Consent UX Patterns
Good and bad consent UI patterns — and what regulators look for.
Good Consent UX Patterns
Clear, equal-weight choices
Accept and Reject buttons should be visually equivalent — same size, similar prominence. A large green "Accept All" button alongside a small grey "More options" link does not represent a free choice.
Category-level controls
Allow users to accept/reject by purpose category:
- Strictly Necessary (cannot be disabled)
- Analytics
- Marketing
- Ad personalisation
Regulators increasingly expect this, and it avoids forcing users into an "all or nothing" choice.
Concise, plain-language explanations
Each category should explain in plain language what it does and who receives the data. Avoid legal boilerplate — use one sentence that a non-technical user can understand.
Accessible preference centre
The preference centre should be:
- Accessible from every page (typically in the footer or via a persistent cookie icon)
- Re-openable without clearing cookies
- Usable with keyboard navigation
Consent without paywalling
Users should be able to access your free content (if applicable) without accepting non-essential cookies. Paywalling access behind cookie acceptance is increasingly challenged in the EU.
Bad Consent UX Patterns
Hidden or hard-to-find reject option
Placing "Reject" in a small font inside a "Manage preferences" link while "Accept All" is a large prominent button is a well-documented dark pattern. ICO and CNIL have issued guidance and enforcement actions on this.
Pre-ticked marketing categories
Any marketing, advertising, or retargeting category must default to OFF. Users must actively opt in to advertising tracking.
"By continuing you agree" banners
Implying consent through continued use of a website does not meet the standard of freely given, unambiguous consent. This pattern should not be used for non-essential cookies.
Consent buried in T&Cs
Cookie consent embedded as a checkbox within terms of service acceptance does not meet GDPR's requirement for granular, specific consent.
No withdrawal mechanism
If a user cannot withdraw their consent as easily as they gave it, the consent mechanism is non-compliant.
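The good and bad patterns above can be checked mechanically before a banner ships. The following is an added example, not part of the original guidance or of any consent-management product: a small linter over a hypothetical banner configuration object. Field names such as firstLayer, consentTriggers, bundledWithTerms, blocksContentUntilAccept and preferenceCentre are assumptions made for illustration.

```javascript
// Added example; the config shape below is hypothetical, not a real CMP schema.
const ESSENTIAL = "strictly_necessary";
function lintConsentConfig(cfg) {
  const findings = [];
  const actions = cfg.firstLayer?.actions ?? [];
  const accept = actions.find((a) => a.id === "accept_all");
  const reject = actions.find((a) => a.id === "reject_all");
  // Reject must sit on the first layer with the same visual weight as accept.
  if (!reject) findings.push("reject-not-on-first-layer");
  else if (accept && (accept.style !== reject.style || accept.size !== reject.size))
    findings.push("unequal-button-weight");
  for (const c of cfg.categories ?? []) {
    // Only strictly necessary may default to ON; everything else is opt-in.
    if (c.id !== ESSENTIAL && c.defaultOn) findings.push(`pre-ticked:${c.id}`);
    // Each category needs a plain-language purpose and named recipients.
    if (!c.description || !(c.recipients ?? []).length) findings.push(`unexplained:${c.id}`);
  }
  // Scrolling, navigating or waiting must never be recorded as consent.
  for (const t of cfg.consentTriggers ?? [])
    if (t !== "explicit_click") findings.push(`implied-consent:${t}`);
  if (cfg.bundledWithTerms) findings.push("bundled-with-terms");
  if (cfg.blocksContentUntilAccept) findings.push("cookie-wall");
  // Withdrawal must be as easy as granting: preference centre on every page.
  if (!cfg.preferenceCentre?.onEveryPage) findings.push("no-withdrawal-entry-point");
  return findings;
}
// Constructed sample configs for illustration.
const badBanner = {
  firstLayer: { actions: [{ id: "accept_all", style: "primary", size: "large" }] },
  categories: [
    { id: ESSENTIAL, defaultOn: true, description: "Keeps you signed in.", recipients: ["us"] },
    { id: "marketing", defaultOn: true, description: "", recipients: [] },
  ],
  consentTriggers: ["explicit_click", "scroll"],
  bundledWithTerms: true,
  preferenceCentre: { onEveryPage: false },
};
const goodBanner = {
  firstLayer: { actions: [
    { id: "accept_all", style: "primary", size: "large" },
    { id: "reject_all", style: "primary", size: "large" }] },
  categories: [
    { id: ESSENTIAL, defaultOn: true, description: "Keeps you signed in.", recipients: ["us"] },
    { id: "marketing", defaultOn: false, description: "Shows ads on other sites.", recipients: ["ad partners"] },
  ],
  consentTriggers: ["explicit_click"],
  preferenceCentre: { onEveryPage: true },
};
console.log(lintConsentConfig(badBanner), lintConsentConfig(goodBanner));
```

A check like this covers only what the configuration declares; the rendered banner still needs a visual and keyboard-navigation review.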
Regulator Guidance References
- ICO (UK): Guidance on cookies and similar technologies
- EDPB (EU): Guidelines 05/2020 on consent under GDPR
- CNIL (France): Published dark patterns guidance with specific UI examples of non-compliant banners
This page provides general design guidance only. It does not constitute legal advice. Validate your consent implementation with qualified legal counsel.