What The Dark Pattern Filings That CCPA Got Reveal About Gaps in India’s Consumer-Protection Framework

November 26, 2025

Aakriti Bansal, Medianama

MediaNama’s Take: The Central Consumer Protection Authority’s (CCPA) decision to publish 18 self-declarations offers only a partial picture of its exercise to identify dark patterns. The authority has stated that 26 platforms have filed their declarations, but it has made only 18 of them public. This gap means the public still cannot see what eight major platforms submitted or whether those filings contain any meaningful detail. Moreover, even among the published declarations, several are one-paragraph statements that offer almost no insight into the scope or accuracy of the companies’ internal audits.

LocalCircles’ new survey adds further complications, reporting that 21 of the 26 platforms that submitted declarations still display at least one dark pattern. This finding suggests that the CCPA’s reliance on voluntary self-assessment may not be enough to shift platform behaviour at scale. It also raises questions about what the unpublished declarations contain and whether the missing submissions are similarly sparse or incomplete.

Notably, the CCPA has not clarified how it plans to verify the accuracy of any of the declarations, whether published or unpublished. If filings remain unverified for months, compliance risks turning into a box-ticking exercise rather than a meaningful regulatory process. Therefore, the next phase matters far more than the publication of select declarations, because the current approach raises more questions than it answers.

What’s the News

The CCPA has made 18 dark pattern self-declarations public, despite stating that 26 platforms have filed their compliance letters. The publication follows an RTI filed by MediaNama that revealed which companies had submitted their declarations, and pointed out that none of the filings had been available to the public at the time.

These declarations stem from the Ministry’s June 5 advisory, which required e-commerce and quick commerce companies to conduct internal audits under the 2023 Guidelines for Prevention and Regulation of Dark Patterns and submit compliance letters within 90 days.

For context, Moneycontrol reported that Amazon has still not filed its declaration and has asked for additional time. A senior government official told the publication that the government “has done what it had to” and does not plan further discussions.

The official also said that any punitive action would depend on consumer complaints routed through channels such as the national consumer helpline. This indicates that the enforcement approach continues to be reactive rather than compliance-driven.

What Did The CCPA Ask Platforms To Do?

The June 5 advisory set out a simple compliance framework for digital platforms. It asked every e-commerce and quick commerce company to complete a self-audit of its website and mobile app within 90 days and check their interfaces for the 13 dark patterns listed in the 2023 guidelines. Platforms were required to file a self-declaration confirming compliance once this internal review was complete.

However, the advisory did not specify how the audit should be conducted. Companies were free to choose any methodology, and the CCPA did not prescribe a standard format, a uniform checklist, or a minimum evidence requirement. Also, the advisory did not require independent audits or third-party validation.

Furthermore, there was no explanation of how the CCPA planned to verify whether the declarations were accurate or complete. In effect, the responsibility for defining the scope, depth, and rigour of the audit rested entirely with each platform.

What the CCPA Has Done With the Declarations

As mentioned before, the CCPA has now published 18 self-declarations on its website. The release confirms that companies submitted their compliance letters, but it does not indicate whether the authority evaluated the accuracy or depth of the filings.

Several platforms submitted very short statements that simply assert compliance without describing any checks or findings. BigBasket, Zomato, Blinkit and Swiggy were among the companies that filed especially minimal disclosures. The CCPA has not explained why these filings were accepted or whether any follow-up questions were asked. Therefore, asking for and disclosing self-declarations shows some administrative progress, but it does not reflect any regulatory scrutiny.

This lack of verification aligns with concerns raised by Devangshu Dutta, Founder of business consulting firm Third Eyesight. He told MediaNama that self-declarations “do not change things much” when regulators do not audit submissions or impose consequences.

Further, Dutta remarked that most companies comply at the minimum level required if their claims are not examined and are not made public in full. According to him, revenue-driving design choices such as forced add-ons, confusing checkout flows or misleading scarcity claims will not be voluntarily removed sans oversight.

What Independent Evidence Shows

LocalCircles’ latest audit presents a sharply different picture from the companies’ filings. The organisation found that 21 of the 26 platforms that submitted “dark pattern free” declarations still use one or more manipulative design practices. The assessment relied on feedback from more than 250,000 consumers across 392 districts along with AI-assisted testing.

The most common violations include forced action, subscription traps, bait and switch, basket sneaking, interface interference and disguised advertisements. In practice, these dark patterns respectively mean that users are pushed into steps they did not choose, face hidden or hard-to-cancel subscriptions, see offers change during checkout, encounter fees added at the last moment, get nudged toward platform-favoured choices, and come across ads that appear as regular listings.

LocalCircles also identified drip pricing (gradually adding mandatory fees during the checkout process) on 11 of the 26 companies, including Flipkart, Myntra, Cleartrip, MakeMyTrip, BigBasket, Zomato and Blinkit, among others. The organisation said that many platforms appear to misunderstand what qualifies as drip pricing, which has led to incomplete corrections.

Trust Can Erode Due To Gap Between Declarations And User Experience

Sachin Taparia, Founder of LocalCircles, said that the problem begins with the absence of any verification. “Our understanding is that CCPA is wanting that companies submit a self-declaration at the earliest. However, there is no cross checking of claims that is being done by the CCPA, and as a result the companies are not being as thorough with their dark-pattern detection and resolution,” he said.

