Introduction

On November 30, 2023, the Central Consumer Protection Authority (“CCPA”) notified the Guidelines for Prevention and Regulation of Dark Patterns, 2023 (“Guidelines”), which aim to safeguard the rights of consumers on e-commerce platforms, websites and applications by prohibiting the use of dark patterns. These dark pattern Guidelines follow closely in the footsteps of the Guidelines for Online Deceptive Patterns in Advertising, issued by the Advertising Standards Council of India in June 2023.

Dark patterns are defined under the Guidelines as any practices or deceptive design patterns, using user interface or user experience interactions, that are designed to mislead or trick users into doing something they did not intend to do.

One of the core principles of consumer protection is the right to make informed choices. By definition, dark patterns constitute dishonest and unethical techniques that undermine this core principle. Therefore, an individual or platform that indulges in one or more of the dark pattern practices enumerated under Annexure 1 of the Guidelines, would be in contravention of the dark pattern Guidelines and run the risk of being penalised under Section 21 of the Consumer Protection Act, 2019.

List of dark pattern practices

The thirteen practices/advertising techniques that are considered dark pattern practices and consequently prohibited under the Guidelines are:

False urgency: falsely implying that a particular good or service is scarce or in high demand, with the intention of pressurising a user into making an immediate purchase. This would not apply to a genuine sale or discount that is being offered for a limited period or on limited stocks.

Basket sneaking: the inclusion of additional items such as products, services or charitable donations for additional cost at the time of check-out, without the consent of the user.

Confirm shaming: creating a sense of fear, shame or guilt in the mind of the user to push them to make a purchase. If a user opting out of donating to a charity is forced to click on the phrase “I do not care about those in need”, it would constitute confirm shaming.

Forced action: forcing a user to purchase an additional product or service, pay a higher price than first advertised or share personal information in order to make a purchase.

Subscription trap: making the process to cancel a subscription complex and lengthy, and/or forcing a user to grant auto-debit authorisation to use a free subscription.

Interface interference: using any design element that obscures relevant information with the intention to misdirect a user. For example, the option to close a pop-up window is barely visible to the user.

Bait and switch: the deceptive practice of displaying a particular service or product where, when a user attempts to purchase it, the seller says that it is no longer available and offers a more expensive alternative.

Drip pricing: a range of deceptive pricing techniques wherein the users are not informed of the actual prices of the products or services until after they confirm a purchase.

Disguised advertisement: disguising advertisements as other types of content such as user-generated content or news articles, with the intention to trick customers into clicking on them.

Nagging: any practice of constantly disrupting the user experience through pop-up windows and other similar interruptions, with the intention of annoying the user into making a purchase.

Trick question: deliberate use of ambiguous and confusing language to misdirect a user into taking an unintended action.

SaaS billing: any software as a service (SaaS) billing technique which involves collecting payments from customers in a secretive manner. For instance, failure to notify the user when a free trial is converted to a paid subscription.

Rogue malware: using ransomware or scareware to trick users into installing malware removal tools onto their systems that are in fact malware themselves. This is common on websites offering pirated audio-visual content or software.

*Note on rogue malware: Such malware attacks are likely to attract penal consequences under the provisions of the Indian Penal Code, 1860 and the Information Technology Act, 2000.

Data protection implications of the dark pattern Guidelines

Among the dark patterns identified by the Guidelines, many would also be regulated in parallel under India's recently passed data protection law, the Digital Personal Data Protection Act, 2023 (“DPDPA”).

To be valid, consent under the DPDPA must be free, specific, informed, unconditional, unambiguous with a clear affirmative action, limited to a specified purpose, and capable of being withdrawn at any time, with the ease of withdrawal being comparable to the ease of giving consent. Consequently, when relying on consent for processing personal data, the use of the following dark patterns leads to the risk of non-compliance with the Indian data protection law.

Confirm shaming: In the context of data protection, confirm shaming could take the form of a website using the phrases “I do not want great discounts”, “No thanks, I hate sales” or “I am not feeling lucky”, when a user does not agree to the processing of their personal data for marketing purposes. Since consent given pursuant to such requests would likely not qualify as ‘free’, such dark patterns would fall within the purview of the DPDPA.

Forced action: According to the illustration provided by the Guidelines, forcing a user to subscribe to a newsletter in order to purchase a product would amount to a forced action. If the provision of a service is bundled with consent to the processing of personal data that is not necessary for the provision of the service, such consent would not be ‘unconditional’. In the given illustration, since subscription to a newsletter involves processing of personal data, such as an email address, physical address or mobile number, the ‘forced action’ dark pattern would also be subject to the DPDPA.

