AI-POWERED DARK PATTERNS: ALGORITHMIC DECEPTION, CONSUMER AUTONOMY, AND THE LEGAL GAP IN INDIA’S DIGITAL FRAMEWORK

AUTHOR: VISHAL V V

Table of Contents

OCCUPATION:ADVOCATE

To the Point

Artificial intelligence now helps shape the interfaces that consumers use on India’s biggest e-commerce, food delivery, travel and financial services platforms, determining which options are highlighted, how choices are framed and when urgency cues are triggered. AI personalisation has made things more convenient, but it’s also opened the door for a more sophisticated kind of manipulation, algorithmic-driven deceptive design, or AI-powered dark patterns. Traditional dark patterns are static designs set by human UX teams, and are the same for every user. AI-driven interfaces, in contrast, adapt in real-time to each user’s behavioral profile, inferred cognitive biases and emotional state  making them harder to detect and more effective. Evidence, such as the Neurorights Foundation’s 2024 audit and CCPA enforcement data, demonstrates that many of India’s 900 million internet users (TRAI, 2025) are exposed to this sort of personalised manipulation without awareness or any avenue for redress, through methods such as AI-calibrated urgency timers, algorithmically selected pre-ticked add-ons at checkout, manipulative cookie   consent flows, AI-obstruction of cancellations and AI-generated messages of false scarcity. India’s existing framework The IT Act, 2000, the Consumer Protection Act, 2019 and the DPDP Act, 2023 was not designed to deal with AI-adaptive deception. This article maps that gap and recommends specific reforms.

Use of Legal Jargon

Dark Pattern means a deceptive interface design that manipulates consumers into unintended actions, and is an unfair trade practice under Section 2(47), CPA 2019. Algorithmic Manipulation: exploiting cognitive biases through machine learning without informed knowledge Informed Consent: free, specific, informed and unambiguous consent under Section 6, DPDP Act 2023. Data Fiduciary: an entity which determines the purpose and means of processing of personal data under Section 2(i) of DPDP Act 2023. Intermediary Liability: platform’s responsibility under Section 79, IT Act 2000 and the 2021 Intermediary Guidelines. Unfair Trade Practice: defined in Section 2(47), CPA 2019 to include any deceptive method adopted to promote the sale of goods or services. Cognitive Liberty: the right to mental self-determination, increasingly acknowledged in digital rights discourse. Ex-ante Regulation: proactive intervention that stops harm from happening, instead of reactive, after-the-fact enforcement ,crucial for AI-adaptive systems.

The Proof

India has 900 million+ internet users by 2025 (TRAI Annual Report, 2025)  the highest number of victims of dark patterns in the world. The Neurorights Foundation’s 2024 audit found 96.7% of consumer app companies reserve the right to share behavioural data with third parties, raising doubts over whether consent under Section 6 of the DPDP Act is meaningful when data-sharing reservations are near-universal. The CCPA received over 10,000 complaints of deceptive digital practices in 2024-25 (Ministry of Consumer Affairs, 2025). In December 2024, the CCPA penalised BookMyShow and IndiGo Airlines for basket-sneaking and false urgency violations India’s first formal enforcement of dark pattern regulation. In June 2025, the CCPA issued a mandatory self-audit advisory to e-commerce platforms (CCPA-1/1/2023), which is valid until December 2026. But the CCPA’s Guidelines for Prevention and Regulation of Dark Patterns, 2023, lists thirteen prohibited categories and none of them specifically address AI-generated or adaptive dark patterns, thus leaving the most sophisticated form of manipulation entirely outside the current regulatory perimeter.

Abstract

India’s digitalisation has given rise to a new form of harm   algorithmic psychological manipulation through AI-driven dark patterns that change interfaces in real time based on profiling of a user’s emotional state, cognitive biases, browsing behaviour and socio-economic indicators, siphoning off consent, transactions and data beyond the user’s real intent. This article critically examines the legal standing of AI powered dark patterns under Indian law, mapping the relevant provisions of the IT Act 2000, the CPA 2019, the DPDP Act 2023 and the CCPA’s 2023 Dark Pattern Guidelines, and argues that while India has taken significant steps, none of these instruments explicitly deal with the AI-adaptive dimension, where deception is automated, personalised and scalable. The article concludes with recommendations for legislative reform including amendment of the IT Act to recognise algorithmic deception as a distinct offence and introduction of ex-ante audit obligations for AI-driven user interfaces based on analysis of Indian case law and comparative international frameworks – the EU Digital Services Act and AI Act, both 2024. The article is for a mixed readership  advocates and judges, doctors, teachers and middle-class digital consumers  to arm every Indian with awareness, legal protection and the vocabulary to demand policy change.

Keywords: Dark Patterns, AI Manipulation, Consumer Protection Act 2019, IT Act 2000, DPDP Act 2023, CCPA Guidelines, Algorithmic Deception, Cognitive Liberty, Informed Consent, India Cyber Law.

