Dark Patterns and DPDPA Compliance

The intersection of DPDPA and the Guidelines for Prevention and Regulation of Dark Patterns, 2023 creates overlapping compliance obligations. Dark patterns—deceptive design practices manipulating users into unintended actions—fundamentally violate DPDPA's consent requirements. This article examines how design choices become compliance failures.

Dark patterns are deceptive UI/UX practices that manipulate users into actions they did not intend. Common examples include pre-checked consent checkboxes, colour-coded buttons emphasising data-sharing options, fine print hiding critical privacy terms, and confusing navigation making opt-out difficult. These practices exploit psychological biases and cognitive shortcuts.

DPDPA requires consent that is free, informed, specific, and unambiguous. Dark patterns violate each element: they coerce through manipulation rather than free choice, obscure rather than inform, bundle rather than specify, and create ambiguity rather than clarity. A consent obtained through dark patterns is legally void under Section 6.

The Dark Patterns Guidelines 2023 and DPDPA operate concurrently. Organisations face enforcement from Consumer Protection authorities for dark patterns and from the Data Protection Board for consent violations arising from the same design choices. This dual exposure amplifies compliance risks for platforms employing manipulative interfaces.

Compliant design requires: equal visual prominence for accept and reject options, clear plain-language descriptions of data uses, single-step opt-out mechanisms, no pre-selected consent options, and transparent presentation of consequences. Privacy by design principles must inform UI/UX decisions from inception.