Subscription trap: This dark pattern is relevant with respect to the withdrawal of consent, where consent given for certain processing activities can be understood as the subscription in question. In many instances, such consent may actually involve a subscription to newsletters or other marketing messages. The process for withdrawal of consent should be as simple as the process for provision of consent. If the withdrawal of consent is unnecessarily complex, latent, confusing or ambiguous, this dark pattern would be regulated under the DPDPA as well.

Interface interference: In the context of a consent request, if the option to decline consent is obscured while the option to accept is highlighted, this would constitute interface interference, and would be in clear violation of the requirement of ‘free’ consent.

Disguised advertisement: This dark pattern may rely on analytics and algorithms to place surreptitious advertisements, and may process a user’s activity with respect to the disguised advertisements themselves, leading to data protection concerns. 

Nagging: If users are repeatedly asked to consent to unrelated processing of their personal data, disrupting their intended activity, consent collected pursuant to such nagging would not be designated as ‘free’. The DPDPA would thus govern certain iterations of nagging.

Trick question: Using trick questions to misdirect users into consenting to the processing of their personal data would affect the validity of the consent under the data protection law in India.

Rogue malware: This dark pattern may be used to obtain consent for processing a customer’s personal data by way of their purchase of the anti-malware tool or software.

International regulation of dark patterns

Various jurisdictions globally are cracking down on the use of dark patterns, and generally interpret the term in a consistent manner.

In the European Union, the European Data Protection Board has released guidelines on dark patterns in social media platform interfaces, while the Digital Services Act, which will be generally implemented in February 2024, explicitly prohibits dark patterns. Additionally, the proposed Artificial Intelligence Act bans the use of dark patterns within artificial intelligence systems, while the Data Act proposed in 2022 seeks to prohibit the use of dark patterns in digital interfaces as well. In January 2023, the European Commission and Consumer Protection Cooperation Network released the results of a sweep of retail websites to check for the use of dark patterns, finding that nearly 40% of online shopping websites rely on dark patterns. National authorities contacted the traders concerned to rectify their practices.

In the United States, the Federal Trade Commission released a report on dark patterns. Various states’ privacy regulations, such as California’s and Colorado’s, prohibit the use of dark patterns to obtain users’ consent.

The Australian Competition and Consumer Commission has also defined dark patterns, and is examining the use of dark patterns in its five-year inquiry on digital platform services.

Other key takeaways

Wide powers of interpretation: From a bare perusal of the Guidelines, there appear to be a large number of terms and definitions that are vague and wide in scope. With the final interpretation of the dark pattern Guidelines being left to the discretion of the CCPA, the ascertainment of dark patterns such as confirm shaming or nagging would be dependent entirely on the CCPA’s interpretation of concepts such as ‘guilt’, ‘annoyance’, or ‘shady credit card authorization practices’.

Applicability to foreign platforms: In line with other consumer protection measures in India, such as the Consumer Protection (E-Commerce) Rules, 2020, these Guidelines will apply to foreign entities offering products or services in India. This is evident from the wording of Paragraph 3(i), which states that the Guidelines shall apply to all platforms, systematically offering goods or services in India.

Penalties: Unfortunately, the Guidelines are silent on the consequences of adopting dark pattern practices. We expect that the CCPA will penalise offending platforms under Section 21 of the Act, which grants the CCPA the power to call for the discontinuation or modification of any advertisement prejudicial to consumer interests and to impose a penalty that may extend to INR 10,00,000 (Rupees Ten Lakh). The CCPA also has the power to prohibit a seller or advertiser from making any endorsement whatsoever, for a period that may stretch up to one year.

The CCPA is an active regulator that does not hesitate to take suo moto cognizance of matters affecting consumer interests. Even in the absence of any ill intent to undermine consumer interest, platforms engaging in the use of dark patterns may come under the scanner of the CCPA. It is therefore recommended that all online platforms and websites perform a detailed review of their online marketing strategies, to scan for the presence of identified dark patterns as well as any other manipulative or deceptive UI practices. Businesses should focus on developing ethical designs that centre user experience and genuine engagement, instead of those that devise shortcuts to reach targets through manipulation. This approach can also offer businesses more useful analytics that reflect users’ true interests. Developers and UI designers should accordingly be advised to ensure that they create simple, clear user journeys.

Conclusion

The Guidelines are a welcome step towards a more robust consumer protection framework in India. While the requirements may pose challenges, prioritising transparency and user control will ultimately help businesses bolster customer trust and comply with data privacy laws in India. With wide discretion bestowed upon the CCPA, it remains to be seen how the regulator balances consumer interest against the right of sellers to adopt creative advertising practices.