The Netherlands Becomes a Dark-Pattern Laboratory
The Netherlands has quietly assembled one of Europe's most active dark-pattern enforcement ecosystems — not through a single dramatic ruling but through three overlapping tracks running simultaneously: the Authority for Consumers and Markets (ACM) pursuing manipulative UX in gaming, the Autoriteit Persoonsgegevens (AP) sweeping cookie banners for deceptive consent flows, and Dutch courts interpreting the Digital Services Act's Article 25 in ways that reach algorithmic design itself. The combined output signals something more consequential than any single fine: a jurisdictional template that regulators across the EU are watching closely.
ACM's 2026 Agenda: Gaming First
In its 2026 digital economy focus areas, ACM explicitly placed dark patterns at the top of its consumer enforcement agenda, with particular attention on the gaming industry. The authority describes dark patterns as "techniques that steer users in such a way that they end up making different choices than they would have made if they had been informed properly" — deliberately broad language that sweeps in everything from pre-selected subscription upgrades to urgency-faking countdown timers.
That framing is not hypothetical. In May 2024, ACM imposed a €1,125,000 fine on Epic Games over two categories of dark patterns in Fortnite: aggressive advertising language ("Get it now," "Buy now") targeting children and misleading countdown timers that implied item scarcity even when items remained available after the timer expired. The specificity of ACM's enforcement is notable — it required Epic to remove countdown timers globally for Dutch under-18 players and to ensure items were displayed with availability windows of at least 48 hours. Epic achieved full compliance by July 22, 2024.
The emphasis on children's wellbeing is not incidental. ACM frames gaming dark patterns as a welfare issue, not merely a consumer-law technicality. That framing gives the regulator both political cover and legal leverage: consumer protection law, GDPR's special provisions for children's data, and DSA Article 25 all converge on the same design choices.
The AP's Cookie Campaign: Scale Over Spectacle
While ACM targets specific companies, the Dutch Data Protection Authority is pursuing a more systemic strategy. In April 2025, the AP dispatched warning letters to 50 organizations — webshops, media companies, and insurers — identifying a consistent pattern of deceptive cookie consent mechanisms: pre-ticked consent boxes, missing or buried "reject all" buttons, deceptive color contrasts that visually de-emphasize refusal options, and consent collected before users had any chance to respond.
This was not a one-off exercise. The AP announced plans to contact 500 organizations annually, reaching approximately 10,000 in total over the monitoring programme's lifecycle. Organizations that fail to comply within three months face formal investigation and GDPR fines of up to €20 million or 4% of global turnover. The scale matters: this is an attempt to normalize compliance across an entire sector, not to make an example of one offender.
"We're not looking for a headline fine. We're looking for a clean internet."
The cookie banner campaign reflects a genuine regulatory insight — that dark patterns in consent flows are not edge-case violations but a near-universal practice. By framing them as design problems susceptible to systematic correction rather than bad-faith fraud requiring case-by-case prosecution, the AP is attempting to change the incentive structure across the market.
The Amsterdam Meta Ruling: DSA Article 25 Gets Teeth
The most legally significant Dutch development is the October 2025 ruling from the Amsterdam District Court that Meta's default algorithmic feed constitutes a prohibited dark pattern under DSA Article 25. The court found that Meta's non-persistent user settings — automatically reverting to an algorithmic timeline when users closed the app or switched devices — undermined users' ability to exercise genuine choice. The Amsterdam Court of Appeals upheld the core finding in December 2025, giving Meta until December 31, 2025 to implement compliant controls, with €100,000-per-day penalties and a €5 million cap taking effect from January 1, 2026.
The ruling is important beyond the specific facts because it establishes that dark patterns can inhere in system architecture — not just in interface design choices like button colors or text framing. If a product's back-end routinely reverses user choices, that's a dark pattern even if no individual screen looks manipulative. This is a substantially broader reading of Article 25 than most compliance teams had planned for.
The Proportionality Question
The strongest case for this enforcement wave is clear: asymmetric information in digital design causes real harm, disproportionately affecting children and less digitally literate users. Countdown timers that lie, cookie banners designed to exhaust users into consenting, and algorithms that silently undo user preferences are not minor UX choices — they distort markets and erode autonomy at scale. The Netherlands is right to take them seriously.
But the enforcement architecture carries risks. Three separate regulators applying three overlapping legal frameworks — Dutch civil code, GDPR, and DSA — to broadly similar conduct creates compliance complexity that large platforms can absorb and small Dutch developers cannot. The ACM's maximum penalty of €900,000 or 10% of turnover is existential for a small-to-medium app studio in a way that it simply isn't for Epic Games or Meta. Regulation that raises fixed compliance costs without calibrating to firm size tends to consolidate markets toward incumbents.
The Digital Fairness Act Horizon
The European Commission is expected to table the Digital Fairness Act in Q4 2026, which would extend dark pattern prohibitions beyond Very Large Online Platforms to all digital B2C services. The ACM, in its formal consultation response, has advocated not only for broader coverage but for a conceptual expansion: dark pattern rules should reach systemic design choices — recommendation architectures, default settings, algorithmic curation — not merely interface-level manipulations.
That framing, if adopted by the Commission, would represent a significant escalation in regulatory scope. It would bring subscription flow design, pricing display algorithms, and attention-retention mechanics under the same legal umbrella that currently governs a cookie banner's button color. The Netherlands, through its regulators' positions and its courts' DSA interpretations, is effectively drafting a model for what European digital fairness law could become.
The open question is whether the forthcoming legislation will carry meaningful proportionality safeguards — graduated enforcement, safe harbors for good-faith design iteration, clear standards that let developers know in advance when they've crossed a line. Without those, the Netherlands' admirable enforcement energy risks becoming a template for ambiguity at scale.