Dark UX Patterns: Cookie Banners

What is a dark UX pattern?

A dark user experience (UX) pattern is a pattern in the design of a software interface, which nudges people into taking actions they do not want to take. That action could be buying a product or accepting legal terms in favor of the company offering them.

Basically, dark UX patterns are the digital continuation of using psychological tricks to improve sales.

Due to the European GDPR (General Data Protection Regulation) many websites are forced into displaying a cookie banner, so that users can decide whether they consent into accepting cookies or not. The motivation of the GDPR is to protect users from being tracked and thus improve the users' privacy.

This has resulted in software providers offering solutions, which can be integrated into websites, to show users a cookie banner to accept or reject cookies. As such solutions have become a business in itself, most providers built unnecessary complex solutions which try to nudge users into accepting cookies.

An example of such a dark UX implementation is made by TrustArc, which offers their solution for companies to use:

Dark UX implementation by TrustArc to nudge users into accepting cookies

Which dark UX patterns are used?

Some of the tricks below are used by TrustArc to make rejecting cookies difficult and time intensive, whereas accepting cookies is easy and fast:

  • Make the Accept cookies button visually prominent. This usually means a prominent background color and a larger font. The button is positioned such that it lies within the usual eye flow of users.

  • Move the Reject cookies functionality behind multiple links (preferably with a smaller font size), dialogs and other interface elements to make it as hard as possible to reject cookies. Often a reject all button is missing, but every cookie has to be disabled with a click. If the next cookie needs to be selected first before being able to disable it, the process becomes even more cumbersome for the user.

  • Design the user interface so that it is hard to navigate and understand.

  • Make rejecting cookies a process which takes a lot of time. Storing a user’s preference to reject cookies takes a small request to the server. Some providers such as TrustArc manage to make this a process which could potentially take a couple of minutes to complete. Further nudging the user to accept all cookies.

From a user experience viewpoint, the problem is easy: users do not care about cookies. Interacting with the cookie banner is not a user’s goal. They either want to get information or buy a product or service. From a user perspective, cookie banners are thus to be avoided as they distract from the user’s primary goal.

Let us entertain the assumption, that we do want the user to interact with the cookie banner. Thinking from a user’s perspective, the user wants to:

  • spend as little time as possible with the cookie banner, as it is not a primary goal

  • clearly see their options in the banner (accept all cookies or reject all cookies)

  • understand which cookies are set and for which purpose. This should be done in no more than 1-2 sentences per cookie. Ideally, all cookies are presented in a table with the explanation.

Even in this case, any interaction with a cookie banner disturbs the customer journey, distracts the user from her primary goal and costs energy and willpower, which is later missing for other decisions.

Users visit a website with a certain expectation and often with built up emotions. They are excited about a product, curious about a company and their services, or annoyed because they need product support. It is not a good idea to break that flow and distract the user on their journey. Except you want to make it difficult for a user to contact customer support.

The same is true for other dark UX patterns such as sudden popups for newsletter subscriptions.

According to analysis done by Amazee Metrics only 11% of users click on Accept all cookies. Which means that 89% of the users do not explicitly accept and either reject cookies completely or just want the banner to go away. More interestingly, 76% completely ignore the cookie banner, living with it being there. Potentially, the banner covers important content on the website (e.g. a call-to-action button). This is especially harmful on mobile devices, where cookie banners take up relatively more space on the screen than on a desktop device.

This means that for 89% of the users the user experience of the website has degraded. The trust in your brand is now lower and their will and energy to buy a product or interact with your website is lower. As a company you should thus ask yourself: is it more profitable to annoy your users when they visit your website or do you focus on a superb user experience and make them enjoy their visit to your website? If you are interested what users think about your website, you can still do user tests or questionnaires.

How to improve your customers experience

A couple of pragmatic tips to improve your customers experience:

  • Your customers are excited when they visit your website. Harness that excitement to sell your product or your services!

  • Remove cookie banners and other distractions from your website. Focus on the user’s primary goal. Simplify!

  • Avoid third-party JavaScript which increases the load time of your website and degrades its performance, such as Google Analytics, Google Recaptcha, Facebook Pixel and other social media plugins.

  • Use no-cookie analytics as e.g.

Digital Marketing has become an industry feeding itself. There are many courses, experts and consultants profiting from buzzwords such as Search Engine Optimization (SEO) and Consent Management Platform (CMP). Think about the problem you face and ask yourself whether you need such complex solutions or if a simpler solution suffices.

We often have a bias to solve problems by adding something, as this gives us the feeling of accomplishment. However, many problems are solved by actually removing something.

Can I take something away to solve the problem?

Applied to the topic at hand, that means: try to remove the cookie banner completely, instead of adding more software to solve privacy-invading third-party plugins for your website.

What is a cookie?

A cookie is a small amount of data stored in the user’s browser, which is sent back to the server by the browser on every request to the server.

The web in its nature is stateless. That is, every request made from a browser to a server is independent of other requests. This works fine for most informational websites. However, a lot of web applications require a state, most commonly if they offer a login.

If you login to a web application, your username and password is sent to the server in a request. Any other request you would like to send afterwards is independent of your login request. So you would need to send your username and password with every request to prove that you are a rightful user. You do not want to enter your username and password on every click in the web application.

To circumvent that, cookies can be used. When the server receives a login request and your credentials are valid, the server stores a Session ID and sends that back to the browser. By sending it back, the browser is instructed to set that Session ID as a cookie. With every request, that cookie (i.e. the Session ID) is sent back to the server by the browser, which then knows that the request is authenticated by the previous login.

Of course, that cookie must be kept secret. Because if somebody else knows the Session ID within the cookie, they can impersonate the original user.