Dark Patterns in Cookie Banners

As an online user, you have probably encountered dark patterns several times. Dark patterns are deceptive designs that appear in many forms with the aim of manipulating users. They sit in a legal gray area: not quite legal, but not quite illegal either, although organizations like noyb are actively fighting against them.

So what happens if you accidentally use such designs on your cookie banners that should comply with the GDPR? And how can you still create a positive user experience without using deceptive designs or risking a fine?

In this article, we’ll address all of these questions and answer the following:

  1. What is a dark pattern?
  2. Does the GDPR say anything about it?
  3. How are dark patterns used in cookie banners to force users to consent?
  4. How can you make your cookie banner legal to increase your consent rate?

What is a dark pattern?

The main purpose of a dark pattern is to entice users (whether they’re on a website or scrolling through an app) to do something they didn’t really want to do, like buy products or sign up for something. Here are a few cookie banner examples of dark patterns:

  • A cookie banner that displays a preference option instead of a decline option (and does not display the purpose categories of data collection and processing).
  • A cookie banner that ticks all your categories for data processing in advance.

💡Tip: Our integrated compliance check in the consentmanager cookie banner warns our users if certain banner practices are considered harmful or even illegal! Test it here for free → consentmanager Cookie-Banner

Does the GDPR say anything about this?

Yes and no. Although the term is not explicitly mentioned in the GDPR, you can assume that several of its articles address dark pattern practices. Take a look at the following:

Article 4(11)

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Here, consent is clearly defined as “informed” and “freely given”, and the basic concept of dark patterns undermines both. Users do not make a fully informed and transparent decision, and the misleading design does not lead to a voluntary (or better: equally informed) decision.

As shown in the previous example, the pre-checked boxes are a clear violation of the GDPR.

Further, individuals like Harry Brignull, founder of darkpatterns.org, and organizations like noyb are willing to name and shame companies that use dark patterns. This further increases the pressure on the issue. In addition, the Guide to Detecting and Preventing Dark Patterns published by the European Data Protection Board (EDPB) will help data protection officers assess whether websites are truly compliant.

How are dark patterns used in cookie banners to force users to consent?

Now that we know why dark patterns violate the GDPR, let’s take a closer look at the most common categories with examples of cookie banners:

  • Overloading: mechanisms such as repeated queries, designing a kind of “maze” in the cookie banner and displaying too many options are all dark patterns that confront users with a large number of queries and trick them into sharing their data unintentionally.
  • Hindering: when users have to go through an unnecessarily long process to reject cookies, or when the action is nearly impossible or impractical, this is a type of obstruction.
  • Fickle: this is when the design is so unstable and inconsistent that the user has difficulty finding the various controls. For example, when a certain button is placed on a completely different page, out of its context.
  • Left in the dark: this is the case when the user is intentionally “left in the dark”, that is, when users do not know how their data is processed because the guidelines are not provided in the official language of the country, or because the banner uses vague terms when conveying information to the user.

How can you lawfully manage your cookie banner to increase your consent rate?

If you make your cookie banner as transparent as possible when communicating with your users, you can actually increase your consent rate. Why? Your users are more likely to consent if they know the reasons for your data processing.

  1. Inform your users about what cookies you use and what data they collect.
  2. Make sure you provide an easy way to reject cookies, such as a reject button next to the agree button. Make sure the buttons are equally easy to see.
  3. Make sure you provide links to your privacy policy and cookie policy.
  4. Don’t pre-tick checkboxes; let users decide for themselves which cookies they want to accept or reject.
  5. Incorporate visual cues, such as a widget that allows users to refer back to your banner if they want to change their consent preferences.
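
The five points above can be checked mechanically. The following is an added example, not consentmanager's code: it audits a banner description against the checklist, and the banner model, its field names and the finding labels are all assumptions made for the illustration.

```javascript
// Added example: audits a banner description against the five checklist items.
// The banner model, field names and finding labels are assumptions.
function auditBanner(banner) {
  const findings = [];
  const find = (action) => banner.buttons.find((b) => b.action === action);
  const accept = find("accept");
  const reject = find("reject");
  // 1. Users must be told which cookies are used and what data they collect.
  if (!banner.purposesShown) findings.push("purposes-not-shown");
  // 2. Reject must sit next to accept (same layer) and be equally easy to see.
  if (!accept || !reject || reject.layer !== accept.layer) {
    findings.push("reject-not-next-to-accept");
  } else if (reject.style !== accept.style) {
    findings.push("reject-less-visible");
  }
  // 3. Both policy links must be present.
  for (const link of ["privacy-policy", "cookie-policy"]) {
    if (!banner.links.includes(link)) findings.push(`missing-link:${link}`);
  }
  // 4. No category may be ticked before the user has made a choice.
  for (const c of banner.categories) {
    if (c.checked) findings.push(`pre-ticked:${c.name}`);
  }
  // 5. A persistent widget must let users reopen the banner later.
  if (!banner.reopenWidget) findings.push("no-reopen-widget");
  return findings;
}

// Constructed sample: preferences instead of reject, everything pre-ticked.
const darkBanner = {
  purposesShown: false,
  buttons: [{ action: "accept", layer: 1, style: "primary" },
            { action: "preferences", layer: 1, style: "link" }],
  links: ["privacy-policy"],
  categories: [{ name: "marketing", checked: true },
               { name: "analytics", checked: true }],
  reopenWidget: false,
};
// Constructed sample: a banner that follows all five points.
const fairBanner = {
  purposesShown: true,
  buttons: [{ action: "accept", layer: 1, style: "primary" },
            { action: "reject", layer: 1, style: "primary" }],
  links: ["privacy-policy", "cookie-policy"],
  categories: [{ name: "marketing", checked: false }],
  reopenWidget: true,
};
console.log(auditBanner(darkBanner), auditBanner(fairBanner));
```
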

✅ You can easily perform the above instructions with the consentmanager cookie banner. Try it out now!

Bottom line: don’t damage your customers’ trust with dark patterns!

If you want to protect your business in the long run, you need to provide your customers with a transparent user experience to gain their trust, instead of playing manipulation tricks. As stated in the Pareto principle, a loyal customer will prove fruitful for your business in the long run.
