WHAT ARE 'DARK PATTERNS'?
Dark patterns are tools that are employed by advertisers and commercial entities to influence user behaviour and decisions. Dark patterns can show up in the most mundane of tasks, such as while browsing the internet for any research, undertaking simple transactions of bill payments, placing an order on an e-commerce website, booking travel tickets online or even simply browsing through one's social media feed. Notifications or interface elements which create urgency such as "You are missing out on low prices" or tend to shame, "I want to pay extra", or enable persistent pop-up boxes which do not take no for an answer or even countdown timers for the end of an offer, are all very typical examples of 'dark patterns'.
WHY ARE THESE PATTERNS REFERRED TO AS 'DARK' PATTERNS?
The dark side of dark patterns truly lies in its obscurity, which makes it a very potent influential tool. The nature of this commonly used cognitive bias is exactly how it sounds; these online design patterns and business practices often present themselves in one's day-to-day online activities as routine notifications or advertisements or simply as a part of the user interface ("UI") or functionality of any online platform.
If 'personalized' or 'customized' design and pattern of UI, notifications, or targeted advertisements nudge users towards making a decision which is beneficial to their interests, one may make an argument that such patterns are positive for the users - after all, it is institutional economics 101 that consumers don't often make rational choices1 and information asymmetry leads to market inefficiencies.2 However, if such patterns are adopted for the purpose of subverting or impairing the users' autonomy and forces them to make choices out of misinformation or misleads the users, which may not necessarily be in their interest, the same patterns have a net-negative effect on them. Accordingly, these common yet obscure patterns and business practices which have the tendency of limiting the choice or autonomy of users or psychologically impairing the users are categorized as 'dark patterns'.
WHAT ARE THE DARK PATTERN GUIDELINES RECENTLY INTRODUCED IN INDIA AND WHAT DOES IT PRESCRIBE?
In view of the unprecedented growth and adoption of dark pattern practices on Indian digital platforms, the Central Consumer Protection Authority ("CCPA") set up under the Consumer Protection Act, 20193 ("Consumer Protection Act"), has introduced the 'Guidelines for Prevention and Regulation of Dark Patterns, 2023'4 ("Dark Pattern Guidelines") which are intended to safeguard all users5 and are applicable to all advertisers,6 sellers7 as well as platforms8 that systemically offer goods and services in India.
The Dark Pattern Guidelines define the term "dark patterns" to mean "any practices or deceptive design pattern using user interface or user experience interactions on any platform that is designed to mislead or trick users to do something they originally did not intend or want to do, by subverting or impairing the consumer autonomy, decision making or choice, amounting to misleading advertisement or unfair trade practice or violation of consumer rights"9 and specifically recognises and prohibits certain categories of Dark Patterns which are prevalent in India'.10 These include 'False Urgency', 'Basket Sneaking', 'Confirm Shaming', 'Forced Action', 'Subscription trap', 'Interface Interference', 'Bait and Switch', 'Drip Pricing', 'Disguised Advertisement', 'Nagging', 'Trick Question', 'SaaS Billing' and 'Rogue Malwares' ("Prohibited Practices").11
The Dark Pattern Guidelines proscribe any person or platform from engaging in Dark Pattern practices which have been specifically identified as Prohibited Practices.12
HOW DO THE DARK PATTERN GUIDELINES INTERFACE WITH THE EXISTING SCHEME OF REGULATIONS IN INDIA?
In India, the Consumer Protection Act is the overarching legislation which protects the interest of consumers.13 The Consumer Protection Act focuses on, inter alia, protecting consumers from 'unfair trade practices'14 and 'restrictive trade practices',15 allocation of product liability (where applicable)16 and redressal of consumer grievances.17 For this purpose CCPA has issued multiple rules and guidelines for regulating such different facets including e-commerce and misleading advertisements.
Despite the consumer protection framework in India being quite elaborate and robust, dark pattern practices have continued to persist, and grow over the years, hence creating a need for a separate and specific legislation. While the Dark Pattern Guidelines have attempted to integrate itself with the existing consumer protection laws in India, it still leaves room for interpretation and argument of its true impact and enforceability. The Dark Pattern Guidelines place an overwhelming reliance on the intention to mislead or deceive a user,18 which is a non-measurable and subjective metric. Further, interestingly, while the Dark Pattern Guidelines appear to extend its protection to not just 'consumers' but to 'users' in general (which may be the need of the hour), a closer look at these guidelines, especially the definition of 'dark patterns' which links deceptive design practices to inter alia violation of consumer interests, reveal that they are in fact only intended to and effectively only protect 'consumers', possibly due to the restrictions stemming from the principal legislation itself.19 It is also important to note that given the huge gamut of activities and actions that can be perceived to be dark patterns in today's digital age, the Dark Pattern Guidelines' correlation of design practices to only those leading to misleading advertisements, unfair trade practices or consumer rights violation may be inadequate in the larger scheme of things.
