This work addresses the growing use of covert dark patterns in cookie consent banners, which undermine user autonomy and violate regulations such as the GDPR and CCPA. The authors propose UMBRA, the first consent management platform (CMP)-agnostic, multimodal detection framework that integrates natural language processing, computer vision heuristics, browser automation for interaction tracing, and real-time cookie state monitoring to systematically identify both established and emerging dark patterns. The study introduces nine novel dark pattern categories (DP11–DP19), encompassing inadequate disclosure, barriers to consent withdrawal, and legal ambiguities. Evaluated across 14,000 websites, UMBRA achieves 99% detection accuracy and uncovers widespread non-compliance, including persistent cookie setting after user rejection, unblocked third-party tracking, and potential XSS/CSRF security vulnerabilities.

To comply with data protection regulations such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), websites widely deploy cookie consent banners to collect users' privacy preferences. In practice, however, these interfaces often embed dark patterns that undermine informed and freely given consent. As regulatory scrutiny increases, such patterns have not disappeared but have evolved into subtler and more legally ambiguous forms, making existing detection approaches outdated. We present UMBRA, a consent management platform (CMP)-agnostic system that detects both previously studied patterns (DP1-DP10) and nine newly evolved patterns (DP11-DP19) targeting information disclosure, consent revocation, and legal ambiguity, including pay-to-opt-out schemes, revocation barriers, and fake opt-outs. UMBRA combines text analysis, visual heuristics, interaction tracing, and cookie-state monitoring to capture multi-step consent flows missed by prior tools. We evaluate UMBRA on a manually annotated ground-truth dataset and achieve 99% detection accuracy. We further conduct a large-scale compliance-oriented measurement across 14,000 websites spanning the EU, the US, and top-ranked global domains. Our results show that evolved dark patterns are pervasive: revocation is often obstructed, cookies are set before consent or despite explicit rejection, and opt-out interfaces often fail to prevent third-party tracking. On sites with revocation barriers, cookies increase by 25% on average, and many use insecure attributes that increase exposure to attacks such as XSS and CSRF. Overall, our findings provide evidence of systematic non-compliance and show how evolving consent manipulation erodes user autonomy while amplifying privacy and security risks.