Balancing data protection and commercial practice

By Mathew Chacko, Aadya Misra, and Vishnu Naduvakkad, Spice Route Legal

The coming implementation of the Digital Personal Data Protection Act, 2023 (DPDPA), has required businesses to begin restructuring their processes and systems to comply with its data protection obligations. Data fiduciaries, entities that determine the means and purposes of processing personal data, will not only have to create frameworks and documentation but will also have to re-examine their websites, mobile applications and other user interfaces to meet transparency and consent obligations.

Data fiduciaries that rely on user consent to process personal data must ensure they comply with the standards prescribed by the new law. Organisations must obtain specific consent from individuals for each processing activity, usually collected and recorded through request forms displayed on their websites or mobile applications. Depending on user access, data fiduciaries may also display additional consent forms when users sign up for or request extra offerings. The risk of consent fatigue may prompt most businesses to avoid making excessive consent requests. However, as a best practice businesses should refresh consent regularly.

Consent requests through such forms must be clear and must offer data principals a true option to grant permission to process their personal data. The withholding of consent must not deny users’ access to the products or services offered by the business. Data principals must also be offered the option to consent to each distinct processing activity. This is usually done through toggles, which ideally should not be pre-checked to agree. However, even a close reading of the new law provides no clarity on this suggestion.

Similar to the EU’s General Data Protection Regulation cookie banner requirements, consent forms may contain accept all and reject all buttons, allowing users to consent or decline all proposed processing activities through one click. However, an option to provide granular consent for each processing activity must also be provided, usually through a “more options” button on the form.

In addition to meeting the requirements under the DPDPA, consent request forms must also conform to Indian consumer protection laws. The recently issued Guidelines for Prevention and Regulation of Dark Patterns, 2023 (guidelines), under the Consumer Protection Act, 2019, protect individuals from dark patterns. These deceptive designs are generally understood to mean practices or design patterns within a platform’s user interface that manipulate consumers into participating in a particular activity by undermining their autonomy. These design choices amount to unfair trade practices and misleading advertisements, both of which are prohibited under consumer law.

Certain dark patterns identified under the guidelines may have direct implications for data fiduciaries in the process of structuring their consent request forms. For example, certain colours used on a platform, chosen to nudge a user to consent rather than clicking the reject button, may constitute interface interference. Repeated prompts and pop-ups to obtain consent may constitute nagging. The deliberate use of confusing language to misdirect a user into providing consent could be considered a trick question. An example would be a question such as “Do you wish to opt out of receiving marketing?” that can only be answered “Yes, I would like to receive updates” or “Not now” rather than by a simple affirmation. All these examples of dark patterns are prohibited under the guidelines.

The guidelines provide an illustrative list of prohibited designs but make it clear that individual facts and circumstances determine whether a practice is a dark pattern. As there are no standards for identifying dark patterns, businesses must approach these exercises from the perspective of the user and ensure they give users a reasonable degree of transparency and clarity. This can only happen through the creation of clearly defined internal rules and principles that are triggered prior to or at the time of the design and development of user interfaces. Although the law does not require adherence to principles of privacy by design and default, businesses would be well advised to adopt such principles from both legal and design perspectives. Any consent request must meet the requirements of consumer law, of data protection law and of applicable sectoral standards.

Mathew Chacko is a partner, Aadya Misra is a counsel and Vishnu Naduvakkad is an associate at Spice Route Legal.

Spice Route Legal
14th floor, Skav 909,
Lavelle Road, Ashok Nagar
Bengaluru, Karnataka 560025
Contact details:
E: contact@spiceroutelegal.com