Relevant Laws / Statutory Provisions

Information Technology Act, 2000

Section 43 introduces civil liability for unauthorised data extraction that could extend to AI dark patterns that secretly extract data without genuine consent. Section 66C criminalises fraudulent use of identity, which could be involved in AI-generated false urgency messaging (e.g. fake “your account will be deleted” alerts). Section 66D punishes cheating by personation which may involve AI-chat or AI-voice deception of imitating a real person or authority to obtain information or payment. Section 79 provides conditional safe harbour to intermediaries which platforms can lose if they knowingly use dark patterns in contravention of the 2021 Intermediary Guidelines, Rule 3(2) of which provides for a Grievance Officer through which dark pattern complaints can be escalated.

Consumer Protection Act, 2019

Section 2(9) ensures the right to information and protects consumers from unfair trade practices. Section 2(47) defines unfair trade practice broadly enough to include AI-adaptive manipulation for product promotion. Section 18(1) gives the CCPA power to issue guidance, investigate complaints, and mandate corrective action  the foundation for the 2023 Dark Pattern Guidelines and the 2025 self-audit advisory. For the first offence, penalties up to Rs. 10 lakh and for subsequent offences Rs. 50 lakh are provided under Section 21. The CCPA’s 2023 Guidelines ban thirteen types of dark pattern, such as false urgency, basket sneaking, hidden charges, and misdirection, but not those produced by AI.

Digital Personal Data Protection Act, 2023

Section 4 limits processing of personal data only on the basis of consent or legitimate use. Section 6 requires consent to be free, specific, informed, unconditional and unambiguous. Pre-ticked boxes, misleading opt-in flows and hidden consent requests do not meet this requirement. Section 8 creates a duty on Data Fiduciaries to ensure data accuracy, limit storage and implementation of security safeguards, a duty that is strained by AI profiling for dark pattern targeting. Section 25 empowers the Data Protection Board of India to impose penalties up to Rs. 250 crore, thereby providing a robust enforcement mechanism against systematic deployment of dark patterns. 

Bharatiya Nyaya Sanhita, 2023

Section 318 (cheating) is triggered where AI dark patterns cause a user to deliver property, money or data under false pretences. Section 319 (cheating by personation) covers AI impersonation of authority, brands or persons for user action extraction. If AI-generated fake reviews or fake social proof are used to defame competing brands, the defamation law under Section 356 may be applicable.

Case Laws

CCPA v. BookMyShow & IndiGo Airlines (December 2024): The CCPA found both entities guilty of basket sneaking automatically adding travel insurance and convenience fees without explicit consent — and false urgency indicators, in violation of the 2023 Guidelines. Both were penalised and directed to rectify their checkout flows, marking India’s first formal enforcement establishing that interface design itself can constitute an unfair trade practice under Section 2(47), CPA 2019. The CCPA did not, however, address whether AI-adaptive personalisation of such patterns aggravates liability, a doctrinal silence that future amendments to the Guidelines should close by treating AI-optimisation of any prohibited pattern as an aggravating factor.

Arijit Singh v. Codible Ventures LLP & Ors.,   : AI platforms scraped the singer’s voice data to generate synthetic clones for commercial use without consent. The Bombay High Court granted an interim injunction restraining such use, recognising that AI-generated deceptive output is actionable under Indian law  a principle extendable by analogy to AI systems generating deceptive UI that impersonates urgency, authority, or social proof.

Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) : A nine judge Constitution Bench held that privacy is a fundamental right under Article 21, recognising both informational privacy and decisional privacy  freedom from external interference in personal choices. This provides a direct constitutional basis for challenging AI systems that profile a user and reconfigure an interface specifically to override independent judgment. Articles 14 and 19(1)(a) are also implicated, since AI-adaptive systems may target vulnerable populations more aggressively and distort the informational environment in which consumers act.

Samir Agrawal v. ANI Technologies Pvt. Ltd. (Ola), (2021) : In a competition-law case concerning Ola’s dynamic pricing algorithm, the Supreme Court acknowledged that algorithmic systems can produce market-distorting outcomes without any human decision-maker actively directing the result. Applied to AI dark patterns, this supports the proposition that a platform cannot escape liability for manipulative interfaces by pointing to the opacity of its own machine-learning models, and strengthens the case for ex-ante audit obligations over purely reactive enforcement.

