CCPA issues Guidelines for Prevention and Regulation of Dark Patterns, 2023


The Central Consumer Protection Authority (“CCPA”), in exercise of its powers under Section 18 of the Consumer Protection Act, 2019 (“CPA”), notified the Guidelines for Prevention and Regulation of Dark Patterns, 2023 (“Guidelines”) on November 30, 2023. The Guidelines were notified after conducting stakeholder consultation and seeking comments from the public on the earlier released draft Guidelines.

In the prevailing digital age, where online commerce is an integral part of our daily lives, consumers and users fall prey to nefarious practices such as use of dark patterns by businesses that raise long term concerns related to data privacy and consumer autonomy. The Guidelines intend to prohibit the use of dark patterns in designing User Interface (“UI”) and User Experience (“UX”) that manipulate users. Further, the Guidelines urge entities to retain users and drive sales using ethical and consumer-centric approaches.

 

Concept of dark patterns

The Guidelines define “dark patterns” to mean manipulative practices or deceptive design patterns in UI or UX on any platform that subvert or impair user autonomy, influence decision making, and work to the detriment of users. While it had been a prevailing cause of concern for the Department of Consumer Affairs and the Advertising Standards Council of India, the Guidelines have, for the first time, defined the term “dark patterns” and set out specific dark patterns in an indicative list that will be updated by the CCPA from time to time.

 

Applicability

The Guidelines apply to sellers, advertisers, and all platforms that systematically offer goods and services in India. If such entities are already regulated for dark patterns under any other law, the Guidelines may be read as a supplementary provision and not in derogation of such other laws.

Further, the Guidelines will have extra-territorial application to all foreign entities and platforms that are offering goods or services in the Indian markets.

 

Interplay with law on data protection

The Digital Personal Data Protection Act, 2023 (“DPDP Act”) requires all entities and online platforms to obtain free, specific, informed, unconditional, and unambiguous consent from individuals prior to the processing of their personal data. Additionally, the consent may be withdrawn at any time, and the act of withdrawing consent should be made as easy as the act of giving consent by an individual. The Guidelines, coupled with the DPDP Act, attempt to ensure that users are not forced or manipulated into sharing personal data by obtaining consent by deceit, and that a balance can be struck between accessing user data for personalisation and user privacy. For example, the Guidelines restrict entities from using design tactics which force a user to provide personal data unrelated to the intended purchase. Therefore, the Guidelines aim to prohibit dark patterns which may also contravene the consent requirements under the DPDP Act.

 

The specified dark patterns

Annexure 1 of the Guidelines specifies thirteen dark pattern practices and provides illustrations for guidance. The Guidelines also state that such practices may not be construed as an interpretation of law or a binding decision and that the determination of whether a practice or design qualifies as a dark pattern depends on the specific facts or circumstances of each individual case.

Meaning of each specified dark pattern, followed by its illustration:

1. False urgency: means using tactics that create a false sense of urgency or scarcity to convince a user to make an immediate purchase or an action which may lead to a sale.
   Illustration: Hotel-booking platforms presenting false data on high demand such as, “Only 2 rooms left! 30 others are looking at this right now”.

2. Basket sneaking: means including additional items or costs such as additional products or donations, at the time of check out without the consent of the user. However, additional complimentary items and necessary fees disclosed at the time of purchase may not constitute basket sneaking.
   Illustration: Automatic addition of paid ancillary services to the cart when a user is purchasing a product.

3. Confirm shaming: means using design tactics that create a sense of fear, shame, ridicule, or guilt in the user’s mind so that the user purchases a product or continues a subscription of service.
   Illustration: A flight-booking platform using the phrase “I will stay unsecured” when a user wishes to not buy travel insurance.

4. Forced action: means practices that force a user to buy additional products or sign up for an unrelated service or share personal information in order to purchase the intended product.
   Illustration: Requiring a user to share personal information linked with Aadhaar or credit card when such information is not necessary for the intended purchase.

5. Subscription trap: means a process wherein the platforms make cancellation of a paid subscription impossible or a cumbersome task for users.
   Illustration: Forcing a user, availing a free subscription, to provide payment details for auto debits.

6. Interface interference: means a design element that manipulates the user interface in a way that it highlights specific information and obscures other relevant details in order to misdirect a user from taking a desired action.
   Illustration: Designing a light-coloured “No” option for a notification asking for a purchase.

7. Bait and switch: means the practice of advertising an outcome based on the user’s action but deceptively serving an alternate outcome.
   Illustration: Offering a quality product at a cheap price but when it is moved to cart, the user is informed that the product is “out of stock” but instead a higher-priced product is available.

8. Drip pricing: means the practice of not revealing the full price of a product but secretively revealing different cost elements through the UX or at different stages of making a purchase. However, price fluctuations due to third party sellers or other factors may not constitute drip pricing.
   Illustration: Advertising an application as free, and not disclosing that continued use requires in-app purchase.

9. Disguised advertisement: means the practice of portraying or masking advertisements as different kinds of content such as user-generated content and blending such advertisements with the rest of the UI in order to trick users into interacting with them. Further, it is the seller’s or advertiser’s responsibility to make appropriate disclosures for advertisement-related content.
   Illustration: Putting embedded advertisements in the normal UI along with the rest of the content on the platform.

10. Nagging: means the practice of overloading users with requests, information, options, or interruptions to effectuate a transaction and make commercial gains.
    Illustration: Websites asking users to download their mobile application, repeatedly.

11. Trick question: means using confusing or vague language such as using double negatives and similar tricks to misguide the user from taking a desired action or leading the user to a different response or action.
    Illustration: While giving a choice to opt in to receiving updates, using phrases like “Yes, I would like to receive” and “Not now”, instead of a simple “Yes”.

12. SaaS billing: means a process of generating payments from the user on a recurring basis in a software as a service business model by exploiting positive acquisition loops to surreptitiously get money from users.
    Illustration: Not giving any notification to the user when a free trial is converted to paid.

13. Rogue malwares: involves using ransomware or scareware to mislead or trick the user into believing that there is a virus or vulnerability in their computer in order to convince them to pay for a fake antivirus that in fact installs malware on their computer.
    Illustration: When a pirating website/app promises the user free audio or video content, but actually leads to embedded malware when the link is accessed.

 

The Guidelines are expected to have a significant impact on the advertising and marketing strategies utilized by online platforms, including online marketplaces. Such platforms may need to evaluate their UI and invest in alternative methods to promote their products and services that bolster transparency and protect consumers’ interest. The implementation of the Guidelines will also lead to rebuilding and strengthening of trust between the online platform and its users.

 

This Prism has been prepared by:

Sajai Singh, Partner, JSA

Himanshu Kumar
Associate

 
