Skip to main navigation menu Skip to main content Skip to site footer


Vol. 3 No. 1 (2021)

Dark and Bright Patterns in Cookie Consent Requests

August 12, 2020


Dark patterns are (evil) design nudges that steer people’s behaviour through persuasive interface design. Increasingly found in cookie consent requests, they possibly undermine principles of EU privacy law. In two preregistered online experiments we investigated the effects of three common design nudges (default, aesthetic manipulation, obstruction) on users’ consent decisions and their perception of control over their personal data in these situations. In the first experiment (N = 228) we explored the effects of design nudges towards the privacy-unfriendly option (dark patterns). The experiment revealed that most participants agreed to all consent requests regardless of dark design nudges. Unexpectedly, despite generally low levels of perceived control, obstructing the privacy-friendly option led to more rather than less perceived control. In the second experiment (N = 255) we reversed the direction of the design nudges towards the privacy-friendly option, which we title “bright patterns”. This time the obstruction and default nudges swayed people effectively towards the privacy-friendly option, while the result regarding perceived control stayed the same compared to Experiment 1. Overall, our findings suggest that many current implementations of cookie consent requests do not enable meaningful choices by internet users, and are thus not in line with the intention of the EU policymakers. We also explore how policymakers could address the problem.


  1. Acquisti, A., Sleeper, M., Wang, Y., Wilson, S., Adjerid, I., Balebako, R., … Schaub, F. (2017). Nudges for privacy and security. ACM Computing Surveys, 50(3), 1–41.
  2. Albar, F. M., & Jetter, A. J. (2009). Heuristics in decision making. In PICMET ’09 - 2009 Portland International Conference on Management of Engineering & Technology (pp. 578–584). IEEE.
  3. An, N. Z. (2019). Multi-step modals for Bootstrap. Retrieved from
  4. Archer, M. S. (2013). Rational choice theory. Routledge.
  5. Auguie, B. (2017). GridExtra: Miscellaneous functions for "grid" graphics. Retrieved from
  6. Aust, F., & Barth, M. (2020). papaja: Create APA manuscripts with R Markdown. Retrieved from
  7. Awad, N. F., & Krishnan, M. S. (2006). The personalization privacy paradox: An empirical evaluation of information transparency and the willingness to be profiled online for personalization. MIS Quarterly, 1328.
  8. Barr, D. J., Levy, R., Scheepers, C., & Tily, H. J. (2013). Random effects structure for confirmatory hypothesis testing: Keep it maximal. Journal of Memory and Language, 68(3), 255–278.
  9. BEUC. (2020). The long and winding road. Two years of the GDPR: A cross-border data protection enforcement case from a consumer perspective. Retrieved from
  10. Böhme, R., & Köpsell, S. (2010). Trained to accept?: A field experiment on consent dialogs. In Proceedings of the 28th international conference on Human factors in computing systems - CHI ’10 (p. 2403). Atlanta, Georgia, USA: ACM Press.
  11. Bösch, C., Erb, B., Kargl, F., Kopp, H., & Pfattheicher, S. (2016). Tales from the dark side: Privacy dark strategies and privacy dark patterns. Proceedings on Privacy Enhancing Technologies, 2016(4), 237–254.
  12. Brignull, H. (n.d.). Dark patterns. Retrieved from
  13. Brooke, B. (2011). Browser back button detection. Retrieved from
  14. Browne, W. J., & Draper, D. (2006). A comparison of Bayesian and likelihood-based methods for fitting multilevel models. Bayesian Analysis, 1(3), 473–514.
  15. Bryan, M. L., & Jenkins, S. P. (2016). Multilevel modelling of country effects: A cautionary tale. European Sociological Review, 32(1), 3–22.
  16. Bürkner, P.-C. (2017). brms: An R package for Bayesian multilevel models using Stan. Journal of Statistical Software, 80(1), 1–28.
  17. Bürkner, P.-C. (2018). Advanced Bayesian multilevel modeling with the R package brms. The R Journal, 10(1), 395–411.
  18. Carpenter, B., Gelman, A., Hoffman, M., Lee, D., Goodrich, B., Betancourt, M., … Riddell, A. (2017). Stan: A probabilistic programming language. Journal of Statistical Software, Articles, 76(1), 1–32.
  19. Choi, H., Park, J., & Jung, Y. (2018). The role of privacy fatigue in online privacy behavior. Computers in Human Behavior, 81, 42–51.
  20. Colorbib. (2019). 28 best free news website templates 2019. Colorlib. Retrieved from
