CCPA steps in to curb Dark Patterns

With the expanding e-commerce market, online platforms are using innovative techniques to attract and influence consumers. This has also given rise to practices which nudge consumers to share sensitive information or make choices that often are neither intended by them nor are in their best interests. User experience designer and consultant Harry Brignull, in the year 2010, coined the term dark pattern to describe such techniques and practices.

In India, the term dark pattern got its first recognition in the guidelines issued by Advertising Standards Council of India (ASCI) in June 2023. In order to control and regulate the practice of dark patterns, various other steps have been taken including creating awareness, which are as follows:

a. The Insurance Regulatory and Development Authority of India (IRDAI) vide its circular dated September 27, 2019 prohibited travel portals from automatically adding and selling insurance using pre-checked boxes, which is an example of a dark pattern.

b. On June 15, 2023, ASCI released its guidelines to address the issue of deceptive design patterns in online advertising. These guidelines came into effect from September 1, 2023.

c. The Consumer Protection (E-Commerce) Rules, 2020 and Consumer Protection (Direct Selling) Rules, 2021 set out duties of e-commerce entities and direct sellers, respectively, towards consumers. The former mandates that consent of a consumer can only be recorded through an explicit and affirmative action, and no entity can record consent automatically, including in the form of pre-ticked checkboxes. Meanwhile, the latter holds an entity accountable for any misleading, deceptive or unfair trade practices in direct selling.

d. The newly enacted Digital Personal Data Protection Act, 2023 requires companies to imbibe privacy by design while collecting user data and ensure to seek informed consent for data processing activities, which in effect, mitigates the risk of deceptive design technique in websites.

e. On November 24, 2023, Deputy Governor of Reserve Bank of India highlighted the growing mis-selling of digital loans by using dark patterns.

Now, the Central Consumer Protection Authority (CCPA), in exercise of its powers under Section 18 of the Consumer Protection Act, 2019 (Act) has notified guidelines for prevention and regulation of dark patterns (Guidelines). This has widened the coverage of prohibition on dark patterns from insurance and advertising realm to an all-pervasive e-commerce economy. This article analyses the guidelines and its impact.

• This is the first time that a regulator in India has defined the term dark pattern [Clause 2(e) as of the Guidelines]. Dark patterns have been defined as “any practices or deceptive design pattern using user interface or user experience interactions on any platform that is designed to mislead or trick users to do something they originally did not intend or want to do, by subverting or impairing the consumer autonomy, decision making or choice, amounting to misleading advertisement or unfair trade practice or violation of consumer rights."

• CCPA has specified thirteen practices as dark pattern. There are illustrations also provided to better explain such practices. The list is not exhaustive and CCPA may from time to time add to this list any such practice it considers to be dark pattern. The thirteen practices identified at present are as follows:

  1. False Urgency – Seller(s) pressurizes consumers into making purchases by creating a false sense of popularity or urgency. For instance, claiming that the product selected by the consumer is the last one in stock.

  2. Basket Sneaking – Addition of products/services without the user’s consent. For instance, automatic addition of travel insurance while purchasing a flight ticket. However, addition of free samples/provision of complimentary services/addition of necessary fees (such as delivery charges/wrapping charges/additional taxes by government/any other charges disclosed at the time of purchase) would not be considered as basket sneaking.

  3. Confirm Shaming – Ridiculing/criticizing customers for not acting in a certain way. For instance, using phrases such as “I will stay unsecured” when the user refuses to add insurance while purchasing a flight ticket.

  4. Forced Action – Forcing a consumer to purchase an additional product/subscribe or sign up for an unrelated service/share personal information in order to buy/avail the product/service initially intended to be availed by the consumer.

  5. Subscription Trap – Forcing the consumer to share payment details for auto-debits while availing a free subscription or ensuring that he is not able to easily cancel its subscription by making the process unnecessarily complicated/providing complicated instructions/hiding the cancel button.

  6. Interface Interference – Hiding the portion of information which may be relevant to the user and highlighting only specific information. For instance, designing a light colored ‘no’ button while displaying a pop-up message asking the consumer if they wish to make a purchase or changing the meaning of key symbols to mean the opposite.

