Data Privacy, AI And Technology Newsletter | January 2026

Welcome to this edition of the Data Privacy, AI and Technology Newsletter. This issue provides a consolidated overview of significant regulatory, policy, and market developments across India's rapidly evolving technology and fintech landscape. It captures key updates issued by central regulators and ministries, including developments relating to intermediary due diligence, data protection, AI governance, digital identity, online content regulation, and emerging frameworks for generative AI and copyright. The edition also covers important fintech regulatory changes introduced by the Reserve Bank of India impacting payment banks and non-banking financial companies. In addition, the newsletter features recent judicial pronouncements from the High Courts, the NCLAT, and consumer authorities, offering valuable insights into evolving legal interpretations on data privacy, online fraud, digital consumer protection, competition, and technology-enabled rights enforcement.

Updates: Industry Updates: India

Technology Updates

MeitY issues advisory to intermediaries regarding unlawful online content:

December 29, 2025: MeitY issued an advisory to all intermediaries under the provisions of Information Technology Act, 2000 (IT Act) and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 (IT Rules) which, inter alia, include the following:

• Intermediaries are statutorily obligated to observe due diligence in order to avail exemption from liability in respect of third-party information uploaded, published, on or through their platforms.
• Intermediaries must make reasonable efforts to ensure that users do not host, modify, publish, transmit, store, any information that is obscene, pornographic, paedophilic, or otherwise unlawful.
• Intermediaries must expeditiously remove or disable access to such unlawful content upon receipt of actual knowledge through court orders or reasoned intimation from the Government.
• Intermediaries must deploy accessible reporting and grievance redressal systems, while significant social media intermediaries are additionally required to deploy technology-based measures, to proactively prevent the dissemination of such unlawful content.
• Any content which is in the nature of material depicting an individual in any sexual act or conduct, or any impersonation thereof must be removed within twenty-four (24) hours of receipt of a complaint from the affected individual or any person on such individual's behalf.

Link Here

MeitY issues an advisory to virtual private network service providers and other intermediaries regarding observance of due diligence for hosting, sharing, transmitting of personal user information:

December 11, 2025: MeitY issued a specific advisory to intermediaries, websites such as "proxyearth.org", "leakdata.org" along with Virtual Private Network (VPN) service providers who were found to be permitting public access to personal information of users without their consent. Following are the key obligations which, inter alia, include:

• Intermediaries must ensure compliance with their due diligence obligation under the IT Act and the IT Rules, that is, the intermediary must take immediate and effective action to remove any information belonging to another person to which the user does not have any right or is invasive of another's privacy, or affects public order, security of the state, etc.
• The safe harbour protection under section 79 of the IT Act will not apply if such intermediaries fail to observe the due diligence obligations set out above.
• The intermediaries including VPN service providers are obligated to provide information under its control or possession, or assistance to the Government agency for the purposes of verification of identity, or for the prevention, detection, investigation, or for cyber security incidents within the stipulated timeframes.

Link Here

Minister of Electronics and Information Technology issues a response to questions raised in Lok Sabha regarding ethical implications of AI:

December 10, 2025: Minister of Electronics and Information Technology, Mr. Jitin Prasada, issued a response to the questions raised in Lok Sabha regarding the measures introduced by the Government with regards to ethical implications of Al, AI governance and regulation by stating that:

• The Government has launched the IndiaAI mission in March 2024 to establish a robust and inclusive AI ecosystem aligned with India's development goals.
• IndiaAI application development pillar has been introduced which aims to develop AI applications for India for sectors such as climate change and disaster management, assistive technologies for learning disabilities. As on date thirty (30) applications have been approved, which includes Krishi Sah 'AI' yak - Farming Co-pilot, QScan, VoxelBox, Jiveesha etc.
• Multiple sector-specific hackathons have been organized in partnership with other ministries and Government institutions such as CyberGuard AI Hackathon, IndiaAI Hackathon on Mineral Targeting 2025, Cancer AI & Technology Challenge (CATCH).

Link Here

Minister of Electronics and Information Technology issues a response to questions raised in Lok Sabha regarding third party apps:

December 10, 2025: Minister of Electronics and Information Technology, Mr. Jitin Prasada, issued a response to the questions raised in Lok Sabha regarding the measures introduced by the Government with regard to usage: (a) of data of users by third party apps without direct consent from users (b) of undisclosed, unidentifiable 'cookies' by e-commerce websites that breach the data privacy of users.

