In June of 2025, the Central Consumer Protection Authority of India (CCPA) issued an advisory to e-commerce companies and industry associations to conduct self-audits and identify dark patterns within 3 months from the date of the advisory. Based on the voluntary audit reports, e-commerce platforms were encouraged to self-declare and enable fair digital ecosystems for consumers.
Thirteen dark patterns were identified by the CCPA in its 2023 guidelines, including false urgency, forced actions, subscription traps, interface interference, nagging, trick questions etc. While the guidelines per se have no teeth, they represent India’s walk into the realm of digital governance, which among others includes the Digital Personal Data Protection Act, 2023 with its accompanying rules, the Competition Act, 2002 and the Draft Digital Competition Bill (DCB), the Consumer Protection (E-Commerce) Rules, 2020, the 2023 dark patterns guidelines, and the upcoming Digital India Act.
Through these legislations, India has begun recognizing the volume, sensitivity and risks associated with the collection and processing of data by entities, and the need to regulate them. The essence of these regulations stems from the Government's desire to protect consumers and small businesses from data giants in the digital economy. A summary of the relevant regulations/legislations governing India’s digital markets (as on date), and an analysis of their inter-compatibility follows:
- Consumer protection laws:
- Any consumer in the country can approach consumer fora, seeking compensation and damages for deficiencies in service and unfair trade practices (which includes dark patterns) caused due to unfair conduct of e-commerce platforms. The E-Commerce Rules, 2020 prescribe a strict code of conduct for entities who sell goods and services online.
- Under the scheme provided in Section 19 of the Consumer Protection Act, 2019, the CCPA may investigate allegations of violation of consumer rights or the existence of unfair trade practices or false/misleading advertisements, either suo motu, or upon the receipt of any complaint, information, or reference by the Government. This includes references from consumer fora that consumers may approach to complain against the adoption of dark patterns by companies.
- The CCPA is also permitted to refer matters to a regulator established under another law, if it is of the opinion that the matter falls under the jurisdiction of such regulator. This includes possible references to the Competition Commission of India (CCI), or in the future, the Data Protection Board (DPB).
- Data protection law:
- The Digital Personal Data Protection Act, 2023 (DPDPA) is a comprehensive framework for protecting digital personal data of individuals and ensures entities process such data in the manner prescribed. The law places emphasis on the requirement of obtaining clear and informed consent from users. Entities will need to review their UI and UX and also ensure that data collected by them is being processed for ‘legitimate purposes’ as per the DPDPA.
- DPDPA compliance requires companies to reassess consent mechanisms, offer easy consent withdrawal, adopt grievance redressal mechanisms and conduct periodic audits. Companies recognised as a “Significant Data Fiduciary” (SDF) must comply with additional obligations such as undertaking data protection impact assessments, appointing Data Protection Officers, and adhering to data localisation mandates. The 2025 draft rules framed under the DPDPA prescribe specific procedures and shed light on compliance requirements.
- As per the Intermediary Guidelines, 2021 (under the Information Technology Act, 2000), entities must make reasonable efforts to remove deceptive and misleading content (including dark patterns). For third party content, entities will have to comply with the voluntary take-down mechanism prescribed under the guidelines.
- Entities designated as SDF under the DPDPA may face penalties up to USD 23 million for non-compliance. Breaches of personal data attract penalties up to USD 28 million, regardless of whether the entity is designated as SDF or not.
- Antitrust law:
- The Competition Act, 2002, regulates practices such as anti-competitive agreements and abuse of dominance, as well as mergers and acquisitions. India’s antitrust watchdog, the CCI, is uniquely positioned to tackle competition concerns in the digital space. Recent judgments against tech giants regarding abuse of dominance with respect to technological bundling, and mandatory imposition of privacy policies without consumer choice, have begun to re-shape traditional methods of antitrust investigations.
- The legislature and the CCI have been consistently updating the applicable laws to be better poised to tackle anti-competitive practices in the digital age. The updated and digital-ready Determination of Cost Regulations 2025 (predatory pricing regulations) are one such example.
- The proposed draft of the DCB seeks to implement an ex-ante framework for regulating competition in the digital space. It proposes to regulate “systemically significant digital enterprises”, a title which can be earned not just through high market presence, turnover, and exploitation of economies of scale, but also through collection of large amounts of user data. The DCB also identifies and prohibits activities such as self-preferencing, exploitation of non-public data for gaining competitive advantage, and digital bundling.
- The CCPA or consumer fora, or even the DPB, can make a reference to the CCI under Section 21 of the Competition Act, 2002, or vice versa under Section 21A. Similar provisions exist under the DCB. The CCI may also take suo motu cognizance of actions or proceedings and initiate an investigation to examine potential adverse effects on competition in India, including abuse of dominant positions, or in the future, violations of obligations under the DCB.
- Of particular concern to boardrooms is the quantum of penalties leviable under the Competition Act and the DCB. The CCI may impose penalties of up to 10% of the average global turnover derived from all products and services, over the preceding three (or one, in the case of the DCB) financial years (or more in the case of cartels under the Competition Act). Such penalties may even extend to group entities and in some cases, the entire group’s turnover may be considered for calculation of penalties.
While India has been moving away from criminal liability for breaches of economic laws, the shift is accompanied by a marked rise in monetary liabilities. While Indian businesses have historically been slow to adopt regulatory changes, the need of the hour is comprehensive compliance and risk management, beginning at the board level. Privacy compliance, especially, must be viewed as an investment to build trust, and not as a cost. Frameworks such as privacy by design, avoidance of dark patterns, compliance checklists, security systems, data minimisation, etc. will help domestic companies and foreign entrants to navigate the evolving data protection landscape in India.
The intersectional nature of these laws requires urgent and immediate attention from businesses hoping to participate in India’s evolving digital marketplaces. The recent advisory on dark patterns signals India’s regulatory direction and must serve as a wake-up call to boardrooms.