What Counts as a Dark Pattern in Cookie Consent?
A dark pattern is a user interface design that steers visitors toward a choice they would not otherwise make. In cookie consent, that typically means making it harder to refuse tracking than to accept it. The term itself comes from UX researcher Harry Brignull, but regulators across Europe now use it in formal enforcement decisions.
The ePrivacy Directive and GDPR both require consent to be freely given, specific, informed, and unambiguous. Article 4(11) of the GDPR defines consent as an indication of the user's wishes given by a statement or by a "clear affirmative action." Any design that undermines these conditions risks regulatory action.
Dark patterns do not need to be intentional. A poorly designed banner that buries the reject option behind two extra clicks qualifies just as readily as one built to deceive on purpose.
CNIL's Record Fines: SHEIN and Google
France's data protection authority, the CNIL, issued two landmark fines in 2025 that put cookie dark patterns at the centre of European enforcement.
SHEIN received a 150 million euro fine in September 2025. The CNIL found that advertising cookies were placed on visitors' devices the moment they arrived on shein.com, before any interaction with the consent banner. When a user clicked "Refuse all," new cookies were still set and existing ones continued to be read. The banner itself was split across two incomplete interfaces, neither of which explained the advertising purpose of the cookies being placed.
Google was fined 325 million euros for cookie violations on google.fr and youtube.com. The core issue was asymmetric friction: accepting all cookies required a single click, while refusing them demanded multiple steps across different screens. The CNIL had already fined Google 150 million euros in January 2022 for the same structural problem, making the 2025 penalty a repeat-offender escalation.
Both cases confirm that regulators treat asymmetric consent flows as a direct breach of the GDPR's valid consent requirements.
The Six Most Common Dark Patterns in Cookie Banners
Enforcement actions and CNIL guidance reveal a clear pattern of recurring violations. The table below summarises the designs that draw the most regulatory attention.
| Dark Pattern | What It Looks Like | Why It Breaches GDPR |
|---|---|---|
| Hidden reject button | "Accept All" is prominent; "Reject" is buried in settings or a second layer | Consent is not freely given if refusal requires more effort than acceptance |
| Pre-ticked boxes | Cookie categories are selected by default; user must untick them | CJEU Planet49 ruling: pre-ticked boxes do not constitute valid consent (Recital 32 GDPR) |
| Confusing colour contrast | "Accept" is a bright button; "Manage Preferences" is a faint text link | Visual hierarchy manipulates the user's choice, undermining "freely given" consent |
| Confirm-shaming language | "No thanks, I don't care about my experience" as the reject option | Emotional manipulation is incompatible with informed, freely given consent |
| Forced action (cookie walls) | Content is blocked entirely unless the user clicks "Accept" | EDPB Guidelines 05/2020: consent obtained through a cookie wall is generally not freely given |
| Incomplete information | Banner lists no purposes, no cookie names, no third parties | Article 5(3) ePrivacy Directive requires clear and comprehensive information before storing data on a device |
Pre-Ticked Boxes: The Planet49 Legacy
The Court of Justice of the European Union settled the pre-ticked box question in the Planet49 case (C-673/17) in October 2019. The ruling established that consent within the meaning of the ePrivacy Directive requires an active indication of the user's wishes. A pre-selected checkbox does not meet this standard.
Despite the ruling being over six years old, enforcement continues. Sweden's IMY issued penalties in April 2025 against three companies that pre-selected non-essential cookie categories and hid privacy controls behind additional navigation layers. The Belgian DPA threatened daily fines of 25,000 euros against four press websites at the end of 2024 for similar violations.
If your cookie banner loads with any category other than strictly necessary already ticked, it fails this test.
Hidden Reject Buttons and the "Equal Friction" Rule
The CNIL's enforcement against Google established what privacy practitioners now call the "equal friction" rule: refusing cookies must be as easy as accepting them. A single-click "Accept All" button paired with a multi-step rejection path violates Article 5(3) of the ePrivacy Directive.
Following its 2022 fine, Google redesigned its consent interface to show three options on the first layer: "Accept all," "Reject all," and "More options." The CNIL had given Google three months to comply, with a penalty of 100,000 euros per day of delay.
The one-click reject principle is now standard across multiple European data protection authorities. Your banner should present both choices on the same screen, with equivalent visual weight.
How to Audit Your Banner for Dark Patterns
Run through this checklist against your live banner. Every "no" is a compliance risk.
- Is "Reject All" (or equivalent) visible on the first layer of the banner?
- Does clicking "Reject All" require the same number of clicks as "Accept All"?
- Are both buttons the same size, colour prominence, and position?
- Are all non-essential cookie categories unticked by default?
- Does the banner clearly state the purposes of the cookies (analytics, advertising, functional)?
- Can visitors change their mind after consenting, and is the mechanism easy to find?
- Does the banner avoid emotional language that shames users into accepting?
- Are cookies actually blocked until consent is given? (Test with Chrome DevTools)
Automated scanning can catch some of these issues. A cookie scanner will reveal whether tracking cookies fire before the user interacts with the banner, the same violation that cost SHEIN 150 million euros.
Testing Reject Functionality
Click "Reject All" on your own banner, then open the browser's Application panel in DevTools. Filter by third-party domains. If you see cookies from doubleclick.net, facebook.com, or analytics.google.com, your reject mechanism is broken. The CNIL specifically cited this failure in the SHEIN decision: the "Refuse all" button did not actually prevent new cookies from being set.
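The same check can be scripted over a recorded capture instead of eyeballing DevTools. This is an added example, not code from the article or from any scanner product: the record shape (`phase`, `host`, `setCookie`), the site `shop.example`, the allowlist of strictly necessary cookie names and the sample data are all assumptions made for illustration.

```javascript
// Tracker domains named in the article; extend with your own list.
const TRACKER_DOMAINS = ["doubleclick.net", "facebook.com", "analytics.google.com"];

// True when host equals domain or is a subdomain of it.
function inDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Parse one Set-Cookie header value; a Domain attribute wins over the responding host.
function parseSetCookie(header, responseHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  let domain = responseHost.toLowerCase();
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    if (k.toLowerCase() === "domain" && v) domain = v.replace(/^\./, "").toLowerCase();
  }
  return { name, domain };
}

// Flag every cookie set before any banner interaction or after "Reject All"
// unless it is a first-party cookie on the strictly-necessary allowlist.
function auditCapture(siteDomain, necessaryNames, capture) {
  const findings = [];
  for (const rec of capture) {
    if (rec.phase !== "pre-consent" && rec.phase !== "post-reject") continue;
    const { name, domain } = parseSetCookie(rec.setCookie, rec.host);
    if (inDomain(domain, siteDomain) && necessaryNames.includes(name)) continue;
    findings.push({
      phase: rec.phase, name, domain,
      thirdParty: !inDomain(domain, siteDomain),
      knownTracker: TRACKER_DOMAINS.some((t) => inDomain(domain, t)),
    });
  }
  return findings;
}

// Constructed sample capture (not real traffic) for the placeholder site shop.example.
const SAMPLE = [
  { phase: "pre-consent", host: "shop.example", setCookie: "session=abc123; Path=/; HttpOnly; Secure" },
  { phase: "pre-consent", host: "ad.doubleclick.net", setCookie: "IDE=xyz; Domain=.doubleclick.net; Path=/; Secure; SameSite=None" },
  { phase: "post-reject", host: "shop.example", setCookie: "consent=rejected; Path=/; Max-Age=15552000" },
  { phase: "post-reject", host: "www.facebook.com", setCookie: "fr=0abc; Domain=.facebook.com; Path=/; Secure" },
  { phase: "post-accept", host: "analytics.google.com", setCookie: "NID=511; Path=/; Secure" },
];

const report = auditCapture("shop.example", ["session", "consent"], SAMPLE);
console.table(report);
```

An empty report for both the pre-consent and post-reject phases is the passing result; any row means a cookie was set without a valid choice behind it.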
Enforcement Beyond France: A Growing Trend
The CNIL has been the most active enforcer on cookie dark patterns, but other authorities are following. The Belgian DPA's 2024 action against press websites targeted both pre-ticked boxes and cookie walls that conditioned access to news content on accepting tracking. Sweden's IMY fined companies for pre-selected categories and hidden controls in 2025.
The UK ICO has taken a softer approach but has published detailed guidance warning against "nudge" designs that push users toward acceptance. The ICO's design expectations mirror the CNIL's equal friction principle, even if fines have been less frequent.
Regulators are also exploring automated enforcement. The CNIL announced plans to use scanning tools capable of checking millions of websites for dark pattern indicators, a shift from complaint-driven to proactive enforcement.
How to Design a Compliant Cookie Banner
A well-designed banner does not need dark patterns to achieve reasonable consent rates. The following principles keep your banner on the right side of enforcement.
Button Parity
Place "Accept All" and "Reject All" side by side on the first layer. Use the same button size, font weight, and colour treatment. A third "Manage Preferences" option can link to granular controls, but the binary choice must be immediately available.
Default State
Every toggle and checkbox for non-essential cookies must be off by default. Only strictly necessary cookies should be pre-enabled, and these should not have a toggle at all since they do not require consent.
Clear Purpose Labels
Label each category with plain language: "Advertising," "Analytics," "Functional." Name the third parties involved. Vague labels like "Improve your experience" obscure the actual data processing and fail the informed consent test.
Withdraw Consent Easily
GDPR Article 7(3) states that withdrawing consent must be as easy as giving it. A persistent icon or footer link that reopens the consent preferences satisfies this requirement. Hiding the option in a privacy policy buried three clicks deep does not.
The Business Case Against Dark Patterns
Dark patterns may inflate consent rates in the short term, but the risk calculation has shifted. CNIL's 150 million euro fine against SHEIN exceeds what most businesses would gain from inflated tracking consent over a decade. The GDPR's fine framework allows penalties of up to 4% of global annual turnover.
Transparent banners also perform better than many expect. Studies from EDPB-supported research show that banners with clear reject options achieve consent rates between 40% and 60%, which is sufficient for meaningful analytics when paired with consent mode modelling.
Building trust with visitors creates long-term value that inflated consent numbers cannot replicate.
Frequently Asked Questions
What is a dark pattern in a cookie banner?
A dark pattern is any design choice that manipulates visitors into accepting cookies they would otherwise refuse. Common examples include hiding the reject button behind extra clicks, using pre-ticked boxes, or making the accept button visually dominant.
Is it illegal to make the reject button smaller than the accept button?
The CNIL and other European regulators consider asymmetric button designs a violation of freely given consent under the GDPR. Both buttons should have equivalent visual prominence to avoid enforcement action.
How much was SHEIN fined for cookie dark patterns?
SHEIN was fined 150 million euros by the CNIL in September 2025 for placing advertising cookies before consent, providing incomplete information in the banner, and continuing to set cookies after users clicked "Refuse all."
Are pre-ticked cookie consent boxes legal under GDPR?
No. The CJEU ruled in the Planet49 case (C-673/17) that pre-ticked boxes do not constitute valid consent. GDPR Recital 32 explicitly excludes silence, pre-ticked boxes, and inactivity as forms of consent.
Do I need a reject all button on my cookie banner?
European regulators expect a "Reject All" option on the first layer of the banner that requires the same number of clicks as "Accept All." The CNIL has fined both Google and SHEIN for failing to provide this.
Can I use a cookie wall to block content until users accept cookies?
The EDPB's Guidelines 05/2020 state that consent obtained through a cookie wall is generally not freely given. Some authorities allow "pay or consent" models for publishers, but a blanket cookie wall is a high-risk approach.
Take Control of Your Cookie Compliance
If you are not sure whether your banner uses dark patterns, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.