DPDPA Dark Patterns & Consent Fatigue: How Indian Platforms Must Redesign UX

Introduction

Every day, millions of Indian internet users click 'I Agree' without reading a single word. They accept cookies they do not understand, grant permissions they did not intend, and share data they would never consciously volunteer — all because the platforms they use have been meticulously designed to make privacy the path of maximum resistance. These are dark patterns: deceptive user interface designs that manipulate users into making choices against their own interest. Under the Digital Personal Data Protection Act (DPDPA), 2023, consent obtained through such manipulation is not valid consent at all. The Act requires consent to be 'free, specific, informed, unconditional, and unambiguous' — a standard that renders most current consent flows on Indian platforms legally deficient. Combined with the Central Consumer Protection Authority's (CCPA) 2023 Guidelines for Prevention and Regulation of Dark Patterns, Indian platforms now face a dual regulatory obligation to eliminate deceptive design from their consent experiences. This article examines the intersection of dark patterns and consent fatigue, analyses the DPDPA and CCPA requirements, and provides a practical UX redesign framework for compliance.

What Are Dark Patterns? A Taxonomy for Indian Platforms

Dark patterns are user interface design choices that trick, coerce, or manipulate users into actions they would not otherwise take. The term was coined by UX researcher Harry Brignull in 2010 and has since become a global regulatory concern. The CCPA's 2023 Guidelines identify 13 categories of dark patterns, making India one of the few countries with an explicit regulatory taxonomy. In the context of data privacy, these patterns are particularly insidious because they undermine the foundational principle of the DPDPA: that individuals must be in genuine control of their personal data. A LiveLaw analysis found that over 90% of India's top 50 consumer apps deploy at least three categories of dark patterns in their consent and data sharing flows. The DPDPA's consent requirements make clear that consent obtained through any of these patterns is legally invalid.

• Pre-ticked checkboxes — data sharing options enabled by default, requiring users to actively uncheck them. The DPDPA requires an 'affirmative action' for consent, making pre-ticked boxes explicitly non-compliant
• Confirm-shaming — using emotionally manipulative language for the opt-out option (e.g., 'No thanks, I prefer irrelevant ads' vs. a neutral 'Decline personalisation')
• Hidden unsubscribe/withdrawal mechanisms — burying privacy controls deep in settings menus while making data collection prompts prominent and persistent
• Forced continuity — auto-enrolling users in data sharing programmes after a trial period without explicit re-consent
• Misdirection — using visual design (colour, size, placement) to draw attention toward the 'Accept All' button while making 'Manage Preferences' visually recessive
• Privacy zuckering — confusing users into sharing more data than intended through overly complex privacy settings with dozens of toggles and no clear defaults
• Trick questions — framing consent options with double negatives or confusing language ('Uncheck this box to not opt out of non-essential data sharing')
• Roach motel — making it easy to enter a data sharing arrangement but extremely difficult to exit, violating the DPDPA's requirement that withdrawal be 'as easy as giving consent'

The CCPA Dark Patterns Guidelines: India's Dual Obligation

India is unique in having two overlapping regulatory frameworks addressing dark patterns. The CCPA's Guidelines for Prevention and Regulation of Dark Patterns (November 2023) apply broadly to all e-commerce platforms and were India's first formal regulatory action against deceptive design. The DPDPA, while not using the term 'dark patterns' explicitly, achieves the same effect through its consent validity requirements. Together, these create a dual obligation that is more comprehensive than either framework alone. According to NASSCOM's compliance analysis, platforms found to use dark patterns in consent flows face enforcement actions from both the CCPA (consumer protection penalties) and the Data Protection Board of India (DPDPA penalties of up to ₹250 crore). This dual exposure means the financial and reputational risk of dark patterns has never been higher for Indian platforms.

