Introduction
In 2023, two significant regulatory developments reshaped India’s digital legal framework. The first was the Digital Personal Data Protection Act, 2023 (DPDPA),[1] India’s novel data privacy law, enacted on 13-8-2023. The second was the Guidelines for Prevention and Regulation of Dark Patterns, issued on 30-11-2023[2] under the Consumer Protection Act, 2019 (CP Act)[3] by the Central Consumer Protection Authority (CCPA).
Both these laws deal with digital harms but from different perspectives. The DPDPA focuses on providing data protection rights to individuals, while the Dark Pattern Guidelines focus on protecting consumers from being manipulated into unfair commercial choices through deceptive user interface (UI)/user experience (UX) design practices.
At first glance, these laws appear to function in parallel. However, this article explores an important intersection: certain dark patterns may not just be unfair trade practices under consumer law; they may also be privacy violations under the DPDPA. This dual exposure creates serious legal consequences for businesses engaging in such practices.
What are dark patterns?
Dark patterns[4] are deceptive design patterns using UI or UX that mislead or trick users by subverting their autonomy and manipulating them into taking actions which they otherwise would not have taken. The term was coined by UX designer Harry Brignull, who registered a website called darkpatterns.org, which he intended to be designed like a library wherein all types of such UX/UI designs are showcased in the public interest; hence the name “dark pattern” came into being.
Applicability
Clause 3[5] of the Guidelines on Dark Patterns makes them applicable to the following:
(a) platforms systematically offering goods or services in India;
(b) advertisers (any person who designs, produces and publishes advertisements to promote the sale of their goods, platforms or services); and
(c) sellers/service providers who, in the course of business, import, sell, distribute, or market a product for commercial purposes.
The Guidelines list thirteen types of dark patterns along with their illustrations, for instance:
(a) “False urgency” is one such dark pattern, deployed mostly by e-commerce platforms, wherein the user is tricked into making an immediate purchase or taking immediate action by showing false popularity of a product or showing limited quantities of the product, e.g. usage of phrases like “limited time deal”, “only 2 rooms left!” and “50 others are looking at this right now, don’t miss the deal”.
(b) Another dark pattern, called confirmshaming, is used by entities like travel booking platforms, which use phrases, videos or audio to make the user feel guilt, shame or ridicule in order to make the user purchase additional goods or services. For example, a travel platform nudges a user to buy by wording the reject option as “I will stay unsecured” or “No, I don’t want to stay alive”.
These dark patterns are used frequently by food delivery apps, news sites, digital lending portals, e-commerce services, etc. Dark patterns are deemed an unfair trade practice.
The CCPA can order the recall of goods, the withdrawal of services or even the discontinuation of such services where it finds, as per Section 20[6] of the CP Act, that an entity is engaging in dark patterns in breach of the guidelines. As early as December 2024,[7] the CCPA issued orders to IndiGo and BookMyShow, as they were found to be engaging in dark patterns. For instance, BookMyShow was engaging in a dark pattern called “basket sneaking”, whereby it was automatically adding Rs 1 as a contribution towards “BookASmile” in the form of a pre-tick, without obtaining the prior consent of the user.
Also, engaging in dark patterns amounts to an unfair trade practice, and if such deceptive design leads to false or misleading advertisements that harm consumer interest, Section 89[8] of the CP Act may apply, attracting penalties of up to 2 years’ imprisonment and a fine of Rs 10 lakhs (approx. USD 12,000), which increase to 5 years and Rs 50 lakhs (approx. USD 60,000) for repeat offences.
The point of intersection with the DPDPA
The DPDPA primarily governs how personal data[9] of individuals is collected and processed. It applies to any entity, whether a company, association, or government body, that determines the purpose and means of processing such data. These entities are known as data fiduciaries. The individuals whose data is processed are called data principals, while third parties that process data on behalf of a data fiduciary, such as payment service providers or online marketplaces, are termed data processors. Data processors have no primary liability under the DPDPA; instead, the data fiduciary remains responsible for their actions.
Since the DPDPA applies wherever personal data is processed, it is plausible that a business will be subject to both data fiduciary obligations under the DPDPA and consumer protection obligations under the Dark Pattern Guidelines. For example, an e-commerce platform that processes customers’ personal data, such as name, email, phone number and payment-related information, is simultaneously acting as a service provider under consumer law and a data fiduciary under the DPDPA. In this setup, the user plays a dual role too, as both a consumer and a data principal.
As explained above, an entity can act as a data fiduciary and, in doing so, be subject to obligations under both laws. The DPDPA imposes two key duties that are particularly at risk of being breached when dark patterns are used, meaning the entity could trigger liability under both legal frameworks simultaneously. These two are as follows:
(a) Section 4(1)(a)[10] of the DPDPA requires the data fiduciary to obtain consent prior to any processing of personal data. The consent has to be specific, free, informed and unconditional, and accompanied or preceded by a notice in English and other major Indian languages.
(b) Section 8(4)[11] of the DPDPA mandates the data fiduciary to implement technical and organisational measures in order to ensure effective observance of the Act. This obligation can be interpreted to include implementing digital solutions to combat dark patterns, for instance implementing technical standards to prevent dark patterns or undertaking a website assessment to clear out dark patterns.
