Regulation of Dark Patterns in Digital Commerce: MeitY, CCPA, and the Interface Between IT Law and Consumer Protection

Introduction

The architecture of digital commerce is not neutral. Every element of an online shopping experience, from the colour of a “buy now” button to the prominence of a subscription cancellation link to the pre-selected options in a checkout form, reflects deliberate design choices by the platform. Some of these choices are legitimate attempts to create a pleasant user experience. Others are deliberate manipulations designed to extract actions from users that those users would not choose if presented with clear, unobstructed information and equal-prominence alternatives. These manipulative design practices, collectively termed “dark patterns,” have become the subject of sustained regulatory attention globally and, increasingly, in India.

The term was coined by UX researcher Harry Brignull in 2010, who created a taxonomy of interface manipulations and a “hall of shame” cataloguing their use on commercial websites. What began as a UX community concern has evolved into a legal and regulatory issue of the first order, with the Federal Trade Commission, the EU’s Digital Services Act, and now the Central Consumer Protection Authority of India (CCPA) all issuing authoritative regulatory frameworks.

India’s regulatory engagement with dark patterns spans at least two regulatory frameworks and potentially three: the Consumer Protection Act, 2019 and the CCPA, the Digital Personal Data Protection Act, 2023, and the Ministry of Electronics and Information Technology’s consultations on e-commerce regulation. Understanding how these frameworks interact, where they create redundancy, and where they leave regulatory gaps is essential for digital commerce practitioners and consumer advocates alike.

Legal Framework

The Consumer Protection Act, 2019 (CPA) provides the foundational statutory basis for challenging dark patterns in India. Section 2(47) defines “unfair trade practice” broadly, including the making of false or misleading representations about goods or services, deceptive advertising, and any method of unfair trade practice. Section 2(28) defines “misleading advertisement” to include any advertisement which misleads the consumer regarding the nature, characteristics, quantity, or quality of any goods or services. These provisions, while not enacted with dark patterns specifically in mind, are broad enough to encompass many common dark pattern forms.

The CCPA, established under Section 10 of the CPA, issued the Guidelines for Prevention and Regulation of Dark Patterns, 2023, effective 30 November 2023. The Guidelines define “dark pattern” as any practice or deceptive design pattern using user interface or user experience interactions on any platform that is designed to mislead or trick users into doing something they did not intend or want to do. The Guidelines identify 13 specific dark patterns that are prohibited: false urgency, basket sneaking, confirm shaming, forced action, subscription traps, interface interference, bait and switch, drip pricing, disguised advertisement, nagging, trick questions, safelocking, and rogue malwares.

Each of these categories covers a distinct manipulative technique. False urgency involves creating artificial scarcity or time pressure (“Only 2 left at this price!”) when no genuine scarcity or deadline exists. Basket sneaking is the addition of items to a shopping cart without the user’s explicit consent, typically using pre-checked add-on options. Confirm shaming exploits social psychology by framing the “decline” option for a subscription or upsell in self-deprecating terms (“No thanks, I prefer to pay more”). Drip pricing involves revealing unavoidable additional charges only at the final checkout stage, after the user has invested significant time in the purchase process. Interface interference manipulates visual design elements to guide users towards choices that benefit the platform, such as making the “accept all cookies” button prominently coloured while the “reject all” option is in small grey text.

The DPDP Act 2023 adds a separate layer of prohibition relevant to dark patterns in the consent context. Section 6(4) specifies that consent shall not be obtained through deceptive or coercive means. Section 6(5) prohibits the use of consent to impose conditions on individuals that are not necessary for the provision of services. These provisions directly address one of the most common dark pattern applications in the digital context: the use of confusing or manipulative consent interfaces to extract agreement to data collection that users would decline if presented with a clear choice.

MeitY has engaged in separate consultations on e-commerce and online gaming regulation, including consideration of dark patterns specific to gaming (loot boxes, pay-to-win mechanics, artificial progression barriers designed to drive in-app purchases) and e-commerce (subscription auto-renewal, hotel booking fees disclosed only at checkout).