The Minister responded that:

• Digital Personal Data Protection Act, 2023 (DPDP Act), mandates processing of personal data with free, informed, specific and unambiguous consent.
• DPDP Act recognizes both the rights of the individual to protect their personal data and the need to process such personal data for lawful purposes.
• Any data fiduciary including third-party apps processing personal data without valid consent amounts to a violation of the DPDP Act.
• Till the time DPDP Act and the rules framed thereunder get implemented, data fiduciaries are required to follow SPDI framework, including consent requirements, purpose limitation, security safeguards, and grievance redressal mechanisms.

Link Here

Unique Identification Authority of India amended the Aadhaar (Authentication and Offline Verification) Regulations, 2021:

December 9, 2025: Unique Identification Authority of India (UIDAI) introduced the Aadhaar (Authentication and Offline Verification) Amendment Regulations, 2025, which, inter alia, incorporate the following key changes:

• Introduction of the following terms:
  • "Aadhaar Application" this term brings UIDAI managed mobile and web applications such as 'mAadhaar App', 'Aadhaar App', 'Aadhaar QR Scanner App', 'myAadhaar Portal' under a unified regulatory framework. These applications provide Aadhaar number holders with an interface to access Aadhaar-related services, including offline verification.
  • "Aadhaar Verifiable Credential" (AVC) means a digitally signed document issued by UIDAI containing last four (4) digits of Aadhaar number and demographic data (such as name, address, gender, etc.) along with the photograph of the Aadhaar number holder. The AVC enables the Aadhaar holder to disclose selective information with an Offline Verification Seeking Entity (OVSE) for the purpose of verifying the demographic information or photograph of the Aadhaar holder. This is a significant step towards enhancing privacy, as it provides Aadhaar holders with greater control over what data they want to disclose to OVSEs.
  • "Offline Face Verification" a new mode of offline verification whereby a live facial image of the Aadhaar holder is captured and verified against the photograph stored within the Aadhaar Application. This mechanism requires the Aadhaar holder's physical presence, enabling the OVSE to match the live image with the photograph available in the Aadhaar Application. This is a significant safeguard aimed at minimizing impersonation and fraudulent use of Aadhaar verifiable credentials, thereby strengthening the integrity of the verification process.
• AVC verification has been recognized as a permitted mode of offline verification. Further, UIDAI has clarified that offline verification may be carried out either with or without Offline Face Verification. This expands the recognized modes of offline verification and enhances flexibility for stakeholders.
• Mandatory registration with UIDAI of OVSEs that intend to undertake Aadhaar Paperless Offline e-KYC verification or AVC verification through Aadhaar Application. Thus, introducing a structured and comprehensive registration framework for OVSEs.

Link Here

Ministry of Finance has authorized the Securities and Exchange Board of India to direct intermediaries to remove unlawful content:

December 8, 2025: The Ministry of Finance has authorized the Securities and Exchange Board of India (SEBI) to direct intermediaries, including social media platforms, websites, and digital media outlets to remove unlawful stock-related content, which violates Section 11(1) of the Securities and Exchange Board of India Act,1992, pertaining to investor protection and the regulation of the securities market. This authorization reflects the Government's tighter scrutiny on finfluencers and other entities spreading misleading financial information online.

Link Here

DPIIT Releases Part I of Working Paper on Generative AI and Copyright: Proposes 'One Nation, One License, One Payment' Framework

December 8, 2025: The Department for Promotion of Industry and Internal Trade (DPIIT) published Part I of its Working Paper on the AI-Copyright Interface, titled "One Nation, One License, One Payment: Balancing AI Innovation and Copyright", and made it available for public and stakeholder consultation for thirty (30) days. The working paper reflects the recommendations of an eight-member Committee constituted on April 28, 2025, assessing the adequacy of the existing law in India to address challenges posed by generative AI, particularly the use of copyright-protected works as training data and copyrightability and authorship of outputs generated by generative AI, including the applicability of moral rights and attribution of liability for infringing outputs.

After examining multiple global approaches for providing licenses in order to access the copyrighted materials as training data, the Committee proposed a hybrid statutory model, under which:

• AI developers would receive a blanket license to use all lawfully accessed content for AI training, without individual negotiations;
• Royalties would become payable only upon commercialization of AI systems, with rates determined by a Government-appointed committee and subject to judicial review;
• A centralized, nonprofit organization, the Copyright Royalties Collective for AI Training (CRCAT) will be created, comprising of copyright societies and Collective Management Organisations (CMOs), for managing royalty collection from AI developers and distribution, ensuring low transaction costs, legal certainty, and equitable access, including for start-ups and Micro, Small, and Medium Enterprises.

