Dark patterns in cookie banners — regulators are cracking down
What are dark patterns and why regulators care
Dark patterns are manipulative design techniques that steer users toward decisions they wouldn't make on their own. In the context of cookie banners, this means: getting users to click "Accept all" without giving them a real and comparable option to decline.
The European Data Protection Board (EDPB) in its Cookie Banner Taskforce Report stated clearly: consent obtained through manipulative design is not freely given consent under GDPR.
Most common violations in practice
1. Asymmetric buttons
The "Accept" button is large, colorful, and dominant. The "Reject" button is hidden in text, grayed out, or placed on a second screen. EDPB requires comparable size, color saturation, and visual weight for both options.
2. Pre-checked checkboxes
Cookie categories (marketing, personalization) are pre-checked and the user must actively uncheck them. This is not active consent — it's opt-out disguised as opt-in.
3. Cookie walls
Blocking website content until the user accepts cookies. EDPB and most national authorities consider cookie walls a violation of the principle of freely given consent — the user has no genuine choice.
4. Cookies before interaction
The most common violation: cookies (especially advertising trackers) are set before the user interacts with the banner. This is a direct violation of the ePrivacy Directive.
5. Misleading language
"Accept and continue" vs. "Settings" instead of clear "Accept" vs. "Reject". Language suggesting that declining will degrade website functionality is manipulative.
What regulators are saying
CNIL (France) fined Google €150 million for dark patterns in its cookie banner — rejecting cookies required more clicks than accepting.
SHEIN received a €150 million CNIL fine for setting cookies without valid consent on shein.com.
The Danish Data Protection Authority announced that website tracking — specifically whether users have a genuine opportunity to decline cookies — will be an enforcement priority in 2026.
EDPB plans to deploy automated tools (including machine learning) to scan millions of websites for dark patterns. Detection and prosecution of manipulative practices will accelerate dramatically.
How to check if your cookie banner is compliant
| Criterion | OK | Violation |
|---|---|---|
| Accept/reject buttons | Same size and color | Accept dominant, reject hidden |
| Checkboxes | Unchecked | Pre-checked |
| Number of clicks | Same for accept and reject | More clicks to reject |
| Cookies before consent | None | Trackers active before interaction |
| Language | Neutral, clear | Misleading, favoring acceptance |
| Content access | Unconditional | Blocked without consent |
How Waulter handles dark patterns
Waulter CMP is designed so that cookie banners meet EDPB requirements by default — without manual tweaking:
- Symmetric buttons — accept and reject have equal visual weight.
- No pre-checked checkboxes — default state is "all off."
- One click to reject — same number of steps as accepting.
- Cookie blocking before consent — trackers don't fire until the user grants consent.
- Crawler verifies compliance — automated checks that no cookies appear on the site before consent.
Sources: EDPB Cookie Banner Taskforce Report (2023), CNIL decisions Google/SHEIN, Danish Data Protection Authority — 2026 priorities