The Dark Pattern Guidelines inexplicably does not empower the CCPA to take actions for any contravention of the Dark Pattern Guidelines in accordance with the Consumer Protection Act- which is a deviation from the position under the initial draft which was made available for stakeholder comments.20 Even though the Consumer Protection Act confers a wide power on the CCPA to undertake certain actions for protection of consumer rights,21 the rules and guidelines issued thereunder typically have specific penal provisions empowering CCPA to take actions against any contravention of rules or guidelines. Such penal provisions are included due to the absence of any residual power granted to the CCPA under the Consumer Protection Act to act in cases of such contraventions. The elimination of this specific provision from the final draft of the Dark Pattern Guidelines can be interpreted as lack of statutory consequences for non-compliance with these guidelines, thereby effectively disempowering the CCPA.
While now in place, to ensure genuine implementation and success of the Dark Pattern Guidelines and effectively curb prevalence of dark patterns in the market (and beyond the traditional consumer), it may also be important for the government to address how the issue of Dark Patterns can be counterproductive to the scheme of the Information Technology Act, 2000 ("IT Act"), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code), 2021 ("Intermediary Rules") as well as the recent Digital Personal Data Protection Act, 2023 ("DPDPA").
For this purpose, inter-ministerial collaboration and work may be required to make an actual impact analysis on the regulation of dark patterns. In the world of dark patterns, a few crucial links between co-existing legislations to address the current gaps are still missing, such as (i) curbing the usage of dark patterns including inter alia nagging, confirm shaming, trick questions, interface interference and forced actions given that they could potentially undermine the consent requirements prescribed under the DPDPA; or (ii) preventing the usage of rogue malwares,22 as captured in the Dark Pattern Guidelines, from causing any offences related to computer resources23 as contemplated under the IT Act such as disrupting or damaging computer networks, tampering with computer sourced documents, etc24; or (iii) ensuring protection of rights and obligations of intermediaries under the IT Act and under the Intermediary Rules in the context of dark patterns such as disguised advertisements, interface interference, forced actions etc.
Accordingly, given the inter-relation between these legislations, it is imperative to link and correlate the Dark Pattern Guidelines to the DPDPA, IT Act and rules thereunder including the Intermediary Rules for holistic regulation of Dark Patterns.
Separately, while the CCPA had invited stakeholder comments on the draft regulations for dark patterns, it appears that despite public comments indicating concerns about regulatory overlaps, lack of specificity, and of being too restrictive,25 - many of these concerns remain unaddressed. There also seems to have been very few incremental revisions made by the CCPA to the initial draft of the Dark Pattern Guidelines, such as (i) the linking of 'commercial gains' only to a few specified dark patterns such as confirm shaming and nagging;26 (ii) the addition of three new specified dark patterns i.e., (a) trick questions;27 (b) SaaS billing;28 and (c) rogue malware;29 and (iii) the deletion of guideline stating that the provisions of the Consumer Protection Act will apply in the case of contravention of the Dark Pattern Guidelines which, in fact, dilutes the Dark Pattern Guidelines.
HOW DO THE DARK PATTERN GUIDELINES COMPARE TO SIMILAR GUIDELINES ABROAD?
Contrasting the Dark Pattern Guidelines with similar guidelines in other jurisdictions, it becomes evident that there is much to come in terms of jurisprudence with regard to dark patterns and its impact in India. The Digital Services Act, 2022, for instance, issued by the European Union ("EU") defines dark patterns as "practices that materially distort or impair, either on purpose or in effect, the ability of recipients of the service to make autonomous and informed choices or decisions. Those practices can be used to persuade the recipients of the service to engage in unwanted behaviors or into undesired decisions which have negative consequences for them."30 Likewise, a report released by the Federal Trade Commission ("FTC") of the United States describes dark patterns as "design practices that trick or manipulate users into making choices they would not otherwise have made and that may cause harm."31 Both the foregoing jurisdictions have factored in the need for a materiality qualifier vide the consequences on a consumer/user which are caused by the use of dark patterns which may help in better enforcement, thereby, objectively basing it on the impact of such practices on the user.
Further, dark patterns have been contemplated as having an adverse effect even in the context of privacy, data security and user autonomy under the California Consumer Privacy Act of 2018. This legislation lays down the principles for taking valid consent of a user by prohibiting the use of double negative language, making it difficult for a user to opt for privacy protection choices or making the process of opting out of a subscription or sale cumbersome.32 If a business fails to comply with these principles it is said to be using dark patterns. In this regard, it has been stated in the California Consumer Privacy Act that "A user interface is a dark pattern if the interface has the effect of substantially subverting or impairing user autonomy, decision-making, or choice" in the manner specified above.33 Such nuanced approach on addressing privacy related issues is the need of the hour in India, given that we will very soon have the DPDPA taking effect.
CONCLUSION
While this effort of CCPA to regulate dark patterns in India is definitely a step in the right direction, it may take more than these guidelines to combat the long standing and deeply rooted dark pattern practices. The pressing requirement is to ensure seamless integration of the data protection and e-commerce legislations in India with the Dark Pattern Guidelines to truly regulate dark patterns. Being at a very nascent stage, this legislation can be expected to evolve with time and more effectively address the concerns around dark patterns.
Footnotes
1. See the article authored by Dan Ariely titled 'The End of Rational Economics' dated July 2009 for more on this topic here.
