India’s CCPA fines McAfee over violation of consumer rights


India’s Central Consumer Protection Authority (CCPA) has fined McAfee Software India after finding the company engaged in unfair trade practices, issued misleading advertisements, used dark patterns and violated consumer rights.

The CCPA – a national regulatory body under the government of India that promotes, protects and enforces consumer rights – investigated McAfee over misleading renewal reminders in 2025.

For renewal reminders, McAfee showed its consumers an online notification that gave them options of “accept risk” and “renew now”, instead of a simple “cancel” or “skip”.

“The use of fear-based terminology such as ‘accept risk’, coupled with the visual prominence accorded to the ‘renew now’ option and absence of a neutral and equally prominent opt-out mechanism during the relevant period, constituted a deceptive and manipulative trade practice,” the CCPA said in its ruling in May 2026.

The CCPA imposed an INR100,000 (USD1,049) penalty on McAfee, issued several guidelines and ordered it to submit a compliance report within 15 days of receipt of the order.

In the case presented to the authority in 2025, it was argued the notification design was a manipulative dark pattern and constituted “confirm shaming” under the CCPA guidelines. It forced consumers to renew their subscription by representing that non-renewal would be irresponsible or reckless. This deprived the consumers of making a neutral and informed choice.

The CCPA ordered an inquiry and found the renewal request was not a contractual agreement with individual consumers, but a uniform digital design.

The CCPA said dark patterns in digital interfaces operated psychologically because consumers might not recognise or report them as manipulative. However, the lack of individual complaints could not be construed as an absence of consumer harm.

The CCPA then issued a show cause notice to McAfee, which then said it had now added a neutral “skip” opt-out option.

McAfee did not respond to the authority's request for details explaining the design and the steps the company took to ensure compliance with consumer protection laws. The authority also said McAfee’s response that it had changed the button affirmed that the earlier design was neither fair nor transparent.

The CCPA said this post-notice corrective behaviour did not extinguish liability from earlier deployment of a manipulative interface and ordered further investigation.

The investigation found that the use of “accept risk” was a classic confirm-shaming tactic to frame opting out of a subscription as acceptance of such risks and emotionally pressure consumers into renewals. The investigation also found that McAfee had no separate data to show how many renewals were direct results of the design.

The investigation, conducted by the director general, found evidence lacking for multiple aspects, including statutory and regulatory requirements.

During the investigation, no evidence was found showing that the updated design had been deployed across the platform. McAfee also did not provide documentary evidence of checks, audits and aligned processes, even though it was required to maintain these records by law.

McAfee argued that the phrase “accept risk” only reflected an ordinary consequence of a lapse in renewing its cybersecurity subscription and was not false or misleading in context.

McAfee also argued the design was only shown to existing subscribers, who were well aware of the context of the words. It also said the design did not create any artificial fear or false urgency and therefore was not “confirm shaming” under the Guidelines for Prevention and Regulation of Dark Patterns, 2023.

The company also informed the authority its usual opt-out option of an “X” button on the top right corner existed for all consumers.

McAfee denied any engagement in unfair trade practices or misleading advertisements, as the notification only presented renewal-related information for existing subscribers and did not influence or impair consumer choice or autonomy, or present false or misleading information.

McAfee said its immediate corrective action after receiving the CCPA notice showed full co-operation and willingness to comply with the laws and regulations.

McAfee cited CCPA’s ruling against InterGlobe Aviation (Indigo Airlines) for alleged dark patterns where the authority had not imposed any penalty, as Indigo had rectified the language once notified. McAfee submitted that following this case, there should be no penalty against McAfee as it had changed the subscription renewal design.

In its deliberations, the CCPA said the options in the design could have been a simple “yes” and “no”, and not emotionally loaded terminologies.

The CCPA also said the screenshot presented to the authority showed no visible “X” option. While acknowledging this, McAfee sought liberty to confirm if the option appeared while hovering over the top right corner.

In the screenshots that McAfee presented showing its corrective action, the “X” appeared in a subdued grey colour, but the renewal options were displayed prominently.

The CCPA said McAfee’s reliance on the technological literacy of users was misplaced as it did not justify using subscription designs “capable of nudging or manipulating consumer decision making through visual prominence, fear-based wording or asymmetrical presentation of options”.

McAfee said that before the change in design, there were 355,133 subscription renewals in 2025.
