November 26, 2025
Aakriti Bansal, Medianama
MediaNama’s Take: The Central Consumer Protection Authority’s (CCPA) decision to publish 18 self-declarations reveals only a partial picture of its exercise to identify dark patterns. The authority has stated that 26 platforms have filed their declarations, but it has made only 18 of them public. This gap means the public still cannot see what eight major platforms submitted or whether those filings contain any meaningful detail. Moreover, even among the published declarations, several are one-paragraph statements that offer almost no insight into the scope or accuracy of the companies’ internal audits.
LocalCircles’ new survey adds further complications, reporting that 21 of the 26 platforms that submitted declarations still display at least one dark pattern. This finding suggests that the CCPA’s reliance on voluntary self-assessment may not be enough to shift platform behaviour at scale. It also raises questions about what the unpublished declarations contain and whether the missing submissions are similarly sparse or incomplete.
Notably, the CCPA has not clarified how it plans to verify the accuracy of any of the declarations, whether published or unpublished. If filings remain unverified for months, compliance risks turning into a box-ticking exercise rather than a meaningful regulatory process. Therefore, the next phase matters far more than the publication of select declarations, because the current approach raises more questions than it answers.
What’s the News
The CCPA has made 18 dark pattern self-declarations public, despite stating that 26 platforms have filed their compliance letters. The publication follows an RTI filed by MediaNama that revealed which companies had submitted their declarations, and pointed out that none of the filings had been available to the public at the time.
These declarations stem from the Ministry’s June 5 advisory, which required e-commerce and quick commerce companies to conduct internal audits under the 2023 Guidelines for Prevention and Regulation of Dark Patterns and submit compliance letters within 90 days.
For context, Moneycontrol reported that Amazon has still not filed its declaration and has asked for additional time. A senior government official told the publication that the government “has done what it had to” and does not plan further discussions.
The official also said that any punitive action would depend on consumer complaints routed through channels such as the national consumer helpline. This indicates that the enforcement approach continues to be reactive rather than compliance-driven.
What Did The CCPA Ask Platforms To Do?
The June 5 advisory set out a simple compliance framework for digital platforms. It asked every e-commerce and quick commerce company to complete a self-audit of its website and mobile app within 90 days and check its interfaces for the 13 dark patterns listed in the 2023 guidelines. Platforms were required to file a self-declaration confirming compliance once this internal review was complete.
However, the advisory did not specify how the audit should be conducted. Companies were free to choose any methodology, and the CCPA did not prescribe a standard format, a uniform checklist, or a minimum evidence requirement. Also, the advisory did not require independent audits or third-party validation.
Furthermore, there was no explanation of how the CCPA planned to verify whether the declarations were accurate or complete. In effect, the responsibility for defining the scope, depth, and rigour of the audit rested entirely with each platform.
What the CCPA Has Done With the Declarations
As mentioned before, the CCPA has now published 18 self-declarations on its website. The release confirms that companies submitted their compliance letters, but it does not indicate whether the authority evaluated the accuracy or depth of the filings.
Several platforms submitted very short statements that simply assert compliance without describing any checks or findings. BigBasket, Zomato, Blinkit and Swiggy were among the companies that filed especially minimal disclosures. The CCPA has not explained why these filings were accepted or whether any follow-up questions were asked. Therefore, asking for and disclosing self-declarations shows some administrative progress, but it does not reflect any regulatory scrutiny.
This lack of verification aligns with concerns raised by Devangshu Dutta, Founder of business consulting firm Third Eyesight. He told MediaNama that self-declarations “do not change things much” when regulators do not audit submissions or impose consequences.
Further, Dutta remarked that most companies comply at the minimum level required if their claims are not examined and are not made public in full. According to him, revenue-driving design choices such as forced add-ons, confusing checkout flows or misleading scarcity claims will not be voluntarily removed without oversight.
What Independent Evidence Shows
LocalCircles’ latest audit presents a sharply different picture from the companies’ filings. The organisation found that 21 of the 26 platforms that submitted “dark pattern free” declarations still use one or more manipulative design practices. The assessment relied on feedback from more than 250,000 consumers across 392 districts along with AI-assisted testing.
The most common violations include forced action, subscription traps, bait and switch, basket sneaking, interface interference and disguised advertisements. In practice, these dark patterns respectively mean that users are pushed into steps they did not choose, face hidden or hard-to-cancel subscriptions, see offers change during checkout, encounter fees added at the last moment, get nudged toward platform-favoured choices, and come across ads that appear as regular listings.
LocalCircles also identified drip pricing (gradually adding mandatory fees during the checkout process) on 11 of the 26 companies, including Flipkart, Myntra, Cleartrip, MakeMyTrip, BigBasket, Zomato and Blinkit, among others. The organisation said that many platforms appear to misunderstand what qualifies as drip pricing, which has led to incomplete corrections.
Trust Can Erode Due To Gap Between Declarations And User Experience
Sachin Taparia, Founder of LocalCircles, said that the problem begins with the absence of any verification. “Our understanding is that CCPA is wanting that companies submit a self-declaration at the earliest. However, there is no cross checking of claims that is being done by the CCPA, and as a result the companies are not being as thorough with their dark-pattern detection and resolution,” he said.
Taparia added that discrepancies between declarations and user experience could harm trust. “LocalCircles has found dark patterns on 21 of the 26 platforms submitting self-declarations. If this exercise is not done with high accuracy, both platforms doing so and CCPA could see consumer trust being impacted,” he said.
Importantly, Dutta echoed this concern, saying that the absence of penalties or reputation-related consequences allows companies to self-declare compliance while keeping revenue-generating patterns intact. He described the current process as “more an administrative formality [rather] than a behaviour-changing regulatory tool”.
Why This Matters
The gap between self-declarations and truly independent audits brings the real enforcement question into focus: what should the next phase of regulation look like?
In this context, Dutta said that regulators need to move beyond self-certifications and mandate detailed user experience (UX) audit reports that map every user journey, including pop-ups, onboarding, search, checkout, cancellations and returns.
He explained that regulators should reinforce this by demanding substantive evidence instead of brief compliance letters. This evidence can include screenshots and screen recordings of key flows, version histories that show how an interface changed over time, and product design documents or A/B testing results that reveal why specific nudges were introduced. To explain, A/B testing is essentially a method for comparing two versions of something to see which one performs better.
Furthermore, Dutta noted that platforms already collect extensive data on user complaints and drop-off points, which can help identify harmful or confusing design choices. He also said that independent third-party attestations, similar to security or accessibility audits, can provide a credible external check and increase the cost of non-compliance.
Multiple Annual Audits For Apps that Change Interface Frequently
Notably, Dutta stressed that most dark pattern categories appear across e-commerce, quick commerce and Direct-to-Consumer (D2C) websites, which means regulators can create a baseline audit standard that works across sectors instead of relying on platform-specific interpretations. He also suggested that audits should occur at least once a year, and companies that frequently modify their interfaces may need to report two or three times annually.
The larger concern now is whether the CCPA plans to move toward such a structured framework. Without independent verification and clear audit expectations, companies can continue declaring compliance even when manipulative designs remain embedded in their interfaces.
(Published in Medianama)