
Just click accept - why cookie banner dark patterns matter more than you think

I met up with a former colleague a couple of weeks ago, and knowing that I work in the data protection space, he asked me what all the fuss was about cookies and cookie banners. He’s a smart person in a senior role, working with data every day. This all came about because he was showing me a couple of sites on his phone and he just tapped ‘accept’ on both.

I understand his reaction because cookie banners are annoying. The fastest route through them is to hit the most obvious button and move on - as he did. That is exactly what the companies designing those banners are counting on.

What just happened in Austria?

In my RSS feed this morning was noyb’s news item explaining that the Austrian Federal Administrative Court confirmed that the cookie banner on ORF.at - Austria’s most visited news website - violates the GDPR. The “Accept” button was highlighted in colour while “Reject” was visually downplayed. The court upheld an earlier decision by the Austrian Data Protection Authority, following a complaint by noyb in 2021. The ruling is clear: both options must be equally prominent.

This is not an isolated case. It is part of a pattern of enforcement that is accelerating across Europe - the requirement to obtain consent for non-essential cookies comes from the ePrivacy Directive, and the GDPR sets the standard for what valid consent looks like. noyb itself has filed 422 formal GDPR complaints against non-compliant cookie banners. We’re talking dark patterns.

What are dark patterns?

Dark patterns are interface design techniques that steer you toward a choice that serves the company, not you. In cookie banners, the most common forms are visual imbalance (a large, colourful “Accept” next to a small, grey “Reject”), forced action (no reject option on the first screen - you have to dig through settings), and pre-ticked boxes for non-essential cookie categories.

I made this collage graphic this week while browsing mostly Danish websites. Many use the same techniques the Austrian court has just ruled against. Several of the websites were those of law firms with big data protection reputations.

A collage of cookie banners from various websites, showing dark pattern techniques including colour-highlighted accept buttons, hidden reject options, and misleading button placement

And in case you’re wondering why there’s no cookie banner on my Purpose and Means website: it’s because this site does not use cookies and does not track or monitor your behaviour.

What actually happens when you click accept?

When you hit “Accept all” on a manipulative banner, you are not just letting a website remember your language preference. You are typically giving consent to dozens - sometimes hundreds - of third-party trackers that begin building a profile of your online behaviour. What you read. What you search for. What you shop for. Which health conditions you research. Which political content you engage with. Where you physically go.

That profile does not stay with the website you visited. It is shared with advertising networks, data brokers, and companies you have never heard of and would never knowingly choose to share information with. It follows you across websites, across devices, and across years.

The consequences are real, even if they are mostly invisible to you. The prices you see online may differ from what someone else is shown, based on your browsing history. The insurance quotes you receive may reflect what you searched for last month. The job advertisements in your feed may be filtered by a profile you never agreed to build. The news and content you are shown may be narrowed into a filter bubble shaped by tracking data rather than your actual interests.

It goes further than commercial inconvenience. If you have ever searched for information about a health condition, a mental health concern, a political cause, or a religious question, that data may have been captured and categorised according to inferences that, say, you have a specific health condition. Under the GDPR, such inferences may constitute special category data, which requires explicit consent and a clear lawful basis, neither of which a manipulative cookie banner provides. You did not make an informed choice. The banner was designed to make sure of that.

What you can do

Next time you encounter a cookie banner, look at it critically. Is the “Reject” option as easy to find and click as “Accept”? Are there pre-ticked boxes? Is the reject button hidden behind “Settings”? If so, the consent it collects is likely invalid.

You have the right to refuse non-essential cookies without friction. If a website makes that difficult, you can raise a complaint with the relevant supervisory authority - in Denmark, that is Datatilsynet. In most EU member states, complaints can be submitted online and without cost.

And next time someone tells you to just click accept - you will know why it matters.

Frequently Asked Questions

What data is actually collected when I click accept?

It depends on the website, but in most cases you are consenting to third-party tracking cookies that monitor your browsing activity across multiple sites. This can include the pages you visit, the searches you make, the products you view, your location data, and the content you engage with. That information is typically shared with advertising networks and data brokers who use it to build a profile of you that persists over time.

Can cookie tracking actually affect the prices I see or the services I am offered?

Yes. Online price discrimination based on browsing profiles has been documented in multiple studies. Your tracked behaviour can influence the prices displayed to you, the financial products you are shown, the job advertisements in your feed, and the insurance quotes you receive. You have no visibility into how these decisions are made, and in most cases no way to challenge them.

Can I complain about a manipulative cookie banner?

Yes. Under the GDPR, any data subject can lodge a complaint with a supervisory authority. In Denmark, complaints can be submitted to Datatilsynet online and without cost. Organisations like noyb also accept reports of non-compliant cookie banners. Courts and supervisory authorities across Europe are increasingly ruling against companies that use dark patterns - the ORF.at decision is the latest example.

Author
Tim Clements
Tim Clements is Business Owner of Purpose and Means, a data protection and GRC consultancy based in Copenhagen, operating globally. He helps data protection and GRC leaders simplify complexity into actionable strategies, providing tools, training, and support to engage and influence across the organisation. Tim is a Chartered Fellow of the BCS (British Computer Society).
