When the Abyss Looks Back: Unveiling Evolving Dark Patterns in Cookie Consent Banners

To comply with data protection regulations such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), websites widely deploy cookie consent banners to collect users' privacy preferences. In practice, however, these interfaces often embed dark patterns that undermine informed and freely given consent. As regulatory scrutiny increases, such patterns have not disappeared but have evolved into subtler and more legally ambiguous forms, making existing detection approaches outdated. We present UMBRA, a consent management platform (CMP)-agnostic system that detects both previously studied patterns (DP1-DP10) and nine newly evolved patterns (DP11-DP19) targeting information disclosure, consent revocation, and legal ambiguity, including pay-to-opt-out schemes, revocation barriers, and fake opt-outs. UMBRA combines text analysis, visual heuristics, interaction tracing, and cookie-state monitoring to capture multi-step consent flows missed by prior tools. We evaluate UMBRA on a manually annotated ground-truth dataset and achieve 99% detection accuracy. We further conduct a large-scale compliance-oriented measurement across 14,000 websites spanning the EU, the US, and top-ranked global domains. Our results show that evolved dark patterns are pervasive: revocation is often obstructed, cookies are set before consent or despite explicit rejection, and opt-out interfaces often fail to prevent third-party tracking. On sites with revocation barriers, cookies increase by 25% on average, and many use insecure attributes that increase exposure to attacks such as XSS and CSRF. Overall, our findings provide evidence of systematic non-compliance and show how evolving consent manipulation erodes user autonomy while amplifying privacy and security risks.