Dark Patterns in Cookie Banners: What the ICO Is Looking For in 2026

3 min read · Updated April 5, 2026

When the ICO reviewed the UK top 1,000 websites in 2025, one of the three things they specifically checked was whether cookie banners used design tricks to push visitors toward accepting tracking.

These design tricks are called dark patterns, and regulators across Europe and the UK now actively look for them. Getting this wrong can invalidate all the consent your website has collected, making every analytics data point and every marketing cookie technically unlawful.

The most common dark pattern is making the “Accept” button visually dominant. If “Accept All” is a large, brightly coloured button while “Reject All” is plain text or a different, muted colour, that is a dark pattern. The ICO and EU regulators have been clear: rejecting cookies must be as easy as accepting them.

The second common pattern is hiding the reject option. Some banners show “Accept All” and “Customise” but no reject button. The visitor has to click Customise, then deselect categories, then click Save. This adds friction to rejection that does not exist for acceptance. The ICO considers this non-compliant.

The third pattern is pre-ticked consent boxes. If a visitor opens the cookie preferences panel and finds all categories already ticked, that is not valid consent. Consent must be actively given, not passively assumed.

The fourth pattern is confusing language. Banners that say “By continuing to browse, you accept cookies” are not valid consent mechanisms. Scrolling or continuing to use a site is not consent.

What regulators are doing about it

The Dutch DPA warned over 200 websites about their cookie banners in 2025 and monitors approximately 10,000 Dutch websites annually. The CNIL in France fined SHEIN 150 million euros partly because of how their consent mechanism was designed. In the UK, the ICO issued preliminary enforcement notices to 17 major websites after finding non-compliant cookie practices.

Enforcement is no longer limited to large companies. The ICO has stated publicly that small businesses are in scope for cookie compliance enforcement in 2026.

How to check your own banner

Visit your site in an incognito window and look at your cookie banner with fresh eyes. Ask yourself these questions. Is “Reject All” the same size and visual weight as “Accept All”? Can a visitor reject all non-essential cookies in one click, without opening a preferences panel? Are all cookie categories unticked by default in the preferences panel? Does the banner clearly explain what types of cookies you use?

If the answer to any of these is no, your banner may be using a dark pattern that could invalidate consent and create regulatory exposure.
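The first three questions, plus the "by continuing to browse" wording described earlier, can be checked mechanically. The following is an added example, not code from the ICO or from any consent platform: the 90% size tolerance, the finding names, the snapshot fields and the selectors passed to `snapshotBanner` are all assumptions made for illustration.

```javascript
// Added example: thresholds, field names and selectors are assumptions, not ICO rules.
const SIZE_TOLERANCE = 0.9; // reject must reach 90% of accept's area and font size
const IMPLIED_CONSENT = /by (continuing|scrolling|using)|continue to (browse|use)/i;

// Pure check over a snapshot of the banner, so it runs in Node or in a browser.
function auditBanner(snap) {
  const findings = [];
  const { accept, reject } = snap;
  const area = (b) => b.width * b.height;
  if (!reject || !reject.visible) {
    findings.push("no-one-click-reject");
  } else if (accept) {
    if (area(reject) < area(accept) * SIZE_TOLERANCE ||
        reject.fontSize < accept.fontSize * SIZE_TOLERANCE) {
      findings.push("reject-smaller-than-accept");
    }
    if (accept.filled && !reject.filled) findings.push("reject-less-prominent");
  }
  const preTicked = snap.categories.filter((c) => !c.essential && c.checked);
  if (preTicked.length) findings.push("pre-ticked:" + preTicked.map((c) => c.name).join(","));
  if (IMPLIED_CONSENT.test(snap.text)) findings.push("implied-consent-wording");
  return findings;
}

// Browser-only helper that builds the snapshot from the live DOM.
// Assumes essential categories are rendered as disabled checkboxes.
function snapshotBanner(doc, sel) {
  const measure = (el) => {
    if (!el) return null;
    const r = el.getBoundingClientRect();
    const cs = doc.defaultView.getComputedStyle(el);
    return {
      width: r.width, height: r.height, fontSize: parseFloat(cs.fontSize),
      filled: !["rgba(0, 0, 0, 0)", "transparent"].includes(cs.backgroundColor),
      visible: r.width > 0 && r.height > 0,
    };
  };
  const banner = doc.querySelector(sel.banner);
  return {
    accept: measure(doc.querySelector(sel.accept)),
    reject: measure(doc.querySelector(sel.reject)),
    text: banner ? banner.textContent : "",
    categories: [...doc.querySelectorAll(sel.categories)].map((cb) => (
      { name: cb.name, checked: cb.checked, essential: cb.disabled })),
  };
}

// Constructed sample: text-link reject, pre-ticked marketing box, implied-consent wording.
const SAMPLE_BAD = { accept: { width: 160, height: 44, fontSize: 16, filled: true, visible: true },
  reject: { width: 70, height: 20, fontSize: 13, filled: false, visible: true }, text: "By continuing to browse, you accept cookies.",
  categories: [{ name: "necessary", checked: true, essential: true }, { name: "marketing", checked: true, essential: false }] };
```

In a browser, open the preferences panel before calling `snapshotBanner` so the category checkboxes exist in the DOM. Whether the banner clearly explains the cookie types still needs a human reader.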

The fix is usually simple

Most consent management platforms like CookieYes, Complianz, and OneTrust allow you to configure button styling, default states, and banner layout. Adjusting these settings to show equally prominent Accept and Reject buttons typically takes under 10 minutes.

The investment of 10 minutes protects you from the risk of having all your consent data considered invalid, which would affect your analytics, your marketing, and your regulatory standing.