Link Here

Link Here

Minister of Electronics and Information Technology issues a response to questions raised in Lok Sabha regarding protection of personal images and data given to AI Apps:

December 3, 2025: Minister of Electronics and Information Technology, Mr. Ashwini Vaishnaw, issued a response to the questions raised in Lok Sabha regarding the measures introduced by the Government with regards to (a) protection of personal images and data given to AI Apps (b) detection and removal of deepfakes and morphed images by social media platforms (c) mandatory removal of unlawful content within thirty-six (36) hours of being reported (d) mandatory labelling/watermarking of AI-generated content.

Mr. Ashwini Vaishnaw responded that:

• The DPDP Act, and the Digital Personal Data Protection Rules, 2025 (DPDP Rules), apply uniformly to all forms of digital personal data and establishes a comprehensive framework that empowers individuals with specific rights over their personal data. This includes personal images and data.
• Multiple advisories have been issued to social media intermediaries in order to detection and removal of unlawful and false content, including malicious synthetic media and deepfakes.
• The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2025 (IT Amendment Rules, 2025) has been introduced mandating intermediaries to remove or disable access to specified unlawful content within thirty-six (36) hours of receiving actual knowledge through a court order or authorized Government intimation.
• Draft amendments to IT Rules have been prepared, proposing to strengthen due-diligence obligations for intermediaries, mandatory labelling, watermarking and traceability mechanisms introduced to identify AI-generated manipulated content and prevent misinformation.

Link Here

Fintech updates

RBI amends multiple master directions specific to payment banks

December 2025: The RBI issued a set of amendments to multiple master directions applicable to payment banks that were originally released in November 2025, further refining the regulatory and compliance framework applicable to payments banks operating in India.

The amendment directions inter alia include:

Reserve Bank of India (Payments Banks - Know Your Customer) Amendment Directions, 2025: As background, the Reserve Bank of India (Payments Banks - Know Your Customer) Directions, 2025 were issued on November 28, 2025, creating a sector-specific KYC framework designed specifically for payments banks, replacing the more general Reserve Bank of India (Know Your Customer (KYC)) Directions, 2016. On sharing KYC information with the Central KYC Records Registry (CKYCR), the amendment direction issued on December 29, 2025 further adds an explanation that the Regulated Entity that most recently uploaded or updated a customer's KYC information in the CKYCR will be responsible for verifying the customer's identity and/or address, as applicable. Consequently, any bank that downloads and relies on such KYC records from the CKYCR is not required to independently re-verify the authenticity of the customer's identity and/or address, provided the KYC records downloaded from CKYCR are current and compliant with PML framework. A similar amendment has also been issued in favour of NBFCs under the Reserve Bank of India (Non-banking Financial Companies - Know Your Customer) Amendment Directions, 2025.

Link Here

Reserve Bank of India (Payments Banks - Miscellaneous) Amendment Directions, 2025: The Reserve Bank of India (Payments Banks - Miscellaneous) Directions, 2025 dated November 28, 2025, laid out key provisions for payment banks related to role of the board, acceptance of deposits, financial conduct and prohibited activities. The amendment directions issued on December 11, 2025, provide a clarification that payments banks may maintain current accounts without restriction for customers whose total exposure across the banking system is below INR 10 crore. A condition has been included that for customers whose total banking system exposure is INR 10 crore or more, payments banks may maintain only collection accounts and not regular current accounts.

Link Here

Reserve Bank of India (Payments Banks - Undertaking of Financial Services) (Amendment) Directions, 2025: The Reserve Bank of India (Payments Banks - Undertaking of Financial Services) Directions, 2025, issued on November 28, 2025, laid out a regulatory framework for payments banks to undertake financial services. The amendment directions issued on December 5, 2025, clarify and standardise permissible business activities of payments banks, especially regarding agency and referral arrangements.

Payments Banks can act as agents for third-party product or service providers (TPPSPs). This means they may facilitate the sale of regulated financial products/services such as insurance, mutual funds, pension funds, etc., without assuming risk. Activities can include marketing, sales, customer support, and after-sales service linked to these products.

