consent and without adequate information.

Sweden - Formal Reprimands (April 2025): The Swedish privacy authority IMY issued formal reprimands to ATG, Aller Media, and Warner Music specifically for using deceptive color contrasts and button sizing in their cookie banners.

Side-by-side comparison of a dark pattern cookie banner with hidden reject option versus a compliant banner with equal accept and reject buttons

How Regulators Test Your Banner

Understanding how regulators evaluate cookie banners helps you fix yours. Here is what they look for:

Click counting: They count the number of clicks required to accept versus reject cookies. If rejecting takes more clicks than accepting, you have a problem.

Visual hierarchy: They examine button sizes, colors, and placement. A large, colorful "Accept" button next to a small, gray "Reject" text link is a red flag.

Pre-consent loading: They open browser developer tools and check which cookies and trackers load before any consent is given. If anything loads before you click, that is a violation regardless of your banner design.

Functional testing: They click "Reject All" and then check if cookies are actually blocked. The SHEIN case (EUR 150 million, 2025) proved that regulators verify whether the reject button actually works. Theirs did not.

Consent withdrawal: They accept cookies, then try to withdraw consent, and check if cookies stop being read. The Orange case (EUR 50 million, 2024) showed that cookies continued transmitting data even after consent withdrawal.
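The checks above can be replayed against a recorded browser session. The following is an added example, not code from the original article or from any regulator: it walks a time-ordered capture and flags non-essential cookie activity before consent, after "Reject All", and after withdrawal, then compares click counts. The event format, the ESSENTIAL allow-list, and all cookie names are assumptions, and the two sample runs are constructed.

```javascript
// Added example. Event format and ESSENTIAL allow-list are assumptions;
// the sample runs below are constructed, not captured from a real site.
const ESSENTIAL = new Set(["session_id", "csrf_token", "consent_state"]);

// Replays a time-ordered capture and flags non-essential cookie activity.
function auditSession(events, essential = ESSENTIAL) {
  const findings = [];
  const clicksTo = {};          // clicks needed to reach each banner choice
  let state = "none";           // none | accept | reject | withdraw
  let bannerUp = false, clicks = 0;
  for (const e of events) {
    if (e.type === "banner_shown") { bannerUp = true; clicks = 0; }
    else if (e.type === "click" && bannerUp) clicks++;
    else if (e.type === "consent") {
      if (bannerUp) clicksTo[e.choice] = clicks;
      state = e.choice; bannerUp = false;
    } else if (e.type === "set_cookie" || e.type === "send_cookie") {
      if (essential.has(e.name) || state === "accept") continue;
      const check = { none: "pre-consent loading", reject: "reject not honoured",
                      withdraw: "used after withdrawal" }[state];
      findings.push({ check, cookie: e.name, t: e.t });
    }
  }
  return { findings, clicksTo };
}
// Click counting: compare one run that accepts with one run that rejects.
function clickAsymmetry(acceptRun, rejectRun) {
  const accept = auditSession(acceptRun).clicksTo.accept;
  const reject = auditSession(rejectRun).clicksTo.reject;
  return { accept, reject, asymmetric: reject > accept };
}
const REJECT_RUN = [
  { t: 0, type: "set_cookie", name: "session_id" },          // essential, ignored
  { t: 340, type: "set_cookie", name: "_ad_id" },            // before any choice
  { t: 900, type: "banner_shown" },
  { t: 2100, type: "click", target: "manage_preferences" },
  { t: 3500, type: "click", target: "reject_all" },
  { t: 3501, type: "consent", choice: "reject" },
  { t: 3900, type: "set_cookie", name: "_analytics" },       // set after reject
];
const ACCEPT_RUN = [
  { t: 900, type: "banner_shown" },
  { t: 1500, type: "click", target: "accept_all" },
  { t: 1501, type: "consent", choice: "accept" },
  { t: 1600, type: "set_cookie", name: "_ad_id" },           // allowed: consent given
  { t: 9000, type: "consent", choice: "withdraw" },
  { t: 9400, type: "send_cookie", name: "_ad_id" },          // still transmitted
];
console.log(auditSession(REJECT_RUN), auditSession(ACCEPT_RUN), clickAsymmetry(ACCEPT_RUN, REJECT_RUN));
```

To use it on a real site, build the event list from a DevTools or HAR export of one run that accepts and one that rejects, and replace the allow-list with the cookies your site genuinely needs to function.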

The Legal Standard: Freely Given Consent

The core legal requirement comes from GDPR Article 4(11) and Article 7, reinforced by Recital 42: consent must be freely given, specific, informed, and unambiguous. The EDPB has further clarified that consent is not freely given if:

  • There is a clear imbalance between the ease of accepting and rejecting (asymmetric design)
  • The user faces detriment for refusing consent (e.g., blocked content)
  • Consent is bundled with accepting terms of service
  • Consent cannot be withdrawn as easily as it was given

Under Article 83(5)(a), violations of consent rules can trigger fines of up to EUR 20 million or 4% of global annual revenue, whichever is higher.

What Is Coming in 2026

The EU's Digital Omnibus Proposal (published November 2025) will further tighten the rules:

  • Single-click rejection becomes a legal requirement. No more burying reject behind "Manage preferences"
  • Six-month cool-down: if a user rejects cookies, you cannot ask again for the same purpose for six months
  • Machine-readable consent signals like Global Privacy Control will be legally recognized
  • The proposed Digital Fairness Act will specifically target manipulative consent designs, bringing dark pattern regulation beyond GDPR

These rules are expected to take effect by late 2026.

A Quick Self-Audit Checklist

Check your cookie banner against these requirements:

  • Equal prominence: Accept and Reject buttons are the same size, color, and style
  • First-layer reject: Users can reject all non-essential cookies without entering a second screen
  • No pre-ticked boxes: All optional cookie categories are unchecked by default
  • No pre-consent loading: Zero cookies or trackers fire before the user makes a choice
  • Clear language: The banner explains what cookies are used for and who receives the data
  • Working reject: Clicking "Reject" actually prevents cookies from being set
  • Easy withdrawal: Users can change their consent as easily as they gave it
  • No cookie walls: Users can access the site without being forced to accept cookies

If you fail even one of these points, your banner could trigger an investigation.

Check Your Banner Now

You do not need to audit your banner manually. Scan your website for free and see exactly what a regulator would find: pre-consent cookies, trackers loading before consent, dark pattern indicators, and banner compliance issues. It takes 30 seconds.

The fines listed above are not hypothetical. They are real penalties issued to real companies, many of which assumed their cookie banner was fine because a developer set it up once and never tested it. Regulators test what actually happens in your browser, not what your privacy policy says. Make sure your banner passes the same test.
