How to Avoid These Common Deceptive Design Mistakes in Your Cookie Consent Banner

Almost every consumer can recount a time they’ve had a bad user experience. 

Perhaps you’ve tried to cancel a gym membership, only to discover you have to go through hoops to do so. Or maybe you signed up for a free trial that rolled over into a paid subscription without you knowing and you had to scour their site to discover how to cancel the subscription. 

It can be incredibly frustrating. And companies know it. 

There are many names for practices like this: dark patterns, deceptive UI, and manipulative design. These design practices are everywhere in our daily lives, but sometimes they are harder to spot. For example, cookie consent banners. 

Unfortunately, many websites have cookie consent pop-ups that either by accident or purposefully include deceptive design with language, button colors, sizing, limited options, and more that can push consumers toward the banner owner’s desired outcome. 

The California Privacy Rights Act (CPRA) defines manipulative design as: “[a] user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation” and further states that,“agreement obtained through the use of dark patterns does not constitute consent”. 

After a recent investigation by the Office of the New York State Attorney General, the Attorney General stated that:

More than a dozen popular websites with privacy controls [were] effectively broken. Visitors to these websites who attempted to disable tracking technologies would nevertheless continue to be tracked. The OAG also encountered websites with privacy controls and disclosures that were confusing and even potentially misleading.

Often, companies don’t intend to manipulate or confuse consumers. They may not realize their banners could be viewed as engaging in dark pattern practices. 

To get a better understanding of how to avoid deceptive design patterns in cookie consent banners, we sat down with Chris Asta, who until recently was associate general counsel at Skillshare. 

To start, we’d love to hear a bit about your background and your role at SkillShare.

I’ve been a practicing attorney for a little over 10 years now. I started working at Skillshare about two years ago. Skillshare has a relatively small legal team so I had to have my hand in almost everything that went on there from a legal perspective, including, importantly, all of the privacy work that we were doing. I’ve helped build out Skillshare’s privacy systems, and a lot of that involved working with DataGrail, including the recent launch of DataGrail Consent on our site. 

Can you tell us more about the challenges companies often face when implementing a consent solution?

Businesses want to ensure they are meeting their legal obligations without sacrificing a positive user experience.

Additionally, several different compliance regulations exist around the world that can require somewhat different approaches to how you handle cookie consent and it’s not always easy to comply in a straightforward way without taking a one-size-fits-all approach. But there can be significant advantages to being able to tailor the consent experience to the jurisdiction and that can be difficult to do in a scalable way without tools that allow you to do that. 

Dark patterns or deceptive UI practices are something that can take data autonomy out of consumers’ hands. You’ve been an advocate against practices like these. Can you explain a bit more about why dark patterns are so exploitative? 

The main issue with dark patterns is they can take advantage of the behavioral or psychological tendencies of users to act in particular ways for perfectly reasonable reasons like efficiency, needing to process information quickly, or not having time to consider choices at great length. Taking advantage of these tendencies can push consumers to act in a way that a business might want, but that the consumer might not.

When you take that choice away from the consumer, you’re limiting their options, which, at least in some small way, is robbing them of their autonomy. And that can be detrimental for businesses in the long-term; you’re not providing consumers with the respect and self-determination they deserve. And if you do that enough, they’ll ultimately start looking elsewhere. 

What are some examples of dark patterns in the design of consent banners? 

The cookie consent experience can be particularly pernicious because it’s so prevalent. Practically every single time consumers visit a web page they’re presented with a cookie banner that they have to click through in order to get to the content they want to see. 

So, even more than in many other situations, consumers are very likely going to take whatever is the path of least resistance. The average person visits countless web pages every day and they’re not going to spend the time and energy thinking through their cookie settings each time. 

In the past, organizations would often provide consumers with two options: either something like ‘accept cookies’ or something like ‘more options.’ If you were one of the brave souls who clicked the more options settings, you could ultimately find your way to opting out of cookies. But I suspect most people, certainly myself included, are just going to click accept cookies and move on.

If instead, organizations present users with two kinds of equal options on the face of the banner–either accept cookies or deny cookies–then you’re presenting users with an equivalent choice, and they can decide quickly, do I want to accept or not?

The choice they make then better captures their actual wishes, instead of whatever choice the business wanted them to take. 

A lot of companies probably aren’t maliciously going out and creating banners this way. Some consent solutions are hard to set up or they may have lacked guidance. Let’s review Skillshare’s banner which you recently implemented with DataGrail Consent. Can you walk me through a few best practices in this banner? 

1. We’ve drafted the statement included on our banner to be as clear as we can–it’s devoid of legalese and the language we use should be easy for the average consumer to understand without effort.

2. There are three buttons provided:

• Accept all, which allows our users to accept all cookies 
• Accept Essentials Only, which allows users to deny all cookies other than those that have to be there for the site to function
• Update Preferences, which allows users to get even more granular with their consent if they’re so inclined

Each of those buttons is equally presented in terms of size, font, color, boldness, etc, so there’s nothing driving a user who’s moving very quickly to select one of them over another.

3. There’s the ability to choose the language that you want to view the notice in right up at the top, which hopefully helps with comprehension.

4. The banner includes a link to an opt-out form that allows users in the US to opt out of certain ways in which their data might be otherwise be used. 

What are your predictions for the future of consent and how some of these deceptive UI patterns might get policed in the future? 

Policing of dark patterns is somewhat in its toddler stage and I suspect that we are going to start seeing much more of it, both in terms of it being a focus for companies who want to make sure they’re doing the right thing by their users and I suspect we’re going to start seeing more and more enforcement actions around dark patterns from regulators like the FTC, the California AG, and the UK CMA.

It’s already happening, of course, but I think it’s going to happen more. I suspect there will come a time when we will look back a number of years from now and say, man, I can’t believe companies used to do these things. 

Download our consent banner style guide to ensure your banner is following best practices and is fully compliant. 

If you’d like to learn more about DataGrail Consent, you can request a demo here.