The amendment also outlines referral services, where payments banks may refer customers to TPPSPs for financial products without involvement in product execution or branding. That is, neither the bank must participate in TPPSP processes, nor will its name or brand appear in any product or service documents.

Link Here

RBI amends multiple master directions specific to Non-Banking Financial Companies

December 2025: The RBI issued a set of amendments to multiple master directions applicable to Non-Banking Financial Companies (NBFCs) that were originally notified in November 2025, further refining the regulatory and compliance framework applicable to NBFCs operating in India.

The amendment directions inter alia include:

The Reserve Bank of India (Non-Banking Financial Companies - Undertaking of Financial Services) (Amendment) Directions, 2025: Reserve Bank of India (Non-Banking Financial Companies - Undertaking of Financial Services) Directions 2025, laid out provisions for NBFCs inter alia related to undertaking of financial services including opening subsidiary / joint venture / or undertaking investment abroad. The amendment direction issued on December 5, 2025, adds a new paragraph requiring NBFCs that are group entities of a Scheduled Commercial Banks to adhere to the provisions of the Reserve Bank of India (Commercial Banks - Undertaking of Financial Services) Directions 2025, to the extent the same business/activity is undertaken by both the NBFC and the parent bank.

Link Here

Reserve Bank of India (Non-Banking Financial Companies - Credit Information Reporting) Amendment Directions, 2025: Reserve Bank of India (Non-Banking Financial Companies - Credit Information Reporting) Directions, 2025, govern provisions related to efficient functioning of the credit information reporting system for NBFCs.

Key highlights of the amendment directions issued on December 4, 2025, inter alia, include a revision to the reporting timeline for NBFCs to submit credit information to Credit Information Companies. The earlier requirement of reporting was within 7 calendar days of data maintained on a fortnightly basis (i.e., as on the 15th and last day of the respective month), which has been replaced with fixed monthly reporting dates, namely the 9th, 16th, 23rd, and the last day of each month. The amendment directions will come into effect from July 1, 2026.

Link Here

Link Here

Judgements:

Delhi High Court mandates e-KYC and enhanced disclosure obligations for domain name registrations to curb brand impersonation and online fraud:

December 24, 2025: In Dabur India Limited vs. Ashok Kumar & Ors. (CS (COMM) 135/2022), the Delhi High Court held that Electronic Know Your Customer (e-KYC) is mandatory for all domain name registrations in India, thereby establishing a new legal requirement for Domain Name Registrars (DNRs) to verify the identity of online domain name registrants at the point of registration, and also periodically after that.

Facts and background of the case: Dabur India Limited, the proprietor of the well-known trademark "DABUR," instituted the suit seeking permanent injunctions against unknown persons who had registered multiple domain names incorporating the mark "DABUR" and were operating deceptive websites. These websites falsely represented themselves as official Dabur portals and invited the public to apply for distributorships, franchises, and employment, often collecting registration fees and other payments. The plaintiff demonstrated that the impugned domain names reproduced Dabur's trademarks, logos, trade dress, and content, thereby amounting to infringement, passing off, and impersonation. The registrants' identities were largely concealed due to incomplete or fictitious information with DNRs and use of privacy protection feature provided by the National Internet Exchange of India (NIXI).

Judgement: The Court observed that the impugned domain names incorporating the registered and reputed mark "DABUR" were identical or deceptively similar and were used to deceive the public by falsely offering franchises and distributorships. As a result, the Court granted an interim injunction against seven identified domain names and extended protection to future infringing registrations adopting identical, prefix/suffix or alphanumeric variations. Furthermore, the Court held that repeated misuse of infringing domain names to perpetrate fraud, phishing and brand impersonation reflects a systemic failure in the domain name registration ecosystem. The Court observed that "privacy by default", inadequate verification of registrant details, and lack of coordination between registrars, registries and authorities have enabled large-scale deception, adversely impacting trademark owners, consumers, and public interest. Recognizing that domain names constitute the "online soul of a business", the Court issued remedial directions which, inter alia, include:

• DNRs and registry operators were directed to discontinue default masking of registrant details and permit privacy protection only as an opt-in, paid service.
• Disclosure of complete registrant contact and payment-related information was made mandatory within seventy-two (72) hours upon request by courts, law-enforcement agencies or parties with legitimate interest.
• Registry operators were directed to put in place necessary measures to ensure that DNRs execute uniform agreements providing for the permanent blocking of infringing or unlawful domain names, thereby preventing re-registration of such domain names through any other DNR.
• Prohibited promotion of alternative domain names in respect of injuncted marks and held that such conduct would disentitle DNRs from safe harbour protections under Section 79 of the IT Act./li>
• DNRs have been mandated to appoint grievance officers and undertake e-KYC based verification in accordance with CERT-In and NIXI requirements.

