India's CCPA targets dark patterns in e-commerce for fair design

All e-commerce platforms are expected to conduct a self-audit within three months of its issuance to assess whether their interfaces contain any elements that may qualify as dark patterns.

By Harsh Walia 

It is quite commonplace to receive emails citing ‘special offers’ which insist users to take a certain action within the next few minutes, while such offer remains mysteriously available weeks later. Even a simple task like cancelling an online subscription turns into an elaborate hunt for the cancel button. These are just a few everyday examples of dark patterns — deceptive design tricks embedded in digital platforms to nudge users into decisions that they might not otherwise make.

In today’s digital landscape, dark patterns are increasingly used to exploit user vulnerabilities, such as by compelling them to share excessive personal information, purchase unnecessary services, or agree to terms that compromise their privacy. To address the growing concerns, on 5 June 2025, the Central Consumer Protection Authority (CCPA) issued an advisory urging all e-commerce platforms (as defined under the Consumer Protection E-Commerce Rules 2020) to conduct internal self-audits to identify and eliminate dark patterns in their consumer interfaces. This advisory follows a series of regulatory developments over the last two years, indicating a growing policy focus on fair digital design, informed consent, and ethical user engagement.

The advisory is grounded in Section 18(1) of the Consumer Protection Act 2019 (CPA), which empowers the CCPA to take measures to prevent unfair trade practices. Additionally, it builds upon the Guidelines for Prevention and Regulation of Dark Patterns 2023 (2023 Guidelines) which categorised and prohibited thirteen types of dark patterns. These include practices such as subscription traps, confirm shaming, forced action, and misdirection—all of which were interpreted to interfere with a consumer’s ability to make informed and free decisions on digital platforms.

This advisory appears to have been prompted by continued use of dark patterns across e-commerce platforms, despite the 2023 Guidelines. The CCPA also noted that in certain cases, notices have already been issued to platforms allegedly engaging in such practices. Accordingly, the advisory seeks to strengthen compliance through pre-emptive measures and responsible platform behaviour.

As per the advisory, all e-commerce platforms are expected to conduct a self-audit within three months of its issuance to assess whether their interfaces contain any elements that may qualify as dark patterns. Platforms are further encouraged to issue self-declarations confirming the absence of such practices, based on the outcome of their internal review. The advisory also reiterates compliance with the E-Commerce Rules, which requires that consumer consent must be obtained through explicit and affirmative action excluding methods such as pre-ticked checkboxes or implied consent mechanisms.

The advisory signals CCPA’s intent to monitor dark patterns usage on platform designs and consent practices more closely, with the possibility that such usage of dark patterns may be construed as an unfair trade practice under the CPA. While all types of design manipulations may not constitute an unfair trade practice, such determination can only be made after a careful and case-to-case examination.

In parallel, the advisory intersects with India’s data protection regime under the Digital Personal Data Protection 2023 (DPDP Act), which requires that consent must be informed and freely given for it to qualify as the legal basis for personal data processing. The DPDP Act outlines the conditions under which consent will be considered valid. If consent is obtained through design mechanisms that obscure, nudge, or confuse their choices, there is a legal possibility that such consent may be rendered invalid, particularly if it fails to meet the standard of being free, specific, informed and unambiguous, especially in light of the reiteration by the CCPA. This introduces a dual compliance consideration both under consumer protection and data protection law. Accordingly, all types of disguised consent seeking mechanisms, false pressure tactics, and mechanisms that may curtail data protection rights should be carefully reviewed.

Globally, regulators have also taken a similar view. The EU General Data Protection Regulation (GDPR) and various enforcement actions by the European Data Protection Board (EDPB) have highlighted that user interfaces which deploy dark patterns may compromise the validity of explicit consent. In the United States, the Federal Trade Commission (FTC) has pursued enforcement and levied fines on companies that had deployed dark patterns in subscriptions and advertising flows, treating such practices as deceptive and unfair under the FTC Act. These global developments suggest that India’s regulatory approach is consistent with international standards, particularly in recognising the interface layer as a key site of platform accountability and user rights.

From a legal and business standpoint, the implications of the CCPA advisory are clear. Platform design is no longer purely a product function; it is an increasingly regulated space. E-commerce platforms may benefit from proactively reviewing their interface architecture to avoid regulatory scrutiny. This includes examining consent mechanisms, cancellation paths, promotional messaging, checkout flows and data collection pop-ups. Importantly, legal and compliance teams should work closely with design and product stakeholders to develop internal review frameworks for identifying and phasing out dark patterns.

In cases where platforms are compliant, issuing voluntary declarations may help demonstrate good faith and build trust with regulators and consumers. For global digital businesses, there is also merit in harmonising UX design across jurisdictions to align with privacy-by-design and fairness-by-design principles that are gaining traction internationally.

Importantly, not all design patterns are inherently violative of the law. It is therefore crucial to conduct a case-by-case analysis to determine its legality and implications on the rights of users, including their ability to provide consent in the manner stipulated under law. By conducting a nuanced and detailed assessment of each dark pattern, considering both legal and business considerations, it is possible to strategize solutions for companies to deploy user-friendly interfaces that are not violative of law. While the CCPA advisory does not impose a legal penalty at this stage, it sets a regulatory expectation that consumer interfaces must be transparent, fair and respectful of user autonomy. Platforms that align early with these expectations will be better positioned to manage compliance risks and maintain reputational credibility in a progressively ‘rights-aware’ digital economy.

- With inputs from Sanjuktha A Yermal, Senior Associate and Vanshika Lal, Associate.

(Harsh Walia, Partner at Khaitan & Co.)

Views are personal, and do not represent the stand of this publication.