Ready for the new Google Consent Mode v2? Learn more »

Dark patterns on cookie banners

As an internet user, you have probably encountered Dark Patterns several times. Dark patterns are deceptive designs that come in many forms with the aim of manipulating users. You are in a gray area of ​​legality; not entirely legal, but not entirely illegal either, although organizations like the noyb are actively fighting against it.

an image of a concrete maze with the words

So what happens if you accidentally use such designs on your cookie banners that should be GDPR compliant? And how can you still create a positive user experience without deceptive designs or the risk of a fine?

In our article, we address all of these questions and answer the following:

  1. What is a dark pattern?
  2. Does the GDPR say anything about this?
  3. How are dark patterns used in cookie banners to force user consent?
  4. How can you legally design your cookie banner to increase your consent rate?

What is a dark pattern?

The main purpose of a dark pattern is to trick users (whether they’re scrolling on a website or through an app) into doing something they really didn’t want to do, e.g. B. Buying products or signing up for something. Here are a few cookie banner examples of dark patterns:

  • A cookie banner that displays a opt-out option instead of an opt-out option (and does not display the purpose categories of data collection and processing)
Screenshot of a cookie banner with a red cross on it
  • A cookie banner that pre-ticks all your data processing categories
a screenshot of the cookie settings on a cookie banner with a red cross on it

💡Tip: Our integrated compliance check in the consentmanager cookie banner warns our users if certain banner practices are considered harmful or even illegal! Test it here for free → consentmanager cookie banner

Does the GDPR say anything about this?

no Although the term is not explicitly mentioned in the GDPR guidelines, you can assume that there are several articles in the GDPR that address dark pattern practices. Take a look at the following articles of the GDPR:

Article 4(11)

“Consent” of the data subject means any voluntary, informed and unequivocal expression of will in the specific case, in the form of a declaration or other clear affirmative action, with which the data subject indicates that they are processing their personal data agrees;

Here, consent is clearly stated as “in an informed manner” and “voluntary”, which is effectively subverted by the basic concept of Dark Patterns. Users do not make a fully informed and transparent decision, and the misleading design does not lead to a voluntary (or better: equitable) decision.

GDPR Recital 32

“Silence, pre-ticked boxes or inactivity should not therefore constitute consent,”

As shown in the previous example, the ticked boxes are a clear violation of GDPR regulations.

Furthermore, individuals like Harry Brignull, the founder of , and organizations like the noyb are willing to name and shame companies that use dark patterns. This further increases the pressure on the issue. In addition, the guide to detecting and avoiding dark patterns published by the European Data Protection Board (EDPB) will help data protection officials to assess whether websites really comply with the guidelines.

🚀 Would you rather play it safe? Test whether your website is compliant with the law with our website scanner here.

Now that we know why dark patterns violate GDPR guidelines, let’s take a closer look at the most common categories with example cookie banners:

  • Overloading: Mechanisms such as repeated requests, creating a kind of “maze” in the cookie banner and displaying too many options are all dark patterns that confront users with a multitude of queries and unintentionally entice them to share their data.
  • Hindering: If users have to go through an unnecessarily long process to refuse cookies or if the action is almost impossible/impractical, this is a type of hindrance.
  • Fickle: This is when the design is so unstable and inconsistent that the user has trouble locating the various control functions. For example, when a certain button is placed on a completely different page that is not in its context.
  • Left in the dark: This is the case when the user is intentionally “left in the dark”, ie when the user does not know how their data is being processed because the policies are not provided in the country’s official language. Or because the banner uses vague terms when conveying information to the user.

How can you legally design your cookie banner to increase your consent rate?

If you manage your cookie banner to be as transparent as possible when communicating with your users, you can actually increase your consent rate. And why? Your users will be more likely to agree if they know the reasons for your data processing.

  1. Inform your users about which cookies you use and what data they collect.
  2. Make sure you offer an easy way to refuse cookies, e.g. B. a decline button next to the agree button, and that the buttons are equally easy to recognize.
  3. Make sure you provide links to your privacy policy and cookie policy.
  4. Don’t tick any boxes, let users decide for themselves which cookies they want to accept or reject.
  5. Integrate visual cues, e.g. B. a widget that allows the user to go back to your banner if they want to change their consent preferences.

Click here to download a complete checklist for a legally compliant cookie banner →

✅ You can easily carry out the following instructions with the consentmanager cookie banner . Try it now!

Conclusion: Do not damage the trust of your customers with dark patterns!

If you want to protect your business in the long run, you need to offer your customers a transparent user experience instead of manipulating them to gain their trust. And like the Pareto principle, a loyal customer will prove to be fruitful for your business in the long run.

more comments

Einhaltung der EU-Verordnung über künstliche Intelligenz consentmanager

EU Act on Artificial Intelligence

EU AI Act comes into force in August 2024 Following the European Commission’s initial proposal in April 2021, the European Parliament adopted the EU AI Act, which was published in the Official Journal of the European Union in July 2024 and is available in all member state languages. The Act will officially enter into force in August […]
Newsletter consentmanager Juni

Newsletter 06/2024

New Addon: Privacy-friendly Website Analytics With the June update, the new add-on “Website Analytics” is available in your account. Here we combine the two components that we are particularly good at: real data protection and great reporting. The advantage of our new privacy-friendly website analytics lies primarily in data protection and the simplicity of the […]