Link Here

Delhi High Court grants ex-parte injunction protecting Jr. NTR's personality and publicity rights:

December 22, 2025: In Nandamuri Taraka Rama Rao vs. Ashok Kumar / John Doe & Ors. (CS(COMM) 1305/2025), the Delhi High Court granted an ex-parte, ad-interim injunction restraining unauthorised entities from commercially exploiting the personality and publicity rights of actor Nandamuri Taraka Rama Rao (popularly known as "Jr. NTR"), including through infringing merchandise and AI-generated content and directed e-commerce platforms and intermediaries to take down infringing listings.

Facts and background of the case: The plaintiff, a well-known Telugu film actor approached the Delhi High Court alleging unauthorized commercial exploitation of his name, image, likeness, nicknames, and registered trademarks such as "NTR", "Jr. NTR", "NANDAMURI" and "MAN OF MASSES" by multiple third-party sellers and online platforms. The suit alleged large-scale sale and promotion of infringing merchandise, as well as misuse of the plaintiff's persona through digital content and AI-generated material, without consent. The plaintiff asserted that such acts infringed his personality and publicity rights, caused consumer deception, reputational harm, and unjust enrichment of the defendants.

Judgment: The Delhi High Court held that the plaintiff had established a strong prima facie case, noting his celebrity status, longstanding goodwill, extensive brand endorsements and registered trademark rights. Relying on settled precedent recognizing proprietary rights in a celebrity's persona, the Court held that continued sale of infringing merchandise would cause irreparable harm to the celebrity. Accordingly, the Court granted an ex-parte ad-interim injunction restraining the defendants from manufacturing, selling, or promoting infringing merchandise or content, including AI-generated media, directed take-down of infringing URLs, ordered compliance by e-commerce platforms and intermediaries within seventy-two (72) hours, and issued consequential directions for re-indexing and future compliance under the IT Rules.

Link Here

National Company Law Appellate Tribunal clarifies that WhatsApp-Meta data sharing remedial directions extend to advertising purposes:

December 15, 2025: In WhatsApp LLC vs. Competition Commission of India & Ors. (I.A. No. 6817 of 2025 in Competition Appeal (AT) No. 1 of 2025), the National Company Law Appellate Tribunal (NCLAT), New Delhi, rectified an inadvertent inconsistency in its earlier judgment dated November 4, 2025 and clarified that the remedial directions requiring user choice, transparency, opt-out and revocable consent apply to WhatsApp user data collection and sharing for all non-WhatsApp purposes, including both advertising and non-advertising purposes.

Facts and background of the case: By an order dated November 18, 2024, the Competition Commission of India (CCI) had found that WhatsApp and Meta abused their dominant position under Sections 4(2)(a)(i) and 4(2)(c) of the Competition Act, 2002, arising from WhatsApp's 2021 Privacy Policy, which imposed coercive "take-it-or-leave-it" consent forcing users into accepting expansive data sharing as a condition to using WhatsApp without any effective opt-out thus enabling cross-platform data sharing that foreclosed competition in the online display advertising market.

On an appeal to NCLAT, in its judgment dated November 4, 2025, NCLAT upheld findings of CCI in relation to abuse and sustained remedial directions i.e., emphasizing upon user choice, effective opt-out, transparency and purpose limitation. However, NCLAT set aside the five-year ban on sharing of user data for non-WhatsApp purpose of advertising. Thereafter, CCI sought clarification contending that an inadvertent inconsistency in the operative portion of the NCLAT judgment diluted safeguards regarding data collection and sharing for non-WhatsApp purposes, including non-advertising and advertising purposes. WhatsApp and Meta opposed the application, arguing it amounted to an impermissible review rather than a clarification.

Judgment: The NCLAT held that the application was maintainable, noting that Section 53-O(2)(f) of the Competition Act, 2002 expressly empowers the Tribunal to review its decisions. On merits, the Tribunal found a clear mismatch between its findings and the operative portion of the November 4, 2025 judgment. It reiterated that the core principle underlying the remedies was the removal of exploitation by restoring user choice, and that any non-essential data collection or cross-use, including advertising or non-advertising purposes, can occur only with express and revocable user consent. As a result, NCLAT clarified that remedial directions apply to WhatsApp user data collection and sharing for all non-WhatsApp purposes, including both advertising and non-advertising uses, and granted WhatsApp three (3) months to implement compliance measures.

