Cookie Consent · March 2026 · 7 min read

GDPR Dark Patterns: The Tricks Regulators Are Actively Fining

In March 2022, the EDPB published guidelines on cookie consent dark patterns. The same year, CNIL fined Google €150 million and Facebook €60 million for exactly these patterns. Regulators have named the tactics — here's the list.

Why Dark Patterns Violate GDPR

GDPR Article 7 requires that consent be "freely given, specific, informed, and unambiguous." Dark patterns manipulate users into giving consent they wouldn't give if the choice were presented fairly. That manipulation makes the consent legally invalid — it wasn't freely given. The cookie banner requirements under GDPR spell out what a compliant banner must look like.

The EDPB's Guidelines 03/2022 on deceptive design patterns in social media platforms specifically identify six categories. They're framed around social media, but the principles apply to any consent interface — including cookie banners.

Dark Pattern 1: Confusing Language

Using vague, confusing, or technically complex language that makes it hard to understand what you're consenting to. A typical example is a cookie banner that says "We use cookies to enhance your experience" without explaining what that means in plain terms.

Compliant version: "We use analytics cookies (Google Analytics) to measure how people use our site, and advertising cookies (Meta Pixel) to show you relevant ads on Facebook and Instagram." Specific, clear, honest.

Dark Pattern 2: Interface Interference

This is the pattern behind the Google and Facebook fines: making "Accept" visually prominent (large, colored button) while making "Reject" hard to find (small text, low contrast, grey link, buried in settings). The CNIL found that both companies made accepting cookies a single click, while rejecting required multiple steps through settings menus.

Compliant version: "Accept All" and "Reject All" buttons that are the same size, position, and visual weight. Both achievable in one click.

The fines in numbers

CNIL fined Google LLC €90 million and Google Ireland €60 million in January 2022 for this exact pattern. Facebook was fined €60 million the same month. The combined total: €210 million for making "Reject" one click harder than "Accept." These were not small companies caught on technicalities — this was deliberate UI design to maximise consent rates.

Dark Pattern 3: Nagging and Guilt-Tripping

Repeatedly asking for consent after it's been declined, or using emotionally manipulative language for the decline option (sometimes called "confirm shaming"). An example of the latter is "No thanks, I don't want to support this free website" as the reject option.

Showing the consent banner again every time the user visits, despite them having already declined, is nagging. After a legitimate consent choice is made, it should be respected until there's a genuine reason to ask again (significant change in data practices, consent expiry).

Dark Pattern 4: Obstruction

Making it unreasonably difficult to exercise privacy rights. Requiring users to opt out of each cookie individually when "Accept All" is a single click. Hiding the privacy settings deep in account menus. Requiring users to email a specific address to request consent revocation, when consent was granted via one click.

Dark Pattern 5: Continuance

Designing the default state or the path of least resistance to be consent — pre-ticked boxes, defaults that include everything unless you actively opt out. This includes scroll-to-consent patterns ("By continuing to browse, you consent") which have been ruled invalid by multiple DPAs.

The scroll-to-consent pattern was specifically addressed by the EDPB: "continued browsing cannot be considered as a valid indication of consent." Scrolling is not an affirmative action.

Dark Pattern 6: Forced Action

Requiring users to create an account or provide personal information as a condition for accessing content, where this isn't strictly necessary. "Sign up to read this article" where sign-up includes consent to marketing. Or paywalling privacy controls — "upgrade to remove ads and tracking."

What a compliant consent banner looks like

  • ✓ "Accept All" and "Reject All" buttons — same size, same prominence
  • ✓ Clear description of what each cookie category does
  • ✓ Named third parties (not just "analytics partners")
  • ✓ Preference centre accessible at any time (not just first visit)
  • ✓ Consent state remembered and respected until expiry or change
  • ✗ No grey/small reject option vs colourful accept button
  • ✗ No "manage cookies" that takes 6 clicks to actually reject
  • ✗ No re-nagging users who already declined
