The French data protection authority (CNIL) issued formal notices to website publishers in December 2024 for deploying deceptive cookie consent patterns. The violations weren’t technical non-compliance—they were UX failures. Publishers emphasized “Accept” over “Reject” through color, font size, and placement. They presented the reject option multiple times as “I decline non-essential purposes” while “Accept” appeared three times in clear language. They buried “Reject” deep in information blocks without visual distinction.
These aren’t accidents. They’re the product of a decade-long tension between regulatory requirements and conversion rate obsession. But here’s the non-obvious insight that emerges from combining CNIL enforcement, EDPB dark pattern guidelines, Nielsen Norman Group user research, and Spain’s AEPD audience measurement exemption: If you design symmetrical, plain-language consent (accept = reject in one step) and use the AEPD’s audience-measurement exemption correctly, you can keep essential analytics while reducing legal risk and user frustration—no dark patterns, no drop in trust.
The regulatory landscape has matured past the point where companies can weaponize UX to manufacture consent. The EDPB’s February 2023 Guidelines on Deceptive Design Patterns codified what manipulative consent looks like across six categories. The CNIL’s December 2024 enforcement proved regulators now issue orders to comply based purely on interface design. And user research shows that deceptive banners don’t just violate regulations—they destroy trust with your most privacy-conscious users while annoying everyone else. Poorly designed or intrusive cookie banners can frustrate users, leading to negative experiences and potential legal issues.
But there’s a path forward that respects both compliance obligations and business needs. It requires understanding three things: what makes consent UX deceptive, what makes it user-friendly, and how Spain’s AEPD exemption creates space to maintain essential analytics without consent friction. Clear consent UX is also essential for ensuring legal compliance.
Understanding what makes consent UX user-friendly means you must inform visitors transparently about data collection and consent options, so users know exactly what they are agreeing to.
The six dark patterns that trigger enforcement
The EDPB’s Guidelines on Deceptive Design Patterns in Social Media Platform Interfaces (adopted February 14, 2023) categorize manipulative UX into six types. While focused on social media, data protection authorities apply these principles to cookie consent, as evidenced by CNIL’s December 2024 enforcement actions. The cookie banner appears as soon as a user visits the site, making its immediate visibility and design crucial for transparency and accessibility:
1. Overloading: Burying users under excessive requests, information, or options to discourage them from protecting their data. In cookie consent: Walls of text in preference centers, endless toggle switches for individual vendors, or repeatedly prompting users who already declined.
2. Skipping: Making privacy-protective choices require more steps than privacy-invasive ones. In cookie consent: “Accept All” is one button, but “Reject” requires clicking “Manage Settings,” then navigating to a second layer, then toggling 47 individual categories, then clicking “Save” (which may be at the bottom of a scroll).
3. Stirring: Using emotional manipulation or misleading visuals to push users toward specific choices. In cookie consent: Sad emojis next to “Reject,” warnings that rejecting cookies will “break the site,” or framing acceptance as supporting “free content you love.”
4. Obstructing: Hiding or making information difficult to access. In cookie consent: Reject option presented as tiny grey text, burying the preference center three clicks deep, or using vague labels like “Learn More” instead of “Manage Cookie Settings.”
5. Fickle: Inconsistent or unclear interfaces that confuse users. In cookie consent: Toggle switches with labels like “Do not sell my personal information” (double negatives), ambiguous “X” buttons that might mean “Accept” or “Close without accepting,” or changing what “X” means between visits.
6. Left in the Dark: Withholding information users need to make informed decisions. In cookie consent: Not explaining what each cookie category does, omitting information about which third parties receive data, or failing to disclose data retention periods.
Some cookie consent designs use dark patterns aimed at forcing users to accept cookies by making the option to decline cookies less accessible or more difficult to find, which undermines genuine user choice.
CNIL’s December 2024 enforcement hit publishers for violations across multiple categories:
Skipping: “Accept” required one click; “Reject” required navigating to a preference center
Stirring: High-contrast “Accept All” buttons paired with low-contrast “Manage Settings” links
Obstructing: Reject option embedded in information blocks without visual distinction
Fickle: Multiple “Accept” buttons throughout the banner; single “Reject” option hidden as “I decline non-essential purposes”
The CNIL made clear: “Rejecting cookies should be just as easy as accepting them.” Users must be able to decline cookies as easily as they can accept them. This isn’t a suggestion—it’s the legal standard under Article 82 of the French Data Protection Act and the GDPR’s requirement for freely given consent.
What users actually want: Nielsen Norman Group research findings
Nielsen Norman Group’s November 2023 study on cookie permissions revealed a spectrum of user behaviors, from “the denier” (adjusts cookies every time to share minimal data) to “the enthusiast” (wants personalized ads). But across all user types, several patterns emerged. The study also observed how users interact with cookie banners, noting that design elements such as button highlighting and option placement significantly influence their choices and interaction patterns.
Users notice and resent deceptive patterns. When one participant encountered a banner with only “Accept All,” he said: “I am kind of used to opt out options. It doesn’t seem to give the option to reject it or to tailor the cookies… which makes me feel a bit uneasy.”
Users prefer small, unobtrusive banners that don’t block content. Large cookie overlays that prevented viewing the page were “intrusive and annoying.” One participant: “I don’t want it to cover my page. I definitely don’t want it to cover the page when I can’t even see what the page is.”
However, users accepted larger banners if they could scroll the underlying page. The UK government used a large cookie banner at the top, but it pushed content down rather than overlaying it. A participant: “It’s big but it’s not actually covering up the rest of the site. It just kind of pushes the site down so I can still see what the site is.”
Users want options immediately available—not hidden behind “Learn More.” Harper’s Bazaar required clicking “Learn More” to access “Reject.” The NN/g study found this pattern has low information scent: users assume “Learn More” only provides cookie explanations, not additional options.
Plain language matters. Cricut offered two options both starting with “Accept,” creating the impression users had no choice. Fenwick & West’s clear distinction between “I consent to cookies” and “I do not consent” supported quick decision-making.
Users divide by platform trust. “The skeptic” shares data only with familiar or trustworthy sites. “The tech-savvy” clicks “Accept All” but clears cookies later. “The impatient” selects “Accept All” to remove the overlay. Understanding these user types reveals whom your design alienates. Accommodating different user preferences in consent UX is essential to ensure all users feel their choices are respected and their browsing experience is tailored.
Many users never engage deeply with cookie settings at all: they act as passive acceptors or indifferent clickers who simply want to dismiss the banner and continue browsing.
The critical insight: Deceptive UX doesn’t just violate regulations—it alienates users who care about privacy, trains “impatient” users to reflexively click “Accept” without reading, and erodes trust even among users willing to share data. Well-designed banners can improve user engagement with privacy options by making choices clear and accessible. Privacy concerns also vary among users, influencing their willingness to share data—some users value transparency even if their concerns are limited, while others are motivated by convenience rather than awareness.
Spain’s AEPD audience measurement exemption: analytics without consent fatigue
In January 2024, Spain’s data protection authority (AEPD) published guidance that creates space for essential analytics without consent friction. The exemption allows audience measurement cookies to bypass consent requirements under specific conditions. However, it is important to note that audience measurement cookies often involve processing personal data, such as online identifiers, and must comply with privacy regulations like GDPR and CCPA.
Exempt audience measurement purposes (when properly configured):
Page-by-page audience tracking
Referral source identification (aggregated daily)
Device, browser, screen size analysis (aggregated daily)
Page loading time and engagement metrics like bounce rate, scroll depth (aggregated hourly/daily)
User action statistics—clicks, selections (aggregated daily)
Geographic origin of web requests (aggregated daily)
Mandatory safeguards for exemption:
Users informed via privacy policy about cookie use
Users must be clearly informed about how the website will collect data and record data through cookies
Cookie lifespan limited to 13 months (no auto-extension on new visits)
Collected data retained maximum 25 months
No cross-referencing with other data processing
No transmission to third parties
No unified identifiers across multiple sites
No user tracking across various sites or apps
Additional requirements for third-party analytics providers:
Documented evaluation of tool configuration
Contractual commitment not to reuse data for own purposes
GDPR compliance for data transfers outside EU
Independent collection, processing, and storage for each publisher
The AEPD’s position follows France’s CNIL, which maintains a list of 20+ analytics tools that meet exemption criteria when properly configured. Tools like Matomo (self-hosted or cloud with specific configurations), Plausible, and Fathom can qualify. Google Analytics 4 can qualify if configured with:
IP anonymization enabled
Data sharing with Google disabled
Remarketing features disabled
User-ID feature disabled
Cross-domain tracking disabled
Data retention set to 2 months
The strategic implication: Companies can maintain visibility into core performance metrics (traffic sources, page engagement, conversion funnels) without triggering consent requirements—IF they configure analytics to meet exemption criteria and don’t use data for advertising, cross-site tracking, or personalization beyond the site itself. To ensure websites comply with all relevant data protection laws and privacy regulations, it is essential to handle personal data transparently and adhere to legal requirements when collecting or processing personal data.
This creates a two-tier analytics strategy:
Exempt audience measurement: Core performance metrics, no consent required
Behavioral/advertising cookies: Personalization, remarketing, cross-site tracking—requires explicit consent with symmetrical UX
The symmetrical cookie consent banner pattern: design that complies and converts
Combining regulatory requirements, user research, and the AEPD exemption yields a consent UX pattern that satisfies all stakeholders:
Layer 1: Initial consent banner (small, non-blocking)
Required elements:
Equal visual weight for “Accept All” and “Reject All” buttons
Plain language labels: “Accept All Cookies” / “Reject All Cookies” / “Manage Cookie Preferences”
Brief, scannable explanation: “We use cookies for [essential functions] (no consent needed) and [optional purposes] (your choice)”
Immediate access to all three options (accept, reject, manage)
Small banner at top or bottom that doesn’t block content
Manage Preferences button to allow users to customize their cookie settings for each cookie category
Cookie banners serve to inform users about data collection and facilitate compliance with GDPR. Clear design elements, such as accessible buttons and balanced layout, enhance user experience and ensure the banner is both user-friendly and aligned with branding standards.
Example compliant banner:
We use cookies for site functionality (always active) and optional purposes like analytics and personalized content.
[Accept All Cookies] [Reject All Cookies] [Manage Cookie Preferences]
This is a GDPR-compliant cookie banner.
Visual implementation:
Both primary buttons same size, same color contrast
“Manage Cookie Preferences” can be styled as link but must be equally visible
No sad emojis, guilt trips, or warnings about “reduced experience”
No high-contrast “Accept” paired with low-contrast “Reject”
Layer 2: Preference center (for users who click “Manage”)
Required elements:
Category-level controls, not individual vendor toggles (unless user explicitly requests vendor-level detail)
Bullet-point descriptions for each category explaining what cookies do
Pre-selected to OFF for non-essential categories (GDPR opt-in requirement)
“Save Preferences” and “Reject All” buttons at both top and bottom of list
No “Accept All” button in Layer 2 (user came here to customize, don’t push them toward blanket acceptance)
Users can manage preferences for each cookie category, such as essential, analytics, functional, and marketing cookies, providing granular control over their data.
Example categories (using NN/g and EDPB guidance):
✅ Essential (always on): Session management, security, load balancing, content delivery
☐ Analytics (exempt under AEPD if configured properly): “Helps us understand which pages are most visited and how users navigate the site. Data is aggregated and not used for advertising.”
☐ Functional: “Remembers your preferences like language and region”
☐ Marketing: “Enables personalized ads and measures ad campaign effectiveness”
Preference centers should allow users to manage cookies and manage consent for different purposes, including the ability to accept, reject, or customize settings for each category.
Implementation note: If your analytics meet AEPD exemption criteria, you can remove “Analytics” from the consent flow entirely and only disclose its use in your privacy policy. This reduces consent fatigue while maintaining compliance. A consent management platform can help facilitate compliance and give users control by providing customizable banners, granular preferences, and easy consent management.
Edge case: The “X” or “Close” button
EDPB guidelines and user research reveal “X” buttons create ambiguity: does clicking “X” mean “Accept All,” “Reject All,” or “Don’t decide now”?
Compliant approaches:
No “X” button (forces explicit choice)
“X” equals “Reject All” (disclose this in banner: “Closing this banner without selecting rejects optional cookies”)
“X” equals “Continue with essential only” (if analytics are exempt under AEPD)
Never: “X” means “Accept All” (this creates fickle, deceptive pattern)
Users must always have the ability to withdraw consent at any time, ensuring ongoing control over their data and compliance with GDPR. Giving users control over their data and cookie choices builds trust and supports privacy best practices.
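The rules above (equal weight and equal steps for accept and reject, non-essential categories defaulting to OFF in the preference center, and “X” never meaning accept) can be encoded and checked in code. The following is an added example, not code from the article or from any consent platform: a small consent model plus an audit function that flags the first-layer asymmetries CNIL cited. The banner description shape (buttons with action, label, steps, width and contrast, plus a closeAction) and the two sample banners are assumptions constructed for this example.

```javascript
// Added example, not code from the article: a consent model that enforces the
// symmetrical pattern above (non-essential categories default OFF, "X" never
// means accept) and an audit that flags the banner asymmetries CNIL cited.
// The banner description shape (buttons with action/label/steps/width/contrast,
// plus closeAction) is an assumption made for this example.

const DEFAULT_PREFERENCES = Object.freeze({
  essential: true,    // always active, no consent needed
  functional: false,  // GDPR opt-in: every non-essential category starts OFF
  marketing: false,
  embeds: false,
});

function defaultPreferences() {
  return { ...DEFAULT_PREFERENCES };
}

// Map the user's action in the banner to the categories that get enabled.
function resolveConsent(choice, preferences = {}) {
  switch (choice) {
    case 'accept_all':
      return { essential: true, functional: true, marketing: true, embeds: true };
    case 'reject_all':
    case 'close': // the "X" button: disclosed as "rejects optional cookies"
      return defaultPreferences();
    case 'customize': {
      // Honour only categories the preference center offers; essential stays on
      // and unknown keys (or attempts to turn essential off) are ignored.
      const chosen = defaultPreferences();
      for (const key of Object.keys(DEFAULT_PREFERENCES)) {
        if (key !== 'essential' && preferences[key] === true) chosen[key] = true;
      }
      return chosen;
    }
    default:
      throw new Error(`unknown consent choice: ${choice}`);
  }
}

// Audit a first-layer banner description. Returns a list of issues; an empty
// list means accept and reject are symmetric in steps, weight and wording.
function auditBanner(banner) {
  const issues = [];
  const accepts = banner.buttons.filter((b) => b.action === 'accept_all');
  const rejects = banner.buttons.filter((b) => b.action === 'reject_all');
  if (accepts.length === 0 || rejects.length === 0) {
    issues.push('skipping: first layer must offer both accept and reject');
    return issues;
  }
  const [accept] = accepts;
  const [reject] = rejects;
  if (reject.steps > accept.steps) {
    issues.push('skipping: reject needs more clicks than accept');
  }
  if (reject.width < accept.width || reject.contrast < accept.contrast) {
    issues.push('obstructing: reject has less visual weight than accept');
  }
  if (accepts.length > rejects.length) {
    issues.push('fickle: more accept buttons than reject buttons');
  }
  // Heuristic: a reject label far longer than the accept label is the
  // "I decline non-essential purposes" vs "Accept" pattern.
  if (reject.label.length > 2 * accept.label.length) {
    issues.push('obstructing: reject label is not as plain as the accept label');
  }
  if (banner.closeAction === 'accept_all') {
    issues.push('fickle: closing the banner must never count as acceptance');
  }
  return issues;
}

// Constructed sample banners (not real sites): one shaped like the pattern
// CNIL sanctioned, one following the symmetrical layout.
const deceptiveBanner = {
  buttons: [
    { action: 'accept_all', label: 'Accept', steps: 1, width: 200, contrast: 7.0 },
    { action: 'accept_all', label: 'Accept', steps: 1, width: 200, contrast: 7.0 },
    { action: 'accept_all', label: 'Accept', steps: 1, width: 200, contrast: 7.0 },
    { action: 'reject_all', label: 'I decline non-essential purposes', steps: 3, width: 80, contrast: 2.1 },
  ],
  closeAction: 'accept_all',
};

const symmetricBanner = {
  buttons: [
    { action: 'accept_all', label: 'Accept All Cookies', steps: 1, width: 180, contrast: 7.0 },
    { action: 'reject_all', label: 'Reject All Cookies', steps: 1, width: 180, contrast: 7.0 },
    { action: 'manage', label: 'Manage Cookie Preferences', steps: 1, width: 180, contrast: 7.0 },
  ],
  closeAction: 'reject_all',
};
```

Running auditBanner on the deceptive sample reports five issues (skipping, weight, multiple accepts, obscure reject label, close-as-accept); the symmetric sample reports none. The audit is a design-time check on your own banner configuration, not a substitute for legal review, and the width/contrast numbers are whatever your design system measures.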
Designing for accessibility in consent UX
Designing a cookie consent banner that is accessible to all users is essential for ensuring everyone can make an informed decision about their data privacy. Accessibility in consent UX means that every website visitor—regardless of ability—can easily read, understand, and interact with the cookie banner to give or withhold consent. This not only supports user privacy and legal compliance but also demonstrates a commitment to inclusivity and user trust.
To inform users effectively and obtain consent, cookie banners must be immediately visible when a user lands on the website. The banner should use clear, straightforward language to explain cookie usage, the types of data collected, and the options available for managing cookies. Both the “accept” button and the “reject” button should be equally prominent, allowing users to easily accept or reject non-essential cookies without confusion or frustration.
Accessibility best practices go beyond visual design. Website owners should ensure that cookie consent banners are compatible with screen readers and other assistive technologies, so users with visual impairments can understand and interact with the banner. Keyboard navigation is also crucial—users should be able to move between options and make selections without needing a mouse. Sufficient color contrast helps users with low vision, while larger, well-spaced buttons support those with motor impairments.
Complying with data privacy laws like GDPR and CCPA means obtaining explicit consent for non-essential cookies and avoiding dark patterns that might trick users into giving consent. Transparent, user-friendly cookie banners that prioritize accessibility help website owners meet these legal requirements while enhancing user experience and building trust.
The technical stack: exempt analytics + consent management for data privacy laws
Step 1: Configure analytics for AEPD exemption
If using Google Analytics 4:
```javascript
// GA4 configuration for AEPD exemption
// (replace G-XXXXXXXXXX with your own measurement ID)
gtag('config', 'G-XXXXXXXXXX', {
  'anonymize_ip': true,                        // IP anonymization
  'allow_google_signals': false,               // no Google signals / data sharing
  'allow_ad_personalization_signals': false,   // no remarketing or ad personalization
  'allow_google_analytics_4_cookie_data_collection': false
});
```
Set in GA4 admin:
Data Settings → Data Collection → Deactivate Google signals
Data Settings → Data Retention → Set to 2 months
User-ID feature: Off
Cross-domain tracking: Disabled
All advertising features: Disabled
If using Matomo:
Self-host in EU or use Matomo Cloud with EU hosting
Anonymize IPs (2 bytes minimum)
Disable tracking of outlinks to different domains
Set cookie lifetime to 13 months
Disable user tracking across domains
Step 2: Implement consent banner for remaining cookies
If you’ve configured analytics to meet AEPD exemption, your consent banner only needs to manage:
Functional cookies (preferences, language)
Marketing/advertising cookies
Third-party embeds (social media, video players)
There are different consent mechanisms available for managing cookies, such as banners with technical language, links to privacy policies, and granular options for users to accept or reject specific categories.
This dramatically simplifies the consent flow and reduces user fatigue.
Step 3: Respect consent choices technically
```javascript
// Pseudocode for consent implementation. The enable*() functions are the
// site-specific loaders for each category; userPreferences is the object saved
// from the preference center ({ functional, marketing, embeds } booleans) and is
// only read when userChoice is 'customize'.
function handleConsent(userChoice, userPreferences = {}) {
  if (userChoice === 'accept_all') {
    enableFunctionalCookies();
    enableMarketingCookies();
    enableThirdPartyEmbeds();
  } else if (userChoice === 'reject_all') {
    // Only essential cookies remain active.
    // No action needed as these are already loaded.
  } else if (userChoice === 'customize') {
    if (userPreferences.functional) enableFunctionalCookies();
    if (userPreferences.marketing) enableMarketingCookies();
    if (userPreferences.embeds) enableThirdPartyEmbeds();
  }
  // Store consent choice for 12 months (AEPD guidance)
  setConsentCookie(userChoice, 365);
}

// Persist the choice in a first-party cookie; lifetimeDays becomes Max-Age in seconds.
function setConsentCookie(userChoice, lifetimeDays) {
  document.cookie = `cookie_consent=${encodeURIComponent(userChoice)}; Max-Age=${lifetimeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}
```
Step 4: Handle consent refresh
GDPR requires “fresh” consent periodically. AEPD guidance suggests:
Prompt for new consent every 12-24 months
Re-prompt immediately if cookie policy changes materially
Store consent timestamp and check on each visit
The consent banner should be displayed during user visits, especially on the initial visit, and reappear as needed to maintain compliance and inform visitors as they navigate the website.
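Storing a timestamp and a policy version with the choice is what makes the refresh rules above checkable on every visit. The following is an added example, not the article's code and not any consent platform's API: a consent record, its cookie-safe encoding and decoding (with rejection of malformed values), and the check that decides whether to re-prompt. The record layout, the reason codes and the 365-day default are assumptions made for this example; the article's guidance gives a 12-24 month range, so the maximum age is a parameter.

```javascript
// Added example, not code from the article: a consent record with timestamp
// and policy version, plus the re-prompt decision. Record layout, reason
// strings and the 365-day default are assumptions made for this example.

const DAY_MS = 24 * 60 * 60 * 1000;

function makeConsentRecord(choice, categories, policyVersion, now = Date.now()) {
  return { choice, categories, policyVersion, timestamp: now };
}

// Cookie-safe serialization: percent-encoding keeps ';' and ',' out of the value.
function encodeConsent(record) {
  return encodeURIComponent(JSON.stringify(record));
}

// Returns null for anything that is not a well-formed record, so a corrupted or
// hand-edited cookie simply leads to a fresh prompt instead of a crash.
function decodeConsent(value) {
  if (!value) return null;
  try {
    const record = JSON.parse(decodeURIComponent(value));
    if (
      typeof record !== 'object' || record === null ||
      typeof record.choice !== 'string' ||
      typeof record.policyVersion !== 'string' ||
      typeof record.timestamp !== 'number'
    ) {
      return null;
    }
    return record;
  } catch (err) {
    return null;
  }
}

// Re-prompt when there is no valid record, the policy changed materially,
// the record is older than maxAgeDays, or its timestamp lies in the future.
function needsReprompt(record, currentPolicyVersion, now = Date.now(), maxAgeDays = 365) {
  if (!record) return { reprompt: true, reason: 'no_consent_record' };
  if (record.policyVersion !== currentPolicyVersion) return { reprompt: true, reason: 'policy_changed' };
  if (record.timestamp > now) return { reprompt: true, reason: 'future_timestamp' };
  if (now - record.timestamp > maxAgeDays * DAY_MS) return { reprompt: true, reason: 'expired' };
  return { reprompt: false, reason: 'valid' };
}

// Browser glue: build the Set-Cookie string; only touches document when one exists.
function writeConsentCookie(record, maxAgeDays = 365) {
  const cookie = `cookie_consent=${encodeConsent(record)}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
  if (typeof document !== 'undefined') document.cookie = cookie;
  return cookie;
}
```

On each page load, read the cookie, run it through decodeConsent and then needsReprompt with the current policy version; a “policy_changed” result is the material-change case, “expired” is the periodic refresh, and both simply show the first-layer banner again.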
Measuring success without measuring manipulation
Traditional cookie consent metrics—“acceptance rate”—optimize for the wrong outcome. A 95% acceptance rate achieved through deceptive patterns is a compliance failure, not a success.
Better metrics:
Informed decision rate: % of users who either accepted, rejected, or customized (vs. ignoring/closing banner)
Customization rate: % of users who clicked “Manage Cookie Preferences” and made granular choices
Re-prompt engagement: When consent expires, do users make the same choice or reconsider?
Support ticket reduction: Fewer “how do I disable tracking” questions signals better UX
Regulatory risk: Zero enforcement actions, zero formal notices
Collecting user feedback is also crucial for understanding how users interact with your cookie consent UX and identifying areas for improvement.
Most importantly: Page engagement metrics for users who rejected vs. accepted cookies. If reject users have dramatically lower engagement, your analytics dependencies may be too aggressive. If engagement is comparable, you’ve found the right balance.
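The metrics in this section can be computed from a plain consent event log rather than from a vendor dashboard's acceptance rate. The following is an added example, not from the article: it derives the informed decision rate, the customization rate and the reject-versus-accept engagement comparison from a constructed log of one event per visitor. The event shape and the 0.5 engagement-ratio threshold used as a warning sign are assumptions made for this example.

```javascript
// Added example, not code from the article: decision-quality metrics computed
// from a constructed consent event log. Event shape and the 0.5 engagement
// floor are assumptions made for this example.

const sampleEvents = [
  { visitor: 'v1', action: 'accept_all', pagesViewed: 6 },
  { visitor: 'v2', action: 'reject_all', pagesViewed: 5 },
  { visitor: 'v3', action: 'customize',  pagesViewed: 4 },
  { visitor: 'v4', action: 'ignored',    pagesViewed: 2 }, // closed or ignored the banner
  { visitor: 'v5', action: 'reject_all', pagesViewed: 7 },
  { visitor: 'v6', action: 'accept_all', pagesViewed: 4 },
];

// Only explicit choices count as informed decisions; closing/ignoring does not.
const DECISIONS = new Set(['accept_all', 'reject_all', 'customize']);

function meanPages(events) {
  if (events.length === 0) return null;
  return events.reduce((sum, e) => sum + e.pagesViewed, 0) / events.length;
}

function consentMetrics(events, engagementFloor = 0.5) {
  if (events.length === 0) throw new Error('no events');
  const decided = events.filter((e) => DECISIONS.has(e.action));
  const customized = events.filter((e) => e.action === 'customize');
  const acceptEngagement = meanPages(events.filter((e) => e.action === 'accept_all'));
  const rejectEngagement = meanPages(events.filter((e) => e.action === 'reject_all'));
  // Ratio below 1 means reject users see fewer pages than accept users.
  const engagementRatio =
    acceptEngagement && rejectEngagement !== null ? rejectEngagement / acceptEngagement : null;
  return {
    informedDecisionRate: decided.length / events.length,
    customizationRate: customized.length / events.length,
    engagementRatio,
    // Reject users engaging far less than accept users suggests the site
    // degrades too much without optional cookies (the warning sign above).
    analyticsTooAggressive: engagementRatio !== null && engagementRatio < engagementFloor,
  };
}
```

On the constructed log, five of six visitors made an explicit choice, one customized, and reject users viewed slightly more pages than accept users, so no dependency on optional cookies is indicated. Feeding this real first-party events (which the AEPD-exempt analytics can supply without consent) gives the comparison the article asks for without optimizing for acceptance.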
Conclusion
The privacy-regulation landscape of 2025 creates an opportunity disguised as a constraint. By combining:
AEPD’s audience measurement exemption (essential analytics without consent)
Symmetrical consent UX (accept = reject in visual weight and steps)
Plain language (no dark patterns, no manipulation)
…companies can maintain the analytics they need to run their business while reducing legal exposure and building trust with users.
The CNIL’s December 2024 enforcement and EDPB’s February 2023 guidelines make clear that deceptive consent UX will trigger formal notices and potential fines. Nielsen Norman Group’s research shows these same patterns alienate privacy-conscious users and train others to reflexively click “Accept” without reading.
The path forward isn’t choosing between compliance and usability—it’s recognizing they’re aligned. Users don’t hate cookie banners because they provide choice; they hate cookie banners that use deceptive design to eliminate choice while pretending to offer it.
Design consent UX that respects the user’s decision, configure analytics to meet exemption criteria for essential measurements, and require explicit consent only for genuinely optional purposes. This approach satisfies regulators, respects users, and maintains business-critical visibility into site performance.
The era of dark-pattern consent is over. The question for 2025 isn’t “how do we trick users into accepting?” It’s “how do we build trust by making privacy choices genuinely easy?” Companies that answer the latter question correctly will find compliance and engagement aren’t opposing forces—they’re complementary outcomes of ethical UX design. Ethical consent UX benefits website visitors by making privacy choices clear and accessible, empowering them to manage their preferences confidently.