GDPR·8 min read

8 cookie dark patterns CNIL fines in 2026 (and how to detect them)

CNIL imposed €486.8M in fines in 2025 plus €42M in January 2026 (Free Mobile + Free SAS) for cookie dark patterns. Here are the 8 specific patterns penalised, with detection criteria and concrete fix examples.

ℹ️ Article available in English. A complete Romanian version will be published soon.

The CNIL (Commission Nationale de l'Informatique et des Libertés), France's data protection authority, has fined close to €530 million for cookie banner dark patterns between January 2025 and January 2026. Most recent: Free Mobile €27M and Free SAS €15M (January 2026) for hidden Reject buttons and Accept/Reject buttons of unequal prominence.

If your EU-facing site sets analytics or marketing cookies, you need to know exactly what CNIL is looking for. Here are the 8 patterns being actively enforced, in order of fine frequency.

1. Pre-consent tracker firing (€150M Shein, Sept 2025)

The most expensive pattern. Detection: any non-essential cookie set BEFORE the user clicks Accept. Open DevTools → Application → Cookies before any banner interaction. If you see _ga, _fbp, _gid or similar tracker cookies, you have a problem. Essential session cookies (PHPSESSID, JSESSIONID, CSRF tokens) are allowed under the strictly-necessary exemption. Check the Network tab and Local Storage too: ePrivacy Directive Art. 5(3) covers any storage of or access to information on the user's device, so a tracker that writes localStorage or sends a hit before consent is the same problem without the cookie.

2. "Reject All" missing on first layer (€27M Free Mobile, Jan 2026)

CNIL's hardest line: a Reject control must be on the FIRST layer of the banner, as visible and as easy to use as Accept (one click each). A Reject reachable only through a "Manage preferences" link is a violation.

3. Button parity mismatch (€15M Free SAS, Jan 2026)

Accept (big, coloured, prominent) vs Reject (small, grey, low-contrast) is a dark pattern. CNIL expects visual equivalence: same width, height, background colour and font weight, and label text that is equally legible. AuditOPE's runtime detector compares both buttons' computed CSS properties and emits a parity score 0–100 (threshold 70).
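One way to turn "visual equivalence" into a number, as an added example that is not AuditOPE's detector: the scorer below works on the computed-style strings a browser returns from getComputedStyle() (or that a Playwright page.evaluate() ships back). The property set, the equal weighting of the six checks and the 70 threshold are this example's assumptions, and the two style snapshots are constructed, not captured from a real site.

```javascript
// Button-parity scorer (added example, not AuditOPE's code). Inputs are objects
// holding computed-style values as the browser normalises them:
// "200px", "700", "rgb(0, 102, 204)".

const px = (v) => parseFloat(v);                          // "200px" -> 200

// CSS font-weight keywords mapped to numbers; numeric strings pass through.
function weight(v) {
  const keywords = { normal: 400, bold: 700 };
  return keywords[String(v).toLowerCase()] ?? parseFloat(v);
}

// "rgb(r, g, b)" or "rgba(r, g, b, a)" -> [r, g, b]. Alpha is ignored (simplification).
function rgb(v) {
  const m = /rgba?\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported colour: ${v}`);
  return m.slice(1, 4).map(Number);
}

// WCAG 2.x relative luminance of an sRGB colour, 0 (black) .. 1 (white).
function luminance([r, g, b]) {
  const lin = (c8) => {
    const c = c8 / 255;
    return c <= 0.03928 ? c / 12.92 : ((c + 0.055) / 1.055) ** 2.4;
  };
  return 0.2126 * lin(r) + 0.7152 * lin(g) + 0.0722 * lin(b);
}

// WCAG contrast ratio of a text colour against its background (1 .. 21).
function contrast(fg, bg) {
  const [hi, lo] = [luminance(rgb(fg)), luminance(rgb(bg))].sort((a, b) => b - a);
  return (hi + 0.05) / (lo + 0.05);
}

// Similarity of two magnitudes: 1 when equal, smaller as they diverge.
const ratio = (a, b) => (a === b ? 1 : Math.min(a, b) / Math.max(a, b));

// Each check scores one axis of visual equivalence in [0, 1].
const CHECKS = {
  width:      (a, b) => ratio(px(a.width), px(b.width)),
  height:     (a, b) => ratio(px(a.height), px(b.height)),
  fontSize:   (a, b) => ratio(px(a.fontSize), px(b.fontSize)),
  fontWeight: (a, b) => ratio(weight(a.fontWeight), weight(b.fontWeight)),
  // A saturated Accept next to a pale Reject: large luminance gap, low score.
  background: (a, b) => 1 - Math.abs(luminance(rgb(a.backgroundColor)) - luminance(rgb(b.backgroundColor))),
  // A grey-on-grey Reject label: its text contrast is far below Accept's.
  contrast:   (a, b) => ratio(contrast(a.color, a.backgroundColor), contrast(b.color, b.backgroundColor)),
};

// Unweighted mean of the checks, scaled to 0..100.
function parityScore(accept, reject) {
  const perCheck = Object.fromEntries(Object.entries(CHECKS).map(([k, f]) => [k, f(accept, reject)]));
  const values = Object.values(perCheck);
  const score = Math.round((values.reduce((s, v) => s + v, 0) / values.length) * 100);
  return { score, perCheck };
}

// Finding as a scanner would report it: pass/fail at the threshold plus the axes that dragged it down.
function parityFinding(accept, reject, threshold = 70) {
  const { score, perCheck } = parityScore(accept, reject);
  const weakest = Object.entries(perCheck).filter(([, v]) => v < 0.7).map(([k]) => k);
  return { score, pass: score >= threshold, weakest };
}

// Constructed computed-style snapshots (not captured from a real site).
const ACCEPT = { width: '200px', height: '48px', fontSize: '16px', fontWeight: '700',
                 backgroundColor: 'rgb(0, 102, 204)', color: 'rgb(255, 255, 255)' };
const REJECT = { width: '120px', height: '32px', fontSize: '12px', fontWeight: '400',
                 backgroundColor: 'rgb(240, 240, 240)', color: 'rgb(160, 160, 160)' };

console.log(parityFinding(ACCEPT, REJECT));   // scores well under 70, pass: false
```

The contrast check is what catches the "grey text on grey button" Reject that passes a naive size comparison; the luminance check catches a pale Reject sitting next to a saturated Accept. In a real scan the same function runs over every Accept/Reject pair the first layer exposes.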

4. Pre-checked consent checkboxes

Banners whose category checkboxes (Analytics, Marketing) are already ticked are opt-out by default. GDPR Art. 4(11) and Recital 32 require a clear affirmative act, and the CJEU confirmed in Planet49 (C-673/17) that a pre-ticked box is not valid consent; every non-essential category must default to unchecked. Simple but frequently violated.

5. Cookie wall (no content visible without consent)

EDPB Guidelines 05/2020 on consent treat a cookie wall, where access to the site is made conditional on accepting trackers, as consent that is not freely given. The detection heuristic used here: the banner (or its backdrop) covers 60%+ of the viewport and the page cannot be scrolled behind it. That threshold is a scanner heuristic, not a legal line. Implement the banner as a non-blocking overlay that leaves the content visible and scrollable.
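The geometry behind that heuristic, as an added example rather than AuditOPE's code: it consumes a snapshot a Playwright page.evaluate() could return (the banner's and backdrop's getBoundingClientRect(), window.innerWidth/innerHeight, and the body's computed overflow). The 60% threshold is the one described above, the snapshot shape and the three sample layouts are constructed for the example.

```javascript
// Cookie-wall geometry check (added example, not AuditOPE's code).

// Area of the overlap between two {x, y, width, height} rectangles (0 when disjoint).
function intersectArea(a, b) {
  const w = Math.min(a.x + a.width, b.x + b.width) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.height, b.y + b.height) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

// Percentage of the viewport hidden by one element; off-screen parts do not count.
function coveragePct(rect, viewport) {
  const vp = { x: 0, y: 0, width: viewport.width, height: viewport.height };
  return (intersectArea(rect, vp) / (vp.width * vp.height)) * 100;
}

function cookieWallFinding(snapshot, threshold = 60) {
  // A modal's backdrop is what actually blocks the page, so measure both layers
  // (assumed snapshot fields bannerRect and optional backdropRect) and keep the larger.
  const layers = [snapshot.bannerRect, snapshot.backdropRect].filter(Boolean);
  const coverage = Math.max(...layers.map((r) => coveragePct(r, snapshot.viewport)));
  // Scroll-behind is impossible when the body is locked or a layer covers (almost) everything.
  const scrollBlocked = snapshot.bodyOverflow === 'hidden' || coverage >= 99;
  const wall = coverage >= threshold && scrollBlocked;
  return {
    coverage: Math.round(coverage * 10) / 10,
    scrollBlocked,
    severity: wall ? 'HIGH' : coverage >= threshold ? 'MEDIUM' : 'NONE',
    pattern: wall ? 'cookie-wall' : coverage >= threshold ? 'large-banner' : null,
  };
}

// Constructed snapshots (not real scan output).
const VIEWPORT = { width: 1280, height: 900 };
const MODAL = {            // centred dialog plus full-screen backdrop, page scroll locked
  bannerRect: { x: 400, y: 290, width: 480, height: 320 },
  backdropRect: { x: 0, y: 0, width: 1280, height: 900 },
  viewport: VIEWPORT, bodyOverflow: 'hidden',
};
const BOTTOM_BAR = {       // non-blocking bar, content scrolls behind it
  bannerRect: { x: 0, y: 780, width: 1280, height: 120 },
  viewport: VIEWPORT, bodyOverflow: 'visible',
};
const TALL_BANNER = {      // two thirds of the screen, but the page is not locked
  bannerRect: { x: 0, y: 300, width: 1280, height: 600 },
  viewport: VIEWPORT, bodyOverflow: 'visible',
};

console.log(cookieWallFinding(MODAL), cookieWallFinding(BOTTOM_BAR), cookieWallFinding(TALL_BANNER));
```

Measuring the backdrop matters: a small centred dialog reports ten percent coverage on its own while its full-screen overlay makes the content unreachable, which is the case the EDPB text is about.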

6. "Legitimate interest" abuse

Banner text citing "legitimate interest" as the legal basis for marketing or analytics cookies is wrong. Storing or reading non-essential cookies falls under ePrivacy Directive Art. 5(3), which allows only consent (plus the strictly-necessary exemption); legitimate interest is a GDPR Art. 6 basis for later processing and does not cover the read/write on the device itself (EDPB Opinion 5/2019 on the ePrivacy/GDPR interplay). Replace it with a proper consent UI.

7. Manage-only flow (extra friction)

The banner shows "Accept All" and "Manage Cookies", but Manage opens a long form with Reject buried at the bottom. Refusing takes several clicks while accepting takes one. CNIL counts this asymmetry as coercion: refusing must be as easy as accepting.
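Patterns 2 and 7 are both questions about which controls the first layer exposes, so one classifier serves both. The example below is added here and is not AuditOPE's code: it takes the banner's clickable controls as a Playwright page.evaluate() could collect them (visible text plus the layer the control lives on: 1 for the first banner layer, 2 for the panel behind "Manage"). The label regexes are this example's assumption, covering common English, French, German and Romanian wording; real CMPs vary and a production list needs maintaining.

```javascript
// First-layer control audit (added example, not AuditOPE's code).

// Order matters: "Continue without accepting" / "Continuer sans accepter" are Reject
// controls that contain the word "accept", so Reject is tested before Accept.
const LABEL_RULES = [
  ['reject', /reject|refuse|decline|deny|continue without|continuer sans|refuser|ablehnen|refuz|respinge/i],
  ['manage', /manage|customi[sz]e|settings|preferences|options|choices|param[ée]tr|personnali[sz]|g[ée]rer|einstellungen|anpassen|set[ăa]ri|personalizeaz/i],
  ['accept', /accept|agree|allow|consent|\bok\b|got it|akzeptier|zustimm|de acord/i],
];

function classify(label) {
  const text = String(label).trim().toLowerCase();
  for (const [kind, re] of LABEL_RULES) if (re.test(text)) return kind;
  return 'other';
}

function firstLayerFinding(controls) {
  const tagged = controls.map((c) => ({ ...c, kind: classify(c.text) }));
  const on = (kind, layer) =>
    tagged.filter((c) => c.kind === kind && (layer === undefined || c.layer === layer));
  const rejects = on('reject');
  // Clicks needed to refuse: 1 if Reject sits on the first layer, otherwise the depth
  // of the shallowest Reject control; Infinity when there is none on any layer.
  const clicksToReject = rejects.length ? Math.min(...rejects.map((c) => c.layer)) : Infinity;
  const findings = [];
  // Pattern 2: Accept is offered up front, Reject is not.
  if (on('accept', 1).length && !on('reject', 1).length) {
    findings.push({
      pattern: 'reject-missing-first-layer', severity: 'HIGH',
      detail: rejects.length ? `Reject only reachable on layer ${clicksToReject}` : 'No Reject control on any layer',
    });
  }
  // Pattern 7: Accept + Manage up front, refusing costs extra clicks through Manage.
  if (on('accept', 1).length && on('manage', 1).length && clicksToReject > 1) {
    findings.push({
      pattern: 'manage-only-flow', severity: 'HIGH',
      detail: `${clicksToReject} clicks to refuse vs 1 to accept`,
    });
  }
  return { clicksToReject, findings, labels: tagged.map((c) => `${c.text} -> ${c.kind}`) };
}

// Constructed control lists (not captured from a real banner).
const HIDDEN_REJECT = [          // Reject exists, but only behind Manage
  { text: 'Accept all', layer: 1 },
  { text: 'Manage preferences', layer: 1 },
  { text: 'Reject all', layer: 2 },
  { text: 'Save my choices', layer: 2 },
];
const FIRST_LAYER_REJECT = [     // Accept and Reject side by side on layer 1
  { text: 'Tout accepter', layer: 1 },
  { text: 'Continuer sans accepter', layer: 1 },
  { text: 'Paramétrer', layer: 1 },
];

console.log(firstLayerFinding(HIDDEN_REJECT).findings);   // two findings
console.log(firstLayerFinding(FIRST_LAYER_REJECT).findings); // none
```

Label classification is the fragile part: "Continue without accepting" must be read as a Reject, and the only way to keep the classifier honest is to log the label-to-kind mapping (the labels field) with every finding so a reviewer can spot a misread.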

8. No CMP detected + trackers present (silent non-compliance)

The simplest violation: trackers loaded and no banner shown at all. AuditOPE flags this immediately: any site with _ga or _fbp cookies and no OneTrust/Cookiebot/Didomi/other CMP signature is a HIGH severity finding.
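Patterns 1 and 8 are the same cookie-jar inspection with a different verdict depending on whether a CMP is present, so the added example below covers both. It is not AuditOPE's code: it classifies a document.cookie string captured before any banner interaction. The tracker and CMP cookie names are the vendors' documented defaults (Google Analytics, Google Ads, Meta Pixel, Hotjar, Microsoft Ads; OneTrust, Cookiebot, Didomi, IAB TCF, CookieYes, Axeptio); the essential list, the cmpScriptDetected flag and the three sample cookie strings are assumptions constructed for the example. A real scan would also look for CMP script and DOM signatures rather than relying on cookies alone.

```javascript
// Pre-consent cookie audit (added example, not AuditOPE's code).

const TRACKER_COOKIES = [
  [/^_ga(_[A-Z0-9]+)?$/, 'Google Analytics'],   // _ga and GA4's _ga_<MEASUREMENT-ID>
  [/^_gid$|^_gat(_.+)?$/, 'Google Analytics'],
  [/^_gcl_au$/, 'Google Ads'],
  [/^_fbp$|^_fbc$/, 'Meta Pixel'],
  [/^_hj/, 'Hotjar'],
  [/^_uet(sid|vid)$/, 'Microsoft Ads'],
];
const CMP_COOKIES = [
  [/^Optanon(Consent|AlertBoxClosed)$/, 'OneTrust'],
  [/^CookieConsent$/, 'Cookiebot'],
  [/^didomi_token$/, 'Didomi'],
  [/^euconsent-v2$/, 'IAB TCF (any TCF-registered CMP)'],
  [/^cookieyes-consent$/, 'CookieYes'],
  [/^axeptio_/, 'Axeptio'],
];
// Strictly-necessary cookies under the ePrivacy Art. 5(3) exemption (assumed list).
const ESSENTIAL_COOKIES = [/^PHPSESSID$/, /^JSESSIONID$/, /^ASP\.NET_SessionId$/, /csrf|xsrf/i];

// document.cookie is "name=value; name2=value2"; values may themselves contain "=".
function parseCookieNames(cookieString) {
  return cookieString.split(';').map((c) => c.trim().split('=')[0]).filter(Boolean);
}

function classifyCookie(name) {
  if (ESSENTIAL_COOKIES.some((re) => re.test(name))) return { name, kind: 'essential' };
  const cmp = CMP_COOKIES.find(([re]) => re.test(name));
  if (cmp) return { name, kind: 'cmp', vendor: cmp[1] };
  const tracker = TRACKER_COOKIES.find(([re]) => re.test(name));
  if (tracker) return { name, kind: 'tracker', vendor: tracker[1] };
  return { name, kind: 'unknown' };   // review manually: first-party analytics hide here
}

// cmpScriptDetected: result of a separate script/DOM signature check (assumed input).
function preConsentAudit(cookieString, cmpScriptDetected = false) {
  const cookies = parseCookieNames(cookieString).map(classifyCookie);
  const trackers = cookies.filter((c) => c.kind === 'tracker');
  const cmpVendors = [...new Set(cookies.filter((c) => c.kind === 'cmp').map((c) => c.vendor))];
  const cmpPresent = cmpScriptDetected || cmpVendors.length > 0;
  const findings = [];
  if (trackers.length && !cmpPresent) {
    // Pattern 8: trackers and no consent tooling at all.
    findings.push({ pattern: 'no-cmp-trackers-present', severity: 'HIGH', cookies: trackers.map((c) => c.name) });
  } else if (trackers.length) {
    // Pattern 1: a CMP exists, but trackers were set before anyone clicked it.
    findings.push({ pattern: 'pre-consent-tracker-firing', severity: 'HIGH', cookies: trackers.map((c) => c.name) });
  }
  return { cookies, cmpVendors, findings };
}

// Constructed document.cookie captures (not from a real site).
const NO_CMP   = '_ga=GA1.2.111; _gid=GA1.2.222; PHPSESSID=s3ss10n; _fbp=fb.1.333';
const WITH_CMP = 'OptanonConsent=isGpcEnabled=0&groups=C0001:1; _ga_ABC123=GS1.1.444; csrftoken=t0k3n';
const CLEAN    = 'JSESSIONID=abc; CookieConsent=stamp:xyz';

for (const jar of [NO_CMP, WITH_CMP, CLEAN]) console.log(preConsentAudit(jar).findings);
```

The "unknown" bucket is deliberate: a scanner that only knows a fixed list will call a renamed first-party analytics cookie clean, so anything it cannot place should be surfaced for review rather than silently passed.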

How AuditOPE detects all 8 in one scan

Our Playwright phase renders the banner in real Chromium, then runs JavaScript to extract: 14 CMP signatures, every action button with its computed styles, the pre-checked checkbox count, banner viewport coverage and a legitimate-interest text scan. The cookie_audit phase scores 0–100 with severity-mapped findings, each referencing the relevant CNIL fine.

Run a free audit at auditope.com/audit-form to see your site's score. EU-hosted, no card required.
