Dark Patterns in Cookie Banners: EDPB Guidelines and Legal Risks
Analysis of EDPB Guidelines 3/2022 on dark patterns in cookie banners. Covers the 6 types of manipulative design, enforcement examples, DPA testing methods, and compliant design principles.
Dark patterns in cookie banners are not just bad UX — they are a legal liability. The European Data Protection Board explicitly addresses manipulative design in its Guidelines 3/2022 on dark patterns in social media platforms, and multiple DPAs have applied these principles directly to cookie consent mechanisms. Any consent obtained through manipulative design is invalid under the GDPR, meaning every cookie set based on that consent is unlawfully placed.
This article examines the six categories of dark patterns found in cookie banners, analyzes real enforcement actions, explains how DPAs test for manipulative design, and provides concrete principles for compliant alternatives.
EDPB Guidelines 3/2022: The Framework
The EDPB adopted Guidelines 3/2022 on “Deceptive design patterns in social media platform interfaces” in February 2023. While the title references social media, the principles apply to any interface that collects consent — including cookie banners.
The guidelines identify six overarching categories of dark patterns:
- Overloading — Presenting too many choices, requests, or information to nudge users toward sharing more data
- Skipping — Designing interfaces that skip privacy-protective options or default to data-sharing
- Stirring — Using emotional or visual manipulation to influence decisions
- Hindering — Making privacy-protective actions difficult or impossible
- Fickle — Inconsistent or unclear interfaces that confuse users
- Left in the dark — Hiding information or making it difficult to find
These categories are not merely theoretical. DPAs use them as an analytical framework when evaluating cookie consent mechanisms.
The 6 Dark Patterns in Cookie Banners
1. Pre-Ticked Boxes (Skipping)
What it looks like: Cookie categories (analytics, marketing) are already toggled to “on” when the consent dialog appears. The user must actively deselect them to refuse.
Legal status: Unambiguously illegal. The CJEU ruled in Planet49 (C-673/17, 2019) that pre-ticked checkboxes do not constitute valid consent. This is settled law across the entire EU.
Enforcement example: The Garante (Italian DPA) fined a company 20,000 EUR in 2023 specifically for pre-selected consent toggles in their cookie banner.
Compliant alternative: All non-essential cookie categories must default to “off.” Users must take an affirmative action to enable them.
2. Hidden or Absent Reject Option (Hindering)
What it looks like: The first layer of the cookie banner shows a prominent “Accept all” button, but rejecting requires navigating to a second layer (“Manage settings” or “More options”), then toggling each category off, then clicking “Save.”
Legal status: Multiple DPAs have ruled that reject must be available on the first layer with the same number of clicks as accept.
Enforcement examples:
- CNIL fined Google (150M EUR) and Facebook (60M EUR) in January 2022 for making rejection significantly harder than acceptance.
- The Austrian DSB ruled that a “Continue without accepting” link hidden as plain text while “Accept” was a prominent button did not constitute valid consent.
Compliant alternative: “Reject all” (or “Only necessary”) must appear on the first layer with the same visual prominence as “Accept all.”
3. Color and Visual Manipulation (Stirring)
What it looks like: The accept button is styled with a bright, inviting color (green, blue) while the reject button is styled as a muted gray ghost button, a text-only link, or a less prominent design element.
Legal status: The EDPB’s “Stirring” category directly addresses emotional and visual manipulation. Multiple DPAs have found that visual asymmetry between accept and reject invalidates consent.
Enforcement example: CNIL’s 2022 guidance explicitly states that the refusal mechanism “must be presented at the same level and in a form that is equally easy to understand” as the acceptance mechanism.
Compliant alternative: Both buttons should have equal size, equal visual weight, and comparable styling. If accept is a filled primary-color button, reject should be a filled button of equal prominence — not a ghost button or text link.
4. Confusing Language (Left in the Dark / Fickle)
What it looks like: Using double negatives, euphemisms, or ambiguous language to confuse users about what they are consenting to. Examples:
- “Don’t not allow personalization” (double negative)
- “We value your experience” instead of “We track your behavior for advertising”
- “Continue with recommended settings” without explaining what those settings are
- “Legitimate interest” listed as a legal basis alongside consent toggles without explanation
Legal status: Article 7(2) GDPR requires that consent requests be presented in “clear and plain language.” The EDPB guidelines classify confusing language under both “Fickle” (inconsistency) and “Left in the dark” (hiding information).
Compliant alternative: Use straightforward, honest language. “We use cookies for analytics and advertising” is clear. “We enhance your browsing experience with personalized content journeys” is not.
5. Forced Action (Overloading)
What it looks like: Cookie walls that block access to content unless the user accepts cookies. Also: banners that cannot be dismissed without making a choice, combined with no option to proceed without accepting.
Legal status: The EDPB’s Guidelines 05/2020 on consent state that consent is not freely given if access to a service is conditional on consenting to unnecessary data processing. The exception is narrow: if a genuine, equivalent alternative access method exists (e.g., a paid subscription without tracking).
Enforcement example: The Belgian DPA found in 2023 that a news website’s cookie wall violated the GDPR because no alternative access was provided.
Compliant alternative: Users must be able to access the website without consenting to non-essential cookies. If a cookie wall is used, a genuine equivalent alternative (not a degraded experience) must be available.
6. Nagging (Overloading)
What it looks like: After a user rejects cookies, the consent banner reappears on every page, on every visit, or after a short interval. The intent is to wear down the user until they accept out of frustration.
Legal status: The EDPB classifies repeated prompts as “Overloading.” Once a user has made a choice, that choice must be respected for a reasonable period. Pestering users into changing their decision is not valid consent.
Enforcement example: CNIL’s recommendation is to store the user’s refusal for at least 6 months before re-prompting. The EDPB suggests that consent (and refusal) should be valid for a comparable period.
Compliant alternative: Store the user’s choice (accept or reject) in a first-party cookie for 6-12 months. Do not re-prompt during this period unless the user clears their cookies or the website’s cookie practices change materially.
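The storage and re-prompt logic described above, as an added example that is not part of the article or of any vendor's widget. It assumes a first-party cookie named `consent_choice` holding a JSON record (`choice`, `categories`, `policy`, `ts`), a six-month retention window, and a site-defined `policyVersion` string that changes only when cookie practices change materially.

```javascript
// Six months in milliseconds: the lower bound the article cites for honoring a choice.
const MAX_AGE_MS = 6 * 30 * 24 * 60 * 60 * 1000;

// Parse a document.cookie-style string and return the stored consent record, or null.
// The cookie name and record layout are assumptions for this example.
function readConsent(cookieHeader, name = 'consent_choice') {
  for (const part of cookieHeader.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) {
      try { return JSON.parse(decodeURIComponent(rest.join('='))); } catch { return null; }
    }
  }
  return null;
}

// Decide whether showing the banner is legitimate. A stored rejection is honored exactly
// like a stored acceptance; only expiry or a material policy change re-opens the question.
function bannerDecision(cookieHeader, policyVersion, now = Date.now()) {
  const rec = readConsent(cookieHeader);
  if (!rec || typeof rec.ts !== 'number') return { action: 'show', reason: 'no stored choice' };
  if (now - rec.ts > MAX_AGE_MS) return { action: 'show', reason: 'stored choice expired' };
  if (rec.policy !== policyVersion) return { action: 'show', reason: 'cookie practices changed' };
  return { action: 'honor', choice: rec.choice, categories: rec.categories || [] };
}

// Build the Set-Cookie value for a new choice. Accept and reject go through the same path,
// so a refusal is persisted for the same period as an acceptance.
function consentCookie(choice, categories, policyVersion, now = Date.now()) {
  const record = { choice, categories, policy: policyVersion, ts: now };
  const value = encodeURIComponent(JSON.stringify(record));
  const maxAge = Math.floor(MAX_AGE_MS / 1000);
  return `consent_choice=${value}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}
```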
How DPAs Test for Dark Patterns
European DPAs use a combination of methods to identify dark patterns in cookie banners:
Automated Scanning
Several DPAs deploy automated tools that visit websites and analyze cookie consent implementations:
- CNIL uses automated crawlers to check whether cookies are set before consent, whether reject is available on the first layer, and whether the banner respects user choices.
- ICO (UK) has developed tools that scan websites for cookie compliance at scale.
- DSB (Austria) has analyzed banner implementations across hundreds of websites in sectoral audits.
User Journey Analysis
DPAs evaluate the complete user journey:
- How many clicks does it take to accept? (Should be 1)
- How many clicks does it take to reject? (Must be the same or fewer)
- What is the visual hierarchy? (Accept and reject must be equivalent)
- What happens after rejection? (No nagging, no degraded experience)
- Can the user change their choice later? (Must be accessible)
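A heuristic audit that applies the journey checks above to a banner snapshot, as an added example that is neither the article's nor any DPA's tooling. The snapshot format (first-layer controls with label, style, area and click count; category toggles; cookies observed before any interaction) is a constructed simplification of what a headless-browser crawl might record, and the thresholds and regular expressions are this example's own assumptions.

```javascript
const DOUBLE_NEGATIVE = /\b(don't|do not|never)\s+(not|disallow|refuse|opt[- ]?out)\b/i;
const ACCEPT_RE = /^(accept|agree|allow)\b/i;
const REJECT_RE = /^(reject|refuse|decline|only (necessary|essential)|continue without)/i;

// Audit one banner snapshot. Returns { category, finding } objects using the EDPB
// categories from the article; an empty array means nothing was flagged.
function auditBanner(snapshot) {
  const findings = [];
  const controls = snapshot.firstLayer.controls;
  const accept = controls.find(c => ACCEPT_RE.test(c.label));
  const reject = controls.find(c => REJECT_RE.test(c.label));
  // Skipping: every non-essential category must default to "off".
  for (const t of snapshot.toggles) {
    if (!t.essential && t.checked) findings.push({ category: 'Skipping', finding: `pre-ticked toggle: ${t.name}` });
  }
  // Hindering: reject must be on the first layer and take no more clicks than accept.
  if (!reject) {
    findings.push({ category: 'Hindering', finding: 'no reject option on the first layer' });
  } else if (accept && reject.clicksToComplete > accept.clicksToComplete) {
    findings.push({ category: 'Hindering', finding: `reject takes ${reject.clicksToComplete} clicks, accept ${accept.clicksToComplete}` });
  }
  // Stirring: accept and reject must share a style and have comparable area (25% tolerance assumed).
  if (accept && reject && (accept.style !== reject.style || Math.abs(accept.area - reject.area) / accept.area > 0.25)) {
    findings.push({ category: 'Stirring', finding: 'visual asymmetry between accept and reject' });
  }
  // Fickle / Left in the dark: double negatives in button labels or category descriptions.
  for (const text of [...controls.map(c => c.label), ...snapshot.toggles.map(t => t.description)]) {
    if (DOUBLE_NEGATIVE.test(text)) findings.push({ category: 'Fickle', finding: `double negative: "${text}"` });
  }
  // Cookies present before any interaction: non-essential ones were set without consent.
  for (const c of snapshot.cookiesBeforeInteraction) {
    if (!c.essential) findings.push({ category: 'PreConsentCookie', finding: `set before consent: ${c.name}` });
  }
  return findings;
}

// Constructed sample snapshot (not a real site) exhibiting several patterns from the article.
const SAMPLE_SNAPSHOT = {
  firstLayer: { controls: [
    { label: 'Accept all', style: 'filled', area: 14000, clicksToComplete: 1 },
    { label: 'Only necessary', style: 'text', area: 3000, clicksToComplete: 2 },
  ] },
  toggles: [
    { name: 'necessary', essential: true, checked: true, description: 'Required for the site to work' },
    { name: 'marketing', essential: false, checked: true, description: "Don't not allow personalization" },
  ],
  cookiesBeforeInteraction: [{ name: 'ads_id', essential: false }],
};
```

Running `auditBanner(SAMPLE_SNAPSHOT)` yields one finding per category for the sample; a banner with symmetric, first-layer accept and reject buttons, unchecked non-essential toggles and no pre-consent cookies yields none.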
Complaint-Driven Investigation
Organizations like noyb (None of Your Business, founded by Max Schrems) have filed hundreds of complaints against websites with non-compliant cookie banners. These complaints systematically document:
- Screenshots of the banner design
- Click counts for accept vs. reject
- Technical evidence of cookies set before consent
- Comparison with EDPB guidelines
The Legal Consequences
Invalid Consent
Any consent obtained through dark patterns is not “freely given” under Article 4(11) GDPR and is therefore invalid. This means:
- Every cookie set on the basis of that consent is unlawfully placed (ePrivacy Directive violation)
- Every piece of personal data processed on the basis of that consent lacks a legal basis (GDPR violation)
- Every downstream use of that data (analytics, advertising, profiling) is unlawful
Fine Calculation
Dark pattern violations can attract fines under both:
- Article 83(5)(a) — violation of basic processing principles (consent requirements): up to 20M EUR or 4% of global turnover
- Article 83(5)(b) — violation of data subject rights (right to withdraw consent, right to information): same maximum
Competitive Disadvantage
Websites that use dark patterns to inflate their consent rates gain an unfair advantage over competitors that implement honest, compliant banners. As enforcement intensifies, this advantage becomes a liability rather than an asset.
Compliant Design Principles
Principle 1: Symmetry
Accept and reject must be symmetric in every dimension: same layer, same size, same visual weight, same number of clicks.
Principle 2: Honesty
Describe what you do in plain language. Do not disguise tracking as “experience improvement” or advertising as “personalization.”
Principle 3: Respect
When a user rejects, respect that decision. Store it, do not re-prompt, and do not degrade the experience as punishment.
Principle 4: Accessibility
The cookie banner itself must be accessible: keyboard navigable, screen reader compatible, sufficient contrast, appropriately sized touch targets.
Principle 5: Transparency
Show users what they are consenting to — categories, purposes, and third parties — before they make a choice, not after.
Compliance Checklist
- No pre-ticked checkboxes or pre-selected toggles
- Reject option is on the first layer of the banner
- Reject button has the same visual prominence as the accept button
- Both buttons are the same size, shape, and color weight
- Language is clear, plain, and not manipulative
- No double negatives or confusing euphemisms
- No cookie wall without a genuine alternative
- User’s rejection is stored for at least 6 months
- No re-prompting after rejection (no nagging)
- Banner is accessible (keyboard, screen reader, contrast)
- Cookie categories default to “off”
- Purposes and third parties are disclosed before consent
Detect Dark Patterns With Compliso
Compliso’s website scanner includes dedicated dark pattern detection checks. It analyzes your cookie banner for hidden reject options, visual asymmetry, pre-selected toggles, and other manipulative patterns that put your consent at legal risk.
The scanner flags specific issues with remediation guidance, so you know exactly what to fix. Combined with Compliso’s dark-pattern-free banner widget, you can replace a risky implementation with a compliant one in minutes.
Scan your website for dark patterns or deploy a compliant banner with Compliso.