Cookie Banner Dark Patterns: Why They Are Illegal

Steven | TrustYourWebsite · 6 April 2026 · Last updated: May 2026

Cookie banners are supposed to give users a genuine choice. Many do not. Instead, they use design techniques that nudge, pressure or confuse users into accepting tracking. The European Data Protection Board (EDPB) classifies these techniques as "dark patterns."

Using them invalidates consent. Under GDPR Article 7, consent must be freely given. It cannot result from manipulation. The Dutch Autoriteit Persoonsgegevens (AP) enforces this for tracking cookies, alongside Article 11.7a of the Telecommunicatiewet. Want a quick check before you read on? Scan your cookie banner for these patterns in two minutes.

The EDPB Taxonomy: Six Categories of Dark Patterns

In its Guidelines 03/2022 on Deceptive Design Patterns (version 2.0, adopted 14 February 2023), the EDPB identified six categories. The Cookie Banner Taskforce report of 18 January 2023 applied this taxonomy specifically to cookie consent interfaces.

| Category | What it means | Common cookie banner example |
|---|---|---|
| Overloading | Too much information or too many choices, making decisions hard | Endless lists of advertising partners users must opt out of one by one |
| Skipping | Designing so users skip past the choice | Banner that auto-dismisses after a few seconds and treats that as consent |
| Stirring | Emotional or visual nudging toward a choice | Green "Accept" button next to a grey "Reject" link |
| Hindering | Making the privacy-friendly choice harder than the default | Three clicks to reject, one click to accept |
| Fickle | Inconsistent design that confuses purpose or effect | Toggle that says "on" but blocks the cookie |
| Left in the dark | Withholding information or presenting it confusingly | Marketing cookies labelled as "functional" |

Each category breaks a different consent requirement. Overloading breaks the "informed" requirement. Skipping and stirring break "freely given." Hindering breaks the equal-effort rule in Article 7(3). Fickle and left in the dark break the "specific" and "unambiguous" requirements in Article 4(11) GDPR.

The Twelve Most Common Dark Patterns in Practice

The table below maps the twelve patterns the AP and EDPB Cookie Banner Taskforce encounter most often. Each row shows the pattern, how it manipulates, why consent becomes invalid and a compliant alternative.

| Pattern | How it manipulates | Why consent is invalid | Compliant alternative |
|---|---|---|---|
| 1. False hierarchy | Accept is a large coloured button. Reject is a small link or secondary button | Visual imbalance pushes the choice. Not "freely given" | Both buttons the same size, weight and colour |
| 2. Hidden reject | No reject option on the first layer. Users must open settings | Reject is not as easy as accept. Breaks Article 7(3) | "Reject all" button at the first layer, next to "Accept all" |
| 3. Pre-ticked boxes | Non-essential cookie categories ticked by default | Consent must be an active opt-in. Breaks Article 4(11) | All non-essential categories off by default |
| 4. Confirm shaming | Reject button labelled "No thanks, I prefer to miss out" | Emotional pressure breaches freely given consent | Neutral wording: "Reject all non-essential cookies" |
| 5. Forced scrolling | Reject is only visible after scrolling through long consent text | Users do not see the option. Not informed | Reject visible above the fold, same height as accept |
| 6. Visual camouflage | Reject button has the same colour as the background | Users cannot find the option. Not informed | Both buttons clearly visible with adequate contrast |
| 7. Asymmetric clicks | Accept takes one click, reject takes three to five clicks | Reject is not as easy as accept. Breaks Article 7(3) | Same number of clicks for both choices |
| 8. Ambiguous "Continue" | "Continue" or "OK" implies acceptance without saying so | Consent must be unambiguous. Breaks Article 4(11) | Explicit "Accept all" and "Reject all" buttons |
| 9. Consent bundling | All categories bundled into one accept or reject | Consent must be specific per purpose. Breaks Article 4(11) | Granular toggles per category |
| 10. Re-prompting | Banner reappears on every page until the user accepts | Wearing down users is duress. Not freely given | Remember the reject choice for a reasonable period |
| 11. Moving targets | Preference centre design hides previously set preferences | Users cannot withdraw consent easily. Breaks Article 7(3) | Persistent, predictable preference link in the footer |
| 12. Misleading framing | Analytics described as "necessary for site functionality" | Consent is not informed. Breaks Article 4(11) | Accurate plain-language labels per category |

What a Compliant Banner Looks Like

The two wireframes below contrast a banner with dark patterns against a compliant version. Both diagrams are simplified for clarity.

[Figure: Non-compliant cookie banner. Title "We use cookies"; text "We and our 312 partners use cookies to improve your experience. By continuing, you accept our use of cookies."; one large green "Accept all" button next to a small grey underlined "manage preferences" link. Caption: DARK PATTERNS: false hierarchy, hidden reject, ambiguous "continuing", overloading]

[Figure: Compliant cookie banner. Title "Cookie choice"; text "We use analytics and marketing cookies only with your consent. You can change this any time via Cookie settings in the footer."; three equal-sized buttons: "Accept all", "Reject all" and an outlined "Customize". Caption: COMPLIANT: equal buttons, reject on first layer, no pre-ticked boxes, plain language]

The non-compliant version mixes four dark patterns at once. The compliant version offers three equally weighted choices, each labelled in plain language. It places no tracking cookies before the user picks "Accept all" or "Customize."
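The first-layer checks from the table (patterns 1, 2, 3, 7 and 8) can be expressed as a small audit over a description of the banner. This is an added example, not code from the article or from any regulator; the banner model's field names, the 10% size tolerance and the list of ambiguous labels are assumptions chosen for illustration.

```javascript
// Added example: heuristic audit of a first-layer banner model (field names are
// hypothetical). In a browser, fill width/height from getBoundingClientRect()
// and fill from getComputedStyle(el).backgroundColor.
const AMBIGUOUS = /^(ok|okay|continue|got it)$/i; // sample labels (assumption)
const isReject = (c) => /reject|decline|refuse/i.test(c.label);
const isAccept = (c) => /accept|agree/i.test(c.label) || AMBIGUOUS.test(c.label.trim());
const area = (c) => c.width * c.height;

function auditBanner(banner) {
  const found = [];
  const accept = banner.controls.find(isAccept);
  const reject = banner.controls.find(isReject);
  if (!reject) found.push("hidden reject");
  if (accept && reject) {
    // Equal prominence: same element kind, same fill, area within 10% (assumed tolerance).
    const equal = accept.kind === reject.kind && accept.fill === reject.fill &&
      Math.abs(area(accept) - area(reject)) <= 0.1 * area(accept);
    if (!equal) found.push("false hierarchy");
    if (reject.clicks > accept.clicks) found.push("asymmetric clicks");
  }
  const impliedConsent = /by continuing/i.test(banner.text) ||
    banner.controls.some((c) => AMBIGUOUS.test(c.label.trim()));
  if (impliedConsent) found.push('ambiguous "Continue"');
  if (banner.categories.some((cat) => !cat.essential && cat.checked)) {
    found.push("pre-ticked boxes");
  }
  return found;
}

// Constructed models of the two wireframes above (the link's size is a guess).
const nonCompliant = {
  text: "We and our 312 partners use cookies to improve your experience. " +
    "By continuing, you accept our use of cookies.",
  controls: [
    { label: "Accept all", kind: "button", width: 200, height: 48, fill: "#16a34a", clicks: 1 },
    { label: "manage preferences", kind: "link", width: 110, height: 12, fill: "none", clicks: 1 },
  ],
  categories: [],
};
const compliant = {
  text: "We use analytics and marketing cookies only with your consent.",
  controls: [
    { label: "Accept all", kind: "button", width: 160, height: 44, fill: "#1f2937", clicks: 1 },
    { label: "Reject all", kind: "button", width: 160, height: 44, fill: "#1f2937", clicks: 1 },
    { label: "Customize", kind: "button", width: 160, height: 44, fill: "#ffffff", clicks: 1 },
  ],
  categories: [{ name: "analytics", essential: false, checked: false }],
};
console.log(auditBanner(nonCompliant), auditBanner(compliant));
```

Overloading and misleading labels depend on wording and partner lists, so they still need a human reviewer.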

Enforcement in the Netherlands

The AP has been clear about what it expects. In April 2025 it sent the first 50 warning letters to organisations with misleading banners. By mid-2025, more than 200 websites had been warned. Roughly three quarters fixed their banners within the deadline. Investigations were opened against the rest. The AP has a structural budget of 500.000 euro per year for this enforcement work.

Specific enforcement on cookie consent quality in the Netherlands includes:

  • Kruidvat (AS Watson): an initial 600.000 euro fine for tracking before consent and pre-ticked boxes, reduced to 50.000 euro on objection. The violation itself was confirmed.
  • Coolblue: a 40.000 euro fine for treating "Continue" as cookie acceptance and for pre-ticked boxes.

The AP also issued its vuistregels for cookie banners in early 2024. These are the rules of thumb the regulator applies during checks. The AP enforces GDPR consent quality for tracking cookies. The ACM enforces the cookie article of the Telecommunicatiewet that requires consent in the first place. Both regulators look at the same banner.

The AP does not exempt small businesses. Warning letters go to webshops, media companies, insurers and small service providers alike. If your banner mirrors any pattern in the table above, treat it as a fix-now task, not a fix-later one.

For contrast, here are the markers of a compliant, non-manipulative cookie banner:

  • Equal prominence. Accept and reject are both primary buttons of the same size and colour weight.
  • One-click reject. Rejecting all non-essential cookies takes the same number of clicks as accepting.
  • Clear labelling. Categories are described in plain language, for example "Google Analytics tracks pages you visit."
  • No default selections. All non-functional categories are unchecked by default.
  • Named third parties. Third parties such as Google, Meta and Hotjar are listed by name.
  • Persistent preference centre. A "Cookie settings" link is accessible from the footer of every page.
  • Immediate effect. After rejecting, no tracking scripts load. This is verifiable in browser developer tools.

Testing Your Banner for Dark Patterns

Run through this checklist:

  • Both accept and reject are primary buttons, not one button and one link
  • Accept and reject require the same number of clicks
  • No boxes are pre-ticked
  • "Continue" or "OK" does not mean acceptance
  • No countdown timers or urgency language
  • Reject button is visible without scrolling
  • All non-functional cookie categories are off by default
  • A "Reject all" option is available on the first layer
  • Cookie settings are accessible from the footer of every page

To automate the last and hardest check, whether your banner actually stops tracking after rejection, run a free scan. The scanner clicks "Reject all" and watches what loads next.
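The "immediate effect" check can also be done by hand: record a visit in browser developer tools, click "Reject all", export the network log as a HAR file and inspect what loaded. The following is an added example, not the scanner's code; the tracker host list is illustrative and incomplete, and the essential cookie names, sample URLs and timestamps are constructed.

```javascript
// Added example: list tracking activity in a HAR capture of a visit where the
// user clicked "Reject all". TRACKER_SUFFIXES is an illustrative, incomplete
// list and ESSENTIAL_COOKIES holds hypothetical names; both are assumptions.
const TRACKER_SUFFIXES = ["google-analytics.com", "googletagmanager.com",
  "doubleclick.net", "facebook.net", "hotjar.com"];
const ESSENTIAL_COOKIES = new Set(["session_id", "cookie_consent"]);

// Match the host itself or a subdomain, never a lookalike host that merely
// ends in the same characters.
const isTrackerHost = (host) =>
  TRACKER_SUFFIXES.some((s) => host === s || host.endsWith("." + s));

function findTracking(har, rejectClickedAt) {
  const cutoff = Date.parse(rejectClickedAt);
  const findings = [];
  for (const e of har.log.entries) {
    // Tracking before any choice is a problem too, so record the phase.
    const phase = Date.parse(e.startedDateTime) < cutoff ? "before-choice" : "after-reject";
    const host = new URL(e.request.url).hostname.toLowerCase();
    if (isTrackerHost(host)) findings.push({ phase, type: "tracker-request", host });
    // HAR 1.2 stores parsed Set-Cookie headers in response.cookies.
    for (const cookie of e.response.cookies || []) {
      if (!ESSENTIAL_COOKIES.has(cookie.name)) {
        findings.push({ phase, type: "non-essential-cookie", host, name: cookie.name });
      }
    }
  }
  return findings;
}

// Constructed HAR excerpt (only the fields used), not a real capture.
const harEntry = (time, url, cookies = []) => ({
  startedDateTime: time, request: { url },
  response: { cookies: cookies.map((name) => ({ name })) },
});
const sampleHar = { log: { entries: [
  harEntry("2026-05-01T10:00:00.000Z", "https://shop.example/", ["session_id"]),
  harEntry("2026-05-01T10:00:01.000Z", "https://static.hotjar.com/c/hotjar.js"),
  harEntry("2026-05-01T10:00:05.000Z", "https://shop.example/consent", ["cookie_consent"]),
  harEntry("2026-05-01T10:00:05.200Z", "https://www.google-analytics.com/g/collect?v=2"),
  harEntry("2026-05-01T10:00:05.300Z", "https://shop.example/api/cart", ["_ga"]),
]}};
const REJECT_CLICKED_AT = "2026-05-01T10:00:03.000Z";
console.log(findTracking(sampleHar, REJECT_CLICKED_AT));
```

A HAR file only records cookies set through response headers. Cookies written by scripts via `document.cookie` have to be checked in the browser's storage panel.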


This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.