How are dark patterns a privacy concern?
These obligations under Sections 4 and 8 of the DPDPA become particularly significant when we consider how certain dark patterns operate. By their very design, some patterns harm the user in two ways: first, by manipulating them into choices they would not have otherwise made; and second, by compelling the collection or processing of personal data in ways that breach data protection requirements. In such cases, the entity is not only exploiting the individual but is also failing to meet its legal duties under the DPDPA, thereby creating exposure under both the CP Act and the DPDPA. The following dark patterns specified under the CCPA’s guidelines operate in this way:
(a) Forced action: This dark pattern forces the user to share personal data in order to buy or subscribe to the product or service originally intended by the user. It can work in ways like forcing a user to share their contacts or social networks in order to access products or services purchased or intended to be purchased by the user, or forcing a user to share personal information linked with Aadhaar or a credit card, even when such details are not necessary for making the intended purchase. Another facet of this dark pattern is that it also makes it difficult for the consumer to understand and alter their privacy settings, thereby encouraging them to give more personal information than they mean to while making the intended purchase.
(b) Subscription trap: This dark pattern, among other things, can force a user to provide payment details or authorisation for auto debits in order to avail a free subscription. It is quite common in the case of over-the-top (OTT) platforms, wherein, to access the free subscription, users necessarily need to provide payment details and sometimes other unnecessary details such as a phone number.
(c) Nagging: This dark pattern is a practice by which a user is disrupted and annoyed by repeated and persistent interactions in the form of requests, information, options or interruptions. One way this dark pattern impacts privacy is that certain platforms may ask users to give their phone numbers and other personal details, supposedly for security purposes.
When we analyse the nature of these dark patterns, we can see that not only are they characterised as dark patterns in the guidelines, but the way they play out can also be deemed a breach of obligations under the DPDPA. This is because, by the way they operate, these dark patterns may be violating the principles of data minimisation and purposeful processing.
Conclusion
Dark patterns have long been deployed as a strategy to make profits by nudging, coercing, or misleading users into taking actions they might not otherwise take. Whether it is forcing users to share unnecessary personal data, tricking them into subscriptions, or creating a false sense of urgency, these design practices are meant to serve the commercial interests of the business. However, with the advent of the DPDPA, the cost of using such tactics may now far outweigh any marginal profits they generate.
Under the DPDPA, the stakes are now significantly higher. The Data Protection Board of India has the authority to impose financial penalties of up to Rs 50 crores[12] (approx. USD 5 million) for not obtaining purposeful consent or for disregarding technical and organisational measures. This transforms dark patterns from being a questionable UX strategy into a high-risk legal liability. One manipulative design choice can now cost a business far more than it could ever gain in money.
*Senior Manager, Legal and Regulatory Affairs, K&S Digiprotect Services Pvt Ltd. Author can be reached at: aman@knsdigiprotect.com.
1. Digital Personal Data Protection Act, 2023.
2. Guidelines for Prevention and Regulation of Dark Patterns, 2023.
3. Consumer Protection Act, 2019.
4. Dark patterns are defined under Guidelines for Prevention and Regulation of Dark Patterns, 2023, Cl. 2(1)(e) as:
2. Definitions.— (1)(e) “dark patterns” shall mean any practices or deceptive design pattern using user interface or user experience interactions on any platform that is designed to mislead or trick users to do something they originally did not intend or want to do, by subverting or impairing the consumer autonomy, decision-making or choice, amounting to misleading advertisement or unfair trade practice or violation of consumer rights.
5. Guidelines for Prevention and Regulation of Dark Patterns, 2023, Cl. 3 contain the application of the guidelines.
6. Consumer Protection Act, 2019, S. 20.
7. The article which reported the fact that the CCPA had fined BookMyShow and IndiGo in furtherance of its powers under the guidelines: Press Release, Department of Consumer Affairs to Launch “Jago Grahak Jago App”, “Jagriti App” and “Jagriti Dashboard” on 24-12-2024 on National Consumer Day 2024 to Protect Consumers from the Dark Patterns, Press Information Bureau (pib.gov.in, 22-12-2024).
8. Consumer Protection Act, 2019, S. 89, read as:
89. Punishment for false or misleading advertisement.— Any manufacturer or service provider who causes a false or misleading advertisement to be made which is prejudicial to the interest of consumers shall be punished with imprisonment for a term which may extend to two years and with fine which may extend to ten lakh rupees; and for every subsequent offence, be punished with imprisonment for a term which may extend to five years and with fine which may extend to fifty lakh rupees.
9. Digital Personal Data Protection Act, 2023, S. 2(t) defines “personal data” as:
2. Definitions.— (t) “personal data” means any data about an individual who is identifiable by or in relation to such data.
10. Digital Personal Data Protection Act, 2023, S. 4(1)(a).
11. Digital Personal Data Protection Act, 2023, S. 8(4).
12. Digital Personal Data Protection Act, 2023, S. 33(1), Sch. 1, Pt. 7. This provision is applicable to breach of any provision under this Act or the Rules thereunder.