Introduction

Dark Patterns can be referred to as the deceptive web or UI designs or patterns commonly used in web based or mobile based platforms, intended to manipulate, or trick the decision of a consumer by deceiving them to do something that is determinantal to his interest and something that the consumer otherwise would not do, compromising consumer’s autonomy, decision-making power, and his privacy. Some of the widely used dark patterns include subscription trap, false urgency, and click and bait.

Although the term ‘Dark Pattern’ is a relatively new concept in the e-commerce domain, the issues persisting to its use in general online user interface have been long pressing. The concerned authorities in various jurisdictions including India have been trying to combat the issue pertaining to these deceptive practices by introducing new norms under the consumer protection laws, and data protection rules and regulations to maintain consumer’s autonomy and transparency in online transactions.

Dark Patterns in foreign jurisdictions:

Some of the jurisdictions which have recognised the deceptive practice of dark patterns include:

United States:

In the United States, some of the consumer legislations provide for certain provisions that relate to curbing the practice of dark patterns. The Restore Online Shoppers’ Confidence Act (‘ROSCA’) prohibits sellers of negative option subscriptions, i.e., a provision under which the customer's silence or failure to take an affirmative action to reject a product or services or to cancel the subscription is interpreted by the seller as acceptance of the offer.’[1] Further, the States of California followed by Colorado have banned the use of dark patterns or deceptive website designs by companies that trick users into selling their information or giving away their personal data.

Europe:

Similarly, the European Data Protection Board which oversees the implementation of the general data protection laws in the EU, published a Draft Guidelines 3/2022 on dark patterns in social media platform interfaces. The Guidelines aim to provide guidance and practical recommendations to developers and users to identify and forestall dark patterns that violate the General Data Protection Regulation (‘GDPR’).

United Kingdom:

The UK Competition and Markets Authority and Information Commissioner's Office jointly published a paper to lay out clarifications regarding online design practices (‘online choice architecture’) that are likely to influence consumer decisions, for product and user experience (UX) designers.

Singapore:

Currently, the Code of Advertising Practice in Singapore, formulated by the Advertising Standards Authority, relies on voluntary compliance from businesses. The UK-Singapore Digital Economy Agreement signed in June 2022 could prompt changes to the Consumer Protection (Fair Trading) Act, 2003. This amendment proposes to include specific provisions against black-and-white designs, referring to deceptive strategies aimed at misleading consumers.

Indian perspective

The Advertising Council of India (‘ASCI’) is a self-regulatory organization for the advertising industry to protect the interest of consumers against false and misleading advertisements. In November 2022, the ASCI released a discussion paper highlighting various kinds of dark patterns being used by digital platforms to manipulate consumer’s choices and patterns. Subsequently, in June 2023 the ASCI issued guidelines on Deceptive Design Patterns in India (‘ASCI Guidelines’) to further the objective of the ASCI Code to ensure honesty from the advertiser and prevent the advertisers from taking advantage of vulnerable customers by any omission, exaggeration, implication, or ambiguity in the advertisements. The ASCI Guidelines were issued to combat the Dark Pattern in digital advertisement. The ASCI Guidelines talks about Drip Pricing, Bait and Switch, False Urgency, and Disguised Ads.

Recently, on 30 November 2023 the Central Consumer Protection Authority (‘CCPA’), a regulatory body under the Consumer Protection Act, 2019 notified the Guidelines for Preventions and Regulations of Dark Patterns, 2023 (‘Guidelines’). The Guidelines aim to protect the interest of the consumers focusing on this digital era.

The Guidelines will be applicable to all platforms systematically offering goods and services in India that includes any platform of foreign jurisdiction offering products and services in India, advertisers, and sellers in India. It further has classified dark patterns in the category of misleading advertisement as well as unfair trade practices and therefore attracting the provisions of the Consumer Protection Act, 2019. The Guidelines have specified thirteen dark patterns which have been listed below:

1. False Urgency: Creating a false sense of urgency in the minds of the consumers to mislead them into making immediate purchase or taking actions which may lead to purchase of the items. This is done by showing false popularity of the products or deceiving the consumers by falsely portraying limited availability of the products.
   
