You click on a headline and a banner takes over the screen. There is a big colored button that says ACCEPT. Somewhere else, smaller, in a paler color, there is a REJECT. Or there isn’t, because REJECT lives behind a link that says “Manage preferences”, which opens a list of three hundred ad partners with checkboxes you have to flip off one at a time.
That is a dark pattern. It is the design of a cookie banner that pushes you toward accepting tracking by making rejection slow, confusing, or invisible. The point of this post is to describe how it works, what the European regulators are saying, and what a banner looks like when the site actually wants to give you a choice.
The most common pattern
Open ten European newspaper sites and you will see the same banner shape almost every time.
The accept button is large, colored, in the center of the box. The reject option is a thin gray link, sometimes labeled “Continue without accepting” or “Manage preferences”. The visual hierarchy tells your eye where to click before you have read anything. That is intentional.
Sometimes there is no reject button on the first screen. You have to click “Manage preferences”, scroll past a wall of text, find a tab called “Legitimate interest” with every category pre-checked, uncheck them one by one, then scroll to the bottom and click “Save”. Three or four clicks to say no, one click to say yes.
This is what the European Data Protection Board (EDPB) calls asymmetric consent. The Spanish data protection authority (AEPD) has been clear in guidance: rejecting must be as easy as accepting, a principle we break down in our AEPD cookie banner best practices guide. One button next to the other, same size, same prominence. Most major newspapers are not doing this.
Pay or OK
A newer pattern is “Pay or OK”. The banner gives you two choices: accept tracking cookies for free, or pay a monthly subscription (often around 5 EUR) for an ad-free, tracking-free version.
The publisher’s argument is that personalized advertising pays for journalism, and people who do not want ads can pay for the alternative. On paper that sounds fair. In practice, regulators are pushing back. The EDPB issued an opinion in 2024 saying that for large online platforms, a binary “pay or OK” with only those two options is generally not valid consent under the GDPR. Consent has to be freely given, and a forced choice between paying money and giving up your data does not meet that bar.
Some national authorities, including the AEPD, have started ruling on specific cases. The direction of travel is that “pay or OK” has to include a real third option: a free version with non-personalized ads, for example. A binary “pay or be tracked” wall is on increasingly thin ground.
What the TCF actually is
You will see TCF mentioned in banners. TCF stands for the Transparency and Consent Framework. It is a technical standard built by IAB Europe, the trade body for the digital advertising industry.
What it does, in plain words, is this. When you click a button on a banner, your choice has to travel to hundreds of advertising networks that might load on the page. The TCF defines a string of text (the Consent String) that encodes your choices in a standard format, so every ad partner reads it the same way. Without a common format, every ad network would need its own integration. The TCF is the shared language.
Being a standard does not make every implementation legal. In 2022, the Belgian Data Protection Authority ruled that the version of the TCF in use at the time violated the GDPR, and IAB Europe has been adjusting the framework since. The standard exists. Whether a particular banner using it complies with the law depends on how it is configured: button equality, granular choices, default states, the use of “legitimate interest” as a basis for tracking, and other decisions.
The “legitimate interest” thing
If you click into a TCF banner’s preference panel, you usually see two tabs: Consent and Legitimate Interest. The Consent tab respects your choice. The Legitimate Interest tab often has every category pre-toggled on, even after you reject everything in the Consent tab.
The publisher’s reasoning is that some processing, like measuring audience size, can rely on legitimate interest as a legal basis under the GDPR rather than consent. The problem is when behavioral profiling and ad personalization sneak in under that label. Measuring audience is one thing. Building a profile of you across hundreds of sites for targeted advertising is not what legitimate interest was designed for, and regulators are saying so.
If you reject everything under Consent and the page still loads tracking scripts because Legitimate Interest is on by default, your rejection has not done what you thought it did. That is the part that shows up in regulatory rulings.
What a clean banner looks like
If you run a content site and want a banner that will not get you in trouble, the shape is simple.
- ACCEPT and REJECT buttons of equal size, equal color weight, side by side, on the first screen.
- No pre-checked categories anywhere. Every box starts off.
- Granular options (analytics, personalization, advertising, etc.) on the same screen as the main accept and reject, not buried two clicks deep.
- Plain language. “We use cookies to measure traffic and serve ads” beats two paragraphs of legalese.
- A reject that actually rejects, including under any “legitimate interest” tab.
This is not a high bar. It is what the GDPR has asked for from the start. The reason most newspapers do not do it is that, given a fair choice, most users reject. The whole dark pattern industry exists because the unfair choice produces better numbers.
If you run a content site, just don’t be one of these
The temptation, if you have ad revenue, is to look at what the big newspapers do and copy it. There are two reasons not to.
The first is legal. The smaller you are, the less the regulator wants to fight you, but fines do happen, and they are usually larger than what the dark pattern earned you. The AEPD has published guidance. The text is short and reads well. Following it is cheaper than not following it.
The second is product. A newspaper has a captive reader: the article they want is only there. A blog, a SaaS landing page, a documentation site does not. If a visitor hits an aggressive banner and bounces, they are gone. We have seen B2B sites that tried to copy newspaper banners take noticeable hits in bounce rate, including in audits we have run with SEO Expert. The cost in conversion outweighs any extra tracking benefit.
A clean banner, or no banner at all (if you use cookieless analytics), is a better business decision for most sites that are not in the ad-tech business.
The cookieless route
If your only reason for showing a banner is loading Google Analytics, there is a simpler answer: switch to analytics that do not use cookies. Tools like Plausible and Fathom, or server-side log analysis, give you page views, referrers, and traffic patterns without setting any identifier in the user’s browser. Under most readings of the GDPR, they do not require a banner.
You lose some features (cross-device user tracking, very detailed funnels) and gain others (ad-blockers do not hide your data, the page loads faster, no banner). For a content site or a SaaS marketing page, the trade is usually worth it.
Where this is going
There are two things converging. European regulators are tightening the rules on dark patterns and on “pay or OK” with concrete rulings, not just guidance. Browsers are starting to support Global Privacy Control, a header that says “do not track me”, and sites are increasingly required to respect it automatically.
The combination means that in a few years, a newspaper that loads tracking against a user who clicked reject, or that runs a heavily asymmetric banner, will be in clear violation of both law and a signal the browser sent on every request. The “everyone does it” defense will age badly.
For everyone else, the practical advice has not changed in five years: ask honestly, take the answer, do not pre-check anything, and consider whether you need any of this in the first place.