Misleading Dark Patterns on Digital Platform: Consent engineered through guilt

June 8, 2026
Misleading Dark Patterns on Digital Platform

By Vikrant Rana, Anuradha Gandhi and Abhishekta Sharma

Introduction

On June 01, 2026, the Central Consumer Protection Authority (CCPA) issued a significant order against Physicswallah Limited (hereinafter referred to as Party), the EdTech unicorn behind the pw.live platform, finding it guilty of deploying three distinct dark patterns. The matter taken up suo moto by CCPA culminated in a penalty of INR 5,00,000 and a binding direction to eliminate all dark patterns from the platform immediately.[1]

Facts of the Case

The CCPA order identified three practices on Party’s official website and phone application as the subject of the suo moto proceeding:

  1. Basket Sneaking- the Pre-Selected INR 10 donation
    The CCPA observed that the Party had pre-selected the option “Donate for PW Foundation” during the purchase process, thereby automatically adding INR 10 to the final payable amount without obtaining explicit consent from consumers.The pre-ticked donation feature remained operational from February 14. 2024 o December 24, 2025, for approximately a period of 22 months contributing to donation amount of INR 2.47 crore from 21,36,962 users.

    The mechanism was disabled on December 24, 2025, following receipt of first CCPA notice dated December 04, 2025.

    The CCPA’s Director General (Investigation), in the investigating report found this constituted Basket Sneaking that is the automatic addition of charges to a transaction without the consumer’s explicit consent, which capitalizes on expedited transactions to induce unintended financial commitments and fundamentally pressurizes consumer decision-making while compromising transactional transparency.

  2. Confirm Shaming- the “know more” guilt trigger
    When a consumer clicked “know more” in relation to the donation feature, the message displayed mention that to empower lives through supporting marriages financially of needy people, advancing education of children and promoting healthcare in underserved communities- donate to support the cause.This message was presented simultaneously with a pre-selected donation option during a moral pressure and emotional obligation upon consumer to retain the donation amount rather than exercising a free and neutral choice.

    The CCPA concluded this as a manipulative interface design and violating the Consumer Protection Act, 2019, Consumer Protection (E-Commerce) Rules, 2020 and Guidelines for Prevention and Regulation of Dark Patterns, 2023 by creating a sense of fear or shame or ridicule or guilt in the mind of the user so as to nudge the user to act in a certain way.[2]

    The combination of pre-selected default and guilt inducing messaging when the user sought to investigate the charge was held to fall squarely within this definition.

  3. Forced Action-Personal Data as the Price of “Free” Course
    The CCPA also found that the Party promoted educational courses as “free” while simultaneously requiring consumers to mandatorily furnish mobile numbers and email IDs before access could be granted.The CCPA independently accessed the free course through multiple test accounts and found that the educational content, including videos and study material, remained identical across accounts and no elements of personalization, customized learning pathway or differentiated academic experience was found to be associated with the collection of email addresses or mobile numbers contradicting to the Party’s stated justification for mandatory data collection.

The findings of the Case

The CCPA’s formal findings against the Party was:

  1. Section 2(9), Consumer Protection Act, 2019[3]Consumer rights: the right to be informed, the right to be protected against unfair trade practices, and the right to seek redressal. Impaired by the pre-selected donation mechanism, emotionally manipulative prompts, and mandatory data conditioning of “free” courses.
  2. Section 2(28), Consumer Protection Act, 2019[4]Misleading advertisement: promoting courses as “free” without adequately disclosing mandatory personal information disclosure requirements constitutes concealment of material information.
  3. Section 2(47), Consumer Protection Act, 2019[5]– the basket sneaking mechanism, inserting ₹10 donations via default pre-selection constituted an unfair and deceptive commercial practice.
  4. Consumer Protection (E-Commerce) Rules, 2020[6]– Rule 4(9) (pre-ticked checkboxes prohibited) and Rule 4(3) (no unfair trade practice in the course of business).
  5. Guidelines for Prevention and Regulation of Dark Patterns, 2023[7]– Basket Sneaking, Confirm Shaming, and Forced Action.

Directions by CCPA

The Authority directed that the Party shall ensure that no dark patterns are employed on its platform, website, application or any other digital interface and imposed a penalty of INR 5,00,000, further directing to submit compliance report within 15 days from receipt of the Order.

The Planet 49 mirror- Europe’s Pre-ticked Reckoning

The CCPA’s reasoning in this case tracks the jurisprudence established by the Court of Justice of the European Union in the Planet 49 case

Bundesverband der Verbraucherzentralen v. Planet49 GmbH,[8] CJEU Grand Chamber[9] commonly known as Planet49 case against a German online gaming company-Planet49, operating promotional lotteries. On its registration page, a second checkbox relating to the placement of advertising and tracking cookies on the user’s device was pre-ticked by default. Users had to actively deselect it to refuse. The German Federal Association of Consumer Organizations challenged this practice as incompatible with the ePrivacy Directive and General Data Protection Regulations (GDPR) consent requirements.

