March 2026 • 10 min read
The era of "growth hacking at all costs" using deceptive UI is officially ending in India. The CCPA, ASCI, and DPDPA are actively penalising apps that use dark patterns. Ethical design is not just about legal compliance — it is a critical long-term retention lever. If you trick a user into paying, you win a transaction but lose a customer forever. Pre-ticked checkboxes are illegal. Fake countdown timers are fineable. Cancellation must be as easy as subscription.
For the last decade, Indian consumer tech operated in the Wild West. To appease venture capitalists demanding month-on-month growth, Product Managers frequently resorted to psychological manipulation — making it impossible to cancel subscriptions, adding items to carts automatically, and using aggressive, fear-inducing copy ("Are you sure you want to lose your savings forever?").
The regulatory hammer has finally dropped. The Central Consumer Protection Authority (CCPA) and the Advertising Standards Council of India (ASCI) have published strict, legally binding guidelines identifying and banning specific dark patterns. The Digital Personal Data Protection Act (DPDPA) fundamentally alters how apps can collect and process user data. Ignorance of the law is no longer a defence. Product teams must audit their entire UX flows or risk devastating fines and forced app store removals.
Product Managers often implement these patterns believing they are "optimising conversion." In reality, they are destroying user trust.
Drip pricing exploits the sunk-cost fallacy. A user searches for a flight from Delhi to Mumbai and sees ₹4,000. They spend 10 minutes entering passenger details, selecting a seat, and filling out forms. On the final payment screen, the total jumps to ₹5,200 due to a mandatory "Convenience Fee," an un-removable "Handling Charge," and a pre-selected travel insurance policy. Because the user has invested 10 minutes, they often pay — but with immense resentment. The CCPA mandates that all mandatory fees must be included in the upfront displayed price.
A "Roach Motel" is an interface where checking in is effortless but checking out is practically impossible. Subscribing to a premium fitness app takes one click via UPI AutoPay. Cancelling requires navigating through FAQ pages, calling a customer care number only active between 10 AM and 5 PM, or sending a manual email. Under new guidelines, cancelling a service must be as frictionless as subscribing to it.
Fabricated scarcity is rampant in Indian e-commerce and hotel booking apps. A user views a hotel room and sees: "Only 1 room left! 42 people are looking at this right now!" with a 15-minute countdown timer. If these numbers are tied to real-time inventory, it is legitimate. If the countdown resets on page refresh, or "42 people" is a randomised frontend script, it is a deceptive dark pattern. The ASCI aggressively monitors and penalises fabricated scarcity.
Forced continuity: a user signs up for a "14-Day Free Trial" requiring a credit card. On day 14, the app quietly charges for an annual subscription without a 48-hour prior warning email. "Sneak into Basket": a food delivery app automatically adds a ₹15 "Donation to Charity" or ₹50 "Premium Packaging" to the cart by default, forcing the user to manually uncheck it to remove it. Consent must be opt-in, never opt-out.
Beyond legal compliance, ethical design is a business imperative. Dark patterns artificially inflate short-term metrics (Day-1 Conversion Rate, initial ARPU) but devastate long-term, high-leverage metrics (LTV, NPS, D90 Retention).
If you trick a price-sensitive Indian user into paying for an accidental subscription, they will issue a chargeback through their bank, leave a 1-star Play Store review, rant on Twitter, and never return. Conversely, if you send a clear email saying "Your trial ends in 2 days — click here to cancel," you build immense brand equity. Trust is the highest-converting currency in the Indian digital market.
Before deploying any new feature or pricing page, force your team through these four tests:
The Symmetry Test: Is the "Cancel Subscription" button exactly as visible, clickable, and accessible as the "Subscribe Now" button?
The Consent Test: Are any checkboxes (marketing emails, data sharing, extra fees) pre-ticked by default? If yes, you are non-compliant with DPDPA.
The Reality Test: Are "Limited Time Offers" and inventory alerts tied to real backend data, or are they frontend illusions?
The Grandma Test: If your grandmother used this app, would she accidentally buy something she did not intend to?
The CCPA can impose fines up to ₹10 lakh for misleading advertisements and ₹50 lakh for subsequent offences. Under DPDPA, violations related to data consent can attract penalties up to ₹250 crore. Beyond fines, the CCPA has the power to order product recalls and issue public notices naming the offending company — the reputational damage often exceeds the financial penalty.
Yes, under DPDPA 2023. Consent must be "free, specific, informed, unconditional, and unambiguous." A pre-ticked checkbox fails the "free" and "unambiguous" requirements. All consent mechanisms must require an affirmative action (the user must actively check the box). This applies to marketing email opt-ins, data sharing agreements, add-on purchases, and charity donations in checkout flows.
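The Consent Test and the affirmative-action requirement described above can be checked mechanically against the HTML a server sends. The following is an added example, not code from the original article: it flags checkboxes that arrive pre-ticked and, going slightly beyond the text, pre-selected radio buttons and `<select>` options. The sample markup and all field names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample checkout markup (field names are hypothetical).
SAMPLE_CHECKOUT = """
<form id="checkout">
  <input type="checkbox" name="marketing_emails" checked> Email me offers
  <input type="checkbox" name="charity_donation" value="15" CHECKED="checked"> Donate
  <input type="checkbox" name="accept_terms"> I accept the terms
  <input type="radio" name="packaging" value="standard">
  <input type="radio" name="packaging" value="premium" checked>
  <select name="data_sharing">
    <option value="no">No</option>
    <option value="yes" selected>Share with partners</option>
  </select>
</form>
"""

class ConsentAudit(HTMLParser):
    """Collects form controls that arrive already selected in the served HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []    # (line, control, field name)
        self._select = None   # name of the <select> currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)       # tag and attribute names arrive lower-cased
        line = self.getpos()[0]
        kind = (a.get("type") or "").lower()
        if tag == "input" and kind in ("checkbox", "radio"):
            if "checked" in a:  # boolean attribute: presence alone pre-ticks it
                self.findings.append((line, kind, a.get("name") or "?"))
        elif tag == "select":
            self._select = a.get("name") or "?"
        elif tag == "option" and "selected" in a:
            self.findings.append((line, "option", self._select or "?"))

    def handle_endtag(self, tag):
        if tag == "select":
            self._select = None

def audit(html):
    """Return every pre-selected control found in the given markup."""
    parser = ConsentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for line, control, name in audit(SAMPLE_CHECKOUT):
        print(f"line {line}: pre-selected {control} '{name}'")
```

Static parsing only sees the markup as served; a control ticked by client-side script after load needs the same check run against the rendered DOM.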
Run the four-test audit above across every user flow that involves payment, subscription, data collection, or cancellation. Record screen videos of 5 non-technical friends attempting to cancel a subscription, remove an add-on from cart, or opt out of marketing emails. If any of them fail or take more than 30 seconds, you have a dark pattern. The most common offenders: checkout flows, subscription management, notification permissions, and data sharing consent screens.