Dark Patterns on Cookie Banners: CNIL's New Target
A 'Refuse' button in pale gray, a vibrant green 'Accept', five submenus to customize: these manipulative designs are in CNIL's crosshairs. Since 2022, they constitute an autonomous sanction ground. Here's what is prohibited, the fines imposed, and how to comply.
What is a dark pattern and why is it sanctioned
The term 'dark pattern' refers to interface design techniques that exploit users' cognitive biases to lead them to take actions contrary to their interests or intentions. On a cookie banner, the objective is to maximize the acceptance rate by making refusal difficult, low-visibility or discouraging.
Legally, dark patterns invalidate the obtained consent. GDPR requires consent to be 'freely given, specific, informed and unambiguous' (Article 4§11). Consent obtained through manipulation or design asymmetry is not freely given under GDPR. Result: all data collected via this flawed consent constitutes processing without a valid legal basis.
The 7 practices sanctioned by CNIL
1. Accept/Refuse asymmetry
'Accept all' button immediately visible, 'Refuse' button absent or accessible only via a discreet text link or multiple clicks. CNIL requires both options to be at the same hierarchical level.
2. Asymmetric colors
'Accept' button in vivid, contrasting color (green, blue), 'Refuse' button in neutral gray or white. Visual contrast creates an attention bias that favors acceptance.
3. Deceptive framing
Texts that present refusal as a loss ('Continue without personalized benefits') or acceptance as a positive act ('Improve my experience'). Text neutrality is required.
4. Refusal labyrinth
Multiplying steps to refuse: click on 'Manage my preferences', deactivate 15 sliders one by one, confirm, then validate. CNIL requires refusal to be as simple as acceptance.
5. Pre-ticking
Pre-ticked checkboxes for non-necessary cookies. Prohibited by GDPR since 2018 (CJEU Planet49 ruling). Consent through inaction is not valid.
6. Reappearing banner
Displaying the banner on every visit, every page or very frequently even after explicit refusal, hoping to wear down the user until acceptance.
7. Linking refusal to service degradation
Conditioning access to certain non-essential functionalities on acceptance of non-necessary cookies (cookie wall). Tolerated only if a free and equivalent alternative is offered.
Does your cookie banner contain dark patterns?
RGPDScan automatically analyzes your cookie banners for compliance: asymmetry, deposit before consent, missing refusal options.
The EDPB 2022 report: the European reference
In March 2022, the European Data Protection Board (EDPB) published its Guidelines 3/2022 on dark patterns in social media platform interfaces. This European reference document classifies dark patterns into 6 conceptual categories:
- Overloading — information overload to discourage reading (10-page policy, too many options)
- Skipping — design that encourages users to skip privacy settings
- Stirring — manipulation of emotions or biases (fear of missing out, feeling of loss)
- Obstructing — obstacles in the withdrawal or refusal of consent process
- Faking — false choices, false visual hierarchy, false urgencies
- Hindering — hindering the exercise of data subjects' rights
Documented sanctions in France and Europe
The CNIL sanctioned Google and Meta for making cookie refusal more difficult than acceptance. Google: immediate 'I accept' button, refusal requiring several clicks. Meta: same practice on Facebook. Deliberations SAN-2021-024 and SAN-2021-023. The largest cookie fines ever imposed in France.
Orange sanctioned notably for dark patterns on its cookie banner (button asymmetry, oriented text). Deliberation SAN-2022-025.
The Italian Garante sanctioned OpenAI for multiple violations, including the absence of a compliant cookie banner and practices comparable to dark patterns on the ChatGPT website.
The compliant banner: concrete before/after examples
Non-compliant
- Green 'Accept all' button
- Gray 'Manage preferences' link
- 15 categories to deactivate one by one
- No direct 'Refuse all'
Compliant
- Blue 'Accept all' button
- Identical blue 'Refuse all' button
- Neutral 'Customize' link
- 1 click to refuse = 1 click to accept
Cookie banner compliance checklist
- 'Refuse all' button as visible as 'Accept all' (size, color, contrast)
- No non-necessary cookie deposited before the 'Accept' click
- The banner is not redisplayed after explicit refusal
- Neutral texts (no emotional framing)
- No pre-ticked checkboxes for non-necessary cookies
- Consent by category possible (not only all or nothing)
- Consent withdrawal option as simple as initial consent
Going further
- The 7 fatal errors on your cookie banner
- CNIL Fines 2026: all documented sanctions
- GDPR compliance checklist 2026
- CMP comparison (Axeptio, Didomi, Cookiebot)
- GDPR vs ePrivacy: who governs cookies?