Data & Analytics, Google Analytics 07.04.25

What are dark patterns in cookie compliance banners & how can you avoid them?

When you head to a website to read information or make a purchase, most likely the first thing you will see is a cookie banner asking you about consent. These are required on all websites in the UK to allow web users to understand and decide how their data is being collected. 

The enforcement of these consent guidelines has caused some data loss for websites as they can no longer collect data from users who do not consent. Therefore, to help collect as much data as possible, some websites have begun to use tactics known as ‘dark patterns’ that nudge website users into accepting cookies and providing consent. And some websites may be using these dark patterns in their consent banners without even realising!

In this article we will explore what dark patterns are, why they are an issue for both website owners and web users, the consequences of using them, and most importantly, how to avoid them!

07.04.25 Article by: Katie, Data & Analytics Manager

What are dark patterns in cookie consent banners?

So what is a dark pattern? Dark patterns (also referred to as “deceptive patterns”) are design choices made to lead users into taking actions they might not otherwise take. The designs are deliberately made to exploit human behaviour, tricking the user into making the decision that is most desirable for the website owner, even if it is not in the best interest of the user.

Dark patterns do not only exist in cookie banners; we also see them in email marketing that makes it difficult for a user to unsubscribe, and in hidden costs in checkout processes. In this article we will focus only on the dark patterns seen in cookie banners. In this case, there is one outcome that these dark patterns are pushing users towards… accepting cookies!

Here are some examples that you are likely to see during a short browsing session:

 

  • Using formatting, colours and highlighting to influence choice

This is one of the most obvious ones to spot and is incredibly common. In this dark pattern, the choice of different colours, font sizes and visual design is used to encourage clicks on the Accept button. 

For example, you may notice that the “Accept” button is highlighted in green, or in a bright colour, whereas the “Reject” button blends in with the banner in a dull or grey colour. 

Similarly, you might see the “Accept” option in a large, interactive, prominent button, with the “Reject” option being presented simply as a small text hyperlink (rather than a button) making it difficult to find. 

 

  • No immediate option to reject

Another tactic used to influence users to give more consent than they may like is to remove the option to “Reject” consent on the first layer of the cookie banner. This plays on the fact that web users are often short on time and may not click through to a second layer of the banner in order to reject. In fact, a 2024 report by the Austrian privacy activist organization NOYB found that only 2.18% of data subjects visit the second layer of a consent banner, indicating the massive impact that this dark pattern has on influencing consent status.

 

  • Difficulty withdrawing consent

Once consent has been given, a website user should have the ability to change their consent status at any given time, being able to withdraw consent as easily as they gave it. The consent banner should describe how consent can be withdrawn if the user changes their mind, and this process should be easily accessible. However, to avoid consent being withdrawn, some websites use the dark pattern of making it difficult for users to change or withdraw their consent selection, hiding the withdraw option in small links that are not permanently visible.

 

  • Pre-ticked checkboxes

The next dark pattern is the use of pre-ticked checkboxes or switches that are already in the ‘ON’ position for non-essential cookies in consent banners. This can cause the user to accept cookies that they otherwise wouldn’t for two main reasons. The first is that having pre-ticked boxes indicates to users that they ‘should’ accept those types of cookies, making them feel as though they are needed. Secondly, if a consent banner contains pre-ticked boxes, in order to reject cookies, the user must untick each box, which is time consuming and requires additional effort compared to accepting all cookies.

Guidelines in several European countries state that consent is not valid if it is collected through pre-ticked checkboxes as it is not an active opt-in from the user.  

The European Court of Justice agreed with this in 2019, stating that the use of pre-ticked boxes in consent banners does not constitute consent. 

 

  • Confusing or vague language

In some cases, websites may simply choose to confuse! If a consent banner uses vague language, double negatives or complex tech jargon, website users may be tricked into accepting cookies they didn’t want simply due to confusion or misunderstanding. 

 

  • Incorrectly classifying cookies as “Essential”

If you browse through a range of websites, you will see that a large proportion of them contain the words ‘essential’ and ‘strictly necessary’ in their consent banner. But do you know which cookies really are essential? Essential or strictly necessary should only be used for cookies that are needed in order for the website to function. 

Therefore, as much as they are useful to website owners, marketing and analytics cookies are not ‘essential’ or ‘strictly necessary’ and misclassifying them in this way in order to collect consent is another example of a dark pattern. 

Do these seem familiar to you? If so, it is unsurprising: a research study in 2022 showed that, of the 376 sites reviewed, over 79% used some sort of dark pattern in their cookie consent banner to encourage users to accept.

What are the consequences of using dark patterns in cookie banners?

Consent banners have the purpose of giving control to website users over how their data is collected and used. In order for users to make meaningful decisions about their data, it is crucial that website owners are transparent, honest and open in their consent banners about what data is being collected. By using dark patterns, some control is taken away from the users as they may be influenced to make a decision about their consent that they otherwise would not have chosen. 

Although using dark patterns may earn a website a higher consent acceptance rate, there are some large consequences to using these deceptive practices. 

The first consequence is receiving a warning or even a fine from a regulatory body, whether that is the ICO in the UK or one of the DPAs in Europe. Over the past year, as data laws and regulations have developed, these regulatory bodies have been focusing on identifying websites that are using dark patterns and enforcing actions against them for failing to comply with regulations. DPAs across Europe have been increasing the number of websites reviewed (with the UK’s DPA, the ICO, announcing in January 2025 that it is extending the number of websites included in its review process this year). DPAs have been issuing formal warnings (and in some cases, large fines) to websites that they consider to mislead, pressure or trick users into sharing data using dark patterns. For example, at the end of 2024, the Belgian DPA threatened 4 press websites with financial penalties of 25,000 euros per day of continued non-compliance for using dark patterns in their consent banners.

The second consequence comes back to the users of your website. Using dark patterns could cause your website users and potential customers to distrust your website, and even your brand. If a user lands on your website and is unable to easily Reject cookies, they may feel uneasy about using your site, potentially causing them to leave the site completely. In addition, if your dark patterns get noticed by a regulatory body such as the ICO, you may be fined, which could lead to further negative press, once again bringing damage to your reputation and trustworthiness in the eyes of website users. 

How to avoid dark patterns in cookie consent banners

The good news is that now you know what dark patterns are, it is easy to avoid them! To help you out, we’ve put together a quick dos and don’ts list to help you avoid dark patterns and create a user-friendly and compliant cookie consent banner:

 

DON’Ts

 

  • Don’t pre-tick boxes for non-essential cookies
  • Don’t use misleading, overly complex or confusing language
  • Don’t incorrectly mark analytics, marketing or other cookies as ‘essential’ or ‘strictly necessary’ if they aren’t required for the website to function
  • Don’t make it difficult to withdraw consent
  • Don’t make it easier to Accept than to Reject cookies
  • Don’t influence user choice with colours, highlighting or sizing

How to create a compliant cookie consent banner

DOs

 

  • Ensure the consent banner is easy to understand, using clear language that explains what data is being collected
  • Make consent banners user friendly with an intuitive design
  • Ensure consent choices are clear and transparent with it being equally as easy to Accept, Reject or customise cookie consent
  • Ensure the consent banner is clear and visible from the user’s first visit to the site
  • Allow users to have full, granular control over the cookies they accept and reject rather than lumping them all together
  • Provide links to more information such as a cookie policy
  • Let users know that they can withdraw consent at any time and explain how
  • Have any checkboxes for non-essential cookies un-ticked and switch sliders set to ‘OFF’
  • Only mark cookies as ‘essential’ or ‘strictly necessary’ if they are needed for the website to work
  • Ensure that cookies are only loaded once users have actively given consent
  • Check your consent banner with your legal team to ensure compliance
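
One way to implement several of these DOs in code (categories off by default, tags loaded only after an active opt-in, and rejecting or withdrawing being as easy as accepting). This is an added example, not code from the original article; the category names, function names and tag loaders are assumptions.

```javascript
// Added example: category names and the tag loaders below are hypothetical.
function createConsentGate() {
  // Non-essential categories start denied, the code equivalent of un-ticked boxes.
  const state = { essential: true, analytics: false, marketing: false };
  const loaders = { analytics: [], marketing: [] };  // tags waiting on opt-in
  const cleanups = { analytics: [], marketing: [] }; // undo steps for withdrawal
  let answered = false; // stays false until the user makes an active choice

  function run(category, loader) {
    const cleanup = loader();
    if (typeof cleanup === 'function') cleanups[category].push(cleanup);
  }

  return {
    state: () => ({ ...state }),
    bannerNeeded: () => !answered,
    // Register a tag. Non-essential loaders run only while their category is granted.
    register(category, loader) {
      if (!Object.keys(state).includes(category)) throw new Error(`unknown category: ${category}`);
      if (category === 'essential') { loader(); return; }
      loaders[category].push(loader);
      if (state[category]) run(category, loader);
    },
    // Apply the user's explicit per-category choice; anything but `true` is a "no".
    choose(choices = {}) {
      answered = true;
      for (const category of Object.keys(loaders)) {
        const granted = choices[category] === true;
        if (granted === state[category]) continue;
        state[category] = granted;
        if (granted) loaders[category].forEach((l) => run(category, l));
        else cleanups[category].splice(0).forEach((undo) => undo());
      }
    },
    acceptAll() { this.choose({ analytics: true, marketing: true }); },
    rejectAll() { this.choose({}); }, // one call, same effort as acceptAll
  };
}

// Constructed demo: returns the order in which tags were started and stopped.
function demo() {
  const log = [];
  const gate = createConsentGate();
  gate.register('essential', () => { log.push('session cookie set'); });
  gate.register('analytics', () => { log.push('analytics loaded'); return () => log.push('analytics removed'); });
  gate.register('marketing', () => { log.push('marketing loaded'); });
  gate.choose({ analytics: true }); // granular opt-in: analytics only
  gate.rejectAll();                 // withdrawal runs the cleanup
  return log;
}
```

The banner's Accept, Reject and per-category controls would each call one method on the gate, so no route to "no" takes more steps than the route to "yes".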

Conclusion

So how about taking a minute to review your consent banner? Do you notice any influencing design choices, misleading words or difficult routes to Reject consent? It is likely that you weren’t aware you were using any dark patterns, but now that you know how to identify and avoid them, it is the perfect time to update your consent banner to be compliant, and to prioritise user choice. Not only will this help you to align with compliance regulations and avoid warnings and fines from DPAs, but by respecting user consent decisions, you can help to build trust in your website and brand reputation.

Once you have ensured that the design of your consent banner is fully compliant, don’t forget to check that your consent signals are configured correctly and are being sent through to GA4. For more information on this next step, check out our previous blog on consent settings.

 

Dark patterns are design techniques that are used to trick or influence website users into accepting cookies or making choices they wouldn’t typically make. Examples of dark patterns in consent banners include hiding the ‘Reject’ option or making it difficult to find, and influencing user decision through the use of wording, formatting and colours.

To avoid dark patterns in cookie consent banners, follow our DOs and DON’Ts checklist above. In summary, you want to make sure your consent banner is clear, easy to use and allows website users to make active, informed and granular decisions about cookies.

Using dark patterns in consent banners can lead to warnings and fines from national DPAs (Data Protection Authorities) such as the ICO in the UK. As well as financial implications, using dark patterns can also risk losing the trust of your website users, and facing damage to your reputation if you publicly receive a fine.

A compliant cookie consent banner should clearly inform users of what cookies are being used and who owns those cookies. It should allow users to easily select which types of cookies they want to Accept (if any), and just as easily Reject cookies, or change their consent status at any time they choose.

It is not compliant to pre-tick boxes for cookie consent, or to auto-set cookie consent toggles to be ‘ON’. It is important that users actively opt-in to accept any cookies, as passively collected consent is not valid.
