Introduction:
The new draft guidelines titled ‘Guidelines for Prevention and Regulation of Dark Patterns, 2023’[1] (“Draft Dark Pattern Guidelines”), released by the Department of Consumer Affairs in September 2023, define dark patterns as “any practices or deceptive design patterns using UI/UX (user interface/user experience) interactions on any platform; designed to mislead or trick users to do something they originally did not intend or want to do; by subverting or impairing the consumer autonomy, decision making or choice; amounting to misleading advertisement or unfair trade practice or violation of consumer rights”.
In practice, these patterns exploit human psychology and trick people into making unwanted choices or purchases. They have become a menace for the FinTech industry. These patterns are used to encourage people to sign up for loans, credit cards, and other financial products that they may not need or understand. However, the new Digital Personal Data Protection Act, 2023 (“DPDP Act”), can be used to bring such dark patterns under control. The DPDP Act requires online platforms to seek the consent of Data Principals through clear, specific and unambiguous notice before processing any data. Further, the Act empowers individuals to retract or withdraw consent to any agreement at any juncture. Therefore, organisations will have to undertake technical and organisational measures to align their data collection practices with the principles of fairness, transparency and accountability.
Draft Guidelines:
The Draft Dark Pattern Guidelines provide for certain specific instances where such patterns are currently in use:
- False urgency: This pattern creates a sense of urgency to make a decision, such as by telling the user that an offer is only available for a limited time.
- Basket sneaking: This pattern adds items to a user’s cart without their knowledge or consent.
- Confirm shaming: This pattern makes it difficult for users to cancel a subscription or other service.
- Forced action: This pattern requires users to take action, such as agreeing to a privacy policy, to continue using a service.
- Subscription traps: This pattern makes it difficult or impossible for users to cancel a subscription, such as by requiring them to call a customer service number or navigate through a complex maze of menus.
Implications for FinTech qua the Data Law:
The Draft Dark Pattern Guidelines, coupled with the recent promulgation of the DPDP Act, are likely to have a significant impact on the FinTech industry. Companies will need to review their user interfaces, remove any dark patterns that they are using, protect personal data, use that data for ‘legitimate purposes’ only, and take consent from users through clear affirmative action, in unambiguous terms. They will also need to develop new ways to promote their products and services without relying on deception. However, implementation of and compliance with the DPDP Act may be challenging. The biggest challenge may arise in maintaining a balance between accessing user data for personalisation and protecting user privacy. Further, companies will have to invest in additional resources to ensure personalised marketing is in line with the Act’s stringent data protection requirements.
Next Steps for Compliance:
To comply with the Draft Dark Pattern Guidelines and the DPDP Act, FinTech companies would have to:
- review their user interfaces and marketing materials to ensure that they are not using dark patterns.
- obtain clear and informed consent from users before collecting or using their personal data.
- provide users with the ability to access, correct, and delete their personal data.
- protect user data from unauthorised access, use, or disclosure.
- educate consumers about dark patterns and how to identify them and develop industry standards for user interfaces that are free of dark patterns.
- integrate pop-up notifications or consent documentation on digital platforms for upholding compliance.
- offer comprehensive and customised user interactions on digital platforms.
- enhance user interfaces by adopting encryption, multi-factor authentication and routine security safeguards.
- establish a mechanism to ensure completeness, accuracy, consistency and correctness of the data processed.
- ensure that platforms target the right audience without disclosing personal information.
- set up a grievance redressal mechanism to cater to consumer complaints with respect to dark patterns.
- conduct periodic audits to prevent data breaches.
By taking these steps, the industry can help create a more transparent and fairer digital ecosystem for consumers.
Concluding thoughts:
The Draft Dark Pattern Guidelines are a positive step towards protecting consumers. FinTech companies need to take steps to comply with the guidelines and avoid using deceptive user interface designs. Consumers also need to be aware of dark patterns and how to avoid them. By working together, a more transparent and fairer financial services industry can be created. The Guidelines, along with the recent DPDP Act, will make online platforms a safer place for customers.
[1] Draft Guidelines for Prevention and Regulation of Dark Patterns 2023.pdf (consumeraffairs.nic.in)