The Honest Internet · Episode 1 · see the banner itself

The dark patterns in the Honest Cookie Banner, annotated

The banner is a joke, but nothing in it is invented. Every trick it plays on you is a real deceptive-design pattern, used daily by real consent banners on real websites. This page names each one. This is the sincere part of the site: everything below is literally true.

Why does rejecting cookies take 5 clicks?

Because that is the exact asymmetry European regulators have fined companies for. In early 2022, France's data-protection regulator, the CNIL, fined Google €150 million and Facebook €60 million for making cookie rejection significantly harder than acceptance — on Google's sites, accepting took one click while refusing took about five. The banner reproduces that ratio deliberately: one click to accept, five to reject, and the footnote tells you so while it's happening.

The patterns, one by one

Obstruction / visual interferenceThe buried reject button

The Accept button is large, colored, and raised. The reject control is a small gray underlined text fragment that doesn't look like a button at all. Making the unwanted choice prominent and the protective choice nearly invisible is the most common consent dark pattern in the wild.

PreselectionThe pre-ticked toggles

All three data-sharing "purposes" arrive switched on, and the switches don't respond to clicks. Under the GDPR, consent must be a clear affirmative act — the Court of Justice of the EU ruled in Planet49 (2019) that pre-ticked boxes cannot constitute valid consent. Banners still ship them.

Consent bypass"Legitimate Interest"

The third toggle isn't a parody term — "legitimate interest" is a real legal basis in the GDPR that many ad-tech vendors invoke to process data without asking for consent at all. In consent pop-ups it typically hides behind a second tab that most people never open. The banner's only edit is saying that part out loud.

Nagging / confirmshaming"Are you sure?"

Asking you to re-confirm a rejection — while offering a fresh Accept button at every step — wears people down. Each extra step loses a percentage of rejectors. That's not a side effect; it's the mechanism.

MisdirectionThe exit survey with a pre-selected answer

The fake survey's third option, "I accept all cookies," arrives pre-selected — a rejection flow engineered so that inattentive clicking converts into consent.

Forced waitingThe spinner

"Processing your objection…" runs on a timer. There is nothing to process; the delay exists to make rejecting feel expensive. The banner admits this on screen — "This delay serves no technical purpose. It usually works." — which is the only difference between it and the real thing.

Trick wordingThe double-negative checkbox

"I do not wish to opt out of not rejecting non-essential cookies" — pre-checked and uncheckable. Nested negations in consent language make it genuinely hard to know what you're agreeing to, which is the point of writing them that way.

How the receipt works

The numbers at the bottom of the episode aren't a promise — they're measured in your browser as you read. document.cookie is counted for cookies, and the Performance API's resource entries are counted for loaded trackers. The page loads no fonts, no analytics, and no third-party resources of any kind, so both numbers read zero. Even the favicon is a data: URI, because otherwise the browser's automatic /favicon.ico request would make the resource count read 1. The site can't lie about tracking without catching itself in the act.

Is any of this illegal?

The patterns above sit on a spectrum from "unlawful and already fined" (reject buttons that are materially harder than accept; pre-ticked consent boxes) to "legal but corrosive" (confirmshaming, trick wording). Enforcement is uneven across the EU and largely absent elsewhere. The banner isn't legal advice — it's a demonstration of what the fines were for, one click at a time.

Part of The Honest Internet — websites that tell the truth about what websites do. No real consent-management vendor is named or imitated; ConsentTheater™ is fictional. Made by @mikael_janek.