cookie-consent-ab-audit

Auditing Cookie Consent A/B Testing

Overview

A/B testing consent banners is a common practice to optimize consent rates. However, when these experiments manipulate users into consenting through design asymmetry, deceptive patterns, or unequal ease of acceptance versus rejection, they violate GDPR Article 7 and ePrivacy Directive Article 5(3). The CNIL has been the most active enforcer, issuing a EUR 150 million fine to Google (January 2022) and a EUR 60 million fine to Meta (January 2022) specifically for consent banner design violations.

Regulatory Framework for Consent Banner Design

Equal Prominence Requirement

CNIL Deliberation No. 2020-091 (September 17, 2020) and EDPB Guidelines 05/2020 establish:

1. Equal Visual Weight: The "Accept" and "Reject" options must have the same visual prominence — same size, same color treatment, same font, same position hierarchy.
2. Equal Interaction Cost: Rejecting cookies must require the same number of clicks/steps as accepting.
3. No Pre-Selection: No purposes or vendors may be pre-selected.
4. No Cookie Walls: Access to content must not be conditioned on cookie acceptance.
5. Neutral Language: Neither option should use encouraging or discouraging language asymmetrically.

Key Enforcement Actions

Authority	Target	Fine	Date	Key Finding
CNIL	Google LLC	EUR 150,000,000	January 6, 2022	google.fr: accepting cookies required 1 click; rejecting required multiple clicks through secondary menu
CNIL	Meta Platforms Ireland	EUR 60,000,000	January 6, 2022	facebook.com: "Accept Cookies" button prominently displayed; "Refuse" buried in secondary layer
CNIL	Microsoft Ireland	EUR 60,000,000	December 22, 2022	bing.com: "Accept" button displayed without equally visible "Refuse"
CNIL	TikTok	EUR 5,000,000	December 29, 2022	tiktok.com: rejecting cookies more complex than accepting; insufficient information
Italian Garante	Clearview AI	EUR 20,000,000	March 9, 2022	No valid consent mechanism for biometric data processing

Dark Pattern Detection Methodology

Category 1: Visual Asymmetry

What to check:

• Accept button: color, size, font weight, border, shadow, position
• Reject button: color, size, font weight, border, shadow, position
• Are they visually equal? A bright green "Accept All" next to a grey text-link "Manage Preferences" fails this test.

Measurement:

• Button area (width x height in pixels)
• Color contrast ratio against background (WCAG calculation)
• Font size and weight
• Visual hierarchy position (above vs below the fold, left vs right)

Category 2: Interaction Asymmetry

What to check:

• Clicks to accept all: typically 1 (click "Accept All")
• Clicks to reject all: should be 1 (click "Reject All") — NOT 2+ (click "Manage" then toggle then "Save")
• Is a "Reject All" button present on the first layer?

CNIL standard: A "Refuse All" button must be available on the same layer and with the same prominence as the "Accept All" button.

Category 3: Language Manipulation

What to check:

• Accept text: neutral or encouraging? ("Accept and continue enjoying our site")
• Reject text: neutral or discouraging? ("I don't want a personalized experience")
• Is the reject option framed as losing something?

Examples of non-compliant language:

• Accept: "Accept and enjoy personalized content" / Reject: "Continue with limited experience" — FAIL
• Accept: "OK, I agree" / Reject: "Reject all cookies" — PASS (both neutral)

Category 4: Timing and Delay Manipulation

What to check:

• Does the accept button appear before the reject button?
• Is there a loading delay on the reject path?
• Does dismissing the banner (X button) default to accepting?

Category 5: Repeated Prompting (Nagging)

What to check:

• After rejecting, does the banner reappear on the next page?
• How frequently is reconsent requested?
• CNIL recommends no more than every 6 months.

A/B Test Compliance Boundaries

What can be legitimately tested:

Permitted Tests	Prohibited Tests
Banner position (top vs bottom)	Accept button larger than reject button
Color scheme (both buttons same treatment)	Accept button more prominent than reject
Text wording (both options equally neutral)	Additional clicks required to reject
Layout arrangement (if equal prominence maintained)	Pre-selecting consent purposes in one variant
Icon usage (same for both options)	Cookie wall in any variant
Animation/transition style	Accept-only first layer with reject buried
Privacy information presentation format	Discouraging language for reject option

Audit Procedure

Step 1: Capture All A/B Variants

For each active consent banner experiment:

• Screenshot all variants across desktop and mobile
• Record the HTML/CSS for accept and reject elements
• Document the user flow for accepting and rejecting in each variant
• Note the traffic split (what percentage of users see each variant)

Step 2: Apply Dark Pattern Assessment

For each variant, score against the 5 categories:

Category	Weight	Score (0-10)	Notes
Visual Asymmetry	25%	0 = equal, 10 = extreme asymmetry
Interaction Asymmetry	30%	0 = equal clicks, 10 = many more clicks to reject
Language Manipulation	20%	0 = neutral, 10 = strongly manipulative
Timing/Delay	15%	0 = no delays, 10 = significant delays on reject
Repeated Prompting	10%	0 = respects choice, 10 = constant nagging

Overall Risk Score: Weighted sum. Score above 3.0 requires remediation. Score above 5.0 requires immediate removal.

Step 3: Compare Consent Rates Across Variants

If a variant achieves significantly higher consent rates through design asymmetry rather than improved information, this is evidence of manipulation:

• Baseline comparison: Compare consent rates between fully symmetric designs
• Red flag threshold: If a variant achieves >20% higher consent rate AND has asymmetric design elements, flag for review
• Statistical significance: Use standard A/B testing statistical methods (chi-squared or Bayesian) but apply the regulatory lens — statistical significance of manipulation is evidence of violation

Step 4: Document and Report

Generate audit report with:

• Screenshots of all variants
• Dark pattern scores per variant
• Consent rate analysis
• Recommendations for non-compliant variants
• Remediation timeline

Key Regulatory References

• GDPR Article 7 — Conditions for consent (equal ease, freely given)
• ePrivacy Directive Article 5(3) — Consent for cookies and similar technologies
• CNIL Deliberation No. 2020-091 — Cookie and tracker guidelines
• CNIL Deliberation No. 2022-013 — Google fine (EUR 150M)
• CNIL Deliberation No. 2022-014 — Meta fine (EUR 60M)
• EDPB Guidelines 05/2020 — Consent under Regulation 2016/679
• EDPB Guidelines 3/2022 — Dark patterns in social media platform interfaces
• FTC Report on Dark Patterns (September 2022) — US perspective on manipulative design