Cookie dark patterns: what the CNIL prohibits in consent banners
20 March 2026 · FlowConsent
TL;DR
A cookie dark pattern is a design technique that pushes users into accepting cookies without a real choice, for example by hiding the Reject button or making it less visible than the Accept button. The CNIL (French Data Protection Authority) considers that these practices invalidate the consent collected, because it is neither freely given nor informed as required by the GDPR. In December 2024, the CNIL issued formal notices to several website publishers for using dark patterns in their cookie banners, giving them one month to comply.
What is a dark pattern in a cookie banner?
A dark pattern is a deliberate interface design choice that steers the user toward an action that serves the website publisher, not the user. In the context of cookies, this means pushing visitors to click "Accept all" without giving them a genuine choice.
The term was coined by designer Harry Brignull, who created the darkpatterns.org website to document these practices. European data protection authorities also refer to them as "deceptive design patterns" or "misleading interfaces."
A cookie dark pattern is a manipulation of the consent interface that prevents the user from making a free and informed decision about the use of their data. The CNIL, the EDPB (European Data Protection Board) and other authorities consider that consent obtained through a dark pattern is not valid under the GDPR.
What are the most common dark patterns in cookie banners?
Data protection authorities have identified several recurring practices in consent banners. Here are the six most common types of cookie dark patterns.
Visual asymmetry between Accept and Reject
The "Accept all" button is displayed in a bright color, large font, and prominent position. The "Reject" or "Continue without accepting" button is in grey text, smaller font, or presented as a plain text link. This asymmetry creates a visual hierarchy that steers the user's choice. This is the most widespread dark pattern in cookie banners.
Asymmetric journey (more clicks to reject)
Accepting cookies takes one click. Rejecting requires navigating to a sub-menu, unchecking categories one by one, then confirming. This imbalance in the number of steps makes rejection more burdensome than acceptance. The CNIL requires that rejecting cookies be just as simple as accepting them, both in number of clicks and effort.
No Reject button on the first screen
Some banners display "Accept all" and "Customize my choices" but no "Reject all" button at the first level. Users who want to refuse must open the customization panel, which adds an extra step. The CNIL considers this practice non-compliant.
Ambiguous or guilt-inducing wording
Using labels like "I decline non-essential features" instead of "Reject" creates confusion. Some sites go further with guilt-inducing wording like "I refuse to improve my experience." These "confirmshaming" techniques aim to discourage rejection.
Pre-ticked boxes
Presenting cookie categories with all boxes checked by default forces the user to manually uncheck each option. The GDPR is explicit on this point: silence or pre-ticked boxes do not constitute valid consent (Recital 32 of the GDPR, confirmed by the CJEU Planet49 ruling).
Cookie wall
A cookie wall blocks access to the website content until the user has accepted cookies. The user has no real choice: accept or leave. The CNIL allows cookie walls under very strict conditions (a fair alternative must exist), but in most cases, this practice invalidates consent.
Why does the CNIL sanction cookie dark patterns?
The answer comes down to one principle: cookie consent must be freely given, specific, informed and unambiguous, in accordance with the GDPR (Article 4, paragraph 11) and Article 82 of the French Data Protection Act, which transposes the ePrivacy Directive.
A dark pattern prevents consent from being "freely given" since it steers the decision. It also prevents consent from being "informed" when wording is ambiguous. Consent collected through a banner using dark patterns is therefore legally invalid. And if consent is invalid, all cookies placed on that basis are invalid too.
The CNIL does not sanction "bad design" as such. It sanctions the fact that the consent obtained is not compliant, which amounts to placing cookies without a legal basis.
What happened in December 2024?
In December 2024, the CNIL announced it had issued formal notices to several website publishers after receiving complaints about dark patterns in their cookie banners. The publishers concerned were given a one-month deadline to modify their consent interfaces.
The practices identified by the CNIL in these formal notices included Accept buttons made prominent through color, size, or font style, while the Reject option was presented as a plain text link that was barely visible. Other sites displayed multiple Accept buttons but only one Reject button, or placed the reject button in a hard-to-find location.
This wave of formal notices is part of a broader trend. The CNIL has already imposed fines for cookie-related issues on several occasions: Google (150 million euros), Facebook (60 million euros), Amazon (35 million euros), TikTok (5 million euros). These amounts concerned cookie regulation breaches in general, not only dark patterns, but the message is clear: the CNIL takes this topic seriously.
How to check if your banner uses dark patterns
The simplest method is to test your own banner as an ordinary user. Ask yourself these questions while looking at it.
Is the Reject button as visible as the Accept button? Same size, same color, same relative placement. If one is bright green and the other is light grey, that is a dark pattern.
Does rejecting cookies require the same number of clicks as accepting? If accepting = 1 click and rejecting = 3 clicks (open preferences, uncheck everything, confirm), that is an asymmetric journey.
Is the wording neutral? "Accept all" and "Reject all" are neutral. "Accept and continue" versus "I decline experience improvement services" is not.
Are any boxes pre-ticked? If the user arrives in the customization panel with categories already enabled (other than strictly necessary cookies), it is non-compliant.
A cookie scanner can also help you identify scripts that load before consent is given, which is a separate issue but often linked to poorly configured banners.
Common mistakes (and how to avoid them)
Thinking a small visual imbalance is not a problem. The CNIL does not set a tolerance threshold. If the Reject button is objectively less visible than the Accept button, consent is potentially invalid. Fix: use the same size, font weight, and equivalent contrast for both options.
Confusing "Customize" with "Reject." Offering "Accept all" and "Customize my choices" without a "Reject all" button is not sufficient. The user must be able to refuse in one click, without going through a customization screen. Fix: add a "Reject all" button at the first level of the banner.
Using ambiguous wording for the reject option. Labels like "Continue with default settings" or "I decline non-essential features" are not clear. Fix: use an explicit label like "Reject all" or "Reject non-essential cookies."
Assuming cookie walls are always prohibited. The CNIL has clarified that cookie walls can be acceptable if a fair alternative is offered (for example, paid access without cookies). But in practice, very few sites meet these conditions. Fix: review the cookie wall guidelines and assess whether your case truly qualifies.
Not testing the mobile rendering. A button that is clearly visible on desktop can become nearly invisible on mobile if responsive design is not handled properly. Unintentional dark patterns on mobile are common. Fix: test your banner on at least three screen sizes before going live.
Leaving pre-ticked boxes in the customization panel. By default, only strictly necessary cookies (which do not require consent) should be enabled. All other categories must be unchecked. Fix: check the configuration of your CMP to ensure optional categories are disabled by default.
Cookie dark patterns: what regulators check
To understand the level of scrutiny, here is a summary of what the CNIL and other European authorities look for in consent banners.
Checklist: cookie banner without dark patterns
- The "Reject all" button is present at the first level of the banner, with no additional click required.
- The "Accept all" and "Reject all" buttons have the same size, color, and visual weight.
- Rejecting cookies requires exactly the same number of clicks as accepting.
- The wording is neutral and explicit ("Accept all" / "Reject all"), with no jargon or guilt-tripping.
- In the customization panel, only strictly necessary cookies are checked by default.
- No non-essential script (analytics, advertising, social media) loads before the user has made their choice.
- The banner is tested and readable on mobile (accessible buttons, readable text, no unintentional dark pattern).
- Closing the banner (if a close button exists) does not count as acceptance.
- The user can change their choice at any time via a link accessible on the site (usually in the footer).
- The cookie policy is accessible from the banner.
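The measurable items of this checklist (first-level Reject, click count, size and weight, contrast, pre-ticked boxes, close button) can be turned into an automated check. The JavaScript below is an added example, not FlowConsent's or the CNIL's tooling: the banner description fields (`clicks`, `fill`, `closeMeansAccept` and so on), the finding labels and the sample banners are constructed for illustration. Comparing each button's fill against the banner background with the WCAG contrast formula is an assumed heuristic, and any measured disadvantage for Reject is reported because no tolerance threshold is set.

```javascript
// Added example. Field names, finding labels and sample banners are constructed.
// WCAG 2.x relative luminance of an "#rrggbb" colour.
function luminance(hex) {
  const [r, g, b] = [1, 3, 5].map((i) => {
    const c = parseInt(hex.slice(i, i + 2), 16) / 255;
    return c <= 0.04045 ? c / 12.92 : ((c + 0.055) / 1.055) ** 2.4;
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// WCAG contrast ratio: 1 for identical colours, 21 for black against white.
function contrast(a, b) {
  const [hi, lo] = [luminance(a), luminance(b)].sort((x, y) => y - x);
  return (hi + 0.05) / (lo + 0.05);
}

// Returns the checklist items that a banner description fails.
function auditBanner(banner) {
  const { accept, reject, background, categories } = banner;
  const findings = [];
  if (!reject || reject.clicks > 1) findings.push("no-first-level-reject");
  if (reject) {
    if (reject.clicks > accept.clicks) findings.push("more-clicks-to-reject");
    if (reject.fontPx < accept.fontPx || reject.fontWeight < accept.fontWeight ||
        reject.width * reject.height < accept.width * accept.height)
      findings.push("reject-smaller-or-lighter");
    // Heuristic: how strongly each button's fill stands out from the banner.
    if (contrast(reject.fill, background) < contrast(accept.fill, background))
      findings.push("reject-less-contrast");
  }
  if (categories.some((c) => c.checked && !c.necessary))
    findings.push("pre-ticked-optional-category");
  if (banner.closeMeansAccept) findings.push("close-counts-as-acceptance");
  return findings;
}

// Constructed sample: bright Accept button, Reject as a small link three clicks away.
const asymmetric = {
  background: "#ffffff", closeMeansAccept: true,
  accept: { clicks: 1, fontPx: 16, fontWeight: 700, width: 160, height: 44, fill: "#1db954" },
  reject: { clicks: 3, fontPx: 12, fontWeight: 400, width: 90, height: 20, fill: "#ffffff" },
  categories: [{ name: "necessary", necessary: true, checked: true },
               { name: "advertising", necessary: false, checked: true }],
};
// Constructed sample: Reject styled exactly like Accept, optional category unchecked.
const symmetric = { ...asymmetric, closeMeansAccept: false, reject: { ...asymmetric.accept },
  categories: [{ name: "advertising", necessary: false, checked: false }] };

console.log(auditBanner(asymmetric), auditBanner(symmetric));
```

In a real audit the description would be filled from computed styles and a recorded click path, on each screen size tested. Wording neutrality and script loading before consent still need separate checks.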
Conclusion
Dark patterns in cookie banners are not a design detail. They are practices that invalidate consent and expose your site to sanctions. The CNIL reaffirmed this at the end of 2024 by issuing formal notices to publishers, and the trend is not reversing.
The rule is simple: rejecting cookies must be as easy as accepting them. Same visibility, same number of clicks, same clarity. If your banner does not respect this symmetry, the consent it collects is legally fragile.
To check the state of your banner and identify scripts that load before consent, scan your site for free with FlowConsent.
Frequently asked questions
Does the CNIL explicitly prohibit dark patterns in cookie banners?
The CNIL does not use the term "dark pattern" in a regulatory text, but it sanctions practices that prevent free and informed consent. In December 2024, it issued formal notices to several website publishers for manipulative consent interfaces. The practical result is the same: dark patterns in cookie banners are considered non-compliant.
My Reject button is present but in a different color from the Accept button. Is that a dark pattern?
Potentially yes. The CNIL requires that the reject button be "as visible" as the accept button. A color difference that makes rejection less visible (grey on white vs. bright green for accept) can invalidate consent. The criterion is visual symmetry between the two options.
Is a cookie wall always considered a dark pattern?
Not systematically. The CNIL accepts cookie walls provided a fair alternative is offered (for example, paid access without cookies). However, in most cases, sites do not offer a real alternative, making the cookie wall non-compliant. The topic remains debated at European level.
Has the EDPB published guidelines on dark patterns?
Yes. The European Data Protection Board published Guidelines 3/2022 on dark patterns in social media platform interfaces. These guidelines identify 16 categories of dark patterns and apply by extension to cookie banners. The CNIL relies on this work in its enforcement activities.
What sanctions can you face for dark patterns in a cookie banner?
The sanctions are those provided by the French Data Protection Act and the GDPR for lack of valid consent. The CNIL first sends a formal notice with a compliance deadline (usually one month). If the issue is not corrected, fines can be significant. For reference, the CNIL has already sanctioned cookie-related violations with fines ranging from 5 million to 150 million euros for the largest companies.
How can I tell if my CMP generates dark patterns without my knowledge?
Test your banner in private browsing mode, on both desktop and mobile, following the checklist in this article. Some CMPs use default configurations that are not compliant (pre-ticked boxes, no Reject button at the first level). A full cookie audit combined with a visual banner test will detect these issues. Choosing a CMP that meets CNIL requirements from the initial setup reduces this risk.