privacy, consent, ux | 9 April 2026 | 8 min

The Cookie Banner Comedy: A Dark Pattern in Three Acts

GDPR gave Europeans the legal right to say no to tracking. The ad industry spent years making that right almost impossible to exercise.


Paul Ojuri

Product engineer & designer

GDPR came into force in May 2018. The regulation was blunt: you need meaningful consent before processing personal data for tracking. People have to be able to say no as easily as they say yes.

The industry heard this and got to work. Not on making consent easier. On making refusal harder.

What followed was one of the more elegant pieces of adversarial design in software history. Eight years later, most cookie banners are still dark patterns. They just look more legitimate than they used to.

Act 1: The asymmetry

The first and most durable weapon in the consent dark pattern arsenal is asymmetric friction.

"Accept All" is a single button, front and center, styled in the brand's primary color. It is the path of least resistance, designed to be clicked without reading.

Rejecting all cookies requires finding the route through the banner's layers. On a typical banner this might be: click "Manage Preferences," wait for a second layer to load, locate the "Reject All" option (sometimes at the bottom, sometimes behind a tab, sometimes absent entirely), click it, then confirm. Four to seven interactions to do what the law says should be equally easy.

The friction is not accidental. Cookie consent management platforms (CMPs) - the industry that built the tools publishers use to run these banners - have a financial incentive to maximize consent rates. They charge based on performance. A CMP that delivers 80% acceptance rates has a story to tell. A CMP that makes rejection as easy as acceptance has a much harder sales pitch.

The numbers are documented. Studies across thousands of European websites found that when "Reject All" appears on the first layer of a banner - same prominence as "Accept All" - opt-out rates increase by 20 percentage points or more. So the industry largely doesn't do that. Instead, they do everything they can to make rejection feel like extra work, or make it feel uncertain, or make it feel like you might break something.

Some patterns are so common they've become almost invisible: grayed-out "Reject" buttons next to bright "Accept" buttons. Accept buttons labeled "I agree" next to vague buttons labeled "Options." Banners that say "We value your privacy" in the header while burying "Reject All" behind three clicks in the fine print.

Act 2: The confusion layer

Beyond friction, there's confusion. The goal here is to make meaningful consent structurally impossible.

Pre-ticked boxes are the obvious version. A list of 40 tracking purposes with every checkbox already selected, requiring the user to individually untick each one. This was explicitly prohibited by GDPR. It still appears regularly.

More sophisticated is the labeling. "Personalized advertising" sounds pleasant. "Legitimate interest" sounds like something you'd want to support. "Technical cookies" sounds necessary even when it's not. The language is optimized to make you feel like acceptance is reasonable and refusal is churlish.

There's also the dark pattern of implied necessity. Banners that warn you the site "may not work correctly" if you decline. Banners that show a cookie policy wall, implying that declining means you can't use the site at all. The ePrivacy Directive says you can't condition service access on tracking consent. But a warning that implies this effect is technically different from a hard gate, so it proliferates.

The most sophisticated confusion pattern is the category flip. A banner that gives you two options: "Accept all cookies" and "Accept necessary cookies only." Neither of these is a reject button. "Necessary only" sounds like refusal, but in practice "necessary" often includes a wide range of analytics and functional tracking that a genuinely minimal implementation wouldn't require. You've navigated the banner and you think you've protected yourself. You haven't.

Act 3: The legitimate interest endgame

The third act is where it gets structurally interesting.

The IAB (Interactive Advertising Bureau) runs a framework called the Transparency and Consent Framework (TCF). The TCF is how the ad industry processes consent signals at scale. When you interact with a cookie banner on most commercial websites, your choices get encoded into a TCF string that flows through the supply chain.

The TCF includes a mechanism called "legitimate interest." Under GDPR, companies can claim legitimate interest as a legal basis for processing personal data when they judge that their interest outweighs the user's privacy rights. The TCF industrialized this loophole.

A publisher running the IAB TCF can present you with a list of vendors. Not a short list. The TCF vendor list has more than 800 registered vendors. Each vendor can claim "legitimate interest" as a basis for processing your data. Unless you actively object to each one - individually, one by one - they can proceed. The banner tells you that you've managed your preferences. Your data is going to hundreds of companies you've never heard of, on a legal basis that you were never asked to authorize, and objecting requires finding and clicking 800 individual toggles.

The Court of Justice of the EU ruled in 2024 that certain implementations of the TCF violated GDPR. The framework was revised. The violations largely continued in different form. The enforcement gap between what the law says and what the industry does remains wide.

What good consent looks like

It is not complicated. The regulators have described it. The researchers have shown it. The industry simply hasn't adopted it at scale because it costs consent rates.

Good consent is symmetric. One click to accept. One click to reject. Both options on the same layer, with the same visual weight.

Good consent is specific. Not "we and our partners may use your data." A short, plain-English description of what each tracking purpose actually involves and who actually receives the data.

Good consent has a real "no" option. Not "necessary only" as a pseudo-rejection. A button that says "Reject All" and means it.

Good consent doesn't expire silently. If you said no in 2023, a banner in 2025 shouldn't treat that as an expired permission and ask you again with fresh asymmetric friction.

Good consent doesn't use legitimate interest as a backdoor. If you haven't said yes, the default answer is no.
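To make the gap between the two rules concrete, here is an added example (mine, not the author's, and not the actual code of any CMP or of the TCF) that models a user's stored choices and evaluates which vendors may process under the legitimate-interest rule described in Act 3 versus the default-no rule above, and whether a stored refusal should ever trigger a fresh prompt. The ConsentRecord fields, vendor names and counts are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class ConsentRecord:
    """One user's stored choices (constructed model, not a real TC string)."""
    purposes_consented: set     # purposes the user actively ticked
    vendors_consented: set      # vendors the user actively ticked
    vendors_claiming_li: set    # vendors asserting "legitimate interest"
    vendors_objected_li: set    # vendors the user individually objected to
    last_choice: str            # "accept", "reject", "custom" or "none"
    choice_age_days: int        # how old that last choice is


def permitted_under_li_rule(rec, purpose):
    """Act 3 rule: consent, OR legitimate interest claimed and not objected to."""
    allowed = set()
    for v in rec.vendors_consented | rec.vendors_claiming_li:
        consented = v in rec.vendors_consented and purpose in rec.purposes_consented
        li_backdoor = v in rec.vendors_claiming_li and v not in rec.vendors_objected_li
        if consented or li_backdoor:
            allowed.add(v)
    return allowed


def permitted_under_good_consent(rec, purpose):
    """Default-no rule: a vendor may process only where the user explicitly said yes."""
    if purpose not in rec.purposes_consented:
        return set()
    return set(rec.vendors_consented)


def should_reprompt(rec, max_age_days=365):
    """A stored "no" is a standing answer; only a missing or stale "yes" is re-asked."""
    if rec.last_choice in ("reject", "custom"):
        return False
    return rec.last_choice == "none" or rec.choice_age_days > max_age_days


def sample_record():
    """Constructed user: objected to 3 of 800 LI vendors, ticked 2 for analytics."""
    vendors = {f"vendor{i}" for i in range(1, 801)}   # constructed 800-vendor list
    return ConsentRecord(
        purposes_consented={"analytics"},
        vendors_consented={"vendor1", "vendor5"},
        vendors_claiming_li=vendors,
        vendors_objected_li={"vendor1", "vendor2", "vendor3"},
        last_choice="custom",
        choice_age_days=700,
    )
```

For the constructed record, the legitimate-interest rule lets 797 vendors process for personalized advertising that the user never consented to, while the default-no rule lets none.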

Some sites do this. Smaller publishers, often. Sites that have thought about trust as a design value. They exist and they're not appreciably harder to monetize than sites running the dark pattern playbook.

The cookie banner is not a privacy tool. It was built to manage legal risk while preserving data flows. The companies that built the infrastructure have done exactly what you'd expect them to do: optimize for their own outcome, not yours.

The comedy is that we call this consent at all.
