Wringing Consent from Consumers: A Violation of Privacy and Consumer Rights

April 15, 2025

By Anuradha Gandhi and Rachita Thakur

Introduction

The State Consumer Disputes Redressal Commission, Chandigarh, ruled against a coffee store for collecting and using customers’ mobile numbers without consent, citing unfair trade practices and dark patterns. The court emphasized that mobile numbers are indicative of sensitive personal data like names, addresses, location and even bank account details including OTPs for financial transactions. Unauthorized access to such data without consent is a privacy breach, strictly governed by data protection laws[1].

What does the Advisory say?

The complainant was forced to provide his mobile number to place an order at a coffee shop, as the cashier claimed it was mandatory for billing and marketing purposes. After receiving the bill, the complainant got a message stating that his Loyalty Wallet had been credited with 19.15 points with the expiry date of the same. The complainant alleged that the practice amounts to “Dark Patterns”, which the government discourages. Additionally, the complainant alleged that collecting personal data in such a manner makes it prone to leakage or hacking, leading to further harassment through unwanted calls and solicitations. It was also stated that many such companies sell consumer data for profit, exploiting customers for commercial gain. The complainant cited breach of section

Issue of the Case

  1. Whether such forced contact is an unfair trade practice
  2. Whether the act of parties amounts to “Dark Patterns”

Ruling

The Commission ruled that such practice is an unfair trade practice, as the coffee shop violated the government’s instructions (circular bearing No.J24/34/2023-CPU dated 26.05.2023 of Government of India, Department of Consumer Affairs), which advised retailers that consumers’ mobile numbers should not be collected without their express consent and that providing a mobile number should not be a mandatory pre-condition for purchasing goods or services.[2]

Further, the commission ruled that the act of the coffee shop amounted to “ For more information on Dark Patterns, kindly refer to our article at https://ssrana.in/articles/guidelines-prevention-regulations-dark-patterns/

The court emphasized that mobile numbers are linked to sensitive personal data, including names, addresses, bank accounts and OTPs, making them vulnerable to misuse, tracking and privacy breaches. Therefore, the court ruled that[3]:

  1. Providing a mobile number is not required to generate a bill;
  2. Customers should be informed about how their data is collected and used;
  3. Consent is essential before collecting personal information;
  4. Customers should have the choice to share or withhold data;
  5. Retailers should adopt suitable security measures to safeguard the personal information they collect.

Decision

The commission ordered the coffee shop:

  1. To immediately delete the personal information collected and refrain from practicing such unfair trade practices;
  2. To strictly act in accordance with the government’s instructions and not to obtain mobile numbers and personal details of customers without their express consent;
  3. To pay INR 2500 as compensation for the above act.

Our Analysis

  1. Dark Patterns under Advertising Standards Council of India (ASCI) Guidelines

    As per the ASCI Guidelines for Online Deceptive Design Patterns in Advertising, the use of “Forced Action”, where users are compelled to share personal information to access or purchase a product or service, has been classified as a dark pattern. ASCI recommends that users must have the freedom to choose whether or not to share personal information in exchange for a service. Non-compliance with this guideline may attract penalties under the Consumer Protection Act, 2019, as dark patterns are deemed unfair trade practices under the Guidelines for Prevention and Regulation of Dark Patterns, 2023 issued by the Central Consumer Protection Authority.[4]

  2. Existing Data Privacy Framework

    Presently, India’s framework on Data Privacy is governed by the Information Technology Act, 2000 and the Rules thereunder, i.e. the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. However, the recently enacted Digital Personal Data Protection Act, 2023 (DPDP Act) is set to replace the IT Act. The ruling in this case highlights the importance of lawful data processing, particularly concerning consent and consumer .

    The key privacy principles applicable here, which promote legitimate, fair and secure data processing, include:

    1. Collection Limitation: Data must be collected lawfully, fairly and, where necessary, with the knowledge and consent of the data subject.
    2. Purpose Specification: Data should only be used for the specific purpose it was collected for, and the purpose shall be disclosed at the time of collection.
    3. Security Safeguards: Personal data must be protected by reasonable security safeguards at all times.
    4. Accountability: Data Fiduciaries are responsible for complying with the law and demonstrating such compliance.[5]

  3. Consent Framework under the DPDP Act

    Under the DPDP Act, personal data can be processed for a lawful purpose and with the consent of the Data Principal (the individual to whom the personal data relates)[6]. Such consent shall be free, specific and unambiguous with a clear affirmative action. It shall signify an agreement to the processing of personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose[7]. Additionally, businesses must provide prior notice explaining what data will be collected and for what purpose[8]. Furthermore, the Data Principal must be given the right to withdraw consent at any time, and such withdrawal shall be as easy as the giving of consent.[9]

  4. Telecom Regulatory Authority of India (TRAI)

    TRAI has issued the Telecom Commercial Communications Customer Preference (Second Amendment) Regulations, 2025[10], further reinforcing the consent framework for promotional communications. The regulations provide consumers with an opt-out option for promotional messages, and senders are prohibited from seeking consent again for 90 days. Additionally, consent provided for completing an ongoing transaction will only be valid for 7 days, preventing businesses from sending unsolicited messages or calls long after the initial agreement. Furthermore, service and transactional messages will require explicit consent for any further communication once the contract is completed.[11]

Rishabh Gupta, Junior Associate Advocate at S.S.Rana & Co. has assisted in the research of this article.

[1] Pankaj Chandgothia vs The Coffee Bean & Tea Leaf, available at: https://www.consumercourt.in/judgment/the-coffee-beantea-leaf_vs_mr-pankaj-chandgothia; https://indiankanoon.org/doc/25954241/

[2] https://consumeraffairs.nic.in/sites/default/files/DO%20letter%20from%20Secretary%28CA%29%20to%20Industry%20Associations%20reg.%20advising%20against%20taking%20mobile%20numbers%20from%20consumers.pdf

[3] https://indiankanoon.org/doc/25954241/

[4] https://www.ascionline.in/wp-content/uploads/2022/11/dark-patterns.pdf

[5] http://oecdprivacy.org/

[6] Section 4 of Digital Personal Data Protection Act, 2023

[7] Section 6 of Digital Personal Data Protection Act, 2023

[8] Section 5 of Digital Personal Data Protection Act, 2023

[9] Section 6(4) of Digital Personal Data Protection Act, 2023

[10] https://www.trai.gov.in/sites/default/files/2025-02/Regulation_12022025_0.pdf

[11] https://ddindia.co.in/2025/02/trai-strengthens-consumer-protection-with-amendments-to-telecom-commercial-communications-regulations/

 

For more information please contact us at : info@ssrana.com