Cookie Consent Dark Patterns: 6 GDPR Violations Hiding in Your Banner
Guide to dark patterns in cookie banners: which practices violate GDPR and how to detect them programmatically.
Introduction: Why Data Protection Authorities Are Fighting Dark Patterns
Dark patterns in cookie banners are interface designs that deliberately nudge users into consenting to data processing against their interests. They are often subtle, but supervisory authorities are increasingly effective at sanctioning them: CNIL (France), UODO (Poland), BfDI (Germany), and the ICO (UK) have collectively issued dozens of decisions and fines specifically targeting improper cookie banners.
In January 2022, CNIL fined Google €150 million and Meta €60 million over their cookie banners. The EDPB published Guidelines 03/2022 on dark patterns (renamed "deceptive design patterns" in version 2.0 of February 2023) in social media platform interfaces. The guidelines are not legally binding, but supervisory authorities treat them as the reference interpretation of the consent requirements and apply the same reasoning to cookie banners.
Pre-ticked boxes
Violation: Checkboxes for cookie categories (analytics, marketing, personalization) are ticked by default. Users must actively untick each category to refuse consent.
Legal basis: Art. 4(11) GDPR defines consent as "a freely given, specific, informed and unambiguous indication" of the data subject's wishes given "by a statement or by a clear affirmative action." Pre-ticking removes the affirmative action, and Recital 32 says so directly: "Silence, pre-ticked boxes or inactivity should not therefore constitute consent." The CJEU in Planet49 (C-673/17) confirmed that pre-ticked boxes do not constitute valid consent.
How to detect programmatically: Read the state of the banner's checkboxes at initial render, before any user interaction. Check the DOM `checked` property and not only the HTML `checked` attribute: a consent script can tick a box after the page loads, so the attribute alone can say "unticked" while the rendered box is ticked.
Hidden or small reject button
Violation: The "Reject All" button is smaller, less visible (lower contrast), hidden in a submenu, or requires more clicks than "Accept All."
Legal basis: Consent must be freely given (Art. 4(11) GDPR), so refusing must not be harder than accepting. EDPB Guidelines 03/2022 treat a reject option that is less prominent or further away than the accept option as a deceptive design pattern, and CNIL's 2022 decisions against Google and Meta turned this into concrete enforcement: one click to accept versus several to refuse was the core finding.
How to detect programmatically: Compare font size, background color, WCAG contrast ratio, position (first layer versus sub-menu), and the number of clicks required to reach refusal versus acceptance.
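One way to make that comparison concrete, as an added example that is not the page's or any vendor's tool: compute the WCAG 2.x contrast ratio from the two buttons' colours and compare it together with font size, click depth and layer. The `Control` descriptor, the sample button values and the 15% tolerance are assumptions for illustration; a scanner would fill the descriptor from computed styles in a headless browser.

```python
"""Compare the prominence of a banner's Accept and Reject controls.
Added example with constructed button descriptors; the Control fields,
the thresholds and the 15 % tolerance are assumptions for illustration."""
from dataclasses import dataclass


def _linear(channel: int) -> float:
    """sRGB 8-bit channel -> linear value, per the WCAG 2.x relative-luminance formula."""
    v = channel / 255.0
    return v / 12.92 if v <= 0.03928 else ((v + 0.055) / 1.055) ** 2.4


def relative_luminance(hex_color: str) -> float:
    h = hex_color.lstrip("#")
    if len(h) == 3:                      # expand #abc -> #aabbcc
        h = "".join(c * 2 for c in h)
    r, g, b = (int(h[i:i + 2], 16) for i in (0, 2, 4))
    return 0.2126 * _linear(r) + 0.7152 * _linear(g) + 0.0722 * _linear(b)


def contrast_ratio(fg: str, bg: str) -> float:
    """WCAG contrast ratio (L_lighter + 0.05) / (L_darker + 0.05); 21:1 for black on white."""
    lighter, darker = sorted((relative_luminance(fg), relative_luminance(bg)), reverse=True)
    return (lighter + 0.05) / (darker + 0.05)


@dataclass
class Control:
    label: str
    font_px: float
    fg: str                    # text colour as hex
    bg: str                    # background colour as hex
    clicks_to_reach: int       # clicks from first paint until the choice takes effect
    on_first_layer: bool       # visible without opening a sub-menu


def compare_controls(accept: Control, reject: Control, tolerance: float = 0.15) -> list:
    """Return the ways in which refusing is made harder or less visible than accepting."""
    findings = []
    if not reject.on_first_layer:
        findings.append("reject option is not on the first layer of the banner")
    if reject.clicks_to_reach > accept.clicks_to_reach:
        findings.append(f"refusing takes {reject.clicks_to_reach} clicks, accepting takes {accept.clicks_to_reach}")
    if reject.font_px < accept.font_px * (1 - tolerance):
        findings.append(f"reject text is {reject.font_px}px, accept text is {accept.font_px}px")
    c_accept = contrast_ratio(accept.fg, accept.bg)
    c_reject = contrast_ratio(reject.fg, reject.bg)
    if c_reject < 4.5:                   # WCAG AA minimum for normal-size text
        findings.append(f"reject contrast {c_reject:.2f}:1 is below WCAG AA (4.5:1)")
    if c_reject < c_accept * (1 - tolerance):
        findings.append(f"reject contrast {c_reject:.2f}:1 vs accept {c_accept:.2f}:1")
    return findings


# Constructed example: a solid primary button versus a grey link inside a sub-menu.
ACCEPT = Control("Accept all", font_px=16, fg="#ffffff", bg="#0066cc",
                 clicks_to_reach=1, on_first_layer=True)
REJECT = Control("Continue without accepting", font_px=11, fg="#999999", bg="#ffffff",
                 clicks_to_reach=3, on_first_layer=False)

if __name__ == "__main__":
    for line in compare_controls(ACCEPT, REJECT):
        print("-", line)
```

The 4.5:1 threshold is the WCAG AA minimum for normal text and is a useful absolute floor; the relative comparison against the accept button is what actually matters for the "equivalence" argument, since a banner where both buttons are faint is an accessibility problem rather than a dark pattern.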
Cookie wall: access denied without consent
Violation: The website blocks content or displays only the cookie banner until consent is given. Users cannot use the service without accepting cookies.
Legal basis: Art. 7(4) GDPR states that when assessing whether consent is freely given, utmost account shall be taken of whether the provision of a service is made conditional on consent to processing that is not necessary for that service. The EDPB (Guidelines 05/2020 on consent) has explicitly stated that cookie walls do not produce freely given consent. Exception: a pay-or-consent model may be permissible, but only if the price is fair and the user has a genuine choice; for large online platforms the EDPB's Opinion 08/2024 concluded that a bare binary choice between paying and consenting will usually not satisfy this.
How to detect programmatically: Check whether the page renders content without analytics/marketing cookies, or whether JavaScript blocks interaction before banner acceptance.
Bundled consent (lack of granularity)
Violation: The banner offers only two options: "Accept All" or "Reject All," without the ability to selectively consent to individual categories (e.g., analytics yes, marketing no).
Legal basis: Consent must be "specific" (Art. 4(11) GDPR). Recital 42 states that "consent should not be regarded as freely given if the data subject has no genuine or free choice," and Recital 43 presumes consent is not freely given "if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case." Lack of granularity is exactly that missing separate consent.
How to detect programmatically: Check whether the banner offers separate controls for at least three categories: necessary, analytics, marketing.
Confusing language ("legitimate interest" used to hide processing)
Violation: The banner uses the phrase "we process your data on the basis of legitimate interest" as the default basis for marketing or analytics cookies, thereby concealing that consent would actually be required.
Legal basis: Art. 5(3) of the ePrivacy Directive (implemented in Poland via the Telecommunications Law, Art. 173) requires consent for storing or reading any information on the user's device that is not strictly necessary for the service, so "legitimate interest" cannot replace consent for non-functional cookies. The EDPB confirmed in Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR that the ePrivacy rule is lex specialis and takes precedence over the general legal bases of Art. 6 GDPR for the act of placing and reading cookies.
How to detect programmatically: Check whether the banner text contains "legitimate interest" in the context of non-functional cookies; on its own this is a warning signal, and combined with analytics or marketing scripts that are already loaded before any interaction it is strong evidence of a violation.
Withdrawal harder than giving consent
Violation: Giving consent requires one click, but withdrawing it requires multiple steps (e.g., settings → privacy → cookies → untick all → save). Or: the link to manage preferences is hidden in the footer in small print.
Legal basis: Art. 7(3) GDPR states explicitly that "it shall be as easy to withdraw as to give consent." This is one of the most commonly violated requirements and one of the easiest for a supervisory authority to verify: a case handler only has to count clicks.
How to detect programmatically: Count the number of clicks required to give vs. withdraw consent. Check the visibility of the preferences management link (font size, contrast, location on the page).
Regulatory Enforcement Examples
Dark patterns in cookie banners are actively sanctioned:
- CNIL vs. Google (January 2022): €150 million fine (€90 million for Google LLC and €60 million for Google Ireland, covering google.fr and youtube.com) because refusing cookies took several clicks while accepting took one. The fine was imposed under France's transposition of the ePrivacy Directive (Art. 82 of the Loi Informatique et Libertés), not directly under the GDPR.
- CNIL vs. Facebook/Meta (January 2022): €60 million fine for the same violation: one click was sufficient to accept, while refusing required multiple steps, and the button that led towards refusal was labelled in a way that suggested acceptance.
- UODO — 2023 Guidelines: UODO published guidelines explicitly prohibiting dark patterns, referencing EDPB Guidelines 03/2022.
- ICO (UK) — Cookie sweep (November 2023): the ICO reviewed the UK's 100 most visited websites and wrote to the operators of 53 of them, requiring changes where the banner made rejecting advertising cookies harder than accepting them.
How to Detect Dark Patterns Programmatically
Automated cookie banner scanning can include:
- DOM tree analysis of the cookie banner at initial page load.
- Comparison of accept and reject button size and contrast.
- Checking which scripts load before the user interacts with the banner.
- Verifying that consent withdrawal is accessible from the same location as consent giving.
- Language analysis of the banner for misleading terminology.
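The following pulls several of these checks together as an added example, not the page's or Juralex Audit's code: it parses the first layer of a constructed banner with the standard-library `HTMLParser` and applies the pre-ticked, granularity, first-layer-reject, "legitimate interest" wording and scripts-before-interaction checks from the sections above. The tracker host list, the keyword regexes and the two sample banners are constructed for illustration; in practice you feed it the banner's HTML and the page's `<script>` tags as captured before any interaction (for instance Playwright's `page.content()` right after load), because a static parse only sees the layer you captured.

```python
"""Static audit of a cookie banner's first layer.  Added example with two
constructed sample banners; TRACKER_SUFFIXES and the keyword patterns are
illustrative assumptions, not a maintained blocklist."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRACKER_SUFFIXES = ("googletagmanager.com", "google-analytics.com",
                    "doubleclick.net", "connect.facebook.net", "hotjar.com")
REJECT_WORDS = re.compile(r"\b(reject|refuse|decline|deny)\b", re.I)
ACCEPT_WORDS = re.compile(r"\b(accept|agree|allow)\b", re.I)


class BannerParser(HTMLParser):
    """Collects checkboxes, clickable control labels, script sources and visible text."""

    def __init__(self):
        super().__init__()
        self.checkboxes = []   # (name, checked, disabled)
        self.controls = []     # visible text of <button> and <a> elements
        self.scripts = []      # (src, gated); gated = neutralised until consent
        self.text = []
        self._open_control = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "checkbox":
            self.checkboxes.append((a.get("name", ""), "checked" in a, "disabled" in a))
        elif tag in ("button", "a"):
            self._open_control = []
        elif tag == "script" and a.get("src"):
            # Consent managers commonly park blocked tags as type="text/plain"
            # and switch them to JavaScript only after the user consents.
            self.scripts.append((a["src"], (a.get("type") or "").lower() == "text/plain"))

    def handle_endtag(self, tag):
        if tag in ("button", "a") and self._open_control is not None:
            self.controls.append(" ".join(self._open_control).strip())
            self._open_control = None

    def handle_data(self, data):
        if self._open_control is not None:
            self._open_control.append(data.strip())
        self.text.append(data)


def _is_tracker(src: str) -> bool:
    host = (urlparse(src).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRACKER_SUFFIXES)


def audit_banner(html: str) -> dict:
    """Return a dict of findings; an empty dict means none of the checks fired."""
    p = BannerParser()
    p.feed(html)
    p.close()
    findings = {}
    # Pre-ticked boxes: a ticked, user-editable category is no affirmative act.
    # A ticked *and disabled* box for strictly necessary cookies is fine.
    pre_ticked = [n for n, checked, disabled in p.checkboxes if checked and not disabled]
    if pre_ticked:
        findings["pre_ticked"] = pre_ticked
    # Granularity: fewer than three categories on the captured layer.
    if len(p.checkboxes) < 3:
        findings["no_granularity"] = len(p.checkboxes)
    # Reject must sit on the same layer as accept.
    has_accept = any(ACCEPT_WORDS.search(c) for c in p.controls)
    has_reject = any(REJECT_WORDS.search(c) for c in p.controls)
    if has_accept and not has_reject:
        findings["no_reject_on_first_layer"] = p.controls
    # "Legitimate interest" offered as the basis for cookies that need consent.
    if "legitimate interest" in " ".join(p.text).lower():
        findings["legitimate_interest_wording"] = True
    # Tracker scripts already live before any interaction.
    live = [src for src, gated in p.scripts if not gated and _is_tracker(src)]
    if live:
        findings["trackers_before_consent"] = live
    return findings


# Constructed samples (not real sites): one dark banner, one compliant banner.
DARK_BANNER = """
<div id="cookie-banner">
  <p>We and our partners process your data on the basis of legitimate interest.</p>
  <label><input type="checkbox" name="necessary" checked disabled> Necessary</label>
  <label><input type="checkbox" name="analytics" checked> Analytics</label>
  <label><input type="checkbox" name="marketing" checked> Marketing</label>
  <button class="btn-primary">Accept all</button>
  <a href="#" style="font-size:10px;color:#999">Manage settings</a>
</div>
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
"""
COMPLIANT_BANNER = """
<div id="cookie-banner">
  <p>We use analytics and marketing cookies only with your consent.</p>
  <label><input type="checkbox" name="necessary" checked disabled> Necessary</label>
  <label><input type="checkbox" name="analytics"> Analytics</label>
  <label><input type="checkbox" name="marketing"> Marketing</label>
  <button>Accept all</button> <button>Reject all</button> <button>Save choices</button>
</div>
<script type="text/plain" src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
"""

if __name__ == "__main__":
    print(audit_banner(DARK_BANNER))
    print(audit_banner(COMPLIANT_BANNER))
```

Two caveats when running this against real pages: banners injected by JavaScript are invisible to a parse of the raw HTML, so capture the rendered DOM from a headless browser instead; and "no granularity" on the first layer is only a violation if no second layer offers the categories, so follow the "manage" control and run the same checks on that layer before reporting.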
Tools such as Juralex Audit automate these checks, generating detailed reports identifying specific dark patterns on the website along with the legal basis for the violation.