Dark patterns in cookie consent banners have become one of the most widespread GDPR violations on the web. These design choices — intentional or not — manipulate users into accepting tracking they would otherwise reject. European Data Protection Authorities have taken an increasingly hard line against these practices, with fines and enforcement actions accelerating throughout 2025.
The most common dark pattern is the asymmetric choice architecture: a large, brightly colored 'Accept All' button paired with a small, gray, or hidden 'Reject' option. The EDPB guidelines on consent make clear that this fails the 'freely given' requirement. The French CNIL fined Google EUR 150 million in part for exactly this pattern, and similar enforcement has followed across the EU.
Pre-ticked consent boxes remain surprisingly common despite being explicitly prohibited by the CJEU's Planet49 judgment. Any consent mechanism that defaults to accepting cookies — whether through checked boxes, pre-selected toggles, or implied consent through continued browsing — is legally invalid. Consent must be an affirmative act.
Consent walls that block access to content unless cookies are accepted are another problematic pattern. While the EDPB has not issued a blanket prohibition, the prevailing interpretation across most DPAs is that consent obtained through a cookie wall is not freely given. Some authorities accept a 'pay or consent' model as an alternative, but this requires a genuine, reasonable paid option — not a fig leaf.
Manipulative language is a subtler but equally problematic pattern. Phrases like 'By continuing to browse, you accept cookies' conflate browsing with consent. Framing rejection as 'I don't care about my experience' or 'Reject personalization' uses emotional manipulation to discourage the reject option. Consent language must be clear, neutral, and informative.
Repeated consent prompts — showing the banner again after a user has rejected cookies, or using interstitials that re-request consent — undermine the right to withdraw consent. Once a user has made their choice, that choice must be respected until they actively change it.
Vakteye's scanner detects all of these patterns automatically. We analyze the layout and design of consent banners, measure how prominent each button is, verify that clicking reject actually stops tracking, and check whether cookies reappear after rejection. Our findings are backed by evidence — screenshots, network traffic recordings, and before-and-after cookie comparisons — that would satisfy a regulator's evidentiary standards.