Ansruta Debnath and Shubham Singh*

The paper provides a critical examination of India’s ‘Guidelines for Prevention and Regulation of Dark Patterns 2023’, highlighting issues of enforceability and contradiction within the framework. It proposes integration with the Digital Personal Data Protection Act, emphasizing the need for a comprehensive approach to address both consumer rights and data privacy concerns. Drawing comparisons with global practices, it suggests incorporating fiduciary obligations, establishing collaborative regulatory bodies, and enhancing enforcement mechanisms. Urging for clarity and uniformity, the author underscores the importance of swift remedies to counter the evolving threat of dark patterns and safeguard consumer autonomy in the digital landscape.

Introduction

India enacted guidelines for regulating and preventing dark patterns titled ‘Guidelines for Prevention and Regulation of Dark Patterns 2023’ (the Dark Patterns Guidelines) on November 30, 2023. However, upon evaluating the practicality and long-term viability of the Dark Patterns Guidelines, concerns arise.

This article will undertake an examination of the Dark Patterns Guidelines by scrutinizing the existing framework and exploring potential outcomes that may arise if there is an amalgamation of it with the Digital Personal Data Protection Act, 2023 (DPDP Act). It will also provide solutions to make the framework more effective.

Understanding The Dark Patterns And Their Guidelines In India

The Dark Patterns Guidelines characterize dark patterns as practices or deceptive design patterns that employ UI/UX (user interface/user experience) interactions on various platforms. These patterns are specifically devised to mislead or deceive users into performing actions contrary to their original intentions or desires. This is achieved by undermining or hindering consumer autonomy, decision-making, or choice, thereby constituting instances of misleading advertisement, unfair trade practices, or violations of consumer rights.

The Department of Consumer Affairs (DoCA) and the Advertising Standards Council of India (ASCI) initially released the Draft Guidelines for Dark Patterns, within which Annexure-I held ten types of dark patterns. The Draft Guidelines explicitly stated that the government reserved the right to add additional dark patterns to Annexure-I as deemed necessary over time.

The finally-notified Guidelines had three added dark patterns, bringing the total to thirteen. The government continued to reserve the right to add additional dark patterns; however, this time, it was explicitly stated that the dark pattern practices and illustrations specified in Annexure-I were only to act as non-binding guidanceand should not be construedas an interpretation of the law. Hence, the list of dark patterns became indicative in nature.

Furthermore, because of its promulgation under the Consumer Protection Act, 2019 (CPA), the Central Consumer Protection Authority (CCPA) remained the sole adjudicating authority in cases of complaints on dark patterns usage.

Issues with the Notified Guidelines

(i) Dilution of Applicability and Contradiction in the Guidelines

Upon the notification of the Guidelines, a significant concern emerges in Annexure-I, where it is explicitly stated that the specified dark pattern practices and illustrations provided therein serve only as guidance. The addition in the Annexure -I was probably made to assuage the concerns of businesses with respect to the added regulatory burden that would have befallen them had the Draft Guidelines been not changed on these aspects. However, this addition essentially ends up diluting the enforceability, creating a contradiction in the Guidelines.

Firstly, according to Guideline No. 7, the interpretation of guidelines by CCPA is deemed final over a dispute or an ambiguity. The non-binding nature of Annexure-I and stating them as guidance thus grants CCPA an added scope to offer new interpretations of the mentioned dark pattern practices creating uncertainty and ambiguity in enforcement procedures. The excessive power of interpretation granted to the CCPA could potentially lead to disharmony and may cause litigation over the interpretation of Dark Patterns by the CCPA.

Secondly, Guideline No. 4 states that there is a blanket prohibition on the usage of dark patterns by platform. Furthermore, Guideline No. 5 states that any person or platform is deemed to be engaging in a dark pattern practice if they participate in any practice outlined in Annexure 1 of the guidelines. This is a contradictory situation being created wherein one part of the Guidelines (i.e., Guideline No. 4 and 5) appears to be a directory while its complementary part (i.e., Annexure-I) is merely illustrative and not binding.

Lastly, the classification of dark pattern practices in Annexure -I as mere guidance, may instill second thoughts in consumers. Even if a customer encounters a dark pattern, the fact that these practices have been labelled as guidance implies a potential fallibility, raising uncertainty about their accuracy and hence, deterring them from instituting a complaint.

(ii) Inadequacy of CCPA

The remedies that the CCPA can provide to an aggrieved consumer against the use of dark patterns appear to be inadequate. The CCPA possesses the authority to initiate investigations or inquiries, either suo moto or in response to complaints, related to unfair trade practices, consumer harm, and misleading advertisements. It holds the power to issue orders for the recall, discontinuation, or reimbursement of the price of goods and services deemed unfair or causing consumer harm.

However, the dark pattern practices are not only employed to encourage consumer spending but can also be used for obtaining consumer consent through psychological and deceptive means, giving rise to overarching privacy concerns. For example, a platform can employ the dark pattern ‘forced action’, wherein a necessary action must be taken to proceed further. This could involve requesting consumer consent for the use of data, such as name, location, and other private information. If the consumer declines, the platform will not proceed.

When technical issues like data privacy and consent become factors in dark patterns for the exploitation of consumers, the CCPA, CPA, and Consumer Protection (E-Commerce) Rules, 2020 may not be the suitable authorities and laws to cover these aspects. In light of the same, the Data Protection Board (DPB) might be a more suitable authority to handle these matters. This is because Section 19(3) of the DPDP Act mandates its composition to include members with specialized knowledge or practical experience in data governance and consumer welfare.

It might be argued that the CCPA, as per Section 19 of the Consumer Protection Act, 2019, has the power to transfer cases to an appropriate regulator if the situation warrants it. Therefore, cases of dark patterns that violate data privacy, and require the technical experience of the DPB, could be referred to it by the CCPA. However, this will be a cumbersome procedure for a consumer i.e., the Data Principal.