  21. Dijksterhuis, A., Bos, M. W., Nordgren, L. F., & van Baaren, R. B. (2006). On making the right choice: The deliberation-without-attention effect. Science, 311(5763), 1005–1007.
  22. Eddelbuettel, D., & Balamuta, J. J. (2017). Extending extitR with extitC++: A Brief Introduction to extitRcpp. PeerJ Preprints, 5, e3188v1.
  23. Eddelbuettel, D., & François, R. (2011). Rcpp: Seamless R and C++ integration. Journal of Statistical Software, 40(8), 1–18.
  24. ePrivacy Directive. (2009). Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (directive on privacy and electronic communications), last amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 (OJ L 337 11). Retrieved from
  25. European Commission. (2017). Proposal for a regulation of the European Parliament and of the Council, concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (No. COM/2017/010 final - 2017/03 (COD)). Retrieved from
  26. European Data Protection Board. (2020). Guidelines 4/2019 on Article 25 data protection by design and by default version 2.0, adopted on 20 October 2020. Retrieved from
  27. European Parliament. (2017). Draft European Parliament Legislative Resolution on the proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (No. COM(2017)0010 C8-0009/2017 2017/0003(COD)). Retrieved from
  28. Fansher, M., Chivukula, S. S., & Gray, C. M. (2018). #Darkpatterns. In R. Mandryk, M. Hancock, M. Perry, & A. Cox (Eds.), Extended Abstracts of the 2018 CHI Conference on Human Factors in Computing Systems - CHI ’18 (pp. 1–6). New York, New York, USA: ACM Press.
  29. Ferrari, S., & Cribari-Neto, F. (2004). Beta regression for modelling rates and proportions. Journal of Applied Statistics, 31(7), 799–815.
  30. Forbrukerrådet. (2018). Deceived by design: How tech companies use dark patterns to discourage us from exercising our rights to privacy. Retrieved from
  31. GDPR. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official Journal L, 119, 1–88. Retrieved from
  32. Gray, C. M., Kou, Y., Battles, B., Hoggatt, J., & Toombs, A. L. (2018). The dark (patterns) side of UX design. In R. Mandryk, M. Hancock, M. Perry, & A. Cox (Eds.), Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems - CHI ’18 (pp. 1–14). New York, New York, USA: ACM Press.
  33. Grosjean, P., & Ibanez, F. (2018). Pastecs: Package for analysis of space-time ecological series. Retrieved from
  34. Gürses, S. (2014). Attitudes towards “Spiny CACTOS”. Retrieved from
  35. Hertwig, R. (2017). When to consider boosting: Some rules for policy-makers. Behavioural Public Policy, 1(02), 143–161.
  36. Hertwig, R., & Grüne-Yanoff, T. (2017). Nudging and boosting: Steering or empowering good decisions. Perspectives on Psychological Science : A Journal of the Association for Psychological Science, 12(6), 973–986.
  37. Kahneman, D. (2011). Thinking, fast and slow (1st ed). New York: Farrar, Straus and Giroux.
  38. Kay, M. (2020). tidybayes: Tidy data and geoms for Bayesian models.
  39. Kowarik, A., & Templ, M. (2016). Imputation with the R package VIM. Journal of Statistical Software, 74(7), 1–16.
  40. Lai, Y.-L., & Hui, K.-L. (2006). Internet opt-in and opt-out: Investigating the roles of frames, defaults and privacy concerns. In Proceedings of the 2006 ACM SIGMIS CPR conference on computer personnel research Forty four years of computer personnel research: Achievements, challenges & the future - SIGMIS CPR ’06 (p. 253). Claremont, California, USA: ACM Press.
  41. Laufer, R. S., & Wolfe, M. (1977). Privacy as a concept and a social issue: A multidimensional developmental theory. Journal of Social Issues, 33(3), 22–42.
  42. Legislative Train Schedule. (2020). Proposal for a regulation on privacy and electronic communications. Retrieved from
  43. Lord, D., Mönnich, A., Ronacher, A., & Unterwaditzer, M. (2010). Flask (a Python microframework). Retrieved from
  44. Luguri, J., & Strahilevitz, L. (2019). Shining a light on dark patterns. SSRN Electronic Journal.
  45. Machuletz, D., & Böhme, R. (2019). Multiple purposes, multiple problems: A user study of consent dialogs after GDPR. arXiv:1908.10048 [Cs]. Retrieved from
  46. MacKenzie, I. S. (1992). Fitts’ Law as a research and design tool in Human-Computer Interaction. HumanComputer Interaction, 7(1), 91–139.
  47. Malhotra, N. K., Kim, S. S., & Agarwal, J. (2004). Internet users’ information privacy concerns (IUIPC): The construct, the scale, and a causal model. Information Systems Research, 15(4), 336–355.
  48. Morey, R. D., Hoekstra, R., Rouder, J. N., Lee, M. D., & Wagenmakers, E.-J. (2016). The fallacy of placing confidence in confidence intervals. Psychonomic Bulletin & Review, 23(1), 103–123.