The CJEU’s Grand Chamber held unequivocally that a pre-ticked checkbox does not constitute valid consent under either the ePrivacy Directive or the GDPR. The Court held that consent requires an active expression of will not mere passivity and that a user’s failure to deselect a pre-ticked box cannot constitute a clear and affirmative indication of agreement. The burden lies on the data controller to demonstrate valid consent was obtained.

The Court also clarified that the information provided to the user about cookies must include the duration of operation and whether third parties have access information that must be given before consent is sought.

Post-Planet 49, European Data Protection Authorities levied enforcement actions totaling hundreds of millions of euros against platforms whose consent architectures relied on pre-ticked defaults, manipulated hierarchies, or buried reject options. France’s CNIL fined Google €150 million and Meta €60 million for exactly this pattern.  The changes that this judgement brought about in EU “silence, pre-ticked boxes or inactivity should not constitute consent”.The CCPA’s order, while imposing a far smaller financial penalty, establishes the same doctrinal foundation in India. The quantum will grow as the DPDP Act’s enforcement machinery activates.

The Digital Personal Data Protection Act, 2023 [10]Dimension

The CCPA’s order was adjudicated under the Consumer Protection Act, 2019 and the E-Commerce Rules, 2020. But the same conduct collecting personal data through pre-selected defaults, conditioning access to services on mandatory data disclosure, and deploying emotional manipulation to overcome consumer resistance  simultaneously engages India’s Digital Personal Data Protection Act, 2023 (DPDP Act), whose enforcement machinery, once fully operational, carries far larger financial consequences.

The consent mechanism under DPDP Act

The DPDP Act requires that consent must be “free, specific, informed, unconditional, and unambiguous with clear affirmative action.” The CCPA order, decided under consumer law, is effectively a preview of what a Data Protection Board proceeding on the same facts would conclude.

The mandatory collection of mobile numbers and email addresses as a condition of accessing “free” courses presents an additional obligation under DPDP Act. Consent needs to be “unconditional” restricting data processing beyond what is necessary for the service.

Secondly would a pre-ticked box constitute a clear notice in the layout of the website where the consumer in the general lethargy is likely to ignore it or would it constitute a sneaking in practice

The participation required from consumers is not to give active or explicit consent but to actively withdraw or withhold their consent

The Penalty Architecture

The CCPA’s penalty of ₹5,00,000 is constrained by the ceiling under Sections 20–21 of the Consumer Protection Act (₹10 lakh for first violation; ₹50 lakh for subsequent). The penalty under DPDP Act can scale upto INR 250 crore.

The “Forced Action” Practice

The CCPA’s finding that mandatory data disclosure as a condition of “free” course access constitutes “Forced Action” has a direct DPDP Act counterpart. The consent requirement, under DPDP Act read with the DPDP Rules on purpose limitation, establishes that a data fiduciary cannot make the provision of a service contingent on consent to data processing that exceeds what is strictly necessary for that service. The CCPA found there was no evidence of personalisation attributable to the collected data.

The Broader Risk Matrix for Platforms

Any digital platform whether in education, e‑commerce, fintech, health‑tech, or media that has deployed similar checkout patterns must now evaluate its exposure to consumer data privacy risks and initiate comprehensive compliance audits of its website. The implications of such exposure can be significant:

  1. Legal Liability: Potential action under the Consumer Protection Act, the Digital Personal Data Protection (DPDP) Act, and other emerging data privacy and technology regulations.
  2. Regulatory & Investor Impact: Violations may erode investor confidence, undermine digital ethics benchmarks, and heighten IPO or investment risks.
  3. Operational & Marketing Costs: Consumer marketing databases and behavioral profiles built on forced‑action mechanisms or pre‑ticked consent may require deletion or re‑collection, resulting in substantial financial and reputational costs.

The system that relying on consumer fatigue rather than active consent is bypassing the law by using a dark pattern where the consumer in a hurry to access the service does not deselect the pre ticked or pre decided choices. Hence the right to make a choice is actively taken away from the consumer.

[1] *Physics_Wallah_Limited_Order_01June2026.pdf

[2] Clause iii of Annexure 1,

[3] https://indiankanoon.org/doc/19628693/

[4] https://indiankanoon.org/doc/47873513/

[5] https://indiankanoon.org/doc/117738049/

[6] https://www.consumerprotection.in/rule-4-duties-of-e-commerce-entities/

[7] Guidelines for Prevention and Regulation of Dark Patterns, 2023

[8] EUR-Lex – 62017CJ0673 – EN – EUR-Lex

[9] (C-673/17, 1 October 2019)

[10] a2023-22.pdf

More Articles

  1. Criminal Proceedings Cannot Continue After DRT-Approved Loan Settlement
  2. Bangladesh Trademarks: The Opportunity Hidden in the Numbers
  3. UKIPO 2026: Higher Fees, Stricter Rules, and a Hard Deadline for EU Trade Mark Holders
  4. There Is No World Patent: Choosing Between the PCT and Convention Routes from India
  5. Delhi High Court Declares GSK’s ‘CALPOL’ a Well-Known Trademark
  6. Commercial Use of Music on Social Media: Analyzing the Zee Entertainment v. Nykaa Copyright Infringement Dispute
For more information please contact us at : info@ssrana.com