Listen to this post
Dark Pattern Guidelines: Illuminating Or Illusory?  

The Central Consumer Protection Authority (“CCPA”) notified Guidelines for Prevention and Regulation of Dark Patterns, 2023 (“Guidelines”), under Section 18 of the Consumer Protection Act 2019 (“COPRA”), on November 30, 2023.

While there is a clear need to regulate deceptive online behaviours in what will be the world’s fastest growing digital economy, the Guidelines’ approach, including how they define dark patterns and their use of “illustrative” specific dark patterns, is potentially problematic. In this blog, we examine some of these concerns. 

COVERAGE AND CONTRADICTIONS

In essence, the Guidelines seek to prevent platforms, which “systematically offer” goods or services, from engaging in any “dark pattern practices”.[1]

The Guidelines define ‘dark patterns’ as “practices or deceptive design pattern using user interface or user experience interactions on any platform that is designed to mislead or trick users to do something they originally did not intend or want to do, by subverting or impairing the consumer autonomy, decision making or choice, amounting to misleading advertisement or unfair trade practice or violation of consumer rights.”[2]

While the subversion of autonomy is globally recognised as the basis for restricting dark patterns[3], including under the European Union’s Digital Services Act[4] (“DSA”) and California’s California Privacy Rights Act[5], the Guidelines include an additional definitional requirement for dark patterns, also amounting to misleading advertisement, unfair trade practices, or violation of consumer rights.

The source for this can be traced back to the source of the underlying rulemaking power. While platforms are regulated more widely by the Ministry of Electronics and Information Technology, the use of rulemaking powers under COPRA to issue the Guidelines signifies that the  Guidelines will operate to prevent “unfair trade practices and protect consumers’ interest”.[6] Even so, rather than simply including this dual requirement, a better “design” choice here may have been to conclude definitively that any practice that is intended to mislead users, automatically qualifies as an unfair trade practice.

While the above may be somewhat understandable, there are several other concerning aspects of the guidelines.

For one, the sheer brevity of the guidelines (the operative part is less than five sentences in length) raises a question on whether a new standalone regulation was justified here, or whether the same effect could have been achieved by way of amendments to existing guidelines on e-commerce[7] and advertising[8], which are referred to extensively in the Guidelines.

The main body of the Guidelines is also somewhat contradictory. For instance:

  • While the Guidelines have been sought to be extended to[9] advertisers and sellers, the operative restrictions in the Guidelines refer to all “persons (including platforms)”; and
  • Similarly, while text has been added to Annexure 1 to say illustrations are merely indicative[10], Guideline 5 continues to state that any person engaging in the activities specified in Annexure I will be considered to be engaging in ‘dark patterns’.

The above contradictions run the risk of being the source of contrary interpretation, self-censorship and dispute. This makes the assertion in the Guidelines that the decision of the CCPA “shall be final” [11] even more interesting, particularly in view of the judicial challenges that are likely here. 

ILLUSTRATIVE AND SPECIFIC

The prescription of specified dark patterns in the Guidelines, which makes up for the bulk of the content, while helpful in providing guidance may be problematic where treated as definitive.

While there has been an attempt (in the lead-in to Annexure 1) to keep this list illustrative (perhaps in response to the comments received), in essence, where something is called out as “specified” dark pattern, any action that falls within these definitions will likely be scrutinised heavily, and at the very least, be open to frequent litigation, especially read with Guideline 5, which takes away from the ‘illustrative’ intent of Annexure 1.

Further, while some entries in this list are clear and helpful, there are several problems ranging from redundancy and overlap, to overbroad restrictions and business judgement, all of which may lead to unintended consequences on an emerging digital ecosystem.

For instance:

  • The Guidelines seek to restrict ‘rogue malware’ as dark pattern. The drafting of this illustration is wordy, redundant and conflates malware attacks with misleading advertising and redirection. It is indicative that this sort of action, which do not take place often in the course of a sale of product or service, is best left regulated under the Information Technology Act, 2000.[12]
  • ‘SaaS billing’ is confusingly defined to require “exploiting positive acquisition loops in recurring subscriptions to get money from users as surreptitiously as possible”, such as, use of “shady credit card authorization practices” to deceive consumers. This kind of imprecise drafting is unnecessary given the clear regulations around subscription billing by the Reserve Bank of India and various card payment systems.
  • Similarly, the definition of ‘nagging’ requires that users be “disrupted and annoyed” by practices that can range from requirements to download applications or provide phone numbers, none of which may meet the core requirement of alleged pattern, i.e. disruption of the transaction being carried out by a consumer.
  • While the definition of a ‘disguised advertisement’ cross refers to a well-established definition[13], the value of creating a separate restriction, to govern a practice that is already clearly covered by a specific regulation seems dubious, particularly given that the Advertising Standards Council of India has proposed much clearer and purpose specific guidelines on advertising[14]
  • Several common business practices also appear to be inadvertently covered within some definitions. For instance, requiring users to provide payment details or authorisation for auto debits for availing a free subscription is classified as a ‘subscription trap’. Practically, several free trials require ‘penny drop’ confirmations of users’ payment mechanisms, to ensure that potential subscribers have the valid means to pay.

