[By Akhil Raj & Ekta Gupta]
The authors are students of National Law University Odisha.
INTRODUCTION
If a person frequently purchases airline tickets online, they have probably encountered websites that use the phrase “I will stay unsecured” in the event that the buyer declines insurance coverage. This is a classic example of how dark patterns function to nudge people into making forced choices thereby generating commercial gains for the sellers, advertisers, or any such platform.
According to data revealed by the Advertising Standards Council of India (ASCI), 29% of the advertisements they processed between 2021 and 2022 were influencers’ covert advertisements, indicating a kind of dark pattern. Hence, in a virtuous endeavor to regulate the e-marketplace and to rein in the use of dark patterns, the Central Consumer Protection Authority (CCPA) introduced the ‘Guidelines for Prevention and Regulation of Dark Patterns, 2023’ (The Dark Patterns Guidelines). The Dark Patterns Guidelines pique interest owing to its admirable aims and purpose but this blog strives to go beyond the fine print and unveil the limitations in terms of its applicability, stringency, and obscure provisions.
NOTABLE ASPECTS OF THE GUIDELINES
The Dark Patterns Guidelines representing an important attempt to regulate deceptive interfaces and protect ‘users’, define dark patterns as manipulative digital design practices that are used to deceive users to influence their decisions and choices. Such devious practices shall amount to misleading advertisement, unfair trade practice, or violation of consumer rights. In other words, it states that engaging in any dark pattern practice for commercial gain that impairs user choice amounts to an unfair trade practice or misleading ad under consumer protection law. The applicability of the Dark Patterns Guidelines extends to all platforms, advertisers, and sellers and it unequivocally forbids any person from indulging in the practice of dark patterns.
The Dark Patterns Guidelines provides illustrations of specific dark pattern practices. For instance, online travel sites may use ‘false urgency’ tactics like claiming “only 1 room left!” to pressure users to make quick purchases. Food delivery apps can engage in ‘basket sneaking’ by automatically adding a small donation amount during checkout without consent. Platforms can use ‘confirm shaming’ by displaying messages like “No thanks, I want to stay uninformed” when users try to reject newsletter signups, guilting them into accepting. ‘Nagging’ tactics can be seen when education sites relentlessly prompt users to share emails or accept cookies to access services, persistently disrupting the experience. These demonstrate how various dark pattern techniques exploit users through deceptive design elements on online platforms.
Although, these specific dark patterns have been recognized but the definitions and the interpretation of their functionality as mentioned in the Guidelines are not legally binding and may change from case-to-case basis
RECONCILING INCONSISTENCIES AND GAPS WITH EXISTING LAWS:
E-market platforms and consumer data are the prime focus of the Guidelines and these aspects also fall within the scope of other statutes including the Information Technology Act, 2000 (IT Act), the Digital Personal Data Protection Act, 2023 (DPDP Act), and the Guidelines for Prevention of Misleading Advertisements and Endorsements for Misleading Advertisement, 2022 (Advertisement Guidelines).
To begin with, the wide definition provided for ‘platforms’ in the Dark Patterns Guidelines brings within its ambit, all sorts of platforms which are an online interface in the form of any software, making such platforms liable for any dark patterns that they indulge in. This implies that even intermediaries which can also be an online-market place fall within the scope of the definition. However, the inconsistency is that Section 79 of the IT Act extends safeguard to an intermediary from any information or data from third parties, presented in any way, that they provide access to or store on their platforms.
Further, the Dark Patterns Guidelines prohibits the practices where the user is forced to enter some personal details (for example, email Id and contact information) in order to avail of the services offered by the platform. However, it overlaps with the DPDP Act which is quite particular about the requirement of explicit consent of the person to whom such data relates.
Before the Dark Patterns Guidelines, the Advertisement Guidelines defined non-misleading and valid ads, banning false and dishonest ads. This intent and objective intersects with the Dark Patterns Guidelines.
The CCPA did not consider the prospect of amendments in the existing Advertisement Guidelines or the existence of other coinciding legislations before the release of the Dark Patterns Guidelines leading to an ambiguity in its implementation. The Dark Patterns Guidelines specify that the provisions under the guideline should not be interpreted to be in derogation of any other law which has been regulating dark patterns. But, even the existence of coinciding legislations would amount to confusion. In this case, the regulatory authorities could issue clarifications in the form of FAQs or notifications and should adopt a phased implementation in order to avoid market disruption.
