Dark patterns are deceptive design choices deliberately engineered to manipulate consumers into decisions they would not otherwise make. The popup that obscures the "no thanks" option in smaller font, the cancellation flow that drags a user through five screens, the pre-ticked insurance box on a flight booking, and the countdown timer that creates false urgency are all familiar examples. These are not design accidents. They are calculated interventions in consumer decision-making, exploiting cognitive biases to extract consent, purchases, and data that users would not freely give if presented with a neutral interface. In India, the legal response to dark patterns has been gradual, fragmented, and, so far, toothless.
The Central Consumer Protection Authority (CCPA) issued the Guidelines for Prevention and Regulation of Dark Patterns, 2023, identifying thirteen categories of prohibited dark patterns including false urgency, confirm-shaming, basket sneaking, drip pricing, and bait-and-switch. These guidelines, issued under the Consumer Protection Act, 2019, apply to all platforms offering goods or services in India. Violations attract penalties of up to ₹10 lakhs for misleading advertisements. In June 2025, the CCPA issued a further advisory requiring e-commerce platforms to conduct self-audits within three months. Self-audits are precisely what they sound like, companies reviewing their own practices with no independent verification, no binding compliance timeline, and no penalty structure that would concentrate the minds of platforms generating hundreds of crores in revenue from the very practices being audited.
The enforcement gap is structural. The Consumer Protection Act, 2019 grants the CCPA significant powers on paper: it can direct platforms to discontinue or modify unfair trade practices, initiate proceedings, and refer matters for prosecution. But the CCPA remains severely understaffed relative to the scale of the digital economy it is charged with supervising. It has not, as of writing, published any penalty orders specifically targeting dark pattern violations by major platforms. The contrast with the European Union's enforcement under the Digital Services Act (DSA), which in 2024 produced substantial regulatory action against manipulative design under Article 25, is instructive.
The more powerful legal instrument remains underused. The Digital Personal Data Protection Act, 2023 (DPDP Act) creates a foundational obligation for Data Fiduciaries to obtain free, specific, informed, and unambiguous consent before processing personal data. Dark patterns, by definition, vitiate consent because they manufacture the appearance of agreement by manipulating the cognitive process through which consent is formed. A pre-ticked consent checkbox, a buried opt-out link, or a consent interface designed to exhaust rather than inform the user is not a lawful basis for data processing under the DPDP Act. Penalties for breach of consent obligations under Section 33 and Schedule 1 can reach ₹250 crores, an order of magnitude more severe than the CCPA's powers. Yet the Data Protection Board of India has not yet been operationally constituted, and no enforcement action under the DPDP Act has been initiated.
The legal argument for DPDP-based enforcement against dark patterns has significant merit. Dark patterns that manipulate consent fall squarely within the definition of unlawful processing under the Act. The Act's requirement that consent be "free" necessarily implies the absence of manipulative design in the consent interface, a reading supported by the explanatory notes to the Act and consistent with the EU's interpretation of freely given consent under GDPR Article 7. Regulators and courts should adopt this reading explicitly, rather than confining DPDP enforcement to after-the-fact data breaches while ignoring front-end manipulation.
What India needs is coordinated enforcement across the CCPA and the Data Protection Board, a platform-facing audit obligation with independent verification, and meaningful penalty orders that send market signals. The Guidelines on Dark Patterns are a credible regulatory framework, but they have been issued into an enforcement vacuum. Platforms operating in India are making calculated decisions that the probability of penalty, discounted by the weakness of enforcement, is lower than the revenue generated by manipulative design. That calculus will not change until regulators demonstrate the institutional will and legal capacity to impose consequences. The DPDP Act provides both the legal authority and the financial deterrence. Using it against dark patterns is not a creative reinterpretation of the statute. It is a direct application of its most fundamental principle: that consent must be real.