In today’s digital economy, user experience is not just a design concern — it’s a compliance matter. Interfaces that subtly guide or influence user behaviour are increasingly coming under regulatory scrutiny. One such area, now squarely in focus, is the use of dark patterns.
On June 5, 2025, the Central Consumer Protection Authority issued an advisory requiring businesses to conduct self-audits and submit compliance declarations regarding dark patterns used on their digital platforms. As per the advisory, businesses have been advised to carry out this internal assessment within three months of the notification date.
The advisory builds on the 2023 Guidelines for Prevention and Regulation of Dark Patterns and signals a more active phase in enforcement under the Consumer Protection Act, 2019.
What Are Dark Patterns?
Dark patterns refer to interface design practices that may influence users into making decisions they would not otherwise take under informed or neutral circumstances. The CCPA’s guidelines explicitly identify several such patterns, including:
- False urgency, such as countdown timers that reset upon refresh.
- Basket sneaking, where additional products or charges are added without clear consent.
- Confirm shaming, which uses emotionally manipulative language to discourage opt-outs.
- Disguised advertising, where paid promotions resemble editorial content.
- Subscription traps, involving unclear cancellation processes.
While design flexibility is essential for business innovation, these patterns may be considered unfair trade practices when they mislead or impair user autonomy.
Global Scale Of Dark-Pattern Usage
The problem of dark patterns is not limited to one geography; it is a global phenomenon affecting digital platforms across industries. A global sweep by the International Consumer Protection and Enforcement Network reviewed 642 websites and mobile apps and found that over 75% used at least one dark pattern. In addition, one in four internet users is likely to encounter these practices during online interactions.
These findings highlight how widespread the issue has become and reinforce the growing global push for stricter compliance and ethical design.
Why The Advisory Matters?
The three-month window provided in the CCPA’s advisory is more than a soft recommendation — it sets a clear expectation that companies will proactively identify, document and address non-compliant patterns in their digital interfaces.
Businesses are also expected to submit formal declarations affirming their adherence to the 2023 guidelines, and maintain internal records of the audit methodology, findings and corrective actions.
Notably, the advisory comes against the backdrop of show-cause notices already issued by the CCPA to several major e-commerce platforms in India. These notices reportedly pertain to practices like pre-ticked checkboxes, auto-added add-ons and difficult unsubscribe flows — all falling under dark patterns as per the 2023 Guidelines.
The CCPA has already issued 11 specific notices related to dark-pattern violations, alongside over 400 notices for broader unfair trade practices. In a bid to promote sector-wide compliance, the government also held a consultative meeting with representatives from over 50 digital platforms, discussing best practices and expectations regarding interface design and consumer autonomy.
Globally, regulators have taken comparable steps. Notably, the Italian Data Protection Authority imposed a €300,000 fine on a marketing company for GDPR violations related to dark patterns. Meanwhile, across the EU, joint regulatory efforts have targeted practices such as urgency cues, disguised advertising and default consent mechanisms.
These actions highlight a common regulatory concern: interface design must enable fair, informed and autonomous user choice.
Compliance Implications For Indian Businesses
While the current advisory does not prescribe penalties, it is a preparatory step toward enforcement. Businesses in the digital ecosystem — particularly e-commerce, online travel, fintech, gaming and aggregators — are expected to initiate structured assessments. The key actions include:
- Conducting cross-functional audits involving legal, product, marketing and design teams to review user journeys.
- Identifying and mapping UI elements that may fall within the scope of dark patterns as defined in the 2023 guidelines.
- Documenting findings and any remedial measures undertaken, in line with the advisory’s expectations.
- Revisiting consent and disclosure flows, including subscription opt-ins, add-on pricing, and cancellation processes.
These steps are not simply checkboxes but require cross-departmental collaboration, with a focus on aligning product design with consumer protection principles.
The advisory aligns with a broader trend in India’s digital regulatory landscape. From the Digital Personal Data Protection Act, 2023 to guidelines on influencer disclosures, the regulatory ecosystem is evolving rapidly, particularly where digital consumer rights are concerned.
The CCPA’s advisory, combined with the issuance of show-cause notices, marks a progression from policy framing to compliance implementation. It signals that interface-level practices are now part of the regulatory conversation on consumer protection in India.
Penalties, Enforcement Powers, Regulatory Exposure
Although the CCPA’s June advisory does not specify immediate penalties, the Consumer Protection Act, 2019, outlines clear consequences, including fines of up to Rs 10 lakh for a first offence and Rs 50 lakh for repeat violations. The CCPA also has broader powers, including ordering refunds, product recalls, or mandating redesign or removal of non-compliant digital interfaces.
In addition to this, businesses may face scrutiny from other regulators. Under the Digital Personal Data Protection Act, penalties can reach Rs 250 crore per breach. Misleading design elements linked to influencer promotions can trigger action under the ASCI’s guidelines, while the Competition Commission of India may investigate dark patterns as exploitative or anti-competitive conduct.
Beyond regulatory risks, the commercial impact can be significant. It includes damage to reputation, loss of user trust, lower conversion rates, investor concerns and potential delays in IPO or acquisition timelines. Legal exposure is also growing, with the increasing likelihood of class action lawsuits and damage claims, especially as regulatory precedents begin to take shape.
The issuance of show-cause notices since March 2025 confirms that enforcement has already begun.
Way Forward
For digital businesses, the next few months offer an opportunity to take stock and respond proactively. Given that show-cause notices have already been issued since March 2025, this period allows companies not only to build internal awareness of dark patterns and their implications, but also to demonstrate a proactive compliance posture.
Legal review must now be tightly integrated into product development and marketing workflows. Teams should establish audit protocols and documentation practices aligned with the CCPA’s expectations and build ethical design standards that balance commercial goals with user trust.
As regulatory expectations evolve, digital compliance is no longer limited to backend processes or privacy notices. Increasingly, it is embedded in the design of consumer-facing journeys, making it essential for legal, design, and business teams to work in tandem.
By Jignesh Thakkar, partner & leader – global compliance solution at EY India; and Siladitya Dasgupta, senior manager, risk consulting, EY India.
Disclaimer: The views expressed here are those of the author and do not necessarily represent the views of NDTV Profit or its editorial team.