Dark Patterns in Cookie Banners and Consent Interfaces: What Regulators are Cracking Down on Under GDPR and DPDPA

May 1, 2026

Article by

The consent-based frameworks that anchor both the GDPR and the DPDPA rest on the premise that individuals can make meaningful decisions about how their personal information is used, and that those decisions, once made, constitute a legitimate legal basis for processing. Dark patterns in cookie banners and consent interfaces undermine this premise systematically. They produce consent records that satisfy the technical requirements of affirmative action while steering users toward a practical outcome that is the more data-invasive choice.

Dark Patterns and The Consent Standard 

The term dark pattern was introduced by Harry Brignull to describe interface designs that steer users toward outcomes that serve the platform rather than the user. The European Data Protection Board (EDPB), in its Guidelines 03/2022, defines deceptive design patterns as interfaces and user experiences that lead users into making unintended, unwilling, and potentially harmful decisions regarding the processing of their personal data. India’s CCPA Guidelines for Prevention and Regulation of Dark Patterns, 2023, define them as practices or deceptive design patterns, using user interface or user experience interactions, that are designed to mislead or trick users into doing something they originally did not intend or want to do.

The legal significance of dark patterns derives directly from the consent validity conditions both frameworks impose. Under Article 4(11) of the GDPR, consent must be freely given, specific, informed, and unambiguous, indicated by a clear affirmative action. The GDPR additionally requires that withdrawal of consent be as easy as its grant and that consent requests be presented in clear and plain language. The EDPB has affirmed that dark patterns violate the principle of fair processing under Article 5(1)(a) GDPR, which functions as an overarching obligation: personal data must not be processed in a way that is detrimental, discriminatory, unexpected, or misleading to the data subject. An interface that systematically steers users toward the more data-invasive option fails this standard irrespective of whether a technical opt-out mechanism exists somewhere within the consent flow.

The EDPB taxonomy in Guidelines 03/2022 organises deceptive design patterns into six categories.

  1. Overloading overwhelms users with information or consent requests to induce indiscriminate agreement.
  2. Skipping causes users to overlook data protection choices by enabling the most invasive settings by default.
  3. Stirring uses visual nudges or emotional cues to steer users away from privacy-protective choices, such as making the Accept All button visually prominent.
  4. Hindering makes it difficult to refuse consent or exercise data rights, most commonly by placing reject behind multiple navigational steps.
  5. Fickle design creates inconsistent interfaces where users cannot reliably determine what choices they have made and which persist.
  6. Disparate treatment applies different standards to the exercise of privacy choices depending on whether the user is accepting or refusing data collection.

The GDPR Framework: Consent Architecture and ePrivacy Requirements 

The cookie consent obligation in the EU derives from two instruments operating together. Article 5(3) of the ePrivacy Directive requires prior opt-in consent before any information is stored on or accessed from a user’s terminal device, subject only to a narrow exemption for strictly necessary operations. The GDPR then governs the standard to which that consent must conform. Together, these instruments mean that a cookie banner must not only solicit consent before tracking commences but must do so in a manner that meets the freely given, specific, informed, and unambiguous threshold. Pre-loading cookies before the user has responded to the banner fails the ePrivacy requirement. Asymmetric button design fails the freely given requirement. Neither failure is cured by the existence of a privacy policy that discloses the tracking in question.

The EDPB Cookie Banner Taskforce report (2023), analysed by multiple national DPAs, reached consensus on the operational requirements for compliant first-layer design. It confirmed that pre-checked consent boxes do not constitute valid consent, reaffirming a standard that the CJEU had established in the Planet49 case (2019). It also confirmed that legitimate interest cannot be used as an alternative legal basis to circumvent the consent requirement for non-essential cookies. The practical effect is to impose a first-layer equivalency requirement: the reject option must impose no more friction than the accept pathway, and the initial screen must contain both options with equal visual prominence.

Recital 32 of the GDPR explicitly states that silence, pre-ticked boxes, or inactivity do not constitute consent. Cookie walls, which condition access to content on acceptance of all non-essential cookies, are non-compliant because they deny users a genuine alternative and render the resulting consent coerced rather than freely given.

Regulatory Enforcement: What the Sanctions Record Establishes 

The most consequential actions targeting dark patterns in cookie consent interfaces have been taken by France’s CNIL. In January 2022, the CNIL fined Google a total of €150 million and Facebook €60 million for not providing a cookie rejection mechanism as accessible as acceptance. The CNIL found that accepting all cookies required one click while refusing required three clicks on Facebook and five on Google. The regulator characterised this asymmetry as an infringement of Article 82 of the French Data Protection Act and issued injunctions requiring equivalent mechanisms within three months, with daily non-compliance penalties of €100,000.

In September 2025, the CNIL further escalated enforcement, issuing a €325 million fine to Google and a €150 million fine to Shein for cookie consent violations. The Shein investigation found that the platform’s banner made accepting all cookies the visually prominent first-layer option while requiring multiple additional steps to reject. Similar actions were taken across Europe, explicitly citing the use of dark patterns, the failure to block cookies prior to consent, and manipulative consent banner designs, in some cases following formal notice. The ICO announced in January 2025 that it was expanding the number of websites reviewed for cookie compliance, signalling a broadening of enforcement across EEA jurisdictions and the UK.

India’s Regulatory Framework: DPDPA Consent Standards and the CCPA Guidelines 

India’s approach to dark patterns in consent interfaces operates across two legal instruments enacted in the same year. The first is the DPDPA 2023. Section 6(1) requires that consent be limited to the personal data necessary for the specified purpose (a data minimisation condition) and directly prohibits bundled consent covering multiple unrelated processing purposes in a single affirmative action. The Act further provides the right to a proportionate withdrawal of consent. Together, these provisions establish that a consent interface that makes acceptance simple and withdrawal laborious violates the withdrawal symmetry requirement under the DPDPA.

The DPDP Rules, 2025, operationalise the consent architecture with enforcement provisions subject to a phased implementation timeline of 12 to 18 months. The Data Protection Board of India is empowered to impose penalties of up to ₹250 crore for processing personal data without valid consent. A breach of the unconditional or unambiguous consent requirements through dark pattern design constitutes invalid consent and therefore unlawful processing under Section 4(1) of the Act.  

The second instrument is the CCPA’s Guidelines for Prevention and Regulation of Dark Patterns, 2023, under the Consumer Protection Act, 2019. Of the thirteen prohibited patterns, several intersect directly with the DPDPA’s consent obligations. Confirm shaming, the use of emotionally manipulative language to discourage refusal of consent, constitutes both an unfair trade practice and a failure to meet the free and unconditional requirements of Section 6. Forced action, requiring a user to consent to data processing beyond what is necessary as a condition of service, is characterised as a personal data breach under Section 2(u) of the DPDPA. As the IAPP has noted, the CCPA advisory currently lacks a dedicated penalty mechanism, making the DPDPA’s enforcement provisions the primary sanctions lever as the phased implementation proceeds. 

Where the Tensions Lie Across Jurisdictions 

For organisations operating digital platforms or e-commerce services in both the EU and India, three operational tensions are significant for compliance professionals. 

  1. The First-Layer Equivalency Requirement: Both frameworks require proportionate accessibility at the first layer of interaction. The CNIL’s enforcement establishes this as an objective test applied to the visual and navigational architecture of the banner itself. CNIL’s decisions therefore function as the operative compliance standard, foreclosing interface designs that seek to maximise opt-in rates through asymmetric first-layer design.
  2. Bundled and Conditional Consent: Both frameworks prohibit consent bundled across unrelated purposes or conditioned on access to a service. The frameworks converge on the same outcome: a single accept all button covering analytics, advertising, and personalisation simultaneously does not produce valid consent for any individual purpose. Cookie walls conditioning access to content on acceptance of all non-essential cookies are non-compliant.
  3. Accountability for Third-Party Consent Interface Design: It is established that the data controller bears liability for the consent interface design regardless of whether a third-party CMP produces it. This accountability principle is consistent with Article 5(2) GDPR and DPDPA’s Section 6(10), which places the burden of proof of compliance on the controller. Reliance on a CMP vendor’s assertion of GDPR compliance does not discharge the controller’s obligation.
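The requirements set out in the GDPR framework section above (no storage before consent, no pre-ticked boxes, reject as easy as accept) and in the three tensions just listed (first-layer equivalency, no bundled consent, withdrawal as easy as grant) can be expressed as checks a controller runs against its own banner before deployment, rather than relying on a CMP vendor's assurance. The following is an added example written for this article, not code from the article, the EDPB, the CNIL or any CMP product: a small consent-state model that gates non-essential storage on an explicit per-purpose decision, plus an audit function that flags the dark-pattern categories the article describes in a banner description. The purpose names, the shape of the banner specification object, and the two sample banners (one modelled on the one-click-accept versus multi-click-reject asymmetry the article attributes to the CNIL's 2022 findings, one symmetric) are all constructed for the illustration.

```javascript
// Added example (not from the article): consent-state model and first-layer banner audit.
// Purpose names and the banner spec shape are constructed for this illustration.

const STRICTLY_NECESSARY = "strictly_necessary";
const PURPOSES = ["analytics", "advertising", "personalisation"]; // constructed purposes

class ConsentState {
  constructor(purposes = PURPOSES) {
    // Every non-essential purpose starts as not granted: silence and inactivity are not consent.
    this.granted = new Map(purposes.map((p) => [p, false]));
    this.decided = false; // becomes true only after the user acts on the banner
    this.log = [];        // audit trail of affirmative actions (evidence for the controller's burden of proof)
  }

  // Record an explicit per-purpose decision. Unknown purposes are refused so a
  // bundled "accept everything" cannot sweep in a purpose the user was never shown.
  record(choices, action) {
    for (const [purpose, value] of Object.entries(choices)) {
      if (!this.granted.has(purpose)) throw new Error(`unknown purpose: ${purpose}`);
      this.granted.set(purpose, value === true);
    }
    this.decided = true;
    this.log.push({ action, at: new Date().toISOString(), choices: { ...choices } });
  }

  // Accept and reject are symmetric: each is a single action covering every purpose.
  acceptAll() { this.record(Object.fromEntries([...this.granted.keys()].map((p) => [p, true])), "accept_all"); }
  rejectAll() { this.record(Object.fromEntries([...this.granted.keys()].map((p) => [p, false])), "reject_all"); }

  // Withdrawing one purpose is as easy as granting it: one action.
  withdraw(purpose) { this.record({ [purpose]: false }, "withdraw"); }

  // Gate to call before setting a cookie or loading a tag: only strictly necessary
  // operations may run before the user has decided (the ePrivacy prior-consent rule).
  mayStore(purpose) {
    if (purpose === STRICTLY_NECESSARY) return true;
    return this.decided && this.granted.get(purpose) === true;
  }
}

// Audit a first-layer banner description. `spec` fields (constructed shape):
//   acceptClicks / rejectClicks   steps from the first layer to a complete decision
//   acceptProminent / rejectProminent  whether each button is visually prominent
//   preTicked                     purposes pre-selected before any user action
//   loadsBeforeConsent            non-essential purposes whose cookies are set on page load
//   perPurposeChoice              whether purposes can be granted individually
//   withdrawClicks                steps needed later to withdraw consent
//   contentGated                  whether content is blocked until all cookies are accepted
function auditBanner(spec) {
  const findings = [];
  if (spec.loadsBeforeConsent.length > 0)
    findings.push({ pattern: "pre-loading", detail: `cookies set before consent: ${spec.loadsBeforeConsent.join(", ")}` });
  if (spec.preTicked.length > 0)
    findings.push({ pattern: "skipping", detail: `pre-ticked purposes: ${spec.preTicked.join(", ")}` });
  if (spec.rejectClicks > spec.acceptClicks)
    findings.push({ pattern: "hindering", detail: `reject takes ${spec.rejectClicks} clicks, accept takes ${spec.acceptClicks}` });
  if (spec.acceptProminent && !spec.rejectProminent)
    findings.push({ pattern: "stirring", detail: "accept button is prominent, reject is not" });
  if (!spec.perPurposeChoice)
    findings.push({ pattern: "bundled consent", detail: "no per-purpose choice offered" });
  if (spec.withdrawClicks > spec.acceptClicks)
    findings.push({ pattern: "withdrawal asymmetry", detail: `withdrawal takes ${spec.withdrawClicks} clicks, grant takes ${spec.acceptClicks}` });
  if (spec.contentGated)
    findings.push({ pattern: "cookie wall", detail: "content conditioned on accepting all non-essential cookies" });
  return findings;
}

// Constructed banner modelled on the click asymmetry the article attributes to the
// CNIL's 2022 findings (one click to accept, several to refuse), with other defects added.
const ASYMMETRIC_BANNER = {
  acceptClicks: 1, rejectClicks: 3, acceptProminent: true, rejectProminent: false,
  preTicked: ["analytics"], loadsBeforeConsent: ["advertising"],
  perPurposeChoice: false, withdrawClicks: 4, contentGated: false,
};

// Constructed banner meeting the first-layer equivalency requirement.
const SYMMETRIC_BANNER = {
  acceptClicks: 1, rejectClicks: 1, acceptProminent: true, rejectProminent: true,
  preTicked: [], loadsBeforeConsent: [], perPurposeChoice: true, withdrawClicks: 1, contentGated: false,
};

console.log(JSON.stringify(auditBanner(ASYMMETRIC_BANNER), null, 2)); // six findings
console.log(JSON.stringify(auditBanner(SYMMETRIC_BANNER), null, 2));  // []
```

The audit deliberately works on a description of the banner rather than on the rendered DOM, so it can run in a review pipeline against the specification the controller signs off on; the same checks are the ones a regulator applies to the visual and navigational architecture, and `mayStore` is the single choke point through which every tag loader should pass so that nothing non-essential fires before `decided` is true.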

Conclusion 

The regulatory trajectory across both the EU and India meets at one point: refusal of consent must be as easy as acceptance, and any interface design that makes this symmetry more difficult is a legal violation rather than a grey area. The GDPR’s enforcement record demonstrates that regulators are prepared to sanction the largest platforms in their jurisdictions repeatedly, and on the basis of navigational asymmetry alone. The DPDPA’s consent framework establishes equivalent standards in India with penalty exposure of up to ₹250 crore per violation. The CCPA’s dark pattern guidelines extend compliance to the broader consumer journey within which data consent decisions are made. For organisations, the practical consequence is that consent UI design itself attracts accountability within the consent framework. Its visuals, navigation, and accessibility are reviewable by regulators and, where they produce asymmetric outcomes, constitute evidence of a dark pattern regardless of whether manipulation was the design intent. Managing this exposure requires treating interface design as a legal function rather than a marketing one, ensuring that the consent architecture an organisation deploys reflects the genuine, uncoerced choice that both the GDPR and the DPDPA are designed to protect.