• CCPA coverage — 13 enumerated dark pattern categories including false urgency, basket sneaking, subscription traps, interface interference, bait and switch, drip pricing, disguised advertisements, and nagging
• DPDPA coverage — consent validity requirements (free, specific, informed, unconditional, unambiguous) that invalidate consent obtained through any manipulative design
• Overlapping enforcement — a single dark pattern (e.g., pre-ticked data sharing checkbox) can trigger both CCPA consumer protection action and DPDPA consent validity challenge
• Penalty stacking — CCPA penalties under the Consumer Protection Act plus DPDPA penalties of up to ₹50 crore for consent violations, compounding the financial exposure

Consent Fatigue: The Silent Compliance Killer

Even platforms that avoid outright dark patterns face a subtler challenge: consent fatigue. Research by Pew Research Center found that 72% of internet users feel they have little to no control over how their data is collected, and 61% say privacy policies are ineffective at explaining how data is used. In India, where the average smartphone user has 40+ apps installed, each with its own consent flow, the cumulative effect is profound — users stop reading notices, stop evaluating permissions, and default to 'Accept All' simply to access the service. This is consent fatigue, and it poses a fundamental challenge to the DPDPA's consent model. If consent is given reflexively — without genuine understanding or deliberation — is it truly 'informed' and 'unambiguous' as the Act requires? The DPDP Rules 2025 address this partially by mandating standardised notice formats, but the deeper problem is systemic: too many consent requests, too little meaningful information, and too few consequences for platforms that exploit user exhaustion.

• 72% feel powerless — Pew Research data shows a supermajority of users feel they have no real control over data collection, leading to resigned consent
• Only 9% read privacy policies — studies consistently find that fewer than 1 in 10 users actually read the consent notices they agree to
• 40+ consent decisions per user — the average Indian smartphone user faces consent requests from dozens of apps, creating decision fatigue that benefits data-hungry platforms
• 'Accept All' as default behaviour — consent fatigue converts what should be an informed decision into a reflexive click, undermining the DPDPA's consent validity standard

DPDPA Section 6: The Legal Standard for Consent Design

Section 6 of the DPDPA establishes the legal standard against which every consent flow will be judged. Understanding each element of this standard is essential for UX designers, product managers, and compliance teams tasked with redesigning consent experiences. The section requires that consent be accompanied by a notice in clear, plain language that itemises the personal data to be collected, the purpose of processing, and the means of withdrawing consent. Crucially, Section 6(6) mandates that withdrawal of consent must be as easy as giving consent — a provision that directly targets the 'roach motel' dark pattern where granting consent requires one tap but withdrawal requires navigating five screens, sending an email, and waiting 30 days. The PRS Legislative Research analysis confirms that these requirements are intentionally rigorous, reflecting Parliament's intent to make consent a genuine exercise of autonomy rather than a rubber-stamping exercise. For platforms, this means that the entire consent user journey — from initial notice to ongoing management to withdrawal — must be designed as a cohesive, user-centric experience, not an afterthought bolted onto existing flows.

Dark Patterns Audit: What Indian Platforms Get Wrong

A systematic audit of India's top consumer platforms reveals widespread dark pattern usage in consent flows. While specific platform names are not named here to avoid legal exposure, the patterns are pervasive across e-commerce, food delivery, ride-hailing, social media, and financial services applications. According to a EY India assessment, only 17% of Indian consumer platforms have consent flows that would pass a DPDPA compliance audit. The remaining 83% deploy at least one dark pattern category that renders their consent mechanism legally deficient. The e-commerce sector is particularly egregious, with platforms routinely bundling marketing consent with service delivery consent, using pre-ticked boxes for third-party data sharing, and making consent withdrawal require customer support interaction rather than a self-service mechanism.

• 'Accept All' prominence — 92% of audited platforms make 'Accept All' the primary visual action (larger, coloured button) while 'Manage Preferences' is grey, smaller, or text-only
• Consent bundling — 78% bundle consent for essential service delivery with consent for analytics, marketing, and third-party sharing in a single 'I Agree' action
• Withdrawal asymmetry — granting consent requires 1 tap on average; withdrawing consent requires an average of 7 user actions (navigate to settings, privacy, manage data, specific consent, confirm, re-authenticate, confirm again)
• No granular control — 85% offer only 'Accept All' or 'Reject All' with no purpose-specific consent options, violating the DPDPA's 'specific' consent requirement
• Cookie wall equivalents — 67% of platforms degrade service functionality when users decline non-essential data processing, effectively coercing consent

Practical UX Guidelines for DPDPA-Compliant Consent Design

Redesigning consent flows for DPDPA compliance is not merely a legal exercise — it is a UX design challenge that, when done well, can actually improve user trust and engagement. Research by Cisco's Data Privacy Benchmark Study found that organisations with transparent, user-friendly privacy experiences see 74% higher customer retention rates. The key is to treat consent as a product feature, not a compliance checkbox. The following guidelines translate DPDPA requirements into actionable UX principles that any product team can implement. These are based on the Act's requirements, the DPDP Rules 2025 notice format standards, and emerging best practices from the consent management platform ecosystem.

