
Digital Services Act in action: Dark patterns & nudging? The recipe for a good cookie needs to change

Are you familiar with Dark Patterns? It sounds like something out of an exciting movie. "What shall I do to disarm this Klingon, Captain Kirk?" - "You need to decipher his dark pattern, Commander Spock!" Unfortunately, it’s not as thrilling as it sounds. You might be using them yourself, knowingly or unknowingly. However, the Digital Services Act, just like the GDPR, is clear: dark patterns must go.


The term Dark Patterns, sometimes referred to as Deceptive Design Patterns, refers to misleading techniques used to obtain opt-ins in a cookie banner. Translate cookies to tracking tools, and it immediately sounds less innocent. Our Data Protection Authority is clear: it involves storing information or gaining access to information already stored in the end user’s equipment [1]. Nothing innocent about that. Sometimes you also hear the term nudging [2], where you are subtly encouraged to exhibit the desired behavior.

The Digital Services Act, a recent piece of European legislation, puts an end to these misleading techniques. On the European Commission’s website [3], you’ll find:

“The Digital Services Act (DSA) contains an obligation that equates to a ban on using so-called dark patterns on online platforms. Under this obligation, online platforms will have to design their services in a way that does not deceive, manipulate, or otherwise materially distort or impair the ability of users to make free and informed decisions.”

This applies to every website that uses cookies, not just the online giants like Meta (Instagram, Facebook) or Alphabet (Google). So your website must also comply with the new rules. That’s exactly what the Digital Services Act aims for: safe and reliable online environments. This European act has been in effect since February 17, 2024.


Let’s explore five techniques that many websites still eagerly use. Beware: Dark Patterns ahead!

What are these dark patterns, these subtle but deliberate attempts to extract opt-ins from you?

1. Where can you refuse?

A common technique is to hide the refuse button. According to best practices, the 'accept' and 'refuse' buttons should be neatly placed next to each other. This means on the first screen of the cookie banner, not a layer deeper. However, you often see: on the first screen, you find an 'accept' and a 'customize' button. Only when you click 'customize' do you get to a page where you can also refuse. As a surfer, you must make an extra effort if you don’t want cookies, and that’s not correct [4]. Refusing cookies should be just as easy as accepting them.

2. What is already checked?

Recently, I came across this on the site of an interior company: all options were pre-checked. You only discovered this when you clicked 'Set preferences'. That’s also not okay. The cookie banner should show nothing pre-checked by default. Only the necessary (required) cookies should be checked, as you really need those for your visit to the site to run smoothly. All other categories should not be checked, and as a visitor, you should make a conscious and informed choice. Pre-checking for the visitor, and thus already making a choice, is not done.

3. What colors do you see?

This approach is more discreet but no less effective. The option to refuse is embedded as a clickable word somewhere in a text. Or you see a large, colorful, inviting button to accept everything. The refuse option, on the other hand, is a miserable little button in gray tones that stands sadly in the shadow of its big brother. Your attention naturally goes to the inviting button. Searching for a refuse button requires extra determination. Although the extra effort required is limited, it’s still not correct. A resounding 'No thank you, I don’t want extra cookies' should be easy and as attractive as the alternative.

4. Where are the analytical cookies?

Ah, here they are: the much-discussed analytical cookies. There’s no doubt about it: these cookies are optional. They belong in a separate category and should be set to opt-out by default. Sneaky marketers sometimes hide them in the category of necessary cookies. That’s a sly way of working. Shame. Triple shame. Also good to know: you should be able to click on each category to read exactly which cookies are involved. Otherwise, you still don’t know what you’re accepting, right?

5. How easy is it to review your choice?

You clicked 'accept all'. The large button was so beautiful, you didn’t immediately see an alternative, all categories were already checked: in short, you were more than a little nudged into agreeing. And so you did. But then you realize you don’t actually want to be tracked. By clicking 'cookie' or 'cookie policy' in the footer of the page, the cookie banner should reopen with the preferences you entered. Now you can easily correct your preferences. You don’t see this often yet, although it’s already well arranged on some major e-commerce sites.

How many of the five techniques have crept into your banner? Often, there’s no ill intent involved; you don’t review your cookie banner twice a year, do you? But that doesn’t diminish the rights of the people involved. Tracking is possible with explicit consent based on correct categories and accurate information. This way, you show respect for your visitors.

Digitalization comes with responsibilities. You must be worthy of your stakeholders’ trust. This trust - we call it Digital Trust - is a cornerstone of our vision. Compliance is an indispensable ingredient of it. Up for a coffee and a chat about GDPR, cookies, privacy, data, compliance, and digital trust? I’m looking forward to it.

By Yves Braeckman

As Head of Compliance I work on finding a balance between performing online interactions and respect for privacy in the broadest sense. The goal is to gain stakeholders’ confidence while creating durable digital solutions. Already today - but even more so in the years to come - compliance forms a cornerstone for any online activity.