  7. Bait and Switch – Deceiving the consumer by advertising a particular kind of product based on the consumer’s action, but, delivering some other product, often more expensive. For instance, falsely showing a product as ‘available’ luring the consumer to add it to the shopping cart. However, when the same is done, it is revealed that the product is out of stock and instead a more expensive product is now available.

  8. Drip Pricing – Deceiving the consumer by not disclosing the exact price of the product at the time of purchase. For instance, disclosing the actual price of the product at the time of checkout/advertising a product or service as free without disclosing that its continuation of use would require an in-app purchase or preventing a user from availing a service for which payment has been made unless something additional is purchased. However, where there is a price fluctuation because of third-party sellers or due to facts beyond control, no liability can be imposed on marketplace e-commerce entity. For instance, price fluctuations while booking a flight ticket.

  9. Disguised Advertisement – Practice of masking advertisements as other type of content such as user generated content or new articles or false advertisements to blend in the interface and deceive consumers into clicking on them. The expression ‘disguised advertisement’, as defined in Section 2(28) of the Act, includes misleading advertisement. This practice shall also be governed by Guidelines for Prevention of Misleading Advertisements and Endorsements for Misleading Advertisements, 2022. The responsibility of disclosing the fact that the content is an advertisement lies on the seller/advertiser.

  10. Nagging – Disrupting/annoying a consumer through repeated interaction/requests for effectuating a transaction and make commercial gains, unless specifically permitted by the consumer. For instance, frequent requests to turn on notification/location or to accept cookies.

  11. Trick Question – Misguiding the consumer to choose a specific response/take a specific action instead of the desired one by use of confusing or vague language. For instance, instead of simply asking whether the consumer would like to receive updates with an option of clicking yes/no, the question could be whether the consumer wishes to opt out of receiving updates forever with an option of “Yes. I would like to receive updates.” and “No. Not now.”

  12. SAAS Billing – Process of collecting payments from consumers on a recurring basis (in a software as a service business model) without their consent or knowledge. For instance, not notifying as to when the free trial is converted into a paid subscription or auto-renewing monthly subscriptions without informing the consumer.

  13. Rogue Malwares – Secretly installing malware on the computer of the user. For instance, misleading the consumer that they have malware in their computer, thereby, prompting them to install/pay for a fake malware tool which actually installs malware to the system. Other examples include redirecting consumers to access content through links which are embedded with malware.

• These guidelines shall apply to all online platforms offering goods or services, advertisers and sellers in India.

• Any person indulging in any of the abovementioned specified practices shall be considered to be engaged in dark pattern.

• The guidelines grant final authority to CCPA with respect to its interpretation.

The specified practices are stated to be a guidance and not an interpretation of law or a binding opinion or decision. However, from a conjoint reading of Clause 5 along with Clauses 2(e) and 2(i) of the guidelines, whenever a person indulges in any of the specified practices, it will be considered to have been engaged in the practice of dark pattern. That said, it would be interesting to see how the regulator will take action under these guidelines.

Under the Act, adjudication of any instances of unfair trade practice, misleading advertisements and/or violations of consumer rights start with the regulator conducting a preliminary inquiry upon show-cause notice and thereafter, arriving at a prima facie case that a violation has occurred. On the basis of such prima facie finding, an investigation is undertaken by the Director General or District Collector. However, a bare reading of Clause 5 of the guidelines indicates that if a practice qualifies within the contours of Annexure-1, it will be “considered” as a dark pattern. This creates an ambiguity to the extent of whether the word “considered” will be interpreted as a presumption of dark pattern which is designed to mislead or trick users, thereby casting an onus on such person to defend it or it will be only upon due investigation (as envisaged under Section 19 of the Act), that a finding on dark pattern would be arrived. Nonetheless, such nuances will be clear only as and when CCPA initiates review of such practices.

Having stated the above, these guidelines are a step forward in preventing the use of deceptive practices which undermine the autonomy of consumers. This also is an alarm bell for e-commerce entities to review their consumer interface and reinforce informed consent at every stage of its use. A recent study done by LocalCircles amongst the users who use travel apps/site showed that they have frequently or sometimes experienced the following dark patterns:

It would be interesting to see how the regulator deciphers between practices which are more in the nature of persuasive marketing strategies as opposed to dark patterns.

About the authors: Karun Mehta is Partner, Yugam Taneja is Principal Associate and Kaarunya Lakshmi is Associate at Khaitan & Co. The views expressed are personal.