In early 2025, India's Department of Consumer Affairs sent an unusually blunt note to the country's e-commerce giants and online intermediaries: audit yourselves, within three months, against the Central Consumer Protection Authority's Guidelines for the Prevention and Regulation of Dark Patterns, 2023. Surface every false urgency timer, every basket-sneaking add-on, every confirm-shaming guilt trip — and fix them, or expect the regulator to come knocking.
It is, in many ways, the right instinct. Dark patterns are not free speech; they are interface design choices engineered to subvert the user's stated preferences. India is the world's most populous digital consumer market, and the asymmetry between a first-time online shopper in Tier-3 India and a well-resourced product team optimising for conversion is real. A floor on manipulative design is overdue.
But how that floor is built — and how aggressively it is policed — will determine whether India's framework becomes a quiet global model or another compliance thicket that punishes the careful and lets the cynical escape.
What the guidelines actually say
The CCPA notified the dark patterns guidelines on 30 November 2023 under the Consumer Protection Act, 2019. They enumerate 13 specific practices that are now treated as unfair trade practices when used by any person, platform, advertiser or seller offering goods and services in India:
- False urgency and scarcity claims ("Only 1 left!" when stock is unlimited)
- Basket sneaking — adding items or services without consent
- Confirm shaming — using guilt-laden language to nudge a choice
- Forced action — requiring sign-ups or sharing data beyond what is needed
- Subscription traps and interface interference
- Bait and switch, drip pricing, disguised advertisements
- Nagging, trick wording, SaaS billing tricks and 'rogue malware' patterns
The 2025 advisory layers a compliance step on top of this: platforms must self-audit and submit declarations of compliance. Industry groups including NASSCOM and the Internet and Mobile Association of India have publicly engaged with the process, and several large marketplaces have begun publishing internal design-review protocols in response.
Where the framework gets it right
Three features of the Indian approach deserve credit, and frankly, study by other jurisdictions.
First, enumeration over abstraction. The EU's Digital Services Act bans dark patterns in Article 25 but defines them only as practices that "materially distort or impair" user decisions — a standard that leaves designers guessing. India's list of 13 named practices, with worked examples in the schedule, gives a product manager something concrete to test against on a Tuesday morning.
Second, technology-neutral drafting. The guidelines apply to platforms, sellers and advertisers regardless of business model. A travel aggregator, a quick-commerce app and a SaaS dashboard are all on the hook for the same baseline — which prevents the regulatory arbitrage that bedevils sector-specific rules.
Third, a self-audit pathway. Asking platforms to find and fix problems first, rather than launching investigations cold, mirrors the better instincts of the GDPR's accountability principle. Done well, it builds internal compliance muscle rather than a one-off legal exercise.
Where it risks overreach
The trouble starts where the guidelines meet the messy reality of digital commerce.
Several of the 13 practices are written in language broad enough to sweep in legitimate design. "False urgency" is clearly bad when stock is unlimited; it is genuinely informative when a flight has three seats left. "Nagging" — repeated prompts to take an action — can be manipulative, but it can also be the way an app legitimately reminds a user to enable two-factor authentication. The line between a "dark" pattern and a competent, persuasive one is real, but it is not always crisp.
Two specific risks deserve attention as the audit deadline matures into enforcement:
- Over-removal of useful signals. Faced with vague liability, platforms will strip out genuine scarcity indicators, comparative pricing and personalised recommendations — features consumers actually use. India's startups, many funded by an increasingly muscular domestic VC base, cannot afford the same army of compliance lawyers as global incumbents.
- Regulator-by-press-release risk. Recent Indian regulatory practice has leaned toward advisories and informal guidance rather than notice-and-comment rulemaking. That speed has virtues, but it weakens the predictability that good-faith businesses need to invest. The dark patterns space — where design choices ship every sprint — is especially sensitive to moving goalposts.
A more proportionate path
None of this argues against the rules. It argues for sharper edges. A pro-innovation, proportionate Indian framework would do four things in the next twelve months.
Publish a public enforcement matrix. The CCPA should distinguish clearly between practices that are per se prohibited (basket sneaking, hidden subscription renewals) and those that are contextually problematic (urgency claims, nagging). Bright lines for the worst conduct, balancing tests for the rest.
Create a safe harbour for documented A/B testing. Platforms that can show pre-deployment review, disclosure to users, and an exit path no harder than the entry path should be presumptively compliant. This rewards good design hygiene without freezing experimentation.
Tier obligations by scale. A 12-person SaaS startup should not face the same audit burden as a marketplace with 100 million monthly users. The DSA's distinction between very large online platforms and the rest is a useful template.
Coordinate with the DPDP Act. The Digital Personal Data Protection Act, 2023 already regulates consent flows — a core dark-pattern vector. Sequencing the two regimes prevents duplicate filings and inconsistent guidance from the CCPA and the forthcoming Data Protection Board.
India has a genuine chance to set the global template here. The EU is still negotiating its Digital Fairness Act; the US FTC's 2022 report on dark patterns remains largely advisory. A clear, enumerated, proportionate Indian regime — enforced with predictability and a light touch on honest experimentation — would protect consumers without taxing the very startups powering the country's digital economy. The audit deadline was the easy part. The next eighteen months are where the policy gets made.