Your cookie banner looks fine. It has an "Accept All" button and a "Reject All" button. You're good, right?
Maybe not. The CPRA's updated dark pattern rules (section 7004) now requiresymmetry—and the California AG is actively enforcing it.
What's Changed in 2026
The original CCPA allowed companies to nudge users toward accepting cookies. The 2026 updates tightened the rules significantly:
- Equal prominence required: The "Reject All" button must be as visually prominent as "Accept All"
- Equal effort required: Users shouldn't have to click more times to reject than to accept
- No pre-selecting categories: Marketing/analytics categories can't be pre-checked
- No interfering with choices: Can't make rejecting cookies harder than accepting them
Common Dark Patterns We're Seeing
1. The Two-Click Problem
"Accept All" is one click. But "Reject All" requires opening a preferences modal first, then finding the reject button, then confirming.
Violation: Unequal effort required to make a choice.
2. The Visual Imbalance
"Accept All" is a bright, bold button. "Reject All" is a grey, subtle link that barely stands out.
Violation: Reject option not equally prominent.
3. The Intermediate Step
Clicking "Accept" immediately closes the banner. Clicking "Reject" opens a full preferences center with 6 categories, each with multiple sub-options.
Violation: Burdensome process for rejecting vs. accepting.
4. The Pre-Selected Trap
The preferences modal has all categories pre-checked for "marketing" and "sharing"—users must manually uncheck each one to reject.
Violation: Pre-selection of non-essential categories.
5. The "Close" Means Accept
Clicking the X, pressing Escape, or clicking outside the modal counts as accepting all cookies.
Violation: Ambiguous user action treated as consent.
Who's Being Targeted
Based on recent enforcement actions, the AG is focusing on:
- E-commerce sites: High traffic, lots of tracking
- Companies with California customers: Even if headquartered elsewhere
- Well-known brands: Public enforcement cases make better examples
How to Check Your Banner
Ask yourself these questions:
- Can I reject all cookies in the same number of clicks as accepting?
- Is the "Reject" button equally visible to "Accept"?
- Are any categories pre-checked?
- Does closing the banner without clicking anything count as consent?
If you answered "no" to the first two or "yes" to the last two, you have a problem.
The Fix
Most CMPs now support symmetric designs. But you have to configure it correctly:
- Enable "Reject All" as a primary button (not just in preferences)
- Remove pre-checked categories
- Make reject visually equal to accept
- Test with a fresh browser—don't rely on the CMP's preview mode