Introduction
The rapid expansion of India’s digital marketplace has brought unprecedented convenience to consumers, but it has also cultivated an opportunity for sophisticated forms of digital manipulation. At the forefront of these deceptive practices are “dark patterns”.
Dark patterns are defined as deceptive design practices that leverage user interface (“UI”) or user experience (“UX”) interactions on digital platforms. Their fundamental purpose is to mislead or trick users into performing actions they did not originally intend or desire, thereby subverting or impairing consumer autonomy, decision-making, or choice.
These are carefully crafted to exploit human psychology and cognitive biases, subtly nudging users towards choices that primarily benefit businesses. Such manipulations frequently result in a loss of privacy, unintended purchases, or inadvertent agreement to unfavorable terms and conditions.
The 2023 Guidelines: A Foundational Framework
In response to the growing online techniques to manipulate consumer decision, the Central Consumer Protection Authority (“CCPA”) took a landmark step by notifying Guidelines for Prevention and Regulation of Dark Patterns, 2023[1] (“2023 Guidelines”). This framework represents India’s first direct and comprehensive attempt to define and prohibit dark patterns, establishing a legal foundation for addressing the issue.
The 2023 Guidelines was issued in furtherance to Section 18 of the Consumer Protection Act, 2019 (“CPA”), which empowers CCPA to issue guidelines to prevent unfair trade practices and protect consumer interests. The scope of the 2023 Guidelines is broad, applicable to all platforms systematically offering goods or services in India, as well as to advertisers and sellers.
The core of the guidelines is to prohibit all persons from engaging in any dark pattern practices as mentioned in Annexure I to the 2023 Guidelines.
Annexure I to the 2023 Guidelines enlists 13 types of identified dark patterns:
i. False Urgency: Creating fake scarcity or urgency to push quick purchases.
(For eg: “Only 2 rooms left! 30 others are looking at this right now.”)
ii. Basket Sneaking: Adding extra items/services at checkout without user consent.
(For eg: Automatic addition of travel insurance when booking a flight ticket).
iii. Confirm Sharing: Using fear, shame, or guilt to manipulate users.
(For eg: “I will stay unsecured” when a user declines travel insurance)
iv. Forced Action: Forcing users to take unrelated actions to access their intended purchase.
(For eg: Forcing a user to subscribe to a newsletter before buying a product)
v. Subscription Trap: Making cancellation difficult, hidden, or confusing.
(For eg: Hiding cancellation option and forcing auto-debit sign-ups for “free trials”)
vi. Interface Interference: Manipulating design to highlight or hide information.
(For eg: An “X” button that opens another ad instead of closing it)
vii. Bait and Switch: Advertising one outcome but delivering another.
(For eg: Offering a cheap product, then saying it’s unavailable and pushing a more expensive one)
viii. Drip Pricing: Revealing full cost only at the last step or after confirmation.
(For eg: Flight shown as ₹5,000 at checkout, but ₹5,800 is charged at payment stage.)
ix. Disguised Advertising: Ads presented as genuine content (user reviews, news)
(For eg: Paid promotion masked as a user-generated review)
x. Nagging: Overloading users with repeated requests/interruptions unrelated to purchase.
(For eg: Constant pop-ups asking to “turn on notifications” with no “No” option)
xi. Trick Questions: Deliberate use of confusing or vague language to misguide or misdirect a user from taking desired action or leading consumer to take a specific response or action.
(For eg: A checkbox at checkout saying “Tick this box if you do not want to unsubscribe from promotional emails.)
xii. Saas Billing: Collecting payments from consumers on a recurring basis in a software as a service (SaaS) business model by exploiting positive acquisition loops in recurring subscriptions to get money from users as surreptitiously as possible.
(For eg: A design tool offers a “Free 30-day trial” but requires credit card details upfront. Once the trial ends, the plan auto-renews annually for ₹9,999 without any reminder email. The cancellation option is hidden deep in account settings, making it hard for users to avoid being charged.)
xiii. Rogue Malware: Using a ransomware or scareware to mislead or trick user into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer.
(For eg: While browsing, a user sees a pop-up saying “ALERT! Your PC is infected with a Trojan. Immediate action required. Download Antivirus Pro for ₹2,499 to protect your files.” The user downloads and pays, but instead of removing a virus, the software installs spyware that steals passwords and financial information.)
Enforceability of 2023 Guidelines:
The CCPA is the regulatory body responsible for interpreting and enforcing the 2023 Guidelines. Since the Guidelines themselves do not provide a specific complaint procedure, the CPA will apply. CPA outlines the mechanism for addressing unfair trade practices and misleading advertisements. Accordingly, the punishment stipulated for the offence of false or misleading advertisement under the CPA will be invoked. The infringer will be liable for punishment with imprisonment for a term which may extend to two years and with fine of up to ten lakh rupees. If the offence is repeated subsequently, the infringer will be punished with imprisonment for a term which may extend to five years and with fine which may extend to fifty lakh rupees.