2. See the article authored by Krishna Rupanagunta, Ajay Parasuraman and Sourav Banerjee titled 'Behavioral Economics: Bridging the information gap' dated October 07, 2013 for more on this topic, here.
3. See the Consumer Protection Act, 2019 here.
4. See the Guidelines for Prevention and Regulation of Dark Patterns, 2023 here.
5. Guideline 2(j) of the Dark Pattern Guidelines defines 'User' as "any person who accesses or avails any computer resource of a platform".
6. Guideline 2(b) of the Guidelines for Prevention of Misleading Advertisements and Endorsements for Misleading Advertisements, 2022 defines 'Advertiser' as "a person who designs, produces and publishes advertisements either by his own effort or by entrusting it to others in order to promote the sale of his goods, products or services and includes a manufacturer and service provider of such goods, products or services".
7. Section 3(k) of the Consumer Protection (E-commerce) Rules, 2020 defines 'Sellers' as "the product seller as defined in clause (37) of Section 2 of the act and shall include any service provider".
8. Section 3(i) of the Consumer Protection (E-commerce) Rules, 2020 defines 'Platforms' as "an online interface in the form of any software including a website or a part thereof and applications including mobile applications".
9. Guideline 2(e) of the Dark Pattern Guidelines.
10. Guideline 2(i) of the Dark Pattern Guidelines defines specified 'Dark Patterns' as "the dark patterns as listed and defined in Annexure 1 and shall include any other dark pattern that Central Consumer Protection Authority may specify from time to time or otherwise".
11. Annexure I to the Dark Pattern Guidelines.
12. Guideline 4 of the Dark Pattern Guidelines.
13. 'Consumer' can be understood to mean any person who buys any goods or avails any services for a consideration which has been paid or promised and includes any beneficiary of such service or goods other than the person who buys goods or avails of the services for any commercial purposes. See Section 2(7) of the Consumer Protection Act here.
14. 'Unfair trade practice' can be understood to mean a trade practice which, adopts any unfair or deceptive practice for promoting the sale, use or supply of any goods or services. See Section 2(47) of the Consumer Protection Act here.
15. 'Restrictive trade practice' can be understood to mean a trade practice which tends to bring about manipulation of price or its conditions of delivery or to affect flow of supplies in the market relating to goods or services imposing unjustified costs or restrictions on the consumers. See Section 2(41) of the Consumer Protection Act here.
16. Section 2(34) of the Consumer Protection Act defines 'Product Liability' as "the responsibility of a product manufacturer or product seller, of any product or service, to compensate for any harm caused to a consumer by such defective product manufactured or sold or by deficiency in services relating thereto".
17. Section 9(v) of the Consumer Protection Act.
18. Dark pattern would include practices or deceptive design pattern that is designed to mislead or trick users to do something they originally did not intend or want to do, by subverting or impairing the consumer autonomy, decision making or choice, amounting to misleading advertisement or unfair trade practice or violation of consumer rights.
19. Consumer Protection Act empowers the CCPA to draft guidelines to protect consumer interests, (Section 18 of the Consumer Protection Act).
20. See the Draft Guidelines for Prevention and Regulation of Dark Patterns, 2023 here.
21. Section 18 of the Consumer Protection Act.
22. Entry 13, Annexure I of the Dark Pattern Guidelines defines Rogue Malware as "using a ransomware or scareware to mislead or trick user into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer."
23. Section 2(k) of the IT Act, 2000
24. Section 43(c) of the IT Act, 2000; Section 65 of the IT Act, 2000.
25. See Disha Verma and Prateek Waghre, 'Let there be light: our submissions on the Consumer Affairs Ministry's draft Dark Patterns Guidelines' dated October 10, 2023 https://internetfreedom.in/submissions-on-dark-patterns-guidelines/ here; Are India's guidelines on dark patterns too strict? Dated December 08, 2023 here; and Sarasvati NT, ' Draft Guidelines On Dark Patterns Will Impact Ease Of Doing Business, Cause Regulatory Overlaps: Asia Internet Coalition' dated October 10, 2023, here.
26. Supra at 3; and Supra at 5.
27. Entry 11, Annexure I of the Dark Pattern Guidelines defines 'Trick Question' as "the deliberate use of confusing or vague language like confusing wording, double negatives, or other similar tricks, in order to misguide or misdirect a user from taking desired action or leading consumer to take a specific response or action."
28. Entry 12, Annexure I of the Dark Pattern Guidelines defines SaaS Billing as "to the process of generating and collecting payments from consumers on a recurring basis in a software as a service (SaaS) business model by exploiting positive acquisition loops in recurring subscriptions to get money from users as surreptitiously as possible."
29. Supra at 22.
30. See recital 67 of the EU Digital Services Act of 2022 here.
31. See p. 2 of the Bringing Dark Patterns to Light Report released by the FTC dated September 2022 here.
32. See section 7004(a), California Consumer Privacy Act Regulations, effective from March 29, 2023 here.
33. See section 7004(c), California Consumer Privacy Act Regulations, effective from March 29, 2023 here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