Taparia added that discrepancies between declarations and user experience could harm trust. “LocalCircles has found dark patterns on 21 of the 26 platforms submitting self-declarations. If this exercise is not done with high accuracy, both platforms doing so and CCPA could see consumer trust being impacted,” he said.

Importantly, Dutta echoed this concern, saying that the absence of penalties or reputation-related consequences allows companies to self-declare compliance while keeping revenue-generating patterns intact. He described the current process as “more an administrative formality [rather] than a behaviour-changing regulatory tool”.

Why This Matters

The gap between self-declarations and truly independent audits brings the real enforcement question into focus. What should the next phase of regulation look like?

In this context, Dutta said that regulators need to move beyond self-certifications and mandate detailed user experience (UX) audit reports that map every user journey, including pop-ups, onboarding, search, checkout, cancellations and returns.

He explained that regulators should reinforce this by demanding substantive evidence instead of brief compliance letters. This evidence can include screenshots and screen recordings of key flows, version histories that show how an interface changed over time, and product design documents or A/B testing results that reveal why specific nudges were introduced. To explain, A/B testing is essentially a method for comparing two versions of something to see which one performs better.

Furthermore, Dutta noted that platforms already collect extensive data on user complaints and drop-off points, which can help identify harmful or confusing design choices. He also said that independent third-party attestations, similar to security or accessibility audits, can provide a credible external check and increase the cost of non-compliance.

Multiple Annual Audits For Apps that Change Interface Frequently

Notably, Dutta stressed that most dark pattern categories appear across e-commerce, quick commerce and Direct-to-Consumer (D2C) websites, which means regulators can create a baseline audit standard that works across sectors instead of relying on platform-specific interpretations. He also suggested that audits should occur at least once a year, and companies that frequently modify their interfaces may need to report two or three times annually.

The larger concern now is whether the CCPA plans to move toward such a structured framework. Without independent verification and clear audit expectations, companies can continue declaring compliance even when manipulative designs remain embedded in their interfaces.

(Published in Medianama)

Complaint and redress mechanism requires employee empowerment

Neha Singhal

January 8, 2010

A recent experience with one of the quick service restaurants took me back to my post-graduate class on Consumer Service Standards.

We studied five essential elements of service standards, which are:

  1. A Charter of Service, including a description of the service the retailer intends to provide and, where applicable, the benefits customers are entitled to receive;
  2. Service Pledges, focusing on such elements as openness, fairness, courtesy, professionalism, etc.;
  3. Specific Delivery Targets for key aspects such as timeliness, access and accuracy;
  4. The Delivery Costs; and
  5. Redressal Mechanisms that customers can use when they feel standards have not been met.

The last, redressing complaints, is the most important and difficult aspect among these elements. It requires instant responsiveness and sufficient empowerment of staff to manage a dissatisfied customer.

Standard operating procedures require staff to follow the procedures as they are written, whereas store staff need to respond immediately to a unique situation every time, which means that personal judgement will be called for on every occasion.

To elaborate on how important responsiveness and sufficient empowerment of staff are, I would like to discuss a recent experience with a quick service restaurant. I will first describe my reactions as a customer, to understand the consumer’s expectations and reaction when a retailer is unable to meet them, and then analyze the same from a retailer’s and a consultant’s perspective.

I ordered a salad, which contains some soya chunks with diced vegetables in a dressing, from a QSR. We quite often order from this restaurant and are quite happy with their products and services. However, this time the salad they delivered had only veggies; no soya chunks and no dressing.

So I called them back to tell them that they had sent the salad without soya chunks and dressing, and to ask if they could replace it. The boy at the reception said, “Please give me your number and my boss will call you back”.

I was feeling really hungry as I hadn’t eaten breakfast in the morning (I had just had a toast), so after 15 minutes I gave them a call again, which went unanswered. By now my loyalty to the restaurant and liking for its products had evaporated. So I called again 10 minutes later to tell them to take their salad back and return the money. This time the associate was kind enough to ask if I would like to get the salad replaced; I said, “No, please take your salad back.” Fifteen minutes later a delivery boy came to return the money and I returned the salad.

Now let’s analyze the actions and reactions of both retailer and customer to get to the root cause of the issue. The product delivered was wrong; however, because of the retailer’s previous good repute, the customer didn’t mind the mistake and called the retailer to replace the product. The associate at the reception took the customer’s phone number and said that the store manager would return the call. Clearly, the service provider was not empowered to take the decision. By the time he was able to figure out that the salad needed to be replaced, 25 minutes had passed and the customer had lost patience. However, no apology was made by the retailer, which is again because of the lack of redress guidelines or lack of training for the same!

While SOPs are important to minimize the gaps in service delivery, redress mechanisms are essential to get things right in case a gap arises in service delivery. Complaint and redress mechanisms require empowering the employees who serve the customers. This enables them to take instant decisions as and when the need arises.

So while developing or reviewing the SOPs, it is important for retailers to ensure that complaint and redress mechanisms are not only woven into the SOPs but also provide sufficient empowerment to service providers.