The Global Perspective

The European Data Protection Board (EDPB), established under the General Data Protection Regulation (GDPR) which is the European Union’s overarching legislation on information privacy, plays a very active role in regulating the use of dark patterns. It came up with “Guidelines on Dark Patterns in Social Media Platform Interfaces” in 2022 to offer practical recommendations on assessing dark patterns in social media platforms. These guidelines identified more than fifteen dark patterns but also recognized the non-exhaustive nature of the list.

Concerning statutory sanction, the EU recently enacted the Digital Services Act (DSA) which explicitly forbids the use of dark patterns. Further, the 2021 Guidance to the Unfair Commercial Practices Directive (UCPD) states that the UCPD provisions could be used to challenge the use of dark patterns. Finally, while the GDPR does not explicitly recognize dark patterns, its provisions have been increasingly used for providing holistic protection and remedies to consumers against the use of dark patterns. For example, the Italian Data Protection Authority released a resolution declaring that the utilization of dark patterns would constitute a violation of the GDPR.

In the United States (US) as well, there are no individual laws or guidelines on dark patterns. Here again, data privacy laws come to the rescue. The California Consumer Privacy Rights Act, 2020 defines dark patterns and explicitly recognizes through Section 14 that consent obtained via agreements facilitated by dark patterns is not valid consent. A similar definition exists in the Colorado Privacy Act. Further, the Federal Trade Commission published a detailed report in September 2022 examining a multitude of practices that the agency considers to be dark patterns.

Thus, while India’s act of releasing a separate set of guidelines solely dedicated to dark patterns is commendable as it gives clarity, however, it falls behind in failing to appreciate the necessity of the combination of dark patterns, data privacy and consumer welfare. India must take pointers from the EU and the US by recognizing the data privacy elements of dark patterns and taking into consideration the provisions of the DPDP Act while framing the dark pattern guidelines.

Finding Solutions- Need for an inclusive approach

Firstly, the Dark Patterns Guidelines should incorporate elements from the DPDP Act, specifically, terms such as “Data Fiduciary”. This inclusion is essential for addressing the consent and data privacy aspects related to dark patterns and their resultant obligations. Alternatively, the term “fiduciary” may be integrated into the Dark Pattern Guidelines, similar to its incorporation in the DPDP. As per Justice B.N. Srikrishna Committee Report, putting fiduciary duty on businesses, makes them legally accountable for duties of care, loyalty, good faith, confidentiality, and more, particularly when serving the best interests of consumers. Hence, the term “fiduciary” would extend beyond data-collecting dark patterns to include deceptive psychological pressures, such as nagging and false urgency, which do not always involve the collection of data per se. Considering the broad responsibilities of a fiduciary, consumers will be further safeguarded from various deceptive online practices, not strictly categorized as dark patterns.

The obligations arising out of fiduciaries gain even more prominence because of the dynamic nature of the online environment. While the government is required to notify new dark patterns, in instances where the government fails to act, businesses will then be obliged to act fairly and responsibly. This entails refraining from employing any new dark pattern practices in the market, even those not explicitly mentioned in Annexure-I, and if such practice is done, it can lead to prosecution against the business due to a breach of fiduciary duty

Secondly, in light of the interlinking of consumer and privacy concerns, there is a potential option of establishing a board comprising elements and members from both the DPB and CCPA. Alternatively, the CCPA could have a dedicated wing/panel for concerns arising out of exploitation of dark patterns, composed of individuals with ties with the DPB. This approach would prove advantageous as it addresses not only data privacy violations and consumer infringements related to dark patterns but also extends to any non-dark pattern activity involving data privacy and consumer rights violations.

Thirdly, Annexure-I should possess the binding authority to not render the Guidelines toothless and ensure uniformity. This will take care of the apparent contradiction within the Guidelines as indicated above.

Lastly, there should be reasonable penalties for the practice of dark patterns. The penalty amount should not be insufficient leading to a situation where businesses do not take the penalties seriously. However, penalties cannot be the only remedy. Robust enforcement mechanisms must be in place that can ensure that the damage done by dark patterns is attempted to be reversed as justice must not only be done but seen to be done. Moreover, the entire adjudication process, from the filing of complaints to the ultimate decision, along with the imposition of penalty and corrective measures must be done in an expedited manner. The dynamic and evolving nature of dark patterns is such that they might cause damage in a very short span of time. The discussions on framing better guidelines are a moot point if quick remedies are not available to the consumer to rectify their exploitation. Hence, this is a major roadblock that the authorities must address.

Conclusion

On the face of it, the Dark Patterns Guidelines seemed like the right step in that direction. However, the caveat to Annexure I, which indicates the list’s illustrative capacity, runs contrary to the overarching theme in the Guidelines which state that anyone engaging in the activities under Annexure I shall be considered to be indulging in dark patterns. This not only creates the unnecessary risk of contradictory interpretations but also diminishes the Guideline’s enforceability. Dark patterns have seen rampant usage and consumers have been gradually losing their decisional autonomy and succumbing to this plague. A robust and well-grounded system is thus required to keep commercial entities in their place so that they can provide their services and not impose them on the consumers.

While the understanding of dark patterns and their consequent regulation is still in its nascent stages worldwide, the burden of preventing dark patterns has mostly been shouldered by data protection authorities, along with consumer protection boards. This is primarily due to the fact that the use of dark patterns almost always involves the exploitation of individual privacy. This is a lesson to be learned from foreign jurisdictions while India comes up with innovative solutions for regulating dark patterns.

*Ansruta Debnath and Shubham Singh are third year law students at National Law University, Odisha