Date: 2025-11-18

The Digital Personal Data Protection (DPDP) Rules, 2025, could force e-commerce, ride-hailing and food delivery apps to rethink the way they design their interfaces.

For years, platforms have engaged in forced opt-ins, buried opt-outs, and misleading prompts to trick users into sharing more data than they intended.

Under the new DPDP Rules, notified on 14 November, these tactics, known as dark patterns, may face heightened scrutiny. The rules put consent at the centre of data processing, sharpening choice and control for users.

Withdrawal of consent for users must be as easy as giving it — translating into cleaner interfaces, fewer buried settings and tighter limits on what platforms can collect by default, said Karan Taurani, executive vice president at Elara Securities.

Notably, the DPDP Act will have a bearing on e-commerce platforms pertaining to their harvesting of customer data, and may not directly influence dark patterns as defined by the Centre in November 2023.

The rules require e-commerce platforms to delete inactive-user data after three years, trimming the long tail of stored information that often enables dark patterns, and introduce government-registered consent managers — intermediaries that let users give, review and withdraw consent through a unified dashboard.

Dark patterns and how apps use them

Consumer companies inherently depend on behavioural patterns to drive conversions, relying on repeated triggers and high-velocity interface interactions. Across platforms, dark patterns can take many forms:

Time-pressured prompts like “only two left” or “fees increasing soon”

Visually weighted location requests that push “Allow”

Auto-added add-ons and upsells in checkout flows

Subscription pop-ups, surge multipliers, opaque platform fees

Familiar default-on toggles or pre-selected checkboxes.

While earlier these were treated as product-design tactics, under the DPDP rules, they can now be examined as interfaces that influence how users agree to data sharing.

Sectors like e-commerce, quick-commerce, food-delivery, and app taxis use seven or more dark patterns on average, according to the LocalCircles survey this year.

“They sit at the intersection of high-volume data collection and UI (user interface)-led decision-making,” said Probir Roy Chowdhury, partner, JSA Advocates and Solicitors.

What the DPDP rules say about data collection

The DPDP rules impose strict limits on what data companies can collect and why. Companies must inform users why they need their data, what they will use it for, how long they will retain it, when their consent expires, and when they will remove the data from the companies' systems if it is no longer needed.

“Data fiduciaries cannot collect data ‘just in case’ or for some undefined future use,” said JSA’s Chowdhury.

That standard also makes bundled or catch-all permissions difficult to justify.

The Act does not mandate a separate checkbox for every micro-purpose, but bundling materially different purposes together “creates a risk of undermining specificity and data minimisation and is likely to be non-compliant”, said Harsh Walia, Partner at Khaitan & Co.

Bundling is lumping multiple permissions into one choice, so the user cannot independently accept or reject each one.

Marketing and behavioural profiling — increasingly central to quick-commerce and marketplace economics — face similar constraints.

“Marketing, behavioural profiling and personalised pricing are typically not ‘necessary’ to deliver the core service,” Walia says, meaning they require separate opt-ins.

This tightening comes just as ad spend and personalised promotions surge across Amazon, Flipkart, food-delivery and quick-commerce platforms — putting the sector’s most relied-upon growth levers under regulatory pressure.

Ad spends and revenue of e-commerce players “can have a severe impact on profitability as ad revenue drives 40-120% of operating profit for quick-commerce platforms, and food-tech platforms”, said Elara's Taurani.

Amazon India’s advertising and allied services revenue grew 25% in FY25, against a 21% growth in its mainstay marketplace business, making it one of the fastest-growing segments, data from business intelligence platform Tofler showed.

Given their scale and frequency of user interactions, e-commerce, quick-commerce and ride-hailing platforms may also face heightened scrutiny as potential significant data fiduciaries (SDFs) — a designation that triggers stricter obligations around audits, data governance, breach reporting and algorithmic transparency, explained Walia.

Even without explicitly naming dark patterns, “DPDP Act ties interface design very closely to consent… Even withdrawal must be as easy as giving consent,” said Aparna Gaur, partner at Trace Law Partners.

Over 73% of online platforms use ‘forced action’, making users do something they didn’t choose, just to move ahead, according to the LocalCircles survey. Another 69% use ‘drip pricing’, where extra fees appear only at the final checkout.

Around 53% use ‘bait & switch’, showing one offer upfront but delivering something different later. About 47% use ‘interface interference’, using layout tricks or confusing buttons to push users toward choices the platform prefers, the survey added.

The regulator is zeroing in

Regulatory action has been gathering pace. The Central Consumer Protection Authority (CCPA) in May warned 11 platforms, including ride-hailing apps Ola and Rapido, to audit their interfaces for dark patterns.

CCPA issued a notice to Uber over its “advance tip” feature — which prompts riders to pre-select a tip during booking.

The sweep soon widened to Zomato, Swiggy and Zepto, with over 50 firms told to remove deceptive designs; Zepto has since reworked parts of its checkout flow.

So far this year, the CCPA has fined Rapido ₹10 lakh for misleading “guaranteed auto” claims and has also penalised platforms like FirstCry for similar pricing-related violations.

While the CCPA’s 2023 dark patterns guidelines remain the primary consumer-protection rules for deceptive design, the DPDP rules introduce a separate, parallel layer of scrutiny wherever interface choices affect consent, data minimisation or withdrawal—areas where many dark-pattern tactics naturally overlap, explained lawyers.

But gaps remain

Despite being more design-prescriptive than Europe’s General Data Protection Regulation (GDPR), some gaps remain. “The DPDP is slightly more prescriptive on UI/UX (user interface, user experience) behaviour because dark patterns are now linked to consent validity. GDPR addresses manipulative design through guidance and enforcement, but the Indian Rules place design obligations more directly into the compliance framework,” said Chowdhury.

The DPDP rules and the Act are drafted more like a general document rather than prescriptive rules, said Archana Balasubramanian, partner at Agama Law Associates.

What counts as “necessary” data is still open to interpretation, she said, warning that businesses may continue exploiting grey areas until enforcement settles, noting that some dark patterns have historically persisted because “businesses have always found a way out”.

What companies could do going forward

“E-commerce companies and ad-tech platforms will need to invest more in compliance and consent management systems,” said Elara's Taurani.

First-party players, such as Eternal, Swiggy, and Nykaa, are structurally advantaged, as their deep, consent-led datasets reduce reliance on external tracking and lower compliance risk. In contrast, smaller or third-party-dependent ad-tech players may struggle, he added.

While an Amazon India spokesperson said the company is assessing the rules, a Flipkart spokesperson said it will fully comply with the requirements within the timelines provided.

