Hollywood News

Mint Explainer | How data privacy rules may tighten screws on dark patterns in e-commerce, food delivery apps

For years, platforms have been using forced opt-ins, embedded opt-outs, and misleading redirects to trick users into sharing more data than they intended.

Under the new DPDP Rules announced on November 14, these tactics, known as dark patterns, may face tougher scrutiny. The rules put consent at the heart of data processing and sharpen choice and control for users.

Karan Taurani, vice president of Elara Securities, said withdrawing consent should be as easy for users as granting it. That means cleaner interfaces, fewer buried settings, and tighter limits on what platforms can collect by default.

Notably, the DPDP Act will have an impact on e-commerce platforms regarding the collection of customer data and may not directly impact the dark patterns identified by the Center in November 2023.

The rules require e-commerce platforms to delete inactive user data after three years, cutting off the long tail of stored information that often enables dark patterns. They also introduce government-registered consent administrators, intermediaries that allow users to give, review and withdraw consent through a unified dashboard.

Dark patterns and how apps use them

Consumer businesses are inherently dependent on behavioral patterns that rely on repeated triggers and high-speed interface interactions to drive conversions. Dark patterns on platforms can take many forms:

  • Prompts with time pressure, such as “only two left” or “fees will increase soon”
  • Image-heavy location requests that force the “Allow” option
  • Add-ons and upsells automatically added to checkout flows
  • Subscription pop-ups, boost multipliers, opaque platform fees
  • Familiar default-on toggles or pre-selected checkboxes.

While these were previously considered product design tactics, under DPDP rules they can now be examined as interfaces that affect how users accept data sharing.

Industries such as e-commerce, express commerce, food delivery and app-based taxis use an average of seven or more dark patterns, according to LocalCircles’ survey this year.

“They sit at the intersection of high-volume data collection and UI (user interface)-led decision-making,” said Probir Roy Chowdhury, partner at JSA Advocates and Solicitors.

What do DPDP rules say about data collection?

DPDP rules place strict limits on what data companies can collect and why. Companies must tell users why they need their data, what they will use it for, how long they will keep it, when their consent will expire, and when they will remove the data from the companies’ systems if it is no longer needed.

“Data fiduciaries cannot collect data ‘just in case’ or for an unspecified future use,” JSA’s Chowdhury said.

This standard also makes it difficult to justify blanket or bundled permissions.

Harsh Walia, Partner at Khaitan & Co., said the Act does not mandate a separate checkbox for each micro-purpose, but lumping together significantly different purposes “risks weakening specificity and data minimization and is likely to be incompatible.”

Bundling is the aggregation of multiple permissions into a single option so that the user cannot accept or reject each one independently.

Marketing and behavioral profiling, which are increasingly central to the fast-paced commerce and market economy, face similar constraints.

“Marketing, behavioral profiling, and personalized pricing are often not ‘essential’ to delivering the core service,” Walia says, meaning they require separate opt-ins.

The tightening comes at a time when ad spend and personalized promotions are rising on Amazon, Flipkart, food delivery and flash commerce platforms, and the industry’s most trusted growth vehicles are coming under regulatory pressure.

Elara’s Taurani said “advertising spend and revenue for e-commerce players can have a significant impact on profitability, as advertising revenue drives 40-120% of operating profit for flash commerce platforms and foodtech platforms.”

Amazon India’s advertising and related services revenue grew by 25% in FY25, compared with 21% growth in its core marketplace business, making it one of the fastest-growing segments, according to data from business intelligence platform Tofler.

Given the scale and frequency of user interactions, e-commerce, flash commerce, and ride-hailing platforms may also face increased scrutiny as potential significant data fiduciaries (SDFs). Walia explained that this designation triggers stricter obligations on audits, data management, breach reporting and algorithmic transparency.

Even without explicitly pointing out the dark patterns, Aparna Gaur, partner at Trace Law Partners, said, “The DPDP Act ties interface design too closely to consent… Even withdrawing should be as easy as giving consent.”

According to a LocalCircles survey, over 73% of online platforms use “forced action,” which makes users do something they didn’t choose just to proceed. Another 69% use “drip pricing,” where extra fees appear only at the final payment step.

Approximately 53% use “bait and switch,” which shows one offer upfront but then delivers something different. According to the survey, approximately 47% use “interface interference,” relying on layout tricks or confusing buttons to direct users to the platform’s preferred options.

Regulator is resetting

Regulatory actions are gaining momentum. The Central Consumer Protection Authority (CCPA) in May warned 11 platforms, including ride-hailing apps Ola and Rapido, to monitor their interfaces for dark patterns.

The CCPA issued a notice to Uber about its “advance tip” feature, which directs passengers to pre-select a tip when booking.

The sweep soon expanded to include Zomato, Swiggy and Zepto, and more than 50 companies were told to remove deceptive designs; Zepto has since refactored some parts of its payment flow.

So far this year, the CCPA has fined Rapido Rs 10 lakh for misleading “car with warranty” claims, and platforms like FirstCry were also penalized for similar violations related to pricing.

Advocates explained that while the CCPA’s 2023 dark pattern guidelines remain the primary consumer protection rules for deceptive design, the DPDP rules introduce a separate, parallel layer of review wherever interface choices affect consent, data minimization or opt-out, areas where, they explained, many dark pattern tactics naturally overlap.

But gaps remain

Although the DPDP rules are more prescriptive on design than Europe’s General Data Protection Regulation (GDPR), some gaps remain. “DPDP is a little more prescriptive on UI/UX (user interface, user experience) because dark patterns are now linked to confirmation validity. The GDPR addresses manipulative design through guidance and enforcement, but the Indian Rules embed design obligations more directly within the compliance framework,” Chowdhury said.

Archana Balasubramanian, partner at Agama Law Associates, said the DPDP rules and the Act are designed as a general document rather than prescriptive rules.

Stating that what data counts as “necessary” is still open to interpretation, she warned that businesses may continue to benefit from gray areas until the sanctions are resolved, and noted that some dark patterns have continued historically because “businesses always find a way out.”

What can companies do going forward?

“E-commerce companies and ad tech platforms will need to invest more in compliance and permission management systems,” said Elara’s Taurani.

First-party players like Eternal, Swiggy, and Nykaa have a structural advantage as their deep, permission-focused datasets reduce dependency on external tracking and reduce compliance risk. By contrast, ad tech players that are smaller or dependent on third parties may struggle, he added.

While an Amazon India spokesperson said the company was evaluating the rules, a Flipkart spokesperson said it would fully comply with the requirements within the given timelines.