SUBSTANTIAL SHORTCOMINGS
Despite having noble intentions behind the introduction of the Dark Patterns Guidelines, the dearth of appropriate provisions in its substantive part makes its effective execution challenging. For instance, in case of violation of the Dark Pattern Guidelines, it does not allude to the forum to be approached in that case. Albeit, when the draft was released, it stated that in case of any violation, the provisions of the Consumer Protection Act, 2019 (CPA), shall apply. By removing this provision, the CCPA left the Dark Patterns Guidelines toothless.
Additionally, the absence of specific penalties for the contravention of the Dark Patterns Guidelines strips away the enforcement authority. Since, in a general scenario, corporate entities in the form of e-commerce platforms indulge in such practices, thereby demanding the existence of penal provisions. Although, the exact amount of the compensation to be awarded would depend on the facts and circumstances of each case, levying a specific penalty can be the way forward. For instance, penalizing the alleged entity to disgorge a certain percentage of its average turnover in the last preceding years and increasing it for the repeat offenders. The non-existence of any penal provisions heavily affects the stringency of the Dark Pattern Guidelines.
Another facet that has not garnered much attention, but significantly impacts the interpretation of the Dark Patterns Guidelines, is the word “user” in it. It defines a user as, “shall mean any person who accesses or avails any computer resource of a platform.” This definition does not find a place in the parent legislation, i.e., CPA and it specifically defines a consumer. It is pertinent to note that, there is a difference between the two terms- a user and a consumer, as a person can be a user without purchasing any good or availing any service, but for being a consumer, these conditions should necessarily exist. This difference was drawn as the CPA allows only a consumer to be a complainant in case of a violation and not a user. Therefore, even if the existence of the provision regarding the violation of the Dark Patterns Guidelines is assumed in the guidelines itself, as was also the case with the draft, the CPA would not have applied unless it was amended to include “user” within its purview.
The phrase, “designed to mislead or trick users to do something” in the definition of dark patterns reveals the need for determining intention in order to establish dark patterns. Intention being a subjective ingredient and non-quantitative in nature is hard to ascertain in such cases. The over-reliance on intention in turn makes the investigation and verification process arduous. Not to mention, in this particular case, the mere usage of dark patterns hampers the rights of the users leading to an unfair trade practice, even if intention is not considered.
There are two separate statutes internationally that precede the Dark Pattern Guidelines in India, namely, ‘The Digital Services Act, 2022’ (DSA) of the European Union and ‘The California Consumer Privacy Act, 2023’ (CCP Act). The former defines dark patterns as practices that are either on purpose or in effect influence choices and the latter defines dark patterns on similar lines as having the effect of impairing user autonomy. To deduce from the definitions, it is crystal clear that the effect is of paramount importance and not the intention.
The Dark Patterns Guidelines lists 13 specific forms of dark patterns but overlooks certain other significant forms of dark patterns that are prevalent. ASCI pointed out some other common types of dark patterns such as ‘Obscured Pricing’, ‘Privacy Zuckering’, ‘Roach Motel‘, and ‘Deliberate Misdirection’. Hence, despite the recognition of these other forms of dark patterns by ASCI itself, the policymakers did not consider the need to include them within the Dark Patterns Guidelines.
CONCLUSION
The Dark Pattern Guidelines signify a well-intentioned and appropriately timed effort to curb the perfidious practices but suffer from substantial lacunae. Even if it is supposed that the policymakers decided to follow the lead of other regimes, keeping in mind the need of the hour, it seems that the guidelines were released without proper deliberations leading to ambiguity.
India has remarkably improved in terms of Ease of Doing Business over the past half a decade but regulations of this nature dissuade businesses from widening their enterprise. However, as it is also a matter of gross violation of user rights, a balance needs to be struck between the rights of an individual and the Ease of Doing Business. Nonetheless, a balance between them cannot be sought by allowing the platforms to self-regulate themselves as it goes against the very rudimentary aspect of profit maximization by the businesses. In conclusion, the CCPA empowered under the CPA is the suitable authority to bring regulations in this area but the fruitful implementation would depend upon them making well-informed rectifications to these guidelines.