   Illustration - Hurry Up!! Only 2 left in stock, 100 others are looking at this product.
2. Basket Sneaking: Inclusion of additional items (except for complimentary items), such as services, charity, or donation, at the time of checkout or the payment page without expressed consent of the consumer leading to an increase in the total amount payable by the consumer for the selected product or service.
   
   >Illustration – Addition of travel insurance while purchasing a travel ticket.
3. Confirm shaming: Using phrase, audio, video to instil a sense of fear or shame, or ridicule or guilt in the mind of the consumer compelling them to do act in way that will lead to purchase or subscribe a product or service or continuing the subscription of a service.
   
   Illustration – Using the phrase like ‘I will stay unsecured’ on a platform for booking travel tickets when a user does not purchase insurance.
4. Forced action: Pushing a user to buy additional goods or subscriptions to unrelated services or to share their personal information when purchasing a product or subscribing a product or service.
   
   Illustration – Forcing a user to subscribe to a newsletter in order to purchase a product or service.
5. Subscription trap: The process of intentionally making the cancellation of a subscription a cumbersome process for the user, hiding the option for cancellation of subscription, forcing a user to provide payment details for auto deduction of payment for availing a free subscription or making the instructions related to cancelation of a subscription confusing, ambiguous latent, and cumbersome.
   
   Illustration – Entertainment applications forcing a user to opt for auto debit options in order to avail free subscription for a month.
6. Interface interference: Tactics used in designing elements to mislead a user from taking a desired action by manipulating the interface in ways that highlight certain information that is favourable to the platform and obscure other relevant information relative to the other information.
   
   Illustration – An ‘X’ icon on the top-right corner of a pop-up screen leading to opening up of another advertisement rather than closing it.
7. Bait and switch: Advertising a particular outcome based on the action of the user but deceptively serving an alternate outcome. In simple words, it occurs when an advertisement presents a certain option to attract potential customers but is subsequently replaced by a different option.
   
   Illustration - A seller offering a product at a cheap price which leads the customer to place an order of the same, leading to the product being unavailable and the seller presenting a similar option, which may be more expensive.
8. Drip Pricing: Practice of concealing certain elements of price and not revealing them upfront, revealing the price post confirmation of the purchase, offering a product or service for free and concealing the involvement of in-app purchases or preventing a user from availing a service which is already paid for unless something additional is purchased.
   
   Illustration - A consumer ordering food for price X on a platform but subsequently being charged a higher price Y due to it coming from a distance of 10 km away.
9. Disguised advertisement: Advertisements that are designed to look like other types of content, such as user-generated content or news articles, that blend in with the rest of the interface and trick customers into clicking on them. Disguised advertisement includes misleading advertisement as defined under the Consumer Protection Act, 2019, which includes falsely described products, giving false or misleading guarantee or information about the quality or quantity of the products, expressed or implied misrepresentation that would amount to unfair trade practices or deliberately concealing important information.
   
   Illustration – Advertising a facial cream claiming to change the skin tone of a person from dark to fair.
10. Nagging: Annoying the users with unauthorized and repeated interactions in the form of requests, information, options, or interruptions in their usage of a platform to effectuate a transaction for the sale of goods or services.
    
    Illustration – Website asking a user to download their app again and again.
11. Trick question: Deliberating using ambiguous or vague language like double negative, confusing wording, or similar trick to deceive the consumer into taking a specific action or abstain them from taking a desired action.
    
    Illustration – The asking of ‘Do you opt out of receiving updates of our collection and discounts forever?’ when giving the user an option to opt and using phrases like ‘Yes, I would like to receive updates’ and ‘Not Now’ instead of a simple Yes.
12. SaaS billing: Process of generating and collecting payments on a recurring basis from consumers by exploiting positive acquisition loops in recurring subscriptions to get money from users.
    