Judicial Developments

Dedicated judicial precedent on dark patterns under Indian law is limited because the CCPA Guidelines are relatively new, and enforcement proceedings take time to reach courts on appeal. However, the broader consumer protection jurisprudence provides relevant analytical tools.

The Supreme Court in Hindustan Unilever Ltd. v. Reckitt Benckiser India Ltd. (2016) and related comparative advertising cases established that deceptive commercial communications violate consumer protection norms and can be restrained. The analogy to dark patterns is not exact (those cases involved advertising claims rather than interface design) but the underlying principle that commercial actors may not deceive consumers through their communications applies equally to interface design.

The Competition Commission of India’s investigation into e-commerce platforms has touched on dark pattern-adjacent practices. The CCI’s market study on e-commerce (2020) noted concerns about preferential listing of platforms’ own products, price parity clauses, and information asymmetries, some of which overlap with dark pattern concerns. The CCI’s proceedings against Amazon and Flipkart for preferential treatment of select sellers (investigations ongoing as of 2024) include elements of interface manipulation: the prominence given to certain sellers in search results constitutes a form of interface interference that disadvantages competitors without user awareness.

The Consumer Disputes Redressal mechanisms at the district, state, and national level have adjudicated numerous cases involving subscription traps and billing disputes. Consumer forums have consistently held that pre-checked subscription boxes and the non-disclosure of auto-renewal terms at the point of subscription constitute deficiency in service. These decisions, while not uniformly citating dark patterns by name, apply principles consistent with the CCPA Guidelines.

Contemporary Issues and Analysis

The CCPA Guidelines’ application to specific Indian digital commerce platforms reveals the pervasiveness of the practices they seek to regulate. Swiggy and Zomato, India’s dominant food delivery platforms, have been observed employing interface interference techniques that make the “delivery by restaurant” option (which carries no platform fee) visually less prominent than the “Swiggy delivery” option. Flipkart and Amazon India have been noted for drip pricing in electronics categories, where shipping charges, EMI fees, and installation costs are disclosed only at the final checkout stage. OTT platforms including Netflix India and Amazon Prime Video have used subscription trap mechanics involving opaque cancellation pathways and auto-renewal terms that are buried in terms of service rather than prominently displayed at subscription.

The specificity of the CCPA Guidelines in identifying 13 named dark pattern categories is both a strength and a weakness. The strength is that it provides clear prohibitions that can be applied without extensive interpretive work. The weakness is that dark pattern design evolves rapidly, and a statutory list will always lag behind innovation in manipulative interface design. A principles-based standard (such as a general prohibition on interface designs that manipulate user decision-making) supplemented by an indicative list of examples would be more durable than an exhaustive taxonomy.

The interaction between the CCPA dark pattern prohibition and the DPDP Act’s consent requirement creates a potentially powerful combined framework for consent management. A data fiduciary that uses interface interference to make “accept all” more prominent than “reject all” in a cookie consent banner violates both the DPDP Act’s requirement that consent be free and unambiguous and the CCPA’s prohibition on interface interference. Cross-regulatory enforcement coordination between the Data Protection Board and the CCPA would be necessary to realise the full potential of this combined prohibition.

Online gaming presents a particularly acute dark pattern concern. Games designed around progression systems, virtual currencies, and loot boxes embed manipulative structures at their architectural level: the game mechanics themselves constitute the dark pattern, not merely the interface through which additional purchases are offered. Children are particularly vulnerable to these mechanics, which exploit developing impulse control and the social dynamics of peer comparison. India’s gaming regulation landscape is fragmented, with MeitY’s consultations on online gaming and the nascent Online Gaming Self-Regulatory Organisations operating without a comprehensive statutory framework that would enable systematic dark pattern enforcement.

Comparative and International Perspective

The EU’s Digital Services Act, applicable to Very Large Online Platforms from February 2024, expressly prohibits dark patterns. Article 25 prohibits platforms from “designing, organising or operating their online interfaces in a way that deceives or manipulates their recipients or in a way that otherwise materially distorts or impairs the ability of the recipients of their service to make free and informed decisions.” The prohibition is stated at the level of principle, with supplementary guidelines providing more specific examples. The DSA’s application to VLOPs means that major platforms operating in India (Meta, Google, Amazon) face DSA-compliant interface standards in the EU and must determine how to manage the divergence between their EU and India interfaces.

