FTC Cracks Down on Dark Patterns: Cookie Banner Red Flags to Fix Now
The FTC's February 2026 enforcement action against a major retailer over manipulative cookie consent interfaces highlights what makes consent legally invalid. Practical fixes for your consent management.
The Wake-Up Call: FTC's February 2026 Action
It happened on a Tuesday. Without warning, the Federal Trade Commission announced a landmark enforcement action against one of America's largest retailers, alleging that its cookie consent interfaces constituted deceptive practices under Section 5 of the FTC Act. The retailer? A household name. The violation? Systemic manipulation of user consent through dark patterns.
This isn't hypothetical. This is February 2026, and the FTC has made clear: the era of manipulative cookie banners is over.
If you manage a website that collects any form of user data — and let's be honest, that's every website — the enforcement action should serve as a stark reminder. The consent mechanisms you've likely been using for years? They may now be illegal.
What the FTC Actually Found
While the specifics of the February 2026 action remain under seal, FTC guidance and previous enforcement actions paint a clear picture of what regulators consider problematic. The commission has consistently targeted interfaces that:
- Use visual design to steer users toward accepting cookies while making rejection difficult
- Employ pre-checked boxes or ambiguous language that obscures what users are agreeing to
- Create unnecessary friction for users who want to decline tracking
- Mislead consumers about the consequences of their choices
In recent years, the FTC has explicitly stated that dark patterns in consent interfaces violate consumer protection laws. The February 2026 action appears to be the next logical step: actual penalties against a major violator, not just warning letters.
The Dark Patterns You Need to Fix
Based on FTC enforcement and privacy regulations worldwide, here are the specific patterns that could land you in regulatory trouble.
Visual Asymmetry
"Accept All" jumps out in bold, bright colors while "Reject All" blends into the background — smaller, grey, or tucked away. This is a classic dark pattern that regulators actively target.
Pre-Checked Consent Boxes
Under GDPR Article 4(11), consent requires a "clear affirmative action." Anything already checked violates this requirement. CCPA similarly requires users to opt in, not opt out.
Required Scrolling or Extra Clicks
Forcing users to manage preferences through multiple layers — clicking "Customize," then expanding categories, then unchecking boxes — while accepting takes one click. This friction is a design choice to discourage rejection.
Ambiguous or Misleading Wording
Phrases like "Okay, I agree" or "Continue" give no clear context about what users are accepting. GDPR Article 7 requires consent to be "presented in an intelligible and easily accessible form, using clear and plain language."
Deceptive Default Settings
The interface assumes consent by default and requires users to opt out, rather than requiring opt-in. GDPR Article 6 makes clear that consent must be freely given, which means defaults that favor the business rather than the user are problematic.
The Regulatory Framework You Need to Know
Understanding what makes consent legally valid is essential for any organization handling user data.
GDPR (European Union) — Articles 4(11), 6, 7
Consent must be "freely given, specific, informed and unambiguous" through a clear affirmative action. Pre-ticked boxes, silence, and inactivity do not constitute valid consent. Article 7(3) explicitly states that users must be able to withdraw consent as easily as they gave it.
CCPA/CPRA (California) — Sections 1798.100, 1798.120, 1798.135
California's approach differs slightly — it requires opt-in for sensitive data but allows opt-out for non-sensitive personal information. However, the law explicitly prohibits dark patterns that "subvert or impair user choice." The California Privacy Rights Act (CPRA) strengthened these provisions significantly.
PIPEDA (Canada) — Principles 3.3, 3.5, 3.7
Canada's privacy law requires meaningful consent, which cannot be obtained through deceptive or misleading practices. Consent must be about the specific purposes for collection, use, and disclosure.
FTC Act (United States) — Section 5
The FTC prohibits deceptive and unfair practices. It has made clear that manipulative consent interfaces can violate both standards. The February 2026 enforcement action appears designed to test this interpretation with real penalties.
Practical Fixes for Your Consent Management
Now for what actually matters: fixing your consent interfaces. Here's what you need to do.
1. Give Equal Visual Weight to Both Choices
"Accept All" and "Reject All" should be equally prominent. Same size buttons, similar colors, comparable placement. The user's choice to reject tracking deserves the same visual standing as acceptance.
2. Use Clear, Specific Language
Replace ambiguous phrases like "Okay" or "Continue" with explicit language: "Accept All Cookies" and "Reject Non-Essential Cookies." Clearly explain what each category of cookies does.
3. Offer Equal Access to Preferences
It's fine to offer a "Manage Preferences" option, but "Reject All" must be available on the first screen. Equal prominence means the user doesn't need an extra click just to say no.
4. Don't Punish Users for Saying No
Some sites make rejecting cookies result in a degraded experience — fewer features, reduced functionality. This may constitute coercive dark patterns. If there are genuine functional differences, disclose them transparently rather than using them as leverage.
5. Honor User Choices Consistently
Once a user makes a choice, respect it. Don't re-prompt them after they've declined, and certainly don't make it easier to accept later by hiding the decline option. GDPR Article 7(3) explicitly requires withdrawal to be "as easy as to give consent."
6. Document Your Compliance
Keep records of what consent you collected, when, and what you told users. This matters for demonstrating compliance if a regulator comes calling.
7. Test Across Devices and Interfaces
What works on desktop might fail on mobile. Review your consent experience across all platforms where users encounter it.
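Several of the fixes above (equal visual weight, specific labels, "Reject All" on the first screen, no pre-checked non-essential categories) can be checked automatically in a release pipeline. The following is an added example, not code from the original article or from any consent management product; the banner object shape and the finding names are assumptions made for illustration.

```javascript
// Added example: audits a description of a cookie banner against the fixes above.
// The banner object shape and the finding names are hypothetical, not a real CMP API.
const VAGUE_LABEL = /^(ok(ay)?|continue|got it|(okay, )?i agree)$/i;

function auditBanner(banner) {
  const findings = [];
  const accept = banner.buttons.find((b) => b.action === "accept_all");
  const reject = banner.buttons.find((b) => b.action === "reject_all");

  // Fix 3: "Reject All" must exist and must not sit on a deeper layer than "Accept All".
  if (!reject || (accept && reject.layer > accept.layer)) {
    findings.push("reject-harder-than-accept");
  }
  // Fix 1: equal visual weight (same size, same button style).
  if (accept && reject &&
      (reject.fontPx < accept.fontPx || reject.style !== accept.style)) {
    findings.push("visual-asymmetry");
  }
  // Fix 2: labels must say what is being accepted or rejected.
  for (const b of banner.buttons) {
    if (VAGUE_LABEL.test(b.label.trim())) findings.push(`vague-label:${b.label}`);
  }
  // Red flag: non-essential categories switched on before the user acts.
  for (const t of banner.toggles) {
    if (!t.essential && t.checkedByDefault) findings.push(`pre-checked:${t.category}`);
  }
  return findings;
}

// Constructed sample input: a banner showing the red flags, and a corrected one.
const BAD_BANNER = {
  buttons: [
    { action: "accept_all", label: "Okay, I agree", layer: 1, fontPx: 16, style: "primary" },
    { action: "reject_all", label: "Reject All", layer: 2, fontPx: 12, style: "link" },
  ],
  toggles: [
    { category: "essential", essential: true, checkedByDefault: true },
    { category: "analytics", essential: false, checkedByDefault: true },
    { category: "advertising", essential: false, checkedByDefault: true },
  ],
};
const FIXED_BANNER = {
  buttons: [
    { action: "accept_all", label: "Accept All Cookies", layer: 1, fontPx: 16, style: "primary" },
    { action: "reject_all", label: "Reject Non-Essential Cookies", layer: 1, fontPx: 16, style: "primary" },
  ],
  toggles: BAD_BANNER.toggles.map((t) => ({ ...t, checkedByDefault: t.essential })),
};

console.log(auditBanner(BAD_BANNER), auditBanner(FIXED_BANNER));
```

Running the same audit against the mobile and desktop variants of a banner covers the cross-device review in step 7.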
Key Takeaways
The February 2026 FTC action signals a new era of enforcement against dark patterns in consent interfaces. The message is clear: regulators are no longer just talking about this issue — they're taking action.
Valid consent means users make genuine choices without manipulation. That's the core principle across GDPR, CCPA, PIPEDA, and FTC guidance. Your cookie banner should make it just as easy to say no as to say yes.
If you haven't reviewed your consent interfaces recently, now is the time. The cost of getting this wrong isn't just potential fines — it's the erosion of user trust that comes from manipulative design. And increasingly, it's legal liability.
The good news? Fixing these issues isn't complicated. It just requires designing consent experiences that respect users as much as you want them to trust you. That's not just compliance best practice — it's good business.