India’s consumer digital economy is projected to reach the $1 trillion mark by 2030, with the e-commerce market expected to touch $350 billion by the same year.
As digital India continues to grow, companies are engaged in a struggle to secure a larger share of the online market. In this competitive landscape, companies deploy new and innovative strategies, sometimes blurring the line between ethical and manipulative practices. This can lead to consumers making choices they may not have otherwise intended.
Across the globe, regulators are grappling with instances where e-commerce players employ deceptive designs to subtly influence users to provide sensitive information or to make purchases or sign up for services they may not genuinely desire. These practices, termed as dark patterns, have detrimental effects on user trust, informed decision-making, and privacy.
The regulators had to step in and ensure that the interest of online consumers is safeguarded. On November 30, 2023, the Central Consumer Protection Authority (“CCPA”) released its guidelines for prevention and regulation of Dark Patterns used in e-commerce platforms (“Guidelines”) in exercise of its powers under Section 18 of the Consumer Protection Act (“the Act”).
CCPA guidelines on Dark Patterns
At present, the Guidelines identify 13 practices (namely, False Urgency, Basket Sneaking, Confirm Shaming, Forced Action, Subscription Trap, Interface Interference, Bait and Switch, Drip pricing, Disguised advertisement, Nagging, Trick Question, SaaS Billing and Rogue Malwares) as dark patterns.
False Urgency, as the name suggests, is a practice adopted by the service provider/ advertiser to mislead a consumer to take an immediate action, which he or she would not have pursued, if there was no actual urgency. Subscription traps make it very difficult for consumers to unsubscribe from the services once opted by him or her. Drip pricing is a practice of hiding final prices of products/services at first instance, and then finally revealing them at checkout. The list of dark patterns given in the Guidelines is not exhaustive and can be expanded by CCPA as and when different practices come to light.
While the Guidelines do not prescribe any separate penalty for dark patterns, the definition clearly calls out “dark patterns” as amounting to unfair trade practice or violation of consumer rights or misleading advertisements. Thus, any e-commerce player, seller or advertiser found indulging in such practices would be liable to penalties under the relevant provisions of the Act. With respect to misleading advertisements, the penalty could go up to INR 50 lakhs and an imprisonment term of up to 5 years, as the case may be.
There are judicial precedents wherein the Consumer Courts have condemned dark patterns and imposed penalty on companies employing them. For instance, in a case against an airline operator, the National Consumer Disputes Redressal Commission held that sudden surge in pricing of tickets even though low fares were projected before the booking was initiated, amounts to ‘misleading advertisement, unfair and deceptive practice’.
Recently, CCPA penalized certain coaching institutes on account of publishing false and misleading advertisements about their coaching institute on their website. Further, CCPA has also issued notice to an e-commerce player for indulging in dark patterns with respect to its subscription policy.
Dark Patterns dealt globally
Privacy and consumer protection laws across the world also regulate dark patterns. For instance, EU’s Digital Services Act defines dark patterns as “practices that materially distort or impair, either on purpose or in effect, the ability of recipients of the service to make autonomous and informed choices or decisions”.
The US California Privacy Rights Act, 2018 and Colorado Privacy Act, 2021 define it as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making or choice”. Similarly, European Data Protection Board guidelines issued in March 2022 identify certain practices as dark patterns.
EU and US regulators have imposed penalties on companies for using dark patterns. For example, Amazon was asked by the European Commission to enable consumers with the option to unsubscribe services by just two clicks, i.e., a prominent and clear ‘cancel button’ as opposed to the previous process which required consumers to scroll multiple pages.
The Italian Data Protection Authority imposed a €300,000 penalty on marketing company, Ediscom S.p.A., for use of ‘dark patterns’ in collection of consent on its website. Federal Trade Commission (“FTC”), USA penalised Vonage with US$ 100 million on finding that they were charging consumers without their consent and had made cancellation of services a tedious process.
FTC also penalized Epic Games with US$ 245 million for tricking players of Fortnite to purchase in-game utilities. The French Data Protection Authority penalised Apple Distribution International with a fine of €8,000,000 for storing identifiers on mobile devices without consumer’s consent.
Summing up
These Guidelines, apart from creating awareness amongst consumers about deceptive practices, are a heads-up to the e-commerce companies to revisit their practices and consumer interface designs. The intent is also to ingrain informed consent in online user interface.
However, there seems to be a lack of clarity on the adjudicatory process once a platform is accused of indulging in dark patterns. It will be interesting to see how the regulator evaluates evidence in cases such as ‘false urgency’ and ‘bait and switch’ as these are purely data driven.
Further, the nexus between dark patterns and privacy as a subject-matter, may create jurisdictional overlap between the regulator under CPA and Digital Personal Data Protection Act, 2023 (“DPDP Act”). For instance, the dark pattern of ‘subscription trap’ may attract actions under these Guidelines as well as DPDP Act, which requires informed consent before use of financial data for confirming subscription. Similarly, in case of ‘rogue malwares’ actions could lie under both, Guidelines as well as Information Technology Act, 2000.
While these Guidelines provide new lenses to the e-commerce consumer, they will also lead to reassessment and in some cases, revamp of marketing and advertising strategies which have long been adopted by the e-commerce industry. It would be interesting to see how the regulator/ commissions decipher between practices which can be termed as persuasive marketing strategies as opposed to practices which have been illustrated as dark patterns.