
Dark Patterns In Cookie Consent

What are Dark Patterns in Cookie Consent?

Enforcement of data privacy law is growing, and new legislation continues to come into force each year, so businesses need to obtain user consent before collecting and processing personal data. Many websites use manipulative design techniques, known as dark patterns, to obtain permission to use cookies.

But what are dark patterns, and how do they affect users? How do you know whether your Cookie Banner design is legal? What does the GDPR say about the use of dark patterns?

In this article, we'll look at what dark patterns are, which Cookie Banner designs are legal and which are not, and what privacy laws say about dark patterns.

What are Dark Patterns in Cookie Banners?

The term dark patterns was coined by Harry Brignull in 2010 to describe deceptive design and marketing techniques in user interfaces that are deliberately intended to manipulate users into making choices or taking actions they would not have made had they been given a real choice or understood what they were agreeing to.

Dark patterns are deceptive designs, user interfaces, and marketing techniques, deliberately intended to mislead users or manipulate their actions. Dark patterns exploit human psychology so that the website achieves its desired outcome: getting user consent to collect data, increasing sales, getting the signup, etc.

For example, it may be easy to create an account with a company but difficult to leave. To delete the account, you have to search through many hidden subpages: the road to cancellation is long and full of obstacles.

Another example could be pre-checked checkboxes that force users into subscribing to marketing emails when they sign up for a product or service.

Cookie banners are the most common place to see dark patterns: they often nudge users into giving consent to cookies.

Where dark patterns undermine the user's right to give free and informed consent, they violate data protection laws such as the GDPR in the EU or the DPA 2018 in the UK, which require explicit user consent.

However, dark patterns are not always deliberately manipulative. They also include poorly designed UI or UX elements that are not intended to manipulate user behavior but are nonetheless misleading or produce results contrary to the user's intention.

How do Dark Patterns Influence User Behavior?

In the past, many people did not care much about how their data was used, but that is changing. More and more people care about the safety of their personal information, and awareness of dark patterns is growing among users and privacy authorities alike.

A 2019 study of 80,000 German users showed that the design of a cookie notice (its position on the screen, the type of choice offered, and how consent is framed) strongly influences users' willingness to grant or reject cookie consent. For example, the study found that users were more likely to grant Cookie Consent when the notice was presented in the bottom-left part of the screen.

Website owners sometimes exploit so-called consent fatigue to obtain Cookie Consent. Users who have already clicked through banners on many websites just want to dismiss the next one as fast as possible, granting consent and agreeing to share far more personal data than they would under normal conditions. Consent fatigue is not a dark pattern in itself, but exploiting it changes user behavior.

Ten Types of Dark Patterns in Cookie Banners

Here are the most common examples of dark patterns and best practices on how to comply with the GDPR.

1. No Reject button in the cookie banner

You may find cookie banners that have no Reject button at all in the first layer. Such banners either give users no way to reject cookies or make rejecting them harder than accepting them.

Some banners show a Settings button instead of a Reject button. Clicking it takes you to the second layer of the Cookie Banner, where you can most probably reject cookies. Even so, rejecting is harder than accepting. Users tend to choose the path of least resistance and therefore grant consent rather than go to the second layer. This practice is also not allowed under the GDPR.

Such a design infringes the user's right to freely give consent and has led to huge fines. In 2021, Luxembourg's data protection authority fined Amazon €746 million for processing personal data for advertising without valid consent, and in January 2022 the French CNIL fined Facebook €60 million and Google €150 million (€90 million for Google LLC and €60 million for Google Ireland) because accepting cookies on their sites took a single click while refusing them took several.

An example of a dark pattern Cookie Banner, where the Reject button is missing.

For consent to be valid, a Cookie Banner must include a reject button in the first layer of the banner. 

2. Notice-only Cookie Banner

Certain cookie banners have neither an Accept nor a Reject button; they simply inform users that the website uses cookies. Such banners assume that users give Cookie Consent by continuing to browse the website.

This practice is not allowed under the GDPR and other privacy laws. Implied cookie consent is not valid. Cookie Consent must be explicit, involving a clear affirmative action.

An example of a notice-only Cookie Banner, which is a dark pattern.

For consent to be valid, a Cookie Banner must provide clear options for users to accept and reject cookies.

3. Pre-ticked checkboxes

Sometimes cookie banners have pre-checked boxes, meaning that the pre-checked categories of cookies are enabled by default. This is a dark pattern and violates the GDPR: a pre-ticked box is not an affirmative action, and rejecting those categories takes more effort than accepting them. The Court of Justice of the EU confirmed in its 2019 Planet49 ruling that a pre-ticked checkbox does not constitute valid consent.

To be GDPR compliant, Cookie Consent must be specific and involve an affirmative action. Cookie banners should not include pre-ticked checkboxes for cookie categories. Only strictly necessary cookies may be enabled by default.

4. Deceptive button colors and contrast

Sometimes cookie consent widgets use different colors and contrasts so that the Accept button stands out or is highlighted, drawing users' attention to it and away from the Reject button. For example, the Accept button may have a larger font or higher contrast.

Although color design is never mentioned in the GDPR, this is a nudging technique for obtaining Cookie Consent. Even if it is not explicitly illegal, some Data Protection Authorities, such as the Danish DPA, consider it manipulative or misleading and thus unlawful.

Avoid using deceptive colors or contrast for your cookie banner buttons to nudge users toward accepting cookies.

5. Defining marketing cookies as essential cookies

You may find cookie banners that classify marketing cookies as essential cookies and therefore never ask for consent.

Companies may claim that certain marketing cookies are strictly necessary for their business. However, privacy laws like the GDPR have strict rules on marketing cookies: they collect personal information about users, so you are required to obtain cookie consent before using them.

Do not mark advertising cookies or other categories of cookies as strictly necessary cookies.

6. Using legitimate interest

Some websites cite legitimate interest as their legal basis for setting non-essential cookies without obtaining valid cookie consent. Legitimate interest is a GDPR legal basis for some processing, but storing or reading cookies on a user's device requires consent unless the cookie is strictly necessary, so legitimate interest cannot be used for analytics or advertising cookies.

Get explicit consent before setting non-necessary cookies. Legitimate interest cannot serve as the basis for them.

7. No easy way to withdraw consent

Some websites collect valid cookie consent but later offer no easily accessible option to withdraw it. This does not comply with the GDPR, which says it must be as easy to withdraw consent as it is to give it.

Users must be able to withdraw their consent easily, at any time, and without giving a reason. Provide an easy way for users to withdraw consent, such as a dedicated web page or a prominently located link.

8. Manipulative language

Some banners use confusing language, emphasizing the benefits of accepting cookies and omitting full information about the collection and use of personal data. For example, a cookie notice may simply say "We use cookies to deliver the best possible user experience" without mentioning that personal data is used for targeted advertising.

Another manipulative example: "If you decline cookies, some features of the site may be unavailable."

This misleads users, who may agree to cookies without realizing what they are agreeing to.

For consent to be valid, use clear language and include full information regarding the types of cookies used, their purposes, and how to consent and/or reject these cookies.

9. Complex, legal language

Some cookie consent notices use complex legal language or jargon that confuses the average user, who may conclude that there is no choice but to accept cookies. A cookie notice must be simple and easily understandable by non-professionals.

Do not use complex legal language or jargon. Use plain and simple language, understandable by non-professionals, to provide the information and get informed cookie consent.

10. Cookie walls

Although cookie walls are less common nowadays, they are clearly dark patterns. A cookie wall blocks the content of a website by default, and users can only access the website if they accept cookies.

If refusing consent prevents someone from accessing the service, the consent cannot be considered freely given, as the GDPR requires.

Do not use cookie walls that deny users access to the website unless consent is given.
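The ten patterns above translate directly into checks a developer can run against a banner's configuration and into a consent model that cannot exhibit them. The following is an added example written for this article, not CookieScript's code: it lints a constructed banner configuration for the patterns covered in items 1, 2, 3, 5, 6 and 7, and implements a consent state in which nothing but strictly necessary cookies is allowed until the user takes an affirmative action, and withdrawal is a single call. The configuration field names (`firstLayerButtons`, `consentOnScroll`, `withdrawLink`, `categories`) and the sample values are assumptions made for the example.

```javascript
// Added example, not CookieScript's code: a small consent model plus a
// linter that flags the banner dark patterns discussed above (missing
// Reject button, notice-only banner, pre-ticked boxes, marketing cookies
// labelled essential, legitimate interest for non-essential cookies, no
// withdrawal). Config field names and sample values are assumptions.

const NECESSARY = "necessary"; // the only category that may be on by default

// Constructed banner configuration exhibiting several dark patterns.
const darkBannerConfig = {
  firstLayerButtons: ["accept", "settings"], // no "reject" in the first layer
  consentOnScroll: true,                      // implied consent from browsing
  withdrawLink: null,                         // no way to withdraw later
  categories: {
    necessary: { essential: true,  preChecked: true,  basis: "necessary" },
    analytics: { essential: false, preChecked: true,  basis: "consent" },
    marketing: { essential: true,  preChecked: true,  basis: "legitimate interest" },
  },
};

// Constructed configuration that avoids all of the above.
const compliantBannerConfig = {
  firstLayerButtons: ["accept", "reject", "settings"],
  consentOnScroll: false,
  withdrawLink: "/cookie-settings",
  categories: {
    necessary: { essential: true,  preChecked: true,  basis: "necessary" },
    analytics: { essential: false, preChecked: false, basis: "consent" },
    marketing: { essential: false, preChecked: false, basis: "consent" },
  },
};

// Returns a list of findings; an empty list means no dark pattern was detected.
function lintBannerConfig(cfg) {
  const findings = [];
  const buttons = new Set(cfg.firstLayerButtons);
  if (!buttons.has("accept") && !buttons.has("reject")) {
    findings.push("notice-only banner: no accept or reject button");
  } else if (!buttons.has("reject")) {
    findings.push("no reject button in the first layer");
  }
  if (cfg.consentOnScroll) findings.push("implied consent: continuing to browse is treated as consent");
  if (!cfg.withdrawLink) findings.push("no easy way to withdraw consent");
  for (const [name, cat] of Object.entries(cfg.categories)) {
    if (name === NECESSARY) continue;
    if (cat.essential) findings.push(`${name} cookies labelled as essential`);
    if (cat.preChecked) findings.push(`${name} category pre-ticked`);
    if (cat.basis !== "consent") findings.push(`${name} cookies rely on "${cat.basis}" instead of consent`);
  }
  return findings;
}

// Consent state: only strictly necessary cookies are allowed until the user
// takes an affirmative action, and withdrawing consent is a single call.
class ConsentState {
  constructor(categories) {
    this.categories = categories;
    this.reset();
  }
  reset() {
    this.granted = new Map(this.categories.map((c) => [c, c === NECESSARY]));
    this.record = null; // proof of consent kept for audit once a choice is made
  }
  // Only an explicit click counts; scrolling or closing the banner never does.
  choose(selected, action) {
    if (action !== "click") throw new Error("consent requires an affirmative action");
    for (const c of this.categories) {
      if (c !== NECESSARY) this.granted.set(c, selected.includes(c));
    }
    this.record = { at: new Date().toISOString(), choice: [...selected] };
  }
  acceptAll() { this.choose(this.categories, "click"); }
  rejectAll() { this.choose([], "click"); }
  withdraw() { this.reset(); } // as easy as giving consent, no explanation required
  allows(category) { return this.granted.get(category) === true; }
}

// Gate a third-party tag on consent; returns true only if it may be loaded.
function mayLoadTag(state, tag) {
  return state.allows(tag.category);
}

// Walk through the lifecycle and return what a tag loader would see at each step.
function demo() {
  const state = new ConsentState([NECESSARY, "analytics", "marketing"]);
  const marketingByDefault = mayLoadTag(state, { name: "ads-pixel", category: "marketing" });
  state.choose(["analytics"], "click"); // user ticks analytics only
  const analyticsAfterChoice = state.allows("analytics");
  const marketingAfterChoice = state.allows("marketing");
  state.withdraw();                     // one call to take it all back
  const analyticsAfterWithdraw = state.allows("analytics");
  return { marketingByDefault, analyticsAfterChoice, marketingAfterChoice, analyticsAfterWithdraw };
}

console.log(lintBannerConfig(darkBannerConfig));      // seven findings
console.log(lintBannerConfig(compliantBannerConfig)); // []
console.log(demo());
```

Run with `node` and the linter reports seven findings for the first configuration and none for the second; the consent walk-through shows the marketing tag blocked by default, analytics allowed only after an explicit click, and everything reset by `withdraw()`. Button colors, wording and cookie walls (items 4, 8, 9 and 10) are design and content choices that no configuration check can fully verify, so they still need a manual review of the banner.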

GDPR on Dark Patterns in Cookie Consent

The GDPR is one of the strictest privacy regulations in the world. However, dark patterns are not explicitly mentioned in the GDPR to date.

For consent to be valid, it has to be “a freely given, specific, informed, and unambiguous indication of the data subject’s wishes”. This is the requirement of the GDPR regarding cookie consent, which implies that dark patterns could not be used for getting cookie consent.

A study performed in 2020 found that dark patterns remain common practice. Businesses use questionable gray-area tactics or even clearly noncompliant practices to obtain user consent.

However, the regulatory landscape for understanding and regulating dark patterns is changing.

The French data protection authority CNIL released a report in 2019 called Shaping Choices in the Digital World, introducing the terms abusive design, deceptive design, dangerous design, and dark patterns for biased methods of data collection. The CNIL's €50 million fine against Google in 2019 was also partly based on the use of dark patterns in privacy settings.

In 2022, the European Data Protection Board (EDPB) published guidelines on dark patterns in social media platform interfaces and reiterated that consent must be "freely given, specific, informed and unambiguous" to comply with the GDPR. The guidelines noted that consent obtained through dark patterns is not valid, and thus dark patterns should not be used.

In 2023, the EDPB and the supervisory authorities of EEA member states published the findings of their joint investigation into dark patterns in cookie banners (the EDPB Cookie Banner Taskforce report).

CPRA on Dark Patterns in Cookie Consent

Even though the CCPA does not explicitly mention dark patterns, it requires transparency to get valid cookie consent.

The CPRA, California's newer and stricter consumer privacy law, explicitly addresses dark patterns. The Act defines a dark pattern as "a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation."

The CPRA states that dark patterns cannot be used to obtain valid consent: "agreement obtained through use of dark patterns does not constitute consent."

According to the CPRA and its regulations, a consent request must be:

  • Easy to understand. Use plain, straightforward language and avoid technical or legal jargon.
  • Symmetrical in choice. Consumers must be offered options such as "Accept" or "Decline" for the sale or use of their personal data, not asymmetric options like "Yes" or "Ask me later".
  • Free of confusing language or interactive elements. Do not obscure the meaning of buttons, and do not use double negatives.
  • Free of manipulative language. For example, it is not allowed to pair "Yes" to accept with "No, I like paying full price" to decline.
  • Easy to execute. If users want to opt out, they must be able to do so simply, without searching or scrolling through a Privacy Policy or many subpages. Do not use circular or broken links for opt-out requests.

Similar to the CPRA, other US state-level privacy laws, such as the Colorado Privacy Act, also prohibit the use of dark patterns when obtaining consent.

PIPEDA on Dark Patterns in Cookie Consent

Canada's privacy law PIPEDA stresses the importance of obtaining clear, free, and informed consent from individuals for specific purposes, but does not explicitly address dark patterns.

However, the Privacy Commissioner of Canada wants to introduce meaningful consent requirements under privacy law to limit the use of dark patterns. With Bill C-27 and the heightened consent requirements introduced by Quebec's Bill 64 amendments, the use of dark patterns will be addressed and regulated more strictly.

LGPD on Dark Patterns in Cookie Consent

Brazil's privacy law LGPD emphasizes data subjects' rights regarding the use of their personal data. However, the law neither defines nor regulates dark patterns.

How to Get a GDPR Compliant Cookie Banner

The best way to comply with privacy laws and avoid dark patterns on your website is to use a Consent Management Platform (CMP).

CookieScript CMP allows you to obtain valid consent without using dark patterns, so you can comply with all major privacy laws without risking penalties for non-compliance.

CookieScript CMP also offers geo-targeting, which lets you apply the privacy law that matches each consumer's location.

Frequently Asked Questions

What are dark patterns in cookie banners?

Dark patterns are deceptive designs, user interfaces, and marketing techniques, deliberately intended to mislead users or manipulate their actions. They exploit human psychology so that the website achieves its desired outcome: getting user consent to collect data, increasing sales, getting the signup, etc. CookieScript CMP allows you to obtain valid consent without using dark patterns.

Does GDPR allow dark patterns in cookie consent?

Even though dark patterns are not explicitly mentioned in the GDPR, they may not be used to obtain cookie consent. For consent to be valid, it has to be "a freely given, specific, informed, and unambiguous indication of the data subject's wishes". CookieScript CMP allows you to obtain valid consent without using dark patterns.

Does CCPA allow dark patterns in cookie consent?

Even though the CCPA does not explicitly mention dark patterns, it requires transparency to obtain valid cookie consent. The CPRA, California's newer and stricter consumer privacy law, explicitly addresses dark patterns and states that they cannot be used to obtain valid consent: "agreement obtained through use of dark patterns does not constitute consent." With CookieScript CMP, you can obtain valid cookie consent from consumers without violating privacy laws.

What are the examples of dark patterns in cookie consent?

The most common examples of dark patterns are the following: no Reject button in the cookie banner, a notice-only cookie banner, a link to settings instead of a Reject button, pre-ticked checkboxes, deceptive button colors and contrast, defining marketing cookies as essential cookies, relying on legitimate interest, no easy way to withdraw consent, manipulative or complex language, and cookie walls. Use CookieScript CMP to avoid dark patterns and the risk of fines for non-compliance.

Does Canada’s PIPEDA allow dark patterns in cookie consent?

Canada's privacy law PIPEDA stresses the importance of obtaining clear, free, and informed consent from individuals for specific purposes, but does not explicitly address dark patterns. However, with Bill C-27 and the heightened consent requirements introduced by Quebec's Bill 64 amendments, the use of dark patterns will be addressed and regulated more strictly. Use CookieScript CMP to avoid dark patterns and comply with PIPEDA.