- Action taken by CCPA under 2023 Guidelines:
CCPA had in furtherance to the 2023 Guidelines, suo-moto taken cognizance against inter-alia Indigo and Bookmyshow for use of dark patterns[2]:
- Action against BookMyShow:
BookMyShow was issued a notice by the CCPA on allegations of engaging in the dark pattern of “Basket Sneaking”, as it was automatically adding ₹1 per ticket towards its charity initiative “BookASmile” through a pre-ticked option, thereby charging users without their explicit consent; following the intervention, BookMyShow rectified the practice by providing users with a clear choice to voluntarily contribute.
- Action against Indigo:
The CCPA, by order dated June 19, 2024, found that IndiGo had engaged in dark patterns such as ‘Opaque Seat Assignment Processes’, by obscuring the option to skip paid seat selection and nudging users towards paid preferential seats, and ‘Confirm Shaming’, by displaying manipulative messages like “No, I will take risk” when users opted out of add-on services.
The CCPA directed IndiGo to introduce clear communication in its web check-in process, ensuring passengers are informed that seat selection is optional. In compliance, IndiGo revised its user interface, explicitly stating “You can skip preferred seat selection and complete your booking”, thereby eliminating the malafide practices.
The June 2025 Advisory
It was becoming evident that the 2023 Guidelines alone were insufficient to curb the pervasive use of dark patterns. Further, despite notices been issued to certain entities, instances of dark patterns continued to exist among e-commerce entities.
In response to widespread and ongoing non-compliance, CCPA, in June 2025, issued an Advisory in terms of CPA directing E-commerce Platforms to conduct Self-Audit to detect Dark Patterns on their platforms to create a fair, ethical, and consumer-centric digital ecosystem[3] (June 2025 Advisory). While this move was in furtherance to the 2023 Guidelines, the advisory itself is laced with legal ambiguity and introduces a new set of challenges, raising questions about whether it is an effective remedy.
The June 2025 Advisory, lays out two primary directives for e-commerce platforms:
1. Mandatory Self-Audit: All e-commerce platforms are directed to conduct a self-audit to identify dark patterns within three-months from the date of the advisory.
2. Voluntary Self-Declaration: Based on the results of the audit, platforms are encouraged to issue a self-declaration of compliance. The advisory suggests this voluntary act will help build consumer trust and foster a fair digital ecosystem.
The Perils of Self-Policing: A Critique of the Self-Audit Mechanism
The central focus of the June 2025 advisory i.e. the mandate for e-commerce platforms to conduct a self-audit, is conceptually appealing but practically difficult. A credible regulatory self-audit program requires well-defined standards. Globally, effective self-audits are typically anchored in:
• A comprehensive, standardized audit checklist
• Objective metrics to measure compliance
• Robust documentation and record-keeping requirements
• Independent verification or regulatory review of audit outcomes
The advisory directs platforms to conduct self-audits but provides no further guidance. It does not prescribe any specific audit methodology, no standardized format for reporting findings. This lack of procedural rigor transforms a compliance tool, with substantial potential into a vague directive, leaving the scope, depth, and quality of the audit entirely to the discretion of the platform being audited.
The self-audit mechanism, as designed, creates a significant moral dilemma. It fails to align the commercial incentives of platforms with the public interest goal of eliminating deceptive practices. For example, Platform I invests significant time and resources to conduct a rigorous, honest self-audit. It redesigns its interfaces to be more transparent, a process that is costly and may lead to a short-term fluctuation in revenue. Platform II, in contrast, performs a cursory, name-sake audit makes no substantive changes to its profitable but deceptive interfaces, and also issues a public self-declaration stating compliance. From the perspective of the regulator and the public who have no access to the underlying audit reports, both platforms appear equally compliant. The system unfairly punishes the diligent firm and rewards the one engaged in superficial compliance.
Conclusion:
The regulatory recognition of dark patterns marks a pivotal step in safeguarding consumer autonomy in India’s digital marketplace. The 2023 Guidelines provided the first foundational framework, and subsequent enforcement actions against BookMyShow and IndiGo signaled that the CCPA was prepared to act against manipulative design practices. The June 2025 Advisory, by mandating self-audits, reflects an acknowledgment that more proactive measures are necessary. Yet, by placing primary reliance on voluntary self-policing without prescribing a methodology, mandating transparency, or instituting independent verification, the advisory risks reducing compliance to a box-ticking exercise.
Notably, the Government’s decision to constitute a Joint Working Group (JWG), to identify and eliminate dark patterns across e-commerce platforms is a welcome development[4]. A JWG, by bringing together regulators, industry stakeholders, and consumer representatives, has the potential to foster a more collaborative and enforceable approach that transcends the limitations of self-audits.
Ultimately, while the regulation of dark patterns is both timely and necessary, the present reliance on self-audits remains superficial and insufficient. Genuine reform requires not only strong prohibitory guidelines but also enforceable mechanisms standardized audit protocols, independent oversight, and meaningful penalties that align commercial incentives with consumer welfare.
[1]https://consumeraffairs.gov.in/sites/default/files/fileuploads/latestnews/Draft%20Guidelines%20for%20Prevention%20and%20Regulation%20of%20Dark%20Patterns%202023.pdf
[2] https://www.pib.gov.in/PressReleseDetailm.aspx?PRID=2086980
[3]https://consumeraffairs.gov.in/sites/default/files/fileuploads/latestnews/CCPA%20Advisory%20dated%2005.06.2025.pdf
[4] https://www.pib.gov.in/PressReleasePage.aspx?PRID=2134765