The above are more than mere drafting concerns as the lack of specificity will hamper effective enforcement and compliance and overburden the routine appeal mechanism – to high courts from the decisions of CCPA.

While there is a clear need to prevent and regulate dark patterns, a balanced, specific and business-friendly approach is crucial to avoid unintended consequences, such as hampering legitimate content, market practices and technological innovation, in a rapidly changing digital ecosystem.


[1] Section 3, Guidelines.

[2] Section 2(e), Guidelines.

[3] For example, DSA restricts practices that materially distort or impair, the ability of recipients of the service to make autonomous and informed decisions or choices. Similarly, CPRA that provides agreement obtained through use of dark patterns does not constitute consent, defines dark patterns as user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.

[4] Digital Services Act, 2022, Directive 2000/31/EC, accessible here.

[5] California Privacy Rights Act, 2020, Proposition 24, accessible here.

[6] See Section 18, COPRA.

[7] Consumer Protection (e-Commerce) Guidelines, 2018.

[8] Guidelines for Prevention of Misleading Advertisements and Endorsements for Misleading Advertisements, 2022.

[9] Section 3, Guidelines

[10] Lead in of Annexure I, Guidelines sates: “The dark pattern practices and illustrations specified below provide only guidance and shall not be construed as an interpretation of law or as a binding opinion or decision as different facts or conditions may entail different interpretations.”

[11] Section 7, Guidelines.

[12] Section 66 read with Section 43 of the Information Technology Act, 2000.

[13] The expression “disguised advertisement” shall include misleading advertisement as defined in Section 2(28) of COPRA and the Guidelines for Prevention of Misleading Advertisements and Endorsements for Misleading Advertisements, 2022.

[14] See note 10 above.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Arun Prabhu Arun Prabhu

Partner (Head- Technology & Telecommunications) at the Bengaluru office of Cyril Amarchand Mangaldas. Arun is part of the Technology, Media and Telecommunications (TMT) group and has special expertise in advising clients in the electronics, information technology enabled services, outsourcing and information technology sectors.

Partner (Head- Technology & Telecommunications) at the Bengaluru office of Cyril Amarchand Mangaldas. Arun is part of the Technology, Media and Telecommunications (TMT) group and has special expertise in advising clients in the electronics, information technology enabled services, outsourcing and information technology sectors. He was also a member of the Government of India’s working group on the legal enablement of information and communication technology systems. Arun was described as a “very effective and highly knowledgeable” lawyer by Chambers and Partners in 2011. He can be reached at arun.prabhu@cyrilshroff.com

Photo of Anirban Mohapatra Anirban Mohapatra

Partner in the General Corporate Practice at the Bengaluru office of Cyril Amarchand Mangaldas, and is part of the Technology, Media and Telecommunications practice of the Firm.

Anirban regularly advises clients across diverse sectors including healthcare, manufacturing, banking, information technology, automobile, financial services…

Partner in the General Corporate Practice at the Bengaluru office of Cyril Amarchand Mangaldas, and is part of the Technology, Media and Telecommunications practice of the Firm.

Anirban regularly advises clients across diverse sectors including healthcare, manufacturing, banking, information technology, automobile, financial services media and broadcasting on transactional as well as advisory matters. Anirban supports transactions by handling the entire documentation process for large scale technology transactions and advice on emerging trends in the data protection and privacy space. Anirban works with the business teams of clients closely to ideate and evolve legal documentation, policies and best practices based on commercial requirements of clients and interactions with regulators such as the Telecom Regulatory Authority of India (“TRAI”).

He graduated from West Bengal National University of Juridical Sciences, and first joined the firm in 2012. He can be reached at anirban.mohapatra@cyrilshroff.com.

Photo of Mansi Jain Mansi Jain

Associate in the Technology Media Telecommunications at the Bangalore office of Cyril Amarchand Mangaldas. Mansi can be reached at jain.mansi@cyrilshroff.com