Cookie banner dark patterns in Ireland: what the DPC expects in 2026

European data protection authorities no longer treat cookie banner design as a matter of taste. The CNIL fined Google EUR 325 million and Shein EUR 150 million on 3 September 2025 for cookie banner violations. The Belgian DPA fined Mediahuis EUR 25,000 per day per site. In Ireland, the DPC conducted a cookie sweep of 38 controllers in 2020 and found 35 non-compliant. This article maps twelve dark patterns, ranked by supervisory authority consensus, and links them to what the EDPB classifies as prohibited, discouraged or best practice.

For general GDPR website requirements for Irish businesses, see GDPR compliance for Irish businesses.

The EDPB taxonomy: six categories

The European Data Protection Board published Guidelines 03/2022 (version 2.0, 14 February 2023) with a taxonomy of six dark pattern categories. The Cookie Banner Taskforce (report 18 January 2023) applied these specifically to cookie banners.

Overloading means overwhelming the user with information, requests or options to cause decision fatigue. In cookie banners this translates to endless lists of individual cookies that require per-item consent, while "accept all" takes one click.

Skipping means designing the interface so the user bypasses the choice. A banner that automatically disappears after a few seconds and records that as consent falls under this category.

Stirring appeals to emotions or uses visual nudging. The classic green "accept" button next to a small grey "reject" link is the most recognised example.

Hindering makes the privacy-friendly choice harder than the default. Three clicks to reject, one click to accept.

Fickle means inconsistent design: the explanation about cookies says one thing, the actual processing does something else.

Left in the dark withholds information or presents it in a confusing manner. Labelling marketing cookies as "functional" falls under this category.

The twelve patterns, ranked by consensus

Trackers before consent is the most heavily sanctioned pattern. The CNIL fined Yahoo EUR 10 million in 2023 and Google EUR 325 million in 2025 because trackers were already active before the visitor had made a choice.

Pre-ticked checkboxes have been unambiguously prohibited since the Planet49 ruling (CJEU C-673/17). Consent requires an active act. Pre-ticked boxes are not consent.

No reject-all on the first layer is a majority position, not unanimous. The EDPB Cookie Banner Taskforce explicitly notes this as a point of disagreement among authorities. The DPC's 2020 guidance note aligns with the majority view.

Asymmetric button design is unanimously problematic. There is no fixed WCAG threshold in the EDPB text, but colour difference, element type (link vs. button), font size and position are repeatedly used as evidence.

Legitimate interest for advertising and tracking cookies is unanimously prohibited. The Taskforce states in paragraph 3.6 that legitimate interest is not a valid legal basis for placing non-functional cookies.

Ireland: DPC enforcement in 2026

The DPC published its guidance note on cookies and other tracking technologies in April 2020. That same year, the DPC conducted a cookie sweep of 38 controllers across public and private sector websites. Of those 38, 35 were found non-compliant. The sweep examined whether consent mechanisms met the standard set by the ePrivacy Directive as transposed into Irish law through SI 336/2011.

The consent-refresh norm

The DPC's position aligns with the broader European consensus that consent should be refreshed periodically. In practice, a six-month refresh cycle has become the norm among authorities. Banners that re-request consent more frequently than every six months risk falling under the "overloading" category.

An honest note on DPC SME enforcement

The DPC's enforcement record on cookie banners for small and medium enterprises is limited. Most significant DPC actions have been through the one-stop-shop mechanism against large technology companies headquartered in Ireland: Meta, Google, TikTok, Apple. For Irish SMEs, the practical risk of a DPC investigation over a cookie banner is lower than in France or Belgium. That does not make non-compliance safe. It means the enforcement timeline is less predictable. The IAB Europe ruling (Belgian DPA, upheld by CJEU in C-604/22) has implications for any site using the TCF framework, regardless of where the DPA sits.

What the scanner actually tests

The TrustYourWebsite scanner has a feature that directly addresses the most heavily sanctioned pattern: after clicking "reject all", the scanner re-checks network traffic for persistent trackers. Specifically, we detect whether Google Analytics, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag or Criteo continue sending data after a reject action. This matches the core finding in the CNIL Yahoo case (EUR 10 million).

The scanner also detects asymmetric button design (CSS contrast ratio, element type a vs. button, font-weight), the presence of a reject button on the first layer, pre-ticked checkboxes, cookie walls, missing withdrawal mechanisms and the use of legitimate interest for advertising cookies.

All findings are technical signals, not legal verdicts. The scanner can establish that a tracker is active after rejection. The scanner cannot assess whether the legal basis claimed for that tracker is valid.

Prohibited, discouraged or best practice

Prohibited (explicit DPA/court rulings): pre-ticked checkboxes, trackers before consent, persistent trackers after rejection, legitimate interest for marketing cookies, consent by continued browsing, missing withdrawal mechanism.

Majority consensus, not unanimous: reject-all on the first layer. The Taskforce notes this specifically as a point of divergence. Epistemic honesty requires mentioning this.

Case by case: button colour, size and contrast. No fixed WCAG threshold exists in the EDPB text. The parameters are nevertheless repeatedly used as evidence.

Best practice: persistent withdrawal icon (small icon in bottom-left or bottom-right corner always visible), six-month consent refresh, layered transparency.

The direction is clear

Cookie banner enforcement across Europe has crossed a threshold. In Ireland, the 2020 sweep showed 92% non-compliance. The DPC's focus on Big Tech through the one-stop-shop mechanism means Irish SMEs have had less direct pressure, but the legal obligations are identical. The EDPB taxonomy applies to every site serving Irish visitors. The IAB Europe ruling affects every site using TCF. The Google EUR 325 million fine is the price of ignoring the rules at scale. For smaller sites, the cost is reputational before it becomes financial.

---

This article is technical analysis, not legal advice. Consult a solicitor for advice on your specific situation.