GDPR Dark Patterns: What Regulators Are Cracking Down On
Your consent banner might be illegal — not because it's missing, but because of how it's designed.
For years, companies operated on the assumption that displaying any form of consent notice was enough to satisfy GDPR. Regulators have made clear that assumption is wrong. The European Data Protection Board (EDPB) published dedicated guidelines on dark patterns in 2022, and enforcement authorities across the EU have since issued hundreds of millions in fines specifically targeting manipulative consent UX.
GDPR dark patterns are now a named enforcement priority. Here's what they are, what regulators look for, and how to check whether your own consent flow passes scrutiny.
What Are GDPR Dark Patterns?
In the privacy context, GDPR dark patterns are design techniques that manipulate users into consenting to data collection they would not otherwise agree to — or that make it deliberately difficult to exercise their privacy rights.
The term "dark pattern" was coined by UX designer Harry Brignull in 2010 to describe interface designs that trick users into doing things against their interests. In the GDPR context, the European Data Protection Board formalised the concept: dark patterns are design choices that work against users' ability to make free and informed choices about their personal data.
Dark patterns don't have to be intentional deception. A consent banner can be a GDPR dark pattern through poor design, careless defaults, or misaligned incentives — without anyone at the company consciously deciding to mislead users. But the effect is the same: consent obtained through dark patterns is not valid consent under GDPR Article 7.
This matters because invalid consent is no consent at all. If a user clicks "Accept All" because the "Reject" option was buried three clicks deep or written in grey text against a white background, that click doesn't constitute valid consent. The data collected on the basis of that click has no lawful basis. That's a GDPR violation.
The EDPB Guidelines 03/2022 on Dark Patterns
In March 2022, the European Data Protection Board published Guidelines 03/2022 on Dark Patterns in Social Media Platforms — a landmark document that set out the official regulatory framework for identifying and penalising GDPR dark patterns. Though the guidelines focused on social media, they established principles that supervisory authorities apply across all sectors.
The EDPB defined dark patterns as "interfaces and user experiences implemented on social media platforms that lead users to unintentionally, unknowingly and without free choice, providing personal data and rights, and are exploited by the platform against their own interests."
The guidelines identified six categories of dark patterns and provided concrete examples of each. These categories are now the standard framework that supervisory authorities use when reviewing consent implementations.
The 6 Categories of GDPR Dark Patterns Regulators Identify
1. Overloading
Overloading means confronting users with an excessive number of requests, information, choices, or possibilities — deliberately overwhelming them to the point where they simply accept everything to make the notifications stop.
Common examples:
- Constant, repeated consent requests every time a user visits a page
- Presenting dozens of consent toggle options simultaneously with no clear hierarchy
- Displaying layers of privacy options spread across multiple screens when a user tries to access basic settings
- Making the consent process so complex that users give up and click "Accept All" to proceed
Overloading exploits a genuine cognitive limitation: when confronted with too many choices, people default to the easiest path. If "Accept All" is one click and "Manage Preferences" requires navigating through 50 individual vendor toggles, the design is doing work on behalf of the data collector.
2. Skipping
Skipping involves designing the interface so that users naturally bypass the information and choices they need to make an informed decision about their personal data.
Common examples:
- Auto-advancing through consent flows with timers
- Hiding privacy-relevant information behind "More information" links that users aren't prompted to click
- Structuring consent flows so the default path bypasses the settings entirely
- Making the "Accept" button the natural progression of a process (like checkout) while making "Manage Preferences" a sidebar option
The regulatory test is whether a reasonably attentive user would encounter and understand the relevant information. If the design makes it likely they'll skip past it, it's a skipping dark pattern.
3. Stirring
Stirring uses emotional manipulation — fear, urgency, shame, or social pressure — to push users toward sharing more data than they would choose to based on neutral information.
Common examples:
- Warnings that "your experience will be degraded" or "features will be unavailable" if you decline certain non-essential cookies (when those warnings are exaggerated or false)
- Using language like "Help us improve!" for consent acceptance while framing rejection as selfish or unhelpful
- Countdown timers on consent banners implying urgency around data decisions
- Making the "Reject" button text passive-aggressive ("No thanks, I don't want a better experience")
The EDPB is explicit: emotional manipulation that affects the freedom of choice constitutes a dark pattern, even if the information itself is technically accurate.
4. Obstructing
Obstructing means making it unreasonably difficult for users to exercise their privacy rights — withdrawing consent, accessing their data, requesting deletion, or updating their preferences.
Common examples:
- Hiding the "Reject All" or "Withdraw Consent" option many clicks deep in settings menus
- Making withdrawal of consent require contacting a support team rather than using a self-service interface
- Cookie preference panels that reset to default (all accepted) when users return
- Settings pages that are hard to find, broken, or don't actually implement the user's choices
Under GDPR Article 7(3), withdrawing consent must be as easy as giving it. If a user can accept cookies in one click but needs to navigate through Account > Settings > Privacy > Cookie Preferences > Manage > Third Parties to withdraw, that's an obstructing dark pattern.
5. Flustering
Flustering uses confusing language, contradictory information, or disorienting interface design to prevent users from understanding what they're consenting to.
Common examples:
- Toggle switches where "on" means the company collects data and "off" means they don't — but described using double negatives ("Uncheck to disable personalisation off")
- Inconsistent visual language (some toggles are blue when active, others when inactive)
- Using technical jargon ("legitimate interest", "functional tracking", "social media cookies") without explanation
- Button labels that don't match their function ("Save preferences" that accepts all rather than saving the selections made)
Flustering is particularly common in consent management platform implementations. A vendor may provide a technically compliant consent banner, but the way it's configured or skinned can still introduce confusing elements.
6. Left in the Lurch
Left in the lurch means failing to provide users with the information they need to make a genuinely informed decision about their personal data.
Common examples:
- Consent banners that don't name the specific third parties whose cookies are being set
- Vague descriptions like "analytics and advertising partners" without identifying who those partners are
- Omitting information about data retention periods
- Not explaining what happens to data collected before consent is withdrawn
- Missing information about users' rights (to access, rectification, erasure, restriction, portability)
GDPR requires that consent be "informed" — which means users need substantive information about what they're consenting to. A banner that says "We use cookies for analytics and advertising" without identifying specific tools and data uses leaves users in the lurch.
Specific Dark Patterns in Consent Banners
The EDPB guidelines and subsequent enforcement actions have identified recurring patterns in cookie consent banners specifically:
Accept/Reject asymmetry: "Accept All" is displayed as a prominent, coloured button while "Reject All" is absent, is displayed as a plain text link, requires multiple additional steps, or is only accessible through a "Manage Preferences" sub-menu. Regulators have been explicit: if one option is one click, the other must also be one click.
Pre-ticked boxes: Presenting consent checkboxes pre-selected and requiring users to actively un-tick them. Pre-ticked boxes have been explicitly prohibited under GDPR since it came into force in 2018 — consent must be an affirmative action, not a passive failure to object.
Colour contrast manipulation: Making the "Accept" button visually prominent (bright colour, large size, high contrast) while styling the "Reject" option in low-contrast grey, small text, or as a barely visible link. The visual design itself creates a dark pattern even if both options are technically present.
Misleading button labels: Using labels like "I agree" for acceptance and "I would prefer limited privacy" for rejection, or "Continue" for acceptance and "Exit" for rejection — creating the impression that declining consent means leaving the site.
Cookie walls: Making access to content or functionality conditional on accepting non-essential cookies. If users can't read your article, access your service, or complete a basic task unless they accept advertising cookies, that's a cookie wall — and regulators consider it a dark pattern because "consent" given under that condition isn't freely given.
Enforcement Examples: When Regulators Act
GDPR dark patterns enforcement has produced some of the largest fines in the regulation's history.
CNIL vs. Google and Facebook (2022): France's data protection authority fined Google €150 million and Facebook (Meta) €60 million for making it harder to reject cookies than to accept them. Google's French site had a simple one-click "Accept All" button, but required users to navigate through multiple steps to refuse non-essential cookies. The CNIL found this asymmetric design constituted a violation of consent requirements under GDPR.
CNIL vs. Microsoft (2023): The CNIL fined Microsoft €60 million for Bing's cookie consent interface, which had a one-click "Accept All" option but no equivalent single-click option for refusing all non-essential cookies.
IAB Europe TCF (2022): The Belgian data protection authority ruled that the Interactive Advertising Bureau's Transparency and Consent Framework — used by thousands of websites — was itself illegal, partly because the framework's design made it difficult for users to exercise meaningful choice.
DSK guidelines (Germany): The German supervisory authorities have issued guidance specifically addressing dark patterns in consent implementations, including requirements for equal prominence of accept and reject options.
The pattern across enforcement actions is consistent: regulators are specifically targeting the asymmetry between accepting and rejecting consent, and any design element that systematically nudges users toward acceptance.
How to Audit Your Consent Implementation for Dark Patterns
Conducting a dark patterns audit involves reviewing your consent flow against each of the EDPB's six categories. Here's a practical framework:
Map the user journeys: Document every path a user can take through your consent banner. How many clicks does it take to accept all? How many to reject all? How many to manage preferences? How many to withdraw consent after the fact?
Test the information quality: Can a user who reads only your consent banner — not your privacy policy — identify the specific third-party services being consented to? If not, you may have a "left in the lurch" problem.
Review visual hierarchy: Take a screenshot of your consent banner and assess it objectively. Is accept more prominent than reject? Are both options equally discoverable by a user who hasn't specifically gone looking for the reject option?
Check the language: Read your consent banner out loud. Does the language create any emotional pressure? Are the descriptions of what data is collected accurate and comprehensible without technical knowledge?
Test withdrawal: Without any existing consent in place, go through the process of giving consent, then withdrawing it. Count the clicks. Is it as easy as accepting was?
Legitimate UX vs. Dark Pattern: The Distinction
Not every design decision that leads more users to accept consent is a dark pattern. There is legitimate UX design that presents information clearly and makes it easy to consent if that's what users want.
The distinction regulators draw is between:
Legitimate UX: Clear, well-designed interfaces that make the consent decision easy to understand and act on. A consent banner that is visually clean, uses plain language, and makes both "Accept" and "Reject" equally accessible is well-designed — even if a higher percentage of users choose to accept.
GDPR dark pattern: Any design element that systematically manipulates users toward a particular outcome, makes it harder to exercise rights, obscures information, or exploits cognitive biases to override genuine user preference.
The test is whether an ordinary user, paying normal levels of attention, can make a free and informed choice. If your design works against that — even if the information is technically present — it's likely a dark pattern.
Practical Checklist: 7 Things to Check in Your Consent Flow
Use this checklist to identify GDPR dark patterns in your current implementation:
Equal-click parity: Does "Reject All" require the same number of clicks as "Accept All"? If not, you have an asymmetry problem that regulators specifically target.
No pre-ticked boxes: Are all consent checkboxes unchecked by default? Any pre-ticked box is a direct GDPR violation.
Visual equivalence: Do accept and reject options have comparable visual weight — similar button size, contrast, and placement? Or is one visually dominant?
Named vendors: Does your consent banner identify the specific services (Google Analytics, Meta Pixel, HubSpot, etc.) rather than just categories ("analytics", "advertising")?
Withdrawal accessibility: Can users easily find and use a consent withdrawal option after they've consented? Is it accessible without contacting support?
Neutral language: Is the language used in your consent banner emotionally neutral? Does it describe what each category of cookies does without implying that declining will cause harm?
Post-consent compliance: After a user rejects non-essential cookies, do those cookies actually not fire? Use browser developer tools or a privacy scanner to verify scripts aren't loading before or despite rejection.
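The last item on the checklist is the one you can verify mechanically. The script below is an added example, not code from the original post or from any vendor: it reads a HAR capture of the kind the browser developer tools' Network panel exports, compares each request's start time against the moment the consent decision was recorded, and flags trackers that fired before any decision or after a rejection. The tracker host list and the HAR entries are constructed for the example (a real audit would use a maintained tracker list and a capture of your own site); the HAR field names used (`log.entries[].startedDateTime`, `request.url`) are the standard ones.

```javascript
// Added example (not from the original post): audit a HAR capture for
// tracker requests that fired before consent, or despite a rejection.

// Constructed list of third-party hosts treated as non-essential trackers.
// A real audit would substitute a maintained tracker list for these two.
const TRACKER_HOSTS = new Set([
  "www.google-analytics.com", // Google Analytics collection endpoint
  "connect.facebook.net",     // Meta Pixel loader
]);

// Classify one HAR entry relative to the consent decision.
// consent = { decision: "accept" | "reject" | "none", at: ISO timestamp or null }
// Returns a finding object, or null if there is nothing to flag.
function classifyRequest(entry, consent) {
  const host = new URL(entry.request.url).hostname;
  if (!TRACKER_HOSTS.has(host)) return null; // first-party or not a known tracker
  const startedAt = Date.parse(entry.startedDateTime);
  // No decision yet means every tracker request is premature.
  const consentAt = consent.at ? Date.parse(consent.at) : Infinity;
  if (startedAt < consentAt) {
    return { host, url: entry.request.url, issue: "fired-before-consent" };
  }
  if (consent.decision === "reject") {
    return { host, url: entry.request.url, issue: "fired-despite-rejection" };
  }
  return null; // fired after an explicit accept: lawful basis exists
}

// Walk the whole capture and collect findings in request order.
function auditHar(har, consent) {
  const findings = [];
  for (const entry of har.log.entries) {
    const finding = classifyRequest(entry, consent);
    if (finding) findings.push(finding);
  }
  return findings;
}

// Constructed sample capture: the analytics tag fires on page load, the user
// clicks "Reject All" two seconds in, and the pixel loader fetches anyway.
const SAMPLE_HAR = {
  log: {
    entries: [
      { startedDateTime: "2026-03-27T10:00:00.000Z", request: { url: "https://www.example-shop.test/" } },
      { startedDateTime: "2026-03-27T10:00:00.400Z", request: { url: "https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE" } },
      { startedDateTime: "2026-03-27T10:00:01.000Z", request: { url: "https://www.example-shop.test/consent.js" } },
      { startedDateTime: "2026-03-27T10:00:02.500Z", request: { url: "https://connect.facebook.net/en_US/fbevents.js" } },
    ],
  },
};

// Constructed consent record: the banner logged a "Reject All" at 10:00:02.
const SAMPLE_CONSENT = { decision: "reject", at: "2026-03-27T10:00:02.000Z" };

for (const f of auditHar(SAMPLE_HAR, SAMPLE_CONSENT)) {
  console.log(`${f.issue}: ${f.url}`);
}
```

Run it against a real export by replacing `SAMPLE_HAR` with the parsed HAR file and `SAMPLE_CONSENT` with the timestamp your consent platform records; the consent timestamp is the key input, because a capture taken without it can only tell you that trackers fired, not whether they fired too early.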
See What's Actually Firing Before Consent Is Collected
The most common discovery when auditing consent flows is that tracking scripts are already firing before any consent is collected — rendering the entire consent banner moot from a GDPR perspective.
Scan your site at Custodia to see exactly which trackers, pixels, and analytics tools are active on your website before a user has given consent. The scan takes 60 seconds and shows you the gap between what your consent banner claims and what's actually happening in your users' browsers.
If scripts are firing before consent, that's the starting point. No amount of consent banner redesign addresses a pre-consent data collection problem.
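The fix for pre-consent collection is to gate tag loading on the recorded decision rather than to redesign the banner. The following is an added example, not the original post's code and not any consent management platform's implementation: a minimal gate where non-essential tags register under a category and only run once that category is granted, a rejection loads nothing, and the decision is persisted so a return visit does not silently reset to "all accepted" (the obstructing pattern described earlier). The `memoryStore` stands in for `localStorage` so the example runs outside a browser; in a page, each loader would inject its script tag.

```javascript
// Added example (not from the original post): consent-gated tag loading.

const ESSENTIAL = "essential"; // strictly necessary: allowed without consent

class ConsentGate {
  // store: any object with get() / set(value); a localStorage wrapper in a page.
  constructor(store) {
    this.store = store;
    this.pending = new Map(); // category -> [{ name, loader }]
    this.loaded = [];         // names of loaders that actually ran, for verification
    // Read the persisted decision; absence means undecided, essential only.
    this.decision = store.get() || { granted: [ESSENTIAL], decided: false, at: null };
  }

  // Register a tag. Runs now if its category is granted, waits if no decision
  // has been made yet, and is dropped if the user already declined the category.
  register(name, category, loader) {
    if (this.decision.granted.includes(category)) {
      this.run(name, loader);
    } else if (!this.decision.decided) {
      if (!this.pending.has(category)) this.pending.set(category, []);
      this.pending.get(category).push({ name, loader });
    }
  }

  run(name, loader) {
    this.loaded.push(name);
    loader();
  }

  // Record an explicit decision and release only the granted categories.
  // "Reject All" is grant([]): essential stays allowed, everything else is dropped.
  grant(categories) {
    this.decision = { granted: [ESSENTIAL, ...categories], decided: true, at: new Date().toISOString() };
    this.store.set(this.decision);
    for (const category of categories) {
      for (const { name, loader } of this.pending.get(category) || []) this.run(name, loader);
    }
    this.pending.clear(); // pending tags in declined categories never run
  }

  rejectAll() { this.grant([]); }

  // Withdrawal takes the same single call as rejecting (Article 7(3)). Tags that
  // already ran in this page load cannot be unloaded; the page should reload.
  withdraw() { this.grant([]); }
}

// In-memory stand-in for localStorage, constructed for the example.
function memoryStore() {
  let value = null;
  return { get: () => value, set: (v) => { value = v; } };
}

// Walk through a first visit with a partial grant, then a return visit,
// then a separate first visit that rejects everything.
function demo() {
  const store = memoryStore();
  const first = new ConsentGate(store);
  first.register("session-cookie", ESSENTIAL, () => {});
  first.register("analytics-tag", "analytics", () => {});
  first.register("ad-pixel", "advertising", () => {});
  const beforeDecision = [...first.loaded];      // essential only
  first.grant(["analytics"]);
  const afterPartial = [...first.loaded];        // essential + analytics

  const returning = new ConsentGate(store);      // reads the persisted decision
  returning.register("ad-pixel", "advertising", () => {});
  returning.register("analytics-tag", "analytics", () => {});

  const rejecting = new ConsentGate(memoryStore());
  rejecting.register("analytics-tag", "analytics", () => {});
  rejecting.rejectAll();

  return {
    beforeDecision,
    afterPartial,
    returning: [...returning.loaded],
    rejected: [...rejecting.loaded],
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `loaded` list is what makes the gate auditable: compare it against the network requests your browser shows and the two should agree, which is the same check the previous section asks you to make with developer tools or a scanner.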
Last updated: March 27, 2026. This post provides general information about GDPR dark patterns and enforcement. It does not constitute legal advice. Consult a qualified privacy professional for advice tailored to your organisation's specific implementation.