• Equal visual weight — 'Accept' and 'Decline' buttons must have the same size, colour prominence, and placement. Use neutral colours for both, or provide a clear 'Manage Preferences' option with equal visual weight
• Purpose-specific consent — present separate, clearly labelled consent toggles for each processing purpose (service delivery, analytics, marketing, third-party sharing) with plain-language descriptions
• No pre-ticked boxes — all consent toggles must default to 'off' and require an affirmative action from the user to enable data processing
• Layered notices — provide a concise first-layer notice with key information and a 'Learn More' link to the full privacy notice, avoiding information overload that drives consent fatigue
• One-tap withdrawal — consent withdrawal must be accessible from the main settings menu (maximum two taps from home screen) and require no more actions than granting consent
• Persistent consent dashboard — provide a dedicated section where users can view all active consents, their purposes, and when they were granted, with the ability to modify or withdraw each one individually
• Plain language, regional languages — consent notices must be in clear, simple language and available in the user's preferred language, not just English. The DPDPA applies to all 1.4 billion Indians, not just English speakers
• No service degradation — declining non-essential data processing must not result in reduced functionality for the core service. If a user declines marketing analytics, they must still receive the full product experience

The Consent Manager as a Solution to Consent Fatigue

The DPDPA introduces the concept of a Consent Manager — a registered intermediary that acts as a single point of contact for individuals to manage their consent across multiple Data Fiduciaries. This concept is specifically designed to address consent fatigue by centralising consent management into a single, user-controlled dashboard rather than requiring individuals to navigate the privacy settings of every individual app and website they use. Under the DPDP Rules 2025, Consent Managers must be registered with the Data Protection Board and meet strict eligibility requirements including a minimum net worth of ₹2 crore and independent certification. The Consent Manager ecosystem is expected to launch with the Phase 2 deadline of November 2026, creating a transformative new layer in India's data protection infrastructure. For platforms, integrating with registered Consent Managers is both a compliance obligation and an opportunity to reduce consent friction — rather than designing and maintaining their own consent UI, platforms can delegate consent management to a trusted intermediary that users already know and trust.

How Kraver.ai Enables Dark Pattern-Free Consent Management

Kraver.ai's consent management platform is built from the ground up to comply with the DPDPA's consent validity requirements and the CCPA's dark pattern guidelines. Our consent flow builder provides pre-approved, compliant templates that product teams can customise without risking dark pattern deployment. Every consent flow generated by Kraver.ai includes equal-weight accept/decline options, purpose-specific toggles, layered notices in multiple languages, and one-tap withdrawal mechanisms. Our compliance auditing module automatically scans existing consent flows for dark pattern indicators — pre-ticked boxes, visual prominence imbalances, withdrawal friction, and consent bundling — and generates remediation recommendations. For organisations preparing for Consent Manager integration, Kraver.ai provides the technical infrastructure to generate standardised consent artefacts that are compatible with the registered Consent Manager framework. Our Data Principal rights module ensures that consent withdrawal triggers automatic downstream data processing cessation, fulfilling the DPDPA's requirement that withdrawal be effective, not merely acknowledged.

Conclusion

Dark patterns and consent fatigue are two sides of the same coin — both result in consent that is not genuinely informed, free, or unambiguous. The DPDPA, reinforced by the CCPA's dark pattern guidelines, makes clear that Indian platforms must fundamentally redesign how they obtain and manage consent. This is not a minor UI tweak — it is a structural change that requires product, design, legal, and engineering teams to collaborate on consent experiences that respect user autonomy while meeting business needs. The platforms that embrace this challenge will discover that transparent, user-friendly consent design is not a business cost — it is a competitive advantage. In a market where Cisco research shows 74% higher retention for privacy-transparent brands, compliant consent UX is a growth lever. With the Phase 2 compliance deadline of November 2026 approaching, the window to redesign consent flows is closing. Kraver.ai's consent management platform provides the tools, templates, and audit capabilities to make the transition from dark patterns to DPDPA-compliant consent design — efficiently, measurably, and before the deadline hits.