Key Takeaways
- Google: $165M (asymmetric buttons, CNIL 2022) + $358M (consent violations, CNIL 2025)
- SHEIN: $165M (non-functional reject button, CNIL 2025)
- Facebook: $66M (no equivalent reject button, CNIL 2022)
- Microsoft: $66M (asymmetric buttons, CNIL 2022)
- Meta: $429M (forced consent, DPC Ireland 2023)
What Are Dark Patterns in Cookie Consent?
Dark patterns are interface designs that trick users into choices they wouldn't otherwise make. In cookie consent, they push visitors toward accepting tracking while making it difficult to decline.
Why They Matter Legally
GDPR defines consent as "freely given, specific, informed, and unambiguous." The EDPB has made clear that consent obtained through manipulative design doesn't meet this standard. If 95% of users click "Accept" and 5% manage to find "Reject," that's evidence of manipulation, not preference. Regulators now treat it as such.
Why They Matter Ethically
Companies using dark patterns report consent rates above 90%. When users get a genuinely fair choice (symmetric buttons, no manipulation), actual consent rates hover around 3-10% for marketing cookies. That gap represents millions of people tracked without genuine consent.
"Companies use dark patterns to get >90% consent rates, while industry statistics show only ~3% of users actually want to consent." -- noyb
The Dark Pattern Taxonomy
1. Asymmetric Buttons and Color Weighting
"Accept All" is large and colored. Reject is a small text link or muted button. The most-enforced cookie consent violation globally. Google fined $165 million, Facebook $66 million, Microsoft $66 million.
2. Hidden Reject Options
"Reject All" doesn't appear on the first layer. Users must click "Manage Preferences," navigate toggles, and find reject buried at the bottom. noyb found only 2.18% of users visit the second layer. Hiding reject there ensures 97.82% never see it.
3. Pre-Checked Boxes
Optional categories pre-selected by default. Exploits the default effect (users are 3-5x more likely to stay with a default). Explicitly ruled invalid by the CJEU in Planet49 (2019). Apple fined $8.8 million. Kruidvat fined $660,000.
4. Confusing Language
"Functional partners" instead of "advertising networks." Marketing cookies described as "experience enhancement." When cognitive effort exceeds a threshold, users default to "Accept All."
5. Fake Processing Delays
Clicking "Reject" triggers a 15-60 second loading animation. Accepting is instant. No actual processing occurs. Users learn "Accept" is fast and "Reject" is slow.
6. Cookie Walls
Website unusable without accepting cookies. Meta fined $429 million by DPC Ireland for conditioning service access on consent.
7. Confirmshaming
"No, I prefer a worse experience." Frames rejection as self-punishing.
8. Visual Misdirection
Layout and positioning draw attention to Accept and away from Reject. Falls under the EDPB's "interface interference" category.
Dark Pattern Taxonomy Table
| Pattern | How It Works | Regulatory Status |
|---|---|---|
| Asymmetric buttons | Accept prominent; reject hidden or muted | Most-enforced globally. Google $165M, Facebook $66M, Microsoft $66M (CNIL). |
| Hidden reject | Reject buried behind "Manage Preferences" | Non-compliant per EDPB Cookie Banner Taskforce (Jan 2023). |
| Pre-checked boxes | Optional categories toggled on by default | Illegal since CJEU Planet49 (2019). Apple $8.8M, Kruidvat $660K. |
| Confusing language | Euphemistic descriptions obscure tracking | Violates GDPR "informed" consent requirement. |
| Fake processing delays | Artificial 30-60s wait when opting out | Violates GDPR Art. 7(3) equal-ease requirement. |
| Cookie walls | Content blocked until consent given | EDPB: generally makes consent not "freely given." Meta $429M. |
| Confirmshaming | Guilt-inducing reject language | EDPB classifies as "emotional steering." |
| Visual misdirection | Layout directs attention to Accept | EDPB "interface interference" category. |
The CMPs That Got Caught
TrustArc: Fake Delays and a Listing on Deceptive.design
When users opt out through TrustArc, an artificial loading screen lasts 30-60 seconds. Accepting is instant. Network inspection confirms no actual server communication. This is documented on deceptive.design, the authoritative database of manipulative design maintained by Harry Brignull.
TrustArc (then TRUSTe) also settled with the FTC in 2014 for misrepresenting its privacy certification practices. Over 1,000 companies displayed TRUSTe's seal without current certification. Trustpilot rating: 1.9/5. See our TrustArc alternative comparison
"The fake delay, and the whole UX in general, is intensely irritating, and it just feels like the darkest of dark patterns." -- GordonS, Hacker News
Cookiebot (Usercentrics): Asymmetric Defaults
Cookiebot's out-of-the-box templates have historically presented "Accept All" with greater visual prominence than reject. While customizable, the defaults matter enormously. Most site owners deploy the default template. If the default is asymmetric, the majority of deployments will be asymmetric.
A CMP that defaults to asymmetric buttons and relies on customers to fix the problem is a CMP that knows its defaults are non-compliant and ships them anyway. See our Cookiebot alternative comparison
OneTrust: Misconfiguration at Scale
The CPPA reached a $632,000 settlement with Honda and specifically named OneTrust as the misconfigured CMP that caused the violation. This was a landmark: a regulator naming the consent tool, not just the company.
OneTrust's configuration involves multiple layers of settings, category definitions, and integration points. When a platform requires weeks of professional services to configure correctly, misconfiguration isn't user error. It's a product design failure. Trustpilot rating: 1.5/5.
Industry-Wide Issues
Osano: 275ms INP (worst of 9 CMPs). Free tier shows a banner but blocks nothing.
Termly: 30-37 PageSpeed point drops. Auto Blocker breaks site functionality, incentivizing users to weaken consent configuration.
CookieYes: 48,000 DOM elements in certain configurations. Performance forces a choice between the CMP and a functional site.
The baseline: 59% of websites with CMPs still set cookies before consent. The majority of deployments are fundamentally non-compliant.
Regulatory Enforcement
Key Fines for Dark Patterns
- Google: $165M (asymmetric buttons, CNIL 2022) + $358M (consent violations, CNIL 2025)
- SHEIN: $165M (non-functional reject button, CNIL 2025)
- Facebook: $66M (no equivalent reject button, CNIL 2022)
- Microsoft: $66M (asymmetric buttons, CNIL 2022)
- Meta: $429M (forced consent, DPC Ireland 2023)
- Apple: $8.8M (pre-checked boxes, CNIL 2023)
- TikTok: $5.5M (reject not equally accessible, CNIL 2023)
CNIL issued $523 million in consent fines in September 2025 alone. The trajectory is acceleration, not stabilization.
Systematic Enforcement
The Dutch DPA monitors ~10,000 websites annually. noyb has filed 500+ complaints, finding 72% of banners contain dark patterns and only 20% of companies fully comply after receiving complaints. The Belgian DPA found IAB TCF itself violates GDPR.
The CPPA's Honda settlement broke new ground by naming the CMP in the enforcement action. If regulators routinely identify the CMP, the industry's "the customer configured it wrong" defense becomes untenable.
The Legal Standard: What "Freely Given" Means
"Freely given" = no negative consequences for declining. No cookie walls, no degraded functionality, no artificial delays.
"Specific" = granular category-level controls, not a single accept/reject binary.
"Informed" = clear, plain-language descriptions. No euphemisms.
"Unambiguous" = active affirmative action. Pre-checked boxes and "continued browsing = consent" do not qualify.
Article 7(3) = withdrawing consent must be as easy as giving it. Count clicks and time for each path. GDPR cookie consent requirements guide
How to Audit Your Cookie Banner
- Screenshot test. Show your banner to someone. Can they find "Reject" within 3 seconds?
- Click count. Accept path clicks vs. reject path clicks. Must be equal (GDPR Art. 7(3)).
- Timing test. Time both paths. Any artificial delay on reject is a red flag.
- Default state. All optional categories must default to off (illegal since Planet49, 2019).
- Visual weight. Compare Accept and Reject: size, color, position, typography.
- Network test. Open the DevTools Network tab, load the site, and do NOT interact with the banner. If trackers fire before interaction, script blocking is broken. Then click Reject and check again. SHEIN's non-functional reject cost $165M.
"The 'Refuse all' button was completely non-functional. Cookies continued to fire regardless." -- CNIL ruling on SHEIN
- Language review. No euphemisms, no confirmshaming.
- Re-entry. Can users change preferences after dismissing the banner?
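A script version of this checklist, added here as an example (not ConsentStack's code or any CMP's): the check functions take plain measurements, so they run in Node on the constructed sample below, while `collectFromDom` (selectors are assumptions for your own banner markup) gathers the same measurements from a live banner in the browser console.

```javascript
// Added audit helpers (not ConsentStack's code): pure checks over measurements collected in the browser.
function checkSymmetry(accept, reject) {           // visual weight + first-layer reject
  const findings = [], area = b => b.width * b.height;
  if (area(reject) < 0.8 * area(accept)) findings.push('reject visibly smaller than accept');
  if (accept.background !== reject.background) findings.push('fill style differs');
  if (accept.fontWeight !== reject.fontWeight) findings.push('font weight differs');
  if (reject.layer !== 1) findings.push('reject not on first layer');
  return findings;
}
// GDPR Art. 7(3): refusing must be as easy as accepting. Compare clicks and wall-clock time per path.
function checkEqualEase(acceptPath, rejectPath) {
  const findings = [];
  if (rejectPath.clicks > acceptPath.clicks)
    findings.push(`reject needs ${rejectPath.clicks} clicks vs ${acceptPath.clicks} for accept`);
  if (rejectPath.ms > acceptPath.ms + 1000) // more than 1s slower than accept reads as an artificial delay
    findings.push(`reject takes ${rejectPath.ms}ms vs ${acceptPath.ms}ms for accept`);
  return findings;
}
// Default state: every optional category must be off before any interaction (Planet49).
function checkDefaults(categories) {
  return categories.filter(c => !c.required && c.checked).map(c => `pre-checked: ${c.name}`);
}
// Network test: cookie names in document.cookie before interaction (and again after Reject), minus the CMP's own consent cookie.
function cookiesBeforeConsent(cookieHeader, allowlist) {
  return cookieHeader.split(';').map(s => s.trim().split('=')[0]).filter(n => n && !allowlist.includes(n));
}
// Browser-side collector (selectors assumed); a reject button missing or hidden on the first layer is recorded as layer 2.
function collectFromDom(doc, acceptSel, rejectSel) {
  const measure = el => {
    if (!el || el.offsetParent === null) return { width: 0, height: 0, background: '', fontWeight: '', layer: 2 };
    const r = el.getBoundingClientRect(), s = doc.defaultView.getComputedStyle(el);
    return { width: r.width, height: r.height, background: s.backgroundColor, fontWeight: s.fontWeight, layer: 1 };
  };
  return { accept: measure(doc.querySelector(acceptSel)), reject: measure(doc.querySelector(rejectSel)) };
}

// Constructed sample of an asymmetric banner (illustrative values, not measured from a real site).
const SAMPLE = {
  accept: { width: 200, height: 44, background: 'rgb(0, 102, 255)', fontWeight: '700', layer: 1 },
  reject: { width: 80, height: 20, background: 'rgba(0, 0, 0, 0)', fontWeight: '400', layer: 2 },
  paths: { accept: { clicks: 1, ms: 40 }, reject: { clicks: 3, ms: 32000 } },
  categories: [{ name: 'necessary', required: true, checked: true }, { name: 'analytics', required: false, checked: true }],
  cookiesBefore: '_ga=GA1.2.1; cc_consent=; _fbp=fb.1',
};
function auditBanner(s) {                          // all findings for one banner; empty array = audit passed
  return [...checkSymmetry(s.accept, s.reject), ...checkEqualEase(s.paths.accept, s.paths.reject),
    ...checkDefaults(s.categories), ...cookiesBeforeConsent(s.cookiesBefore, ['cc_consent']).map(n => `set before consent: ${n}`)];
}
console.log(auditBanner(SAMPLE));
```

In the browser, feed `collectFromDom(document, '#accept', '#reject')` into `checkSymmetry`, and capture `document.cookie` before touching the banner and again after clicking Reject for `cookiesBeforeConsent`.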
Audit your cookie banner with ConsentStack
What "No Dark Patterns by Design" Looks Like
Symmetric buttons. Accept and Reject with equal visual weight: same size, same fill style, same font treatment.
No pre-checked boxes. All optional categories default to off. ConsentStack has no configuration option to pre-check them, because pre-checking is illegal.
Instant processing. Reject closes the banner immediately. Same speed as Accept. Consent processing is a simple state write, not a 30-second punishment.
First-layer reject. Both Accept All and Reject All on the first layer. No forcing users through "Manage Preferences."
Neutral language. Factual descriptions, not persuasive framing.
The principle: compliance should be the default state, not an exception requiring extra configuration. When a CMP ships with asymmetric defaults, it's betting most customers won't fix them. The 72% dark pattern rate proves the bet is correct.
ConsentStack takes the opposite approach. Every layout ships with symmetric buttons, first-layer reject, and optional categories defaulted to off. The compliance fundamentals aren't optional. They're structural. See ConsentStack's banner builder
Frequently Asked Questions
Asymmetric button design. "Accept All" is large and colorful while reject is a small text link or hidden behind a secondary screen. noyb found 72% of EU banners contain at least one dark pattern. CNIL fined Google ($165M), Facebook ($66M), and Microsoft ($66M) specifically for this pattern.
Historically, regulators held the website owner responsible. This is changing. The CPPA's Honda settlement ($632,000) specifically named OneTrust as the misconfigured CMP. If a CMP's default configuration uses asymmetric buttons and most customers deploy that default, the CMP bears design responsibility for non-compliance at scale.
The EDPB has stated cookie walls generally make consent not "freely given." Meta was fined $429M for conditioning access on consent. Limited exceptions exist if a genuine paid alternative is available, but the standard is high.
Documented fines exceed $1.1 billion combined. The largest: Google ($165M + $358M), SHEIN ($165M for a non-functional reject button), Meta ($429M for forced consent), Facebook ($66M), Microsoft ($66M), Apple ($8.8M for pre-checked boxes), TikTok ($5.5M). CNIL issued $523M in September 2025 alone.
Install with default settings on a test page, then check: Are Accept and Reject the same size, color, and weight? Is Reject on the first layer? Are optional categories defaulted to off? Does Reject process instantly? Do trackers fire before banner interaction? If any check fails with defaults, your CMP ships with dark patterns out of the box.
Conclusion
The evidence is public. TrustArc deploys artificial delays. Cookiebot ships asymmetric defaults. OneTrust's complexity generates misconfigurations that produce fines. 59% of CMP-equipped websites still set cookies before consent.
CNIL has issued hundreds of millions in fines. noyb has filed 500+ complaints. The CPPA has started naming CMPs in enforcement actions.
The fix isn't complicated. Symmetric buttons. First-layer reject. No pre-checked boxes. Instant processing. Neutral language. Parse-time script blocking. These aren't aspirational goals. They're the minimum requirements of the law.
ConsentStack was built on these principles. Symmetric buttons by default. All optional categories off. No artificial delays. Parse-time blocking via MutationObserver. <10KB SDK. 32 regulations. $29/month, not $10,000/year.
Your consent banner is either a genuine privacy tool or a dark pattern dressed up as compliance. The enforcement data says most of the industry is shipping the latter.