CNIL 2026 11 min read·

Dark Patterns on Cookie Banners: CNIL's New Target

A 'Refuse' button in pale gray, a vibrant green 'Accept', five submenus to customize: these manipulative designs are in CNIL's crosshairs. Since 2022, they constitute an autonomous sanction ground. Here's what is prohibited, the fines imposed, and how to comply.

What is a dark pattern and why is it sanctioned

The term 'dark pattern' refers to interface design techniques that exploit users' cognitive biases to lead them to take actions contrary to their interests or intentions. On a cookie banner, the objective is to maximize the acceptance rate by making refusal difficult, low-visibility or discouraging.

Legally, dark patterns invalidate the obtained consent. GDPR requires consent to be 'freely given, specific, informed and unambiguous' (Article 4§11). Consent obtained through manipulation or design asymmetry is not freely given under GDPR. Result: all data collected via this flawed consent constitutes processing without a valid legal basis.

The 7 practices sanctioned by CNIL

1. Accept/Refuse asymmetry

'Accept all' button immediately visible, 'Refuse' button absent or accessible only via a discreet text link or multiple clicks. CNIL requires both options to be at the same hierarchical level.

2. Asymmetric colors

'Accept' button in vivid, contrasting color (green, blue), 'Refuse' button in neutral gray or white. Visual contrast creates an attention bias that favors acceptance.

3. Deceptive framing

Texts that present refusal as a loss ('Continue without personalized benefits') or acceptance as a positive act ('Improve my experience'). Text neutrality is required.

4. Refusal labyrinth

Multiplying steps to refuse: click on 'Manage my preferences', deactivate 15 sliders one by one, confirm, then validate. CNIL requires refusal to be as simple as acceptance.

5. Pre-ticking

Pre-ticked checkboxes for non-necessary cookies. Prohibited by GDPR since 2018 (CJEU Planet49 ruling). Consent through inaction is not valid.

6. Reappearing banner

Displaying the banner on every visit, every page or very frequently even after explicit refusal, hoping to wear down the user until acceptance.

7. Linking refusal to service degradation

Conditioning access to certain non-essential functionalities on acceptance of non-necessary cookies (cookie wall). Tolerated only if a free and equivalent alternative is offered.

Does your cookie banner contain dark patterns?

RGPDScan automatically analyzes your cookie banners for compliance: asymmetry, deposit before consent, missing refusal options.

The EDPB 2022 report: the European reference

In March 2022, the European Data Protection Board (EDPB) published its Guidelines 3/2022 on dark patterns in social media platform interfaces. This European reference document classifies dark patterns into 6 conceptual categories:

  • Overloadinginformation overload to discourage reading (10-page policy, too many options)
  • Skippingdesign that encourages users to skip privacy settings
  • Stirringmanipulation of emotions or biases (fear of missing out, feeling of loss)
  • Obstructingobstacles in the withdrawal or refusal of consent process
  • Fakingfalse choices, false visual hierarchy, false urgencies
  • Hinderinghindering the exercise of data subjects' rights

Documented sanctions in France and Europe

January 2022 — France
Google LLC — €150M · Meta — €60M

The CNIL sanctioned Google and Meta for making cookie refusal more difficult than acceptance. Google: immediate 'I accept' button, refusal requiring several clicks. Meta: same practice on Facebook. Deliberations SAN-2021-024 and SAN-2021-023. The largest cookie fines ever imposed in France.

December 2022 — France
Orange — €150,000

Orange sanctioned notably for dark patterns on its cookie banner (button asymmetry, oriented text). Deliberation SAN-2022-025.

2023 — Italy (Garante)
OpenAI — €20M (including dark patterns)

The Italian Garante sanctioned OpenAI for multiple violations, including the absence of a compliant cookie banner and practices comparable to dark patterns on the ChatGPT website.

The compliant banner: concrete before/after examples

Non-compliant

  • Green 'Accept all' button
  • Gray 'Manage preferences' link
  • 15 categories to deactivate one by one
  • No direct 'Refuse all'

Compliant

  • Blue 'Accept all' button
  • Identical blue 'Refuse all' button
  • Neutral 'Customize' link
  • 1 click to refuse = 1 click to accept

Cookie banner compliance checklist

  • 'Refuse all' button as visible as 'Accept all' (size, color, contrast)
  • No non-necessary cookie deposited before the 'Accept' click
  • The banner is not redisplayed after explicit refusal
  • Neutral texts (no emotional framing)
  • No pre-ticked checkboxes for non-necessary cookies
  • Consent by category possible (not only all or nothing)
  • Consent withdrawal option as simple as initial consent

Going further

Frequently asked questions

What is a dark pattern on a cookie banner?
A dark pattern (deceptive interface) is a design technique that manipulates the user into consenting to cookies without being fully aware or wanting to. Examples: 'Accept' button in bright green, 'Refuse' button in discreet gray, 5 clicks needed to refuse vs 1 click to accept, ambiguous text like 'Continue' that equates to accepting.
Are dark patterns on cookies sanctioned in France?
Yes. The CNIL has explicitly integrated the fight against dark patterns in its 2020 cookie guidelines (updated 2022). The principle: refusal must be as simple as acceptance. In practice, the 'Refuse all' button must be as visible as 'Accept all' in terms of size, position and color contrast. Sanctions have been imposed in France and Europe on this basis.
What is the EDPB 2022 report on dark patterns?
The European Data Protection Board (EDPB) published in March 2022 guidelines 3/2022 on dark patterns in social media platform interfaces. This report classifies dark patterns into 6 categories: overloading, skipping, stirring, obstructing, faking, hindering. While targeting social networks, these guidelines serve as a reference for all types of sites.
Does a 'Close' or 'Continue' button count as consent?
No. According to CNIL and EDPB guidelines, consent must be a positive and unambiguous action. Closing a banner, continuing to browse or scrolling the page does NOT constitute valid consent. The CNIL has sanctioned several sites using this practice.
Does my market CMP (Axeptio, Didomi, Cookiebot) protect me from dark patterns?
Not automatically. CMPs provide the technology, but configuration is up to you. A CMP can very well be configured with dark patterns (hidden refuse button, asymmetric colors). Verify that your configuration respects the fairness principle: same colors, same size, same position for Accept and Refuse.
What is the maximum penalty for cookie dark patterns?
In France, the CNIL can impose up to €20,000 for violation of Article 82 LIL (deposit without valid consent). If dark patterns also constitute a GDPR violation (invalid legal basis, infringement of consent freedom), the sanction can reach 4% of global revenue. Orange was fined €150,000 in 2022 for a problematic cookie banner.

Detect dark patterns on your site

RGPDScan automatically verifies your cookie banner compliance: asymmetry, deposit before consent, missing options. Result in 60 seconds.