Cookie consent dark patterns: what they are and how to fix them

A dark pattern is a design pattern intended to influence a user to take an action that may not be in their best interest. In the scope of privacy, dark patterns are often found in consent banners and modals. Companies that employ dark patterns in consent banners do so to dissuade a user from opting out of cookies, tracking, or data sharing. Some dark patterns can be so subtle that companies don’t realize they are using them.

Dark pattern examples

To start us off, let’s look at a particularly egregious example of dark patterns in action. The following example is a real cookie banner taken from a real website with the company name redacted.

First, let’s point out the classic consent dark pattern. The banner presents two options: one to accept all cookies and one to launch a modal to control which categories of cookies may be placed on the user’s browser. Visually speaking, the button to accept all cookies is presented in a bold green. The alternative choice to manage cookies is given less visual weight in the user interface, presented as a gray link with the white background. At a quick glance as a banner displays on a user’s browser, the user’s eye is drawn to the brighter green, influencing their likelihood of clicking on the button to accept cookies.

Another set of dark patterns that are present in this example is in the wording of the banner. This company chose to associate accepting cookies with happiness. Doing so affects users in two ways. First, it leans into the user’s emotional state. It paints the placement of cookies as a positive thing. It also engages in “emotional steering,” because the positive outlook may make users feel more safe. Second, it distracts the user from the actual decision they are making. Notice the wording on the button to accept cookies: “Yes, I’m happy.” Instead of stating the actual action, the company completely removes “cookies” from the action. These two effects increase the likelihood of a user clicking the button to accept cookies. 

Finally, notice how it’s easier to accept all cookies (one button click) than it is to only accept necessary cookies (click “show details,” deselect all non-essential cookie categories, and then click save). Generally speaking, people don’t want to do more work than they have to. By making it easier to accept than to reject, users are more likely to accept the cookies.

In the next example, the options to “accept all and “continue without accepting” are presented as a button and link, respectively. Additionally, they are not located in the same area of the user interface.

In this example, there is no option to reject non-essential cookies. To reject cookies, a user would need to click on “Cookie preferences” and ensure all non-essential cookies are unchecked. This adds another step to the process of rejecting cookies. 

The deceptiveness of dark patterns

Ultimately, users are human and are subject to cognitive heuristics and biases that help us all make decisions in the world around us. Because these heuristics are meant to speed up information processing in our brain, they can lead to imperfect decision-making. Cognitive heuristics and biases are natural functions of our brains and aren’t inherently bad. But companies can take advantage of these imprecise measures to influence users’ decisions to place cookies on their browsers, and ultimately track them.

In the case of cookies that are used for tracking user behavior, when a user accepts the cookies, the company benefits from the loss of privacy of the user. It should be the decision of the user whether to forfeit a piece of their privacy to grant the company the ability to track their behavior. However, when companies use dark patterns in their banners, they shift the power balance and exert undue influence over their users’ decisions.

Dark patterns are not only an ethical matter. Regulators are beginning to take a stance on the presence of dark patterns in privacy interfaces. With respect to consent, the California Privacy Rights Act (CPRA) notes that “agreement obtained through use of dark patterns does not constitute consent.” Additionally, the European Data Protection Board (EDPB) has issued guidance on dark patterns and notes that “data protection authorities are responsible for sanctioning the use of dark patterns if these breach GDPR requirements.”

How to fix consent banner dark patterns

Here’s an example of a well-constructed consent banner that allows users to accept all cookies, accept all non-essential cookies, and manage which cookies they allow.

In this example, the options to accept cookies and to decline cookies are displayed using the same UI component with the same color. Additionally, the buttons don’t use emotionally charged words, guilt, or shame to influence the user. There is also no technical jargon, and there are links to provide the user with additional information and context.

So how might you go about building a consent banner without dark patterns? Here are some things you should consider:

Wording

• Focus on what the consent banner does.
• All text should objectively state what the user is about to consent to and what their options are.
• Leave emotions out of it.
• Use clear, concise language that could easily be understood by the general public.

Design

• Give equal visual weight to affirmative and negative consent selections. For example, both accept and reject options should be the same type of user interface element.
• Make it as easy to opt-out as it is to opt-in.
• For cookie banners, include three choices: accept all, reject all, and an option to customize which cookie categories to accept.