The Federal Trade Commission in the United States issued a report on dark patterns in September 2022 finding their widespread use across e-commerce, subscription services, and cookie consent interfaces. The FTC has brought enforcement actions under Section 5 of the FTC Act (prohibiting unfair or deceptive acts or practices) against platforms using dark patterns, including a major settlement with Amazon in 2023 regarding its Prime subscription cancellation practices. The California Privacy Rights Act includes specific provisions on automated decision-making and consent interfaces that prohibit certain dark pattern techniques in the context of privacy rights.

The UK’s Competition and Markets Authority published guidance on online choice architecture in 2022, drawing on behavioural economics research to define the boundary between legitimate persuasion and manipulation in digital interfaces. The CMA’s approach is notable for its integration of behavioural economics into the legal standard, recognising that consumers do not make decisions as the rational agent model assumes, and that interface design exploiting predictable cognitive biases constitutes manipulation regardless of whether any individual statement is technically false.

Practical and Policy Implications

For digital commerce platforms operating in India, compliance with the CCPA Guidelines requires a systematic audit of all consumer-facing interfaces against the 13 prohibited dark pattern categories. This is a non-trivial exercise for platforms with thousands of interface states across multiple product categories, localised experiences, and A/B tested design variants. The challenge is compounded by the fact that dark patterns are sometimes the output of algorithmic optimisation rather than deliberate design choices: if a platform’s interface design is A/B tested against conversion metrics, the testing process itself may select for manipulative patterns because manipulative interfaces convert better.

Subscription businesses, OTT platforms, SaaS providers, and membership e-commerce companies face particular exposure to CCPA enforcement on subscription trap grounds. Compliance requires clear disclosure of recurring charge amounts, frequencies, and cancellation procedures at the point of subscription, a simple and accessible cancellation pathway, and affirmative confirmation of auto-renewal before each charge in cases of annual subscriptions.

For consumers and consumer advocates, the CCPA Guidelines create an accessible basis for complaints. The National Consumer Helpline and the CCPA’s complaint portal are the appropriate channels for reporting dark pattern violations. Consumer organisations could play an important advocacy role by systematically auditing major platforms and reporting violations, as has been done by groups like Which? in the UK and the Norwegian Consumer Council in Norway.

Suggestions and Reforms

The CCPA Guidelines should be elevated to statutory rules with explicit penalty provisions that are proportionate to the scale of the violation. Currently, the Guidelines derive their force from the CCPA’s general enforcement powers under the CPA, but the lack of specific penalties for specific dark pattern violations creates enforcement uncertainty.

A principles-based overarching prohibition should be added to the Consumer Protection Act, prohibiting interface designs that use cognitive bias, information asymmetry, or visual manipulation to impair users’ ability to make free and informed decisions. The 13 named categories should be treated as illustrative rather than exhaustive.

The CCPA and the Data Protection Board should develop a joint enforcement framework for dark patterns in consent interfaces. A unified regulatory window for consumer complaints involving both dark pattern and consent violations would simplify the enforcement landscape and ensure consistent standards.

MeitY should complete its consultations on online gaming dark patterns and issue sector-specific guidelines addressing loot boxes, virtual currency mechanics, and pay-to-win progression systems, with particular attention to the exposure of minors.

Conclusion

Dark patterns represent a significant frontier of consumer harm in digital commerce, and India’s regulatory response through the CCPA Guidelines of 2023 is a meaningful step forward. The framework is not yet complete: it lacks statutory specificity on penalties, does not cover all relevant sectors with equal clarity, and operates in parallel with the DPDP Act’s consent provisions without adequate cross-regulatory coordination.

The deeper challenge is that dark pattern regulation targets a dynamic phenomenon: design practices evolve continuously, shaped by algorithmic optimisation and competitive imitation. Static regulatory lists cannot keep pace without a principles-based foundation. India should build the regulatory framework around behavioural principles grounded in how consumers actually make decisions, rather than taxonomies of current manipulative techniques, ensuring that the law remains effective as the design landscape evolves.

About the Author

Leave a Reply

Your email address will not be published. Required fields are marked *

You may also like these