    Illustration: Silent recurring transactions whereby the user’s account is debited without being notified or simply stated auto-renewing monthly subscriptions without telling users.
13. Rogue Malwares: Using ransomware or screen-ware to mislead users into believing that they have a virus in their software and aim to convince them to pay for a fake malware removal on their computer that actually installs a malware on their computer.
    
    Illustration: Consumers downloading song from a pirated platform but keep getting pop-up of advertisement on them which are imbedded with malware.

Interface with the DPDPA

At the heart of many dark patterns outlined above lies the element of ‘consent’ to meet various requirements (including data protection law), which is obtained by using various patterns to induce, persuade, influence consent of users when undertaking various e-commerce operations. For example, in case of false urgencies, confirm sharing or forced action, users are incentivized through various means and methods to either purchase additional products, advance purchase plans or provide additional information. It is for this reason that the ambit and relevance of ‘consent’ under the recently-enacted Digital Personal Data Protection Act, 2023 (‘DPDPA’) remains important.

Recognizing new frontiers of consent in data protection to deal with issues such as deception and consent fatigue, the DPDPA calls for a standard of consent that is free, specific, informed, unconditional and unambiguous with clear and affirmative actions indicating such consent. While the particulars of what may constitute valid consent may further be elucidated through rule-making, free and informed consent remains central. The European Data Protection Board (or erstwhile Article 29 WP), time and again, issued guidance on free and informed consent and emphasized on real exercise of choice.

Such real exercise of choice must be without deception, intimidation, coercion or significant negative consequences for failure to provide consent in accordance with the specified terms. To this end, mechanisms which request consent on a take-it-or-leave-it basis are also looked upon and examined carefully. In recognition of the above, the DPDPA recognizes and implements certain guardrails around such consent:

The DPDPA requires Fiduciaries (entities determining means and purposes) to prove valid notice was provided and consent was provided by the individual in accordance with the requirements therein i.e., in a free and informed manner. Therefore, Fiduciaries may be called upon to demonstrate validity of notice and consent and must therefore, also store such records in a retrievable / auditable form.

It also limits the processing of personal data to the extent required for a particular purpose. Such limitation would continue to apply regardless of whether a user has provided consent for collection of personal data beyond such purpose.

For example, while a user who downloads a telemedicine application may provide consent for making available telemedicine services and accessing contact list, such consent shall be valid only to the extent that processing is undertaken for providing telemedicine services, and not for the latter.

Conclusion

The framework introduced by the CCPA will have an acute impact on the sellers, advertisers and platforms from both India and outside using deceptive user interface designs to induce consumers in buying products or availing services or subscription which they never intended to purchase or avail.

The market players will have to ensure that they are in compliance with the Guidelines and accordingly instruct the software developers to design the user interface to ensure it restricts usage of any dark pattern and also revisit their existing user interface to remove any design which adversely affects consumer autonomy.

The impact of such dark patterns is also likely to vitiate consent and allied requirements which may be relevant in processing of personal data, with the advent of the DPDPA. The DPDPA deals with such issues by not only providing specificity of consent (thereby avoiding broad-based consent), but also limiting collection and such consent to purpose of collection.

Failure to comply will lead to a penalty under the Consumer Protection Act, 2019 for violation of Guidelines notified by CCPA, of up to INR 10 lakh (One million) for an initial offense and up to INR 50 lakh (Five million) for subsequent violations. Additionally, they can be prohibited from endorsing any product or service for up to one year for the first offense and up to three years for repeated violations, apart from potential consequences under data protection laws.

Although these Guidelines are a right step towards ensuring that the consumers in India make informed decisions when purchasing goods or service through an online platform however, implementation of these guidelines will still be a challenge as the platforms or advertisers may take the advantage of ambiguous explanations for some of the dark patterns listed in the Guidelines.

[The authors are Principal Associate, Senior Associate and Associate, respectively, in the Corporate and M&A, and TMT practices of Lakshmikumaran & Sridharan Attorneys at Hyderabad]

1. [1] S. 310.2 of the Federal Trade Commission’s Telemarketing Sales Rule