Back to news

Dark patterns in cookie banners — regulators are cracking down

· Waulter team
dark patterns cookie banner EDPB CNIL consent UX compliance

What are dark patterns and why regulators care

Dark patterns are manipulative design techniques that steer users toward decisions they wouldn't make on their own. In the context of cookie banners, this means: getting users to click "Accept all" without giving them a real and comparable option to decline.

The European Data Protection Board (EDPB) in its Cookie Banner Taskforce Report stated clearly: consent obtained through manipulative design is not freely given consent under GDPR.

Most common violations in practice

1. Asymmetric buttons

The "Accept" button is large, colorful, and dominant. The "Reject" button is hidden in text, grayed out, or placed on a second screen. EDPB requires comparable size, color saturation, and visual weight for both options.

2. Pre-checked checkboxes

Cookie categories (marketing, personalization) are pre-checked and the user must actively uncheck them. This is not active consent — it's opt-out disguised as opt-in.

3. Cookie walls

Blocking website content until the user accepts cookies. EDPB and most national authorities consider cookie walls a violation of the principle of freely given consent — the user has no genuine choice.

4. Cookies before interaction

The most common violation: cookies (especially advertising trackers) are set before the user interacts with the banner. This is a direct violation of the ePrivacy Directive.

5. Misleading language

"Accept and continue" vs. "Settings" instead of clear "Accept" vs. "Reject". Language suggesting that declining will degrade website functionality is manipulative.

What regulators are saying

CNIL (France) fined Google €150 million for dark patterns in its cookie banner — rejecting cookies required more clicks than accepting.

SHEIN received a €150 million CNIL fine for setting cookies without valid consent on shein.com.

The Danish Data Protection Authority announced that website tracking — specifically whether users have a genuine opportunity to decline cookies — will be an enforcement priority in 2026.

EDPB plans to deploy automated tools (including machine learning) to scan millions of websites for dark patterns. Detection and prosecution of manipulative practices will accelerate dramatically.

How to check if your cookie banner is compliant

Criterion OK Violation
Accept/reject buttonsSame size and colorAccept dominant, reject hidden
CheckboxesUncheckedPre-checked
Number of clicksSame for accept and rejectMore clicks to reject
Cookies before consentNoneTrackers active before interaction
LanguageNeutral, clearMisleading, favoring acceptance
Content accessUnconditionalBlocked without consent

How Waulter handles dark patterns

Waulter CMP is designed so that cookie banners meet EDPB requirements by default — without manual tweaking:

  • Symmetric buttons — accept and reject have equal visual weight.
  • No pre-checked checkboxes — default state is "all off."
  • One click to reject — same number of steps as accepting.
  • Cookie blocking before consent — trackers don't fire until the user grants consent.
  • Crawler verifies compliance — automated checks that no cookies appear on the site before consent.

Sources: EDPB Cookie Banner Taskforce Report (2023), CNIL decisions Google/SHEIN, Danish Data Protection Authority — 2026 priorities

Want to keep consent under control?

Waulter CMP helps you with consent management, GDPR compliance, and cookie banner optimization.