March 25, 2022 / , ,

Dark patterns and cookie banners: How design influences our consent behavior

Cookie banners, also called “Consent Management Platforms” (CMPs), have taken a place of growing importance in our online experience and are crucial for website operators when collecting consent for the processing of personal data and tracking services. However, although in theory these banners give users an autonomous choice, users are often nudged towards consenting to cookies. In this context, dark patterns take on particular importance (see Soe et al.; Nouwens et al.). Such design practices appear particularly problematic as they tend to influence the users’ decision-making process and their ultimate consent-choice (Utz et al.; Graßl et al.).

An article by Inken Kramme, Anton Kamke and Philip Hausner
With special thanks to Jule Martenson for helping to evaluate the results.

Finding dark patterns within cookie banners

Building on the results of previous studies, our incentive was to further elaborate on the extent and types of dark patterns within cookie banners. Therefore, our colleague Philip Hausner conducted an empirical study at Heidelberg University, specifically tailored to finding them. (See here for a description of the technical method applied). The study was intentionally limited to the cookie banners’ first layer, which means we particularly focused on the button design.

Overall, our analysis evaluated the 4695 most visited German websites in 2018, which were taken from the list „Alexa Top 1 million Websites 2018“. The study took place between July 22nd and 23rd 2021 and it used a method to automatically identify individual button types using features extracted from the source code. The study consisted of three steps: (1) the identification of a cookie banner (or the lack thereof), (2) the extraction of buttons on the banner, i.e. web elements the user can interact with, and (3) the extraction of style information from the banner and its buttons.

At first, the relevant CMPs were identified by using a key word search for text elements within the buttons (some German key words were e.g. “cookie”, “tracking-technologien”, “dsgvo”)[*]. This made it possible to find low-level elements that are potentially part of a cookie banner.  Second, this information was used to detect larger segments of content that could be part of a complete cookie banner.  Finally, we extracted the buttons from the CMPs to later categorize them according to their color and functionality.

The algorithm found cookie banners on 2957 of the 4532 scraped websites. The fact that not all websites use (detectable) CMPs may be due to a variety of reasons. They are often missing on smaller websites either because a) the website does not set any cookies or b) the website operator ignores legal obligations when collecting consent and setting cookies. Additionally, the algorithm did not catch CMPs in every instance for technical reasons, as the keyword list used may have not been exhaustive.

The majority of detected dark patterns were so-called ‘interface interference’ and ‘obstruction patterns’ (see Martini et al. p.52 for a categorization of dark patterns). Interface interference patterns, also referred to as “aesthetic manipulation”, give visual preference to one button over the other. Obstruction patterns hinder the user to find and engage with privacy friendly options in the first place.

In our study, interface interference was tested based on the size and color of the cookie banner, so “equivalent design” in our context means same size and same color. For this purpose, it was sufficient that the colors could both be allocated to the same color group. Looking at the different button groupings, we observed that on most websites the buttons indeed varied in size and color. Regarding the combination “Accept All”[†] and “Reject All”, only 21 out of 330 cookie banners using this composition were designed equally. This gap was even greater between “Accept All” and “Settings”. Out of 1091 cookie banners using this composition, only 11 had an equivalent button design, while 1080 did not. Similar results also apply to the grouping “Accept All” and “Partial Accept” (chart 1).

(chart 1)

In particular, the consent-accepting and the consent-denying options were not equally visible. Most of the times, the “Accept all” button was highlighted in green or blue, while the “reject all” button was mostly white (chart 2). Furthermore, white “reject buttons” often matched the banners’ background color (chart 3). Conversely, the consent-accepting option was typically kept in a contrasting color. The same applies to black backgrounds (see chart 4). In conclusion, the user is psychologically tempted to click on the “Accept all”-button as it seems to be the more dominant and convenient option. Given that these options are usually the more privacy-unfriendly ones, it seems sensible – at least from the website operators’ perspective – to regularly give them visual preference.

(chart 2)

(chart 3)

(chart 4)

We also found manipulative designs that fall under the category of “obstruction” which means that accessing certain options is made more difficult (see above). An example is the button “More options” instead of “Reject”, where the option to decline cookies is covered under one or several layers. Accordingly, it takes the user more time and patience to decline cookies rather than to accept them. This phenomenon, also called “click fatigue”, prevents many users from safeguarding their interests with regards to cookies.

In our study, 2656 of all scraped cookie banners included an “Accept all”- button, whereas only 349 websites implemented a “Reject all”-button. In fact, users often had to click other buttons such as “Settings” (1139), “Privacy Policy” (1722) or “More information” (1080), which did not allow them to reject cookies right away (chart 5). This conclusion is further confirmed by our results regarding the button combinations: We found a disproportionally high use of only “Accept all” (955) or “Accept all & Settings” (837) buttons (chart 6). Consequently, the rejection of cookies is only possible on the second or third layer, while it takes only one click to accept them all (Whether a “reject” option was provided at all at a deeper layer was not part of our scrape).

(chart 5)

(Chart 6)

Contextualizing our results

Previous research has suggested that design patterns do affect consent. Our analysis empirically supports these findings. They add yet another piece of empirical evidence that giving consent is in practice easier for users than refusing consent: through better visibility and less click effort.

With regard to interface interference patterns, users are drawn to choose the more visible and larger button, which usually is the privacy-unfriendly option. Considering that the users’ consent decision is usually made within seconds, such small deviations in design could ultimately be crucial.

Similar thoughts apply to obstruction dark patterns, which hinder the user in clicking one of the possible buttons. In almost all instances, it would have taken more time and patience to reject cookies by clicking through multiple layers rather than just accepting them. Therefore, it may be questioned whether accepting cookies in such cases is a fully deliberate decision, or rather merely taken to avoid further inconvenience.

Dark patterns increasingly catch the legislators’, but also the courts’ attention. The European Court of Justice has already found that pre-checked boxes (another dark pattern) do not lead to valid consent under EU law. Legislative approaches for regulating dark patterns include the California Privacy Rights Act in the United States, but also the current draft of the Digital Services Act within the EU, which could complement the already existing GDPR and ePrivacy-Directive. For these, but also for future legislative initiatives, the legislative bodies are encouraged to consider empirical findings on the prevalence of specific types of dark patterns; especially in the context of cookie banners.

[*] Tracking-technologien = tracking technologies, DSGVO = GDPR (General Data Protection Regulation)

[†] As the experiment was conducted on German websites, the text elements within the buttons were translated.

Published under licence CC BY-NC-ND. 

Authors

  • Inken Kramme

    Inken Kramme studied law at the University Passau. She is currently a research associate at the German Institute for Public Administration in Speyer. She is also a PhD candidate with a special interest in the protection of minors in the digital environment.

    View all posts

  • Anton Kamke

    Anton Kamke is a student assistant at the German Research Institute for Public Administration Speyer. He is currently studying law at the Humboldt University Berlin. He is particularly interested in European and international law and law in the context of digitization.

    View all posts

  • Philip Hausner

    Philip Hausner is a computer scientist with a Master's degree from Heidelberg University and a background in Machine Learning and Natural Language Processing. During his time as a Research Assistant at the Database Systems Research Group at Heidelberg University, he investigated methods to automatically detect so-called Dark Patterns, especially in the context of cookie banners. Currently he is working as a software engineer at Quality Match, improving the quality of data sets for modern machine learning pipelines.

    View all posts

CategoriesBlog-Beiträge

Inken Kramme Written by:, ,

Inken Kramme studied law at the University Passau. She is currently a research associate at the German Institute for Public Administration in Speyer. She is also a PhD candidate with a special interest in the protection of minors in the digital environment.