
Dark patterns in cookie banners — which tricks are not allowed?

Dark patterns — or "deceptive design patterns" as the EU's data protection authorities call them — are design choices that steer the visitor towards a yes instead of letting them choose freely. In cookie banners they are common: categories that are already ticked, consent that cannot be withdrawn, reject buttons that end up outside the mobile screen. The problem is not just ethical. Consent that was steered or tricked into existence is not freely given — and involuntary consent is invalid. Here we walk through the tricks, where the line is drawn and how to test your own banner.

GDPR art. 4.11 · 7 · EDPB 03/2022

What does the law say?

The GDPR defines consent as freely given, specific, informed and unambiguous (article 4.11), and article 7 adds the quality requirements — including that withdrawing consent must be as easy as giving it (article 7.3). Every dark pattern attacks one of those requirements: pre-selection undermines unambiguity, an impossible withdrawal breaches article 7.3, and a reject button that cannot be reached makes the choice involuntary.

The EU Court of Justice put its foot down in Planet49 (C-673/17, 2019): pre-ticked boxes are not valid consent. And the EDPB — the cooperation body of the European data protection authorities — describes the whole family of patterns that deceive or steer users in its guidelines 03/2022: pre-selection, visual nudging, hidden options and a more cumbersome path for no than for yes.

Two of the most debated tricks — a reject button hidden behind menus or toned down compared to accept, and cookie walls that force a yes — are covered as their own checks and described on a separate page. Here we focus on three other tricks that are at least as common: pre-ticked categories, consent that cannot be withdrawn and reject buttons that disappear on mobile.

Pre-ticked categories — the choice is already made

The oldest trick is also the most clearly rejected one: the banner opens with the statistics and marketing categories already ticked, and the visitor who clicks "Save my choices" believes they made an active choice — even though the ticks were set in advance.

That is exactly the construction the EU Court of Justice rejected in Planet49: valid consent requires an active action from the visitor, and a box someone else ticked says nothing about what the visitor actually wanted. Strictly necessary cookies need no consent and may be pre-selected — but all non-necessary categories must start unticked.

The consent that cannot be withdrawn

Article 7.3 is clear: withdrawing consent must be as easy as giving it. In practice it often looks different. The banner appears once, the visitor clicks accept, the banner disappears — and with it every possibility of changing their mind. No gear icon in the corner, no link in the footer, no settings page to find their way back to.

Then the consent is easy to give but in practice impossible to withdraw — the exact opposite of what the law requires. The visitor should not have to clear the browser's cookies or guess their way around to take back a choice made with a single click.

The reject button that disappears on mobile

A banner designed and tested on a large desktop screen can look completely different on a phone. When the content does not fit, the bottom gets cut off — and what ends up below the fold is strikingly often the reject button. The mobile visitor sees some text and a large accept button; that a no option existed is never apparent.

That the button technically exists in the code does not help. For the visitor who can never see or reach it there is no real choice — the same freely-given problem as a hidden button on desktop. And the flaw is rarely discovered, because whoever built the banner tested it on their own desktop screen.

How CompliantHQ tests this

All three checks are deterministic — the scanner measures what the banner actually does, not what the cookie policy claims. Pre-ticked non-necessary categories are detected and flagged directly in the banner review.

The scanner also checks that withdrawing consent afterwards is as easy as giving it was — if there is no reasonable way back after an accept, it is flagged.

And since mobile is not desktop, the scanner loads the banner in a mobile viewport and checks that the reject button is reachable — not cut off or hidden below the fold. All three checks are already included in the trial.

How to fix it

  • Let all non-necessary categories be unticked when the banner opens — only strictly necessary cookies may be pre-selected.
  • Create a permanent way back to the choice: a link in the footer or a floating icon that reopens the cookie settings, at any time.
  • Treat a withdrawn consent as a no: the tracking must stop, it is not enough that the setting changes.
  • Test the banner at real mobile dimensions, not just in a shrunken browser window. Both accept and reject must be visible and tappable without scrolling.
  • Review the banner against the EDPB's pattern list: no pre-selection, no visual nudging towards yes, no hidden options, no longer path for no than for yes.

What the check covers

  • That no non-essential categories are pre-ticked in the banner.
  • That withdrawing consent afterwards is as easy as giving it was.
  • That the reject button is reachable on a mobile screen too — not cut off or hidden below the fold.
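
The three checks in the list above, written out as an added example (not CompliantHQ's scanner code). The snapshot shape and the names `auditBanner` and `inViewport` are assumptions, standing in for values a browser test would read from the rendered banner.

```javascript
// Added example. The snapshot shape is an assumption: a real test would fill it
// from the rendered page (checkbox state on open, getBoundingClientRect()).

// True when a rect has area and lies fully inside the viewport (no scrolling).
function inViewport(rect, vp) {
  return Boolean(rect) && rect.width > 0 && rect.height > 0 &&
    rect.x >= 0 && rect.y >= 0 &&
    rect.x + rect.width <= vp.width && rect.y + rect.height <= vp.height;
}

function auditBanner(snap) {
  const findings = [];
  // Check 1: every non-necessary category must start unticked.
  for (const c of snap.categories) {
    if (!c.necessary && c.checkedOnOpen) findings.push(`pre-ticked:${c.name}`);
  }
  // Check 2: after an accept, a displayed control must reopen the settings.
  if (!snap.reopenControl || !snap.reopenControl.displayed) {
    findings.push("no-way-back");
  }
  // Check 3: in each tested viewport, accept and reject must both be on screen.
  for (const v of snap.views) {
    for (const btn of ["accept", "reject"]) {
      if (!inViewport(v.buttons[btn], v.viewport)) {
        findings.push(`${btn}-unreachable:${v.name}`);
      }
    }
  }
  return findings;
}

// Constructed sample: fine on desktop, reject cut off below a 375x667 screen.
const sample = {
  categories: [
    { name: "necessary", necessary: true, checkedOnOpen: true },
    { name: "statistics", necessary: false, checkedOnOpen: true },
    { name: "marketing", necessary: false, checkedOnOpen: false },
  ],
  reopenControl: null, // no footer link or floating icon found after accept
  views: [
    { name: "desktop", viewport: { width: 1280, height: 800 }, buttons: {
      accept: { x: 900, y: 700, width: 160, height: 44 },
      reject: { x: 720, y: 700, width: 160, height: 44 } } },
    { name: "mobile", viewport: { width: 375, height: 667 }, buttons: {
      accept: { x: 20, y: 560, width: 335, height: 48 },
      reject: { x: 20, y: 690, width: 335, height: 48 } } },
  ],
};
console.log(auditBanner(sample));
```
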

Common questions

Are pre-ticked boxes in the cookie banner allowed?

No. The EU Court of Justice ruled in Planet49 (C-673/17) that pre-ticked boxes are not valid consent — the visitor must make an active choice. Only strictly necessary cookies, which need no consent, may be pre-selected.

Must the visitor be able to withdraw their consent afterwards?

Yes. Under GDPR article 7.3, withdrawing consent must be as easy as giving it. A permanent entry point — for example a footer link that reopens the settings — is the simplest way to meet the requirement.

What is a dark pattern in a cookie banner?

A design trick that deceives or steers the visitor towards a yes: pre-ticked choices, visual nudging, hidden options or a more cumbersome path for no than for yes. The EDPB describes the patterns in its guidelines 03/2022 — and consent steered into existence that way risks being invalid.

My banner works on the computer — is that enough?

No. A banner that looks correct on desktop can cut off the reject button on a mobile screen, and then mobile visitors have no real choice. Test in a mobile viewport — our scanner does that automatically.
