Tanmay Doneria and Dhanya Jha
INTRODUCTION
Have you ever become frantic over the “only 2 pieces left” notification on your potential purchase? Did you eventually end up buying that product?
If the answer to both the questions is in the affirmative, then you may have fallen prey to a dark pattern that creates a sense of false urgency in order to influence you into buying the product. The term “dark patterns”, as coined by Harry Brignull in 2010, refers to design arrangements that make it difficult for users to exhibit their actual preferences or influence them into making decisions that do not conform with their preferences.
In the present world, consumers have shown a significant transition towards digital platforms and online market places. This has paved a path for commoditization of user data, which has given rise to widespread use of dark patterns which are used to acquire user data to the maximum possible extent, the ethics of such means are questionable. Dark patterns are often veiled as usage of complicated jargons in the terms and conditions, lengthy privacy policies, pre-checked boxes leading to excessive disclosure of user information, charging of hidden fees, etc. They can broadly be analyzed under five heads, i.e. nagging, obstruction, sneaking, interface interference, and forced action.
Concerned by the burgeoning use of dark patterns, the Department of Consumer Affairs, on 30th June 2023, sternly upbraided e-commerce giants against employing them. The press release elucidates that the employment of dark patterns deviously manipulates the consumer, which in turn goes against consumer interests. Even though the government’s cognizance of this issue is welcomed, it does not suffice, since regulating dark patterns and protecting consumer interests would take a lot more this. Unfortunately, the release fails to sufficiently address the ramifications of dark patterns vis à vis the grave violation of the mental privacy of consumers.
This article seeks to delve deeper into the psychological intricacies associated with dark patterns and the data protection implications that arise from the employment of such designs. The article also provides an insight into how the Personal Data Protection Bill, 2023 can protect the data privacy rights of users whose choices are unethically manipulated.
THE CONSUMERS’ CATASTROPHE: BREACH OF MENTAL AND INFORMATIONAL PRIVACY
An individual’s ability of self-determination over their mind is called cognitive liberty. The use of dark patterns causes substantial impediments to this cognitive liberty of consumers by negatively influencing their behaviour and consequently, violating their individual autonomy. When a consumer surfs through an e-commerce website, which is intricately designed with multiple dark patterns traps, they involuntarily cede autonomy over their thoughts and irrationally proceed to purchase products they otherwise would not have.
For instance, an online marketplace may display falsified information pertaining to the number of live purchases of the item or send high demand messages on products that the consumer has viewed. By doing this, the intent of the platform is to craftily influence the customer’s decision, create a misleading façade about the demand of the product, and consequentially, make them purchase the product. This deliberate attempt to sway a consumer’s decision violates their cognitive liberty as the consumer no longer has autonomy over their thought process and ends up buying the product.
An extension of the violation of cognitive liberty is the violation of informational privacy. There is an intertwined relationship between mental privacy and informational privacy, i.e. the breach of mental privacy leads to a subsequent extraction of information which the user would not have shared under normal circumstances, thereby breaching informational privacy. An example of this would be privacy zukering, which is a tactic that platforms use to manipulate a consumer’s cognitive abilities by intricately bundling permissions in lengthy terms of use which the users do not even look at and give consent to without reading. It also includes default grant of consent to data sharing, confirm-shaming, etc. This leads to a grave violation of the users’ informational privacy, since, the users are not determining for themselves and are not cognizant about the extent of information they are agreeing to share with the data fiduciary.
THE LEGAL PERSPECTIVE: “COGNITIVE LIBERTY AND “INFORMATIONAL PRIVACY”
Neither cognitive liberty nor informational privacy are explicitly recognized under any legislation. The authors contend that cognitive liberty can be construed to be a right stemming from Article 19 as well as Article 21 of the Constitution of India.
Article 19 envisages freedom of thought and expression. This freedom of thought would also extend to right to self-determination, i.e., to decide for oneself without any external manipulation or influence.