Conclusion

AI-enabled deceptive interfaces are an operational reality for a large and growing share of India’s digital consumers, creating harm that is economic, psychological and constitutional in character. India has made some promising first moves: the thirteen prohibited categories of the CCPA, the consent standard of the DPDP Act, the enforcement architecture of the CPA, and the judicial precedents from Puttaswamy to Arijit Singh, all suggest that Indian courts are alert to algorithmic and AI-driven harms. But the critical gap remains: no Indian statute, rule or judicial pronouncement has specifically addressed AI-adaptive dark patterns, where deception is not static but learns, evolves and personalizes  a gap that is being exploited at scale across 900 million connected devices. This article recommends amendments to the IT Act, 2000 to introduce “algorithmic deception” as an offence under a new Section 66F, with graded penalties based on scale and intent; amendments to the CCPA Dark Pattern Guidelines, 2023 to explicitly prohibit AI-generated and AI-adaptive dark patterns as an aggravated category; mandatory algorithmic impact assessments for digital platforms deploying AI in user interfaces, modelled on Article 9 of the EU AI Act, 2024; enabling the Data Protection Board to conduct suo motu investigations into platforms whose AI systems systematically compromise consent; and plain-language disclosure whenever an AI system is actively personalising a user’s interface in real time, operationalising cognitive liberty as a digital right. India has the constitutional basis, statutory framework and institutional ability to take the lead in this effort; what is needed is the legislative will to act before the gap becomes a chasm.

Frequently Asked Questions (FAQs)

Q1. What is a dark pattern, and how is it different from normal advertising?

A dark pattern is a deceptive design trick embedded in an app or website that psychologically tricks a user into doing something not intended, such as sharing data, buying an add-on, or agreeing to a subscription. Unlike advertising, which is transparent persuasion, dark patterns are hidden manipulations that exploit cognitive biases; the CCPA Guidelines, 2023 officially prohibit thirteen types in India, including false urgency, hidden charges, and basket sneaking.

Q2. What makes AI-powered dark patterns more dangerous than ordinary dark patterns?

Traditional dark patterns are static designs made by human developers. AI-powered dark patterns are dynamic they analyse browsing history, purchase behaviour, and emotional state in real time and adapt the interface to exploit personal vulnerabilities, emphasising scarcity for price-sensitive users or triggering loss aversion for emotionally invested ones. This personalised manipulation is far more effective and currently has no specific legal prohibition in India.

Q3. What can I do if I believe I have been a victim of a dark pattern?

Options include filing a complaint with the National Consumer Helpline (1800-11-4000) or the e-Jagriti portal; lodging a complaint with the CCPA through the Consumer Commission; approaching the Data Protection Board under the DPDP Act, 2023 for consent-related violations; filing an FIR under Section 66D of the IT Act, 2000 or Section 318 of the BNS, 2023 for fraudulent interface manipulation; or seeking relief before a Consumer Disputes Redressal Commission under the CPA, 2019.

Q4. Does India have a law specifically targeting AI-generated dark patterns?

Not yet. India’s current framework  the IT Act 2000, CPA 2019, DPDP Act 2023, and CCPA Guidelines 2023  provides partial coverage through provisions on unfair trade practices, consent violations, and fraud, but none specifically addresses the AI-adaptive dimension. This is the primary legal vacuum this article identifies, and legislative reform through amendment of the IT Act and the CCPA Guidelines is urgently recommended.

Q5 . Is there any international law India can model reforms on?

Yes. The European Union’s Digital Services Act, 2024 explicitly prohibits dark patterns on digital platforms. The EU AI Act, 2024 classifies AI systems that exploit user vulnerabilities as “high-risk” and imposes mandatory risk assessments and transparency obligations under Article 9. India can adopt a composite model combining DSA-style dark pattern prohibitions with AI Act-style algorithmic impact assessments, grounded constitutionally in the Puttaswamy privacy right.

References

[1] Information Technology Act, 2000, Sections 43, 66C, 66D, 79.

[2] Consumer Protection Act, 2019, Sections 2(9), 2(47), 18, 21.

[3] Digital Personal Data Protection Act, 2023, Sections 4, 6, 8, 25.

[4] Bharatiya Nyaya Sanhita, 2023, Sections 318, 319, 356.

[5] CCPA, Guidelines for Prevention and Regulation of Dark Patterns, 2023.

[6] CCPA Advisory on Self-Audit by E-Commerce Platforms, CCPA-1/1/2023-CCPA, June 5, 2025.

[7] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.

[8] Arijit Singh v. Codible Ventures LLP & Ors., 2024 SCC OnLine Bom 2655.

[9] Samir Agrawal v. ANI Technologies Pvt. Ltd. (Ola), (2021) 2 SCC 126.

[10] CCPA Enforcement Action v. BookMyShow & IndiGo Airlines, December 2024.

[11] IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, Rule 4(2).

[12] Regulation (EU) 2022/2065 — Digital Services Act, applicable from February 2024.

[13] Regulation (EU) 2024/1689 — Artificial Intelligence Act, Article 9.

[14] IAPP, India’s CCPA Guidelines on Dark Patterns: Welcome Signal, But Law is Still Soft, September 25, 2025.

[15] SCC Times, The Legal Perils of Dark Patterns in India, September 16, 2025.

[16] TRAI Annual Report, 2025.

[17] Neurorights Foundation Audit of Consumer Neurotechnology Companies, 2024.

Leave a Reply

Your email address will not be published. Required fields are marked *