Link Here

Orissa High Court directs inclusion of opt-out clause in automated permanent academic account registry consent form

December 12, 2025: In Rohit Anand Das & Ors. vs. State of Odisha & Ors. (W.P.(C) No. 8285 of 2025), the Orissa High Court held that while the Automated Permanent Academic Account Registry (APAAR) initiative is voluntary in nature, the existing consent form violates the fundamental right to privacy of children under Article 21 as it does not provide parents an express option to refuse consent or opt out of the APAAR initiative and accordingly directed the authorities to amend the consent form to include an opt-out/refusal clause in the model consent form.

Facts and background of the case: The writ petition was filed pursuant to creation of APAAR ID, an initiative to assign students unique IDs linked to their Aadhaar numbers to track their educational records and academic achievements. A father of a minor child studying in a school in Bhubaneswar, challenged the consent form issued by the school pursuant to directions of the Ministry of Education seeking parental consent for generation of an APAAR ID linked to Aadhaar. The petitioners contended that the form permitted sharing of personal and academic data with multiple stakeholders for undefined "limited purposes", infringing the child's right to privacy under Article 21 and violating principles laid down in K.S. Puttaswamy v. Union of India. The central issue before the Court was whether the absence of an opt-out clause in the consent form vitiated the voluntary nature of the APAAR initiative.

Judgment: The Orissa High Court held that the case was not adversarial in nature, as all authorities unanimously maintained that the APAAR initiative was voluntary. However, the Court found merit in the petitioners' apprehension that the consent form did not provide any mechanism to refuse consent at the outset. Relying extensively on K.S. Puttaswamy judgment, the Court reiterated that children enjoy heightened protection of privacy and that Aadhaar cannot be made a compulsory requirement for availing the fundamental right to education under Article 21-A. The Court rejected the argument that a post-consent withdrawal clause sufficiently safeguarded privacy, holding that meaningful consent requires the ability to refuse consent ab initio. Observing that the model consent form was not worded in consonance with the stated voluntary nature of the scheme, the Court allowed the writ petition and directed the authorities to amend the consent form to expressly include an refusal of consent/opt-out clause from the initiative, within two (2) months.

Link Here

Central Consumer Protection Authority holds Zepto guilty of unfair trade practices involving dark patterns:

December 4, 2025: In a case filed against Zepto Marketplace Pvt. Ltd. (Zepto) regarding alleged violation of consumer rights and unfair trade practices (Case No. Z-10/1/2025-O/O (US-CCPA)), the Central Consumer Protection Authority (CCPA) held that Zepto engaged in unfair trade practices by deploying dark patterns, specifically drip pricing and basket sneaking, in violation of the Consumer Protection Act, 2019 and the Guidelines for Prevention and Regulation of Dark Patterns, 2023.

Facts and background of the case: The CCPA took suo motu cognizance of the matter following its routine examination of e-commerce platforms for the prevalence of dark patterns. During scrutiny of the Zepto platform, CCPA observed that products were displayed at a lower price at the selection stage, while additional charges, such as handling charges and Zepto Pass Membership fee were added at the checkout stage. These charges were not disclosed upfront and were added automatically through a pre-ticked option, without explicit consumer consent. The issues before CCPA were whether:

• The incremental disclosure of mandatory charges amounted to drip pricing; and
• The auto-addition of Zepto Pass Membership constituted basket sneaking, thereby impairing consumer autonomy and informed consent.

Judgment: The CCPA held that Zepto's practices violated Sections 2(28) and 2(47) of the Consumer Protection Act, 2019 and contravened the Guidelines for Prevention and Regulation of Dark Patterns, 2023. CCPA found that the difference between the initial displayed price and the final checkout price misled consumers and undermined their right to be informed. It further held that the pre-ticked addition of Zepto Pass Membership amounted to basket sneaking and violated the requirement of explicit consumer consent. While noting the corrective measures later adopted by Zepto, the CCPA held that such steps were reactive and did not absolve past violations. Accordingly, CCPA directed Zepto to discontinue the identified dark patterns, conduct periodic self-audits, publish self-audit declarations, and imposed a penalty of INR 7,00,000.

Link here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.