This study investigates the prevalence and geographical variation of “aesthetic manipulation”—visual design tactics in GDPR-compliant cookie banners that nudge users toward data-sharing consent. Method: We propose the first automated visual compliance assessment framework based on saliency-aware object detection, integrated with cross-national IP spoofing to evaluate 2,579 cookie banners across jurisdictions. Contribution/Results: Among websites fully compliant with GDPR’s textual requirements, 38% exhibit aesthetic manipulation—11 percentage points higher than prior estimates; EU-based sites are 48.3% more likely to employ such manipulation than non-EU sites; 13.9% dynamically adapt banner design based on user geolocation. We further identify novel manipulation patterns—including strategic button positioning—providing both methodological innovation for privacy interface auditing and empirical evidence to inform regulatory oversight and design standards.

The main goal of this paper is to study how often cookie banners that comply with the General Data Protection Regulation (GDPR) contain aesthetic manipulation, a design tactic to draw users' attention to the button that permits personal data sharing. As a byproduct of this goal, we also evaluate how frequently the banners comply with GDPR and the recommendations of national data protection authorities regarding banner designs. We visited 2,579 websites and identified the type of cookie banner implemented. Although 45% of the relevant websites have fully compliant banners, we found aesthetic manipulation on 38% of the compliant banners. Unlike prior studies of aesthetic manipulation, we use a computer vision model for salient object detection to measure how salient (i.e., attention-drawing) each banner element is. This enables the discovery of new types of aesthetic manipulation (e.g., button placement), and leads us to conclude that aesthetic manipulation is more common than previously reported (38% vs 27% of banners). To study the effects of user and/or website location on cookie banner design, we include websites within the European Union (EU), where privacy regulation enforcement is more stringent, and websites outside the EU. We visited websites from IP addresses in the EU and from IP addresses in the United States (US). We find that 13.9% of EU websites change their banner design when the user is from the US, and EU websites are roughly 48.3% more likely to use aesthetic manipulation than non-EU websites, highlighting their innovative responses to privacy regulation.