India's digital landscape is undergoing a significant transformation as new data privacy regulations take aim at deceptive design practices commonly used by e-commerce, food delivery, and ride-hailing applications. The Digital Personal Data Protection (DPDP) Rules, 2025, notified on November 14, could fundamentally alter how platforms obtain user consent and handle personal information.
What Are Dark Patterns and How Do Apps Use Them?
For years, consumer platforms have employed sophisticated interface designs known as dark patterns to manipulate user behavior. These tactics include forced opt-ins, buried opt-outs, and misleading prompts that trick users into sharing more data than they initially intended. According to experts, these practices are now facing heightened regulatory scrutiny.
Karan Taurani, executive vice president at Elara Securities, explains that the new rules place consent at the center of data processing, significantly enhancing user choice and control. "Withdrawal of consent for users must be as easy as giving it — translating into cleaner interfaces, fewer buried settings and tighter limits on what platforms can collect by default," he stated.
Common dark patterns identified across platforms include time-pressured prompts like "only two left" or "fees increasing soon," visually weighted location requests that push "Allow," auto-added add-ons during checkout, subscription pop-ups, surge multipliers, and pre-selected checkboxes. A LocalCircles survey this year revealed that sectors like e-commerce, quick-commerce, food-delivery, and app taxis use seven or more dark patterns on average.
Key Provisions of the DPDP Rules 2025
The new regulations impose strict limitations on data collection practices. Companies must now clearly inform users why they need their data, how they will use it, how long they will retain it, when consent expires, and when data will be removed if no longer needed. Probir Roy Chowdhury, partner at JSA Advocates and Solicitors, emphasized that "Data fiduciaries cannot collect data 'just in case' or for some undefined future use."
This standard makes bundled or catch-all permissions difficult to justify. While the Act doesn't require separate checkboxes for every micro-purpose, bundling materially different purposes together "creates a risk of undermining specificity and data minimisation and is likely to be non-compliant," according to Harsh Walia, Partner at Khaitan & Co.
Marketing and behavioral profiling—crucial to quick-commerce and marketplace economics—face similar constraints. Walia notes that "Marketing, behavioural profiling and personalised pricing are typically not 'necessary' to deliver the core service," meaning they require separate opt-ins from users.
Impact on Business Models and Profitability
The regulatory tightening comes at a critical time when ad spending and personalized promotions are surging across platforms like Amazon, Flipkart, and food-delivery services. This puts the sector's most relied-upon growth levers under significant pressure.
Elara's Taurani warned that ad spends and revenue of e-commerce players "can have a severe impact on profitability as ad revenue drives 40-120% of operating profit for quick-commerce platforms, and food-tech platforms." Amazon India's advertising and allied services revenue grew 25% in FY25, compared to 21% growth in its mainstay marketplace business, making it one of the fastest-growing segments according to data from business intelligence platform Tofler.
E-commerce, quick-commerce and ride-hailing platforms may also face heightened scrutiny as potential Significant Data Fiduciaries (SDFs)—a designation that triggers stricter obligations around audits, data governance, breach reporting and algorithmic transparency.
Regulatory Action and Enforcement
Regulatory action against dark patterns has been gathering momentum throughout 2025. The Central Consumer Protection Authority (CCPA) warned 11 platforms in May, including ride-hailing apps Ola and Rapido, to audit their interfaces for dark patterns. The CCPA also issued a notice to Uber over its "advance tip" feature that prompts riders to pre-select a tip during booking.
The scrutiny soon expanded to include Zomato, Swiggy and Zepto, with over 50 firms instructed to remove deceptive designs. Zepto has since reworked parts of its checkout flow in response. So far this year, the CCPA has fined Rapido ₹10 lakh for misleading "guaranteed auto" claims and has penalized platforms like FirstCry for similar pricing-related violations.
Aparna Gaur, partner at Trace Law Partners, explained that even without explicitly naming dark patterns, "DPDP Act ties interface design very closely to consent… Even withdrawal must be as easy as giving consent."
According to LocalCircles data, over 73% of online platforms use 'forced action,' making users do something they didn't choose just to proceed. Another 69% use 'drip pricing,' where extra fees appear only at final checkout, while 53% use 'bait & switch' tactics, showing one offer upfront but delivering something different later.
Challenges and Future Outlook
Although the DPDP rules are more design-prescriptive than Europe's General Data Protection Regulation (GDPR), some implementation gaps remain. Archana Balasubramanian, partner at Agama Law Associates, noted that the DPDP rules and the Act are drafted more like a general document than a set of prescriptive rules. What counts as "necessary" data is still open to interpretation, and businesses may continue exploiting grey areas until enforcement mechanisms settle.
Looking ahead, Elara's Taurani predicts that "E-commerce companies and ad-tech platforms will need to invest more in compliance and consent management systems." First-party players like Eternal, Swiggy, and Nykaa are structurally advantaged as their deep, consent-led datasets reduce reliance on external tracking and lower compliance risk. In contrast, smaller or third-party-dependent ad-tech players may struggle to adapt.
While an Amazon India spokesperson said the company is assessing the rules, a Flipkart spokesperson committed to fully complying with the requirements within the provided timelines. The industry-wide shift toward transparent data practices marks a significant step in protecting Indian consumers from manipulative digital interfaces while reshaping how businesses approach user consent and data collection.