  49. Mullen, L. A., Benoit, K., Keyes, O., Selivanov, D., & Arnold, J. (2018). Fast, consistent tokenization of natural language text. Journal of Open Source Software, 3(23), 655.
  50. Müller, K. (2017). Here: A simpler way to find your files. Retrieved from
  51. Nouwens, M., Liccardi, I., Veale, M., Karger, D., & Kagal, L. (2020). Dark patterns after the GDPR: Scraping consent pop-ups and demonstrating their influence. arXiv:2001.02479 [Cs].
  52. R Core Team. (2020). R: A language and environment for statistical computing. Vienna, Austria: R Foundation for Statistical Computing. Retrieved from
  53. Revelle, W. (2019). Psych: Procedures for psychological, psychometric, and personality research. Evanston, Illinois: Northwestern University. Retrieved from
  54. Schubert, C. (2015). On the ethics of public nudging: Autonomy and agency. SSRN Electronic Journal.
  55. Simon, H. A. (1957). Models of man, social and rational: Mathematical essays on rational human behavior in a social setting. New York, NY, USA: Wiley.
  56. Smith, H. J., Dinev, T., & Xu, H. (2011). Information privacy research: An interdisciplinary review. MIS Quarterly, 35(4), 989–1015.
  57. Stauffer, R., Mayr, G. J., Dabernig, M., & Zeileis, A. (2009). Somewhere over the rainbow: How to make effective use of colors in meteorological visualizations. Bulletin of the American Meteorological Society, 96(2), 203–216.
  58. Sunstein, C. R. (2016a). People prefer system 2 nudges (kind of). SSRN Electronic Journal.
  59. Sunstein, C. R. (2016b). The ethics of influence: Government in the age of behavioral science. Cambridge University Press.
  60. Terpstra, A., Schouten, A. P., Rooij, A. de, & Leenes, R. E. (2019). Improving privacy choice through design: How designing for reflection could support privacy self-management. First Monday, 24(7).
  61. Thaler, R. H. (2018). Nudge, not sludge. Science, 361(6401), 431–431.
  62. Thaler, R. H., & Sunstein, C. R. (2009). Nudge: Improving decisions about health, wealth, and happiness (Rev. and expanded ed). New York: Penguin Books.
  63. Utz, C., Degeling, M., Fahl, S., Schaub, F., & Holz, T. (2019). (Un)Informed consent: Studying GDPR consent notices in the field. In ACM SIGSAC Conference on Computer and CommunicationsSecurity (CCS ’19) (p. 18). London, United Kingdom. Retrieved from
  64. Wakefield, A., & Fleming, J. (2009). The Sage dictionary of policing. Los Angeles; London: SAGE. Retrieved from
  65. Wickham, H. (2011). The split-apply-combine strategy for data analysis. Journal of Statistical Software, 40(1), 1–29. Retrieved from
  66. Wickham, H. (2016). Ggplot2: Elegant graphics for data analysis. Springer-Verlag New York. Retrieved from
  67. Wickham, H. (2019). Stringr: Simple, consistent wrappers for common string operations. Retrieved from
  68. Wickham, H., François, R., Henry, L., & Müller, K. (2020). Dplyr: A grammar of data manipulation. Retrieved from
  69. Wickham, H., & Henry, L. (2020). Tidyr: Tidy messy data. Retrieved from
  70. Willis, L. E. (2014). Why not privacy by default. Berkeley Technology Law Journal, 29, 61. Retrieved from
  71. Xie, Y. (2015). Dynamic documents with R and knitr (2nd ed.). Boca Raton, Florida: Chapman; Hall/CRC. Retrieved from
  72. Xie, Y., Allaire, J. J., & Grolemund, G. (2018). R markdown: The definitive guide. Boca Raton, Florida: Chapman; Hall/CRC. Retrieved from
  73. Xu, H. (2007). The effects of self-construal and perceived control on privacy concerns. ICIS 2007 Proceedings, 1–14.
  74. Zeileis, A., Hornik, K., & Murrell, P. (2009). Escaping RGBland: Selecting colors for statistical graphics. Computational Statistics & Data Analysis, 53(9), 3259–3270.
  75. Zhu, H. (2019). KableExtra: Construct complex table with ’kable’ and pipe syntax. Retrieved from
  76. Zuiderveen Borgesius, F. (2015). Behavioural sciences and the regulation of privacy on the internet. OxfordHart. Retrieved from
  77. Zuiderveen Borgesius, F. (2015a). Improving privacy protection in the area of behavioural targeting. Kluwer Law International. Retrieved from
  78. Zuiderveen Borgesius, F., Hoboken, J. van, Fahy, R., Irion, K., Rozendaal, M., (2017). An assessment of the Commission’s proposal on privacy and electronic communications: Study. European Parliament, Committee on Civil Liberties Retrieved from
  79. Zuiderveen Borgesius, F., Kruikemeier, S., Boerman, S. C., & Helberger, N. (2017a). Tracking walls, take-it-or-leave-it choices, the GDPR, and the ePrivacy Regulation. European Data Protection Law Review, 3.