The grant of privacy to any individual over his thoughts and decision-making is an essential aspect of right to life and privacy under Article 21 of the Constitution of India. Furthermore, the Apex Court, in the landmark judgement of K.S. Puttuswamy, held that informational privacy is a facet of the right to privacy as envisaged by Article 21 of the Constitution of India. The Court also directed the legislature to ensure that the data protection regime adequately addresses the threat that lies to the informational privacy of individuals. In furtherance of the same, a committee was constituted under the supervision of Justice B.N. Srikrishna to frame a legislation addressing data privacy concerns.
Dark patterns breach privacy which is in contravention of the bedrock of data protection laws. Therefore, it is necessary that India’s data protection laws address dark patterns which specifically breach user privacy and data.
The Personal Data Protection Bill has been revised at multiple instances since 2019. After an extensive consultation for over four years, the Digital Personal Data Protection Bill, 2023 has finally received a green signal by the Cabinet and will be tabled during the Monsoon session of the Parliament. It would be interesting to see if the Bill, after two revisions, will adequately address concerns surrounding violations of mental and informational privacy, though none of the drafts have addressed the potential violations by dark patterns.
DATA PROTECTION AND DARK PATTERNS
Unlike the Digital Services Act, 2022 of the European Union, which restricts online platforms from utilizing design features that deceive or exploit consumers, India’s Data Protection Bill does not explicitly address informational privacy violations by dark patterns.
However, a possible construction with respect to consent while extracting information can be made from the last draft of the bill, i.e. the Digital Personal Data Protection Bill, 2022. Section 7(1) of the Digital Personal Data Protection Bill, 2022 defines consent of the data principal as:
“any freely given, specific, informed and unambiguous indication of the Data Principal’s wishes by which the Data Principal, by a clear affirmative action, signifies agreement to the processing of her personal data for the specified purpose”
Emphasis is drawn to the consent being “freely given” and “informed”. Dark patterns encroach upon an individual’s right to self-determination, thereby manipulating their consent. Even though the users are consenting to a certain option on a webpage (for example, consenting to sharing their credit card information), such a consent would ideally not fall under the ambit of “freely given”. Similarly, when consumers consent to the intentionally lengthy terms and conditions on a certain website, they are merely falling for a dark pattern and not necessarily giving an “informed” consent.
The Bill does not cover violations by dark patterns; however, when a data fiduciary extracts data through manipulating consent, it naturally falls under the Data Protection Bill.
Another provision that can be ingeniously implemented against violations of dark patterns is Section 7(4), which states that “the Data Principal shall have the right to withdraw her consent at any time…The ease of such withdrawal shall be comparable to the ease with which consent may be given.” When this provision is looked at from the perspective of dark patterns, it precisely confronts roach motel , a dark pattern designed that makes it difficult to withdraw consent. By using the roach motel, digital platforms intentionally impede cancellations for services. This is in clear violation of the provisions of the Bill.
It would be interesting to see how these provisions are drafted in the much-awaited Digital Personal Data Protection Bill, 2023, and most importantly, how these provisions play out when implemented.
CONCLUSION
Dark patterns impact a plethora of legal domains such as mental and informational privacy, fundamental rights, and cyber regulations. These deceptive design arrangements undermine and manipulate a user’s ability to make informed choices and exert control over their own decision-making processes. It is crucial to view the informational and data privacy violations by dark patterns with the lens of the upcoming Digital Personal Data Protection Bill, 2023. Analyzing the previous drafts yields an understanding of how the upcoming legislation can address data violations executed by the employment of dark patterns.
Further, the recognition of violation of cognitive liberty of people requires more jurisprudence in the context of the violation of informational privacy, which is closely intertwined with mental privacy. Even though the Department of Consumer Affairs has taken a stand against dark patterns, the existing consumer protection laws are not sufficient to deal with the informational and data privacy implications of dark patterns. Thus, the burden falls on the Data Protection Bill to provide the consumers appropriate remedies against dark patterns which specifically target their information and data.
The Supreme Court has acknowledged the importance of privacy in the digital age and directed the legislature to develop a comprehensive data protection legislation. The Personal Data Protection Bill, which is currently under revision, presents an opportunity to address the issue of dark patterns and their impact on user privacy.
The authors are third-year students of Rajiv Gandhi National University of Law, Punjab
Image Credits: iStock
Constitutional Law Society 
Leave a comment