Dark Patterns in Cookie Consent Banners: What DPDPA Compliance Really Requires in 2026
A cookie banner with a one-click 'Accept All' and a hidden 'Reject' option is not compliance — it is a dark pattern. Here is how to spot dark patterns in your cookie banner, why they fail DPDPA's consent test, and how to fix them before regulators do.
DataDefend Editorial Team
Privacy & Compliance Experts
June 15, 2026

Your Cookie Banner Might Be Breaking the Law
Most businesses treat their cookie banner as a formality — a small pop-up that appears once and gets out of the way. But under India's Digital Personal Data Protection Act (DPDPA), the cookie banner is often the very first interaction a user has with your consent process, and increasingly it is the first thing regulators look at when assessing whether your consent practices are genuine.
Around the world, regulators are converging on the same conclusion: a cookie banner that nudges, pressures, or confuses users into accepting tracking is not consent at all. These manipulative designs are known as 'dark patterns', and in 2026 they are no longer a grey area — they are an active enforcement priority for India's Data Protection Board, the EU's data protection authorities, and the California Privacy Protection Agency alike.
This guide explains what dark patterns look like in cookie banners, why they fall foul of DPDPA's consent standard specifically, and how to redesign your banner so it is both compliant and genuinely user-friendly.
What Counts as a Dark Pattern in a Cookie Banner?

A dark pattern is any design choice that steers a user toward an outcome they would not pick if the options were presented fairly. In a cookie banner, that almost always means making 'Accept All' effortless while making 'Reject' or 'Manage Preferences' slow, confusing, or hard to find.
- A large, brightly coloured 'Accept All' button next to a faint, grey 'Reject' link — or no reject option at all on the first screen
- Non-essential cookie categories (analytics, marketing, personalisation) switched ON by default, leaving the user to opt out of each one individually
- 'Manage Preferences' buried behind a second or third click, while 'Accept All' is a single tap
- Confusing double-negative language such as 'I do not wish to opt out' instead of a plain 'Reject'
- Cookie walls that block access to the site entirely unless the user accepts all cookies — even when the content itself does not need tracking
- Banners that reappear on every page until the user accepts, wearing down their resistance over time
None of this is hypothetical. It is the default configuration of many cookie consent tools still running on Indian websites today — often inherited from templates built for an earlier, less scrutinised era of cookie compliance.
Why Dark Patterns Fail the DPDPA Consent Test
The DPDPA does not use the term 'dark pattern' anywhere in its text — but it does not need to. The Act defines valid consent as free, specific, informed, unconditional, and unambiguous, and every dark pattern listed above fails at least one of these tests.
- FREE: A cookie wall that blocks site access until the user accepts everything removes the user's real choice — consent given under that pressure is not free
- INFORMED: Vague labels like 'Improve your experience' for marketing cookies do not tell the user what is actually being collected or why
- UNCONDITIONAL: Bundling analytics and advertising cookies into one 'Accept All' toggle, with no way to consent to one without the other, attaches a condition to consent
- UNAMBIGUOUS: Pre-ticked boxes and double-negative language do not amount to a 'clear affirmative action' — a pre-selected default is explicitly not valid consent
"A banner that makes 'Accept All' one click and 'Reject' three clicks is not offering a choice — under DPDPA, it fails the test for consent before the user even decides."
This matters because the Data Protection Board's first question during any inquiry is unlikely to be about your backend data flows — it will be about what the user actually saw and clicked on your website. A non-compliant cookie banner is the most visible, most easily evidenced compliance failure a regulator can point to.
The same pattern is playing out globally. The EU's data protection authorities have already taken enforcement action against major platforms specifically over cookie banner design, and California's privacy regulator treats an asymmetric accept/reject experience as a dark pattern violation in its own right. India's DPDP Rules are being shaped with this global scrutiny in mind — businesses that fix this now will not be scrambling later.
Dark Patterns We Still See on Indian Websites
In practice, most Indian businesses are not deliberately trying to deceive users — they are running default configurations from cookie tools that were never built with DPDPA in mind. The most common issues we encounter during audits are:
- No 'Reject All' button on the first layer of the banner — only 'Accept All' and 'Settings'
- Cookie categories pre-toggled to 'on', leaving the user to find and disable each one individually
- Banners that do not record or store any proof of what the user actually chose — so even a compliant-looking banner produces no audit trail
- Banners available only in English, excluding the majority of Indian users who would prefer a regional language — which also undermines the 'informed' requirement
- No accessible way to withdraw consent later; the banner only ever appears once, on the first visit
Each of these is fixable without a full redesign — but each one, left as-is, is a documented gap that a Data Protection Board inquiry would flag immediately.
How to Audit Your Cookie Banner for Dark Patterns
Before rebuilding anything, run a 15-minute audit of your current banner. Open your website in an incognito window, walk through it as a first-time visitor, and ask:
- Is there a 'Reject All' or 'Reject Non-Essential' option on the very first screen, with the same visual weight as 'Accept All'?
- Are any non-essential cookie categories switched on by default?
- How many clicks does it take to reject everything, versus accept everything? They should be equal.
- Is the language plain and specific, or does it use vague terms like 'personalisation' without explaining what data is collected?
- Does the banner block access to the page entirely if the user does not accept?
- Is there a timestamped record of what each user chose, or does the banner simply disappear after one click?
- Can a user change their mind later, and is that option as easy to find as the original banner?
If more than one or two of these checks turn up a problem, your cookie banner is very likely operating as a dark pattern, regardless of intent. For the full picture beyond cookies, see our DPDPA compliance checklist.
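The first three audit questions can be automated over a saved copy of the banner markup. This is an added example, not code from the original article or from DataDefend. The `data-layer`, `data-action` and `data-category` attributes and the sample banner are assumptions made for illustration; visual weight and wording still need a human look.

```python
from html.parser import HTMLParser
# Constructed sample banner, not taken from any real site. The data-layer,
# data-action and data-category attributes are an assumed markup convention.
SAMPLE_BANNER = """
<div data-layer="1">
  <button data-action="accept-all">Accept All</button>
  <button data-action="settings">Settings</button>
</div>
<div data-layer="2">
  <input type="checkbox" data-category="essential" checked disabled>
  <input type="checkbox" data-category="analytics" checked>
  <input type="checkbox" data-category="marketing">
  <button data-action="reject-all">Reject All</button>
</div>
"""

class BannerAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.layers = []      # layer number of each currently open <div>
        self.clicks = {}      # action -> fewest clicks needed to reach it
        self.pre_ticked = []  # non-essential categories on by default

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        layer = self.layers[-1] if self.layers else 0
        if tag == "div":
            self.layers.append(int(a.get("data-layer", layer)))
        elif tag == "button" and "data-action" in a:
            act = a["data-action"]
            self.clicks[act] = min(layer, self.clicks.get(act, layer))
        elif tag == "input" and a.get("type") == "checkbox" and "checked" in a:
            if a.get("data-category") != "essential":
                self.pre_ticked.append(a.get("data-category", "uncategorised"))
    def handle_endtag(self, tag):
        if tag == "div" and self.layers:
            self.layers.pop()

def audit_banner(html):
    """Return a list of dark-pattern findings for one banner's markup."""
    p = BannerAudit()
    p.feed(html)
    accept, reject = p.clicks.get("accept-all"), p.clicks.get("reject-all")
    findings = []
    if reject is None:
        findings.append("no reject option anywhere in the banner")
    elif accept is not None and reject > accept:
        findings.append(f"reject takes {reject} clicks, accept takes {accept}")
    findings += [f"'{c}' is switched on by default" for c in p.pre_ticked]
    return findings
```

Calling `audit_banner(SAMPLE_BANNER)` reports the click asymmetry and the pre-ticked analytics toggle; a banner with both buttons on layer 1 and no pre-ticked non-essential categories returns an empty list.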
Dark Patterns Are a Moving Target — Review Regularly
Fixing your banner once is not the end of the work. Regulatory guidance on what counts as a dark pattern keeps evolving, and so do the cookie tools, ad scripts, and third-party trackers your website pulls in — any of which can quietly re-introduce a non-compliant category or script without anyone noticing.
- Re-run the audit above at least every six months, or whenever you change your cookie consent tool, ad stack, or analytics setup
- Check that newly added third-party scripts are mapped to the correct cookie category and do not fire before consent is given
- Review accept and reject rates after any banner redesign — a sudden jump in 'Accept All' often signals that symmetry has been lost again
- Keep a record of each version of your banner and notice text, so you can show what users saw at any point in time
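The script-mapping check from the list above, as an added example that is not part of the original article: it replays a request log from one page visit against the consent event and flags trackers that fired early, without consent, or with no category at all. The host names, the log and the consent record are constructed for illustration.

```python
# Hypothetical mapping of script hosts to banner categories.
CATEGORY_MAP = {
    "cdn.example-shop.test": "essential",
    "analytics.example.test": "analytics",
    "ads.example.test": "marketing",
}

# Constructed request log from one page visit: (ms since navigation, host).
REQUESTS = [
    (120, "cdn.example-shop.test"),
    (340, "ads.example.test"),        # fires before the user has chosen
    (900, "newwidget.example.test"),  # recently added, never categorised
    (4200, "analytics.example.test"),
    (4300, "ads.example.test"),       # user did not grant marketing
]

# Constructed consent event: analytics only, given 4000 ms after navigation.
# at_ms is None when the visitor never interacted with the banner.
CONSENT = {"at_ms": 4000, "granted": {"analytics"}}

def find_violations(requests, consent, category_map):
    """Return (time, host, reason) for every request that breaks the rules."""
    at = consent.get("at_ms")
    violations = []
    for t, host in requests:
        category = category_map.get(host)
        if category is None:
            # Unmapped hosts cannot be gated by the banner at all.
            violations.append((t, host, "unmapped script"))
        elif category == "essential":
            continue
        elif at is None or t < at:
            violations.append((t, host, f"{category} fired before consent"))
        elif category not in consent["granted"]:
            violations.append((t, host, f"{category} fired without consent"))
    return violations
```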
Dark patterns are rarely the result of one bad decision — they accumulate gradually, as banners get tweaked for conversion without anyone checking the compliance impact. Building this audit into a recurring six-monthly review is the easiest way to keep your cookie banner both user-respecting and DPDPA-compliant.
DataDefend's cookie consent platform is pre-configured to avoid these patterns by default — symmetric accept/reject, granular categories off by default, 22-language support, and a free tier of 10,000 cookie consents per month with zero storage charges and no annual licence fee. If your current banner fails the audit above, switching is usually a copy-paste integration away.
