Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2023.

Research Team (Tsaaro)

For years, Indian websites got away with a familiar pattern: a large, brightly coloured “Accept All” button, a ghosted link for “Manage Settings”, and no straightforward way to say “No”. Under India’s DPDP Act 2023, this design pattern violates the statutory requirement for free, specific, informed, and unambiguous consent, rendering it unlawful.
The Digital Personal Data Protection Act, 2023 (DPDPA), has quietly transformed cookie banners from “UX flourishes” into legal consent interfaces. Simultaneously, India’s consumer authorities now treat dark patterns not as clever designs but as unfair trading practices. Your cookie banner is no longer just a design choice; it is evidence of your compliance posture.
1. The Legal Baseline: Consent as a Design Problem
The DPDPA does not mention “cookies” explicitly. Yet tracking mechanisms now fall squarely within its consent framework.
1.1 What the DPDPA says about consent
The core of the DPDPA is Section 6, which states that consent must be "free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action." This consent is limited to the data needed for the stated purpose. Additionally, consent can be withdrawn at any time, and the process for doing so must be as easy as the process for giving it.
Any consent that violates "this Act or the rules made thereunder or any other law" is automatically nullified to the extent of that violation. This clause subtly links DPDPA consent to all other laws governing consent acquisition, encompassing regulations against dark patterns. Prior to obtaining consent, a data fiduciary is obligated to furnish a straightforward, easily understandable notice detailing the personal data being collected, the purpose of the collection, the rights afforded to individuals, and the process for exercising those rights. The DPDP Rules stress the importance of using plain language, ensuring the notice is independent of other information, and making it available in both English and scheduled Indian languages. Your cookie banner is not a decorative pop-up. It is, functionally, the DPDPA “notice-consent” interface.
1.2 Why UX now defines the legality of consent
The DPDPA's notion of consent hinges on a specific scenario: the user actually reading the notice, comprehending it, making a choice without coercion, and then easily changing their mind.
The law doesn't dictate "Put an Accept All button in a 24px fill primary colour and bury Reject All in a faint hyperlink at the bottom." Yet the requirement for "free", "unconditional" consent, along with "comparable ease" of withdrawal, directly impacts user interface design.
If it's more difficult to refuse than to accept, can consent truly be considered "free" and "unconditional"?
If withdrawing consent is buried several clicks deep while accepting it is a single tap, is the "ease" of withdrawal truly comparable?
If the information is vague ("we use cookies to improve your experience"), is it genuinely "informed"?
Regulators are increasingly scrutinising design choices through these specific lenses.
2. Dark Patterns in Indian Law: From Ethics to Enforcement
India has explicitly legislated against dark patterns, and it has chosen UI/UX as the core battlefield.
2.1 CCPA's Guidelines on Dark Patterns
In November 2023, the Central Consumer Protection Authority (CCPA) issued the Guidelines for Prevention and Regulation of Dark Patterns, 2023. This was done under Section 18 of the Consumer Protection Act, 2019. These guidelines offer a definition of dark patterns: deceptive user interface and user experience design practices. They mislead or manipulate users into making unintended decisions, thereby undermining their autonomy, ability to make choices, and overall decision-making. Such practices are considered misleading advertisements, unfair trade practices, or violations of consumer rights. The guidelines cast a wide net, encompassing "all platforms systematically offering goods or services in India, advertisers and sellers." This means cookie banners on e-commerce websites, content platforms, fintech applications, and SaaS products are all covered.
Annexure 1 blacklists 13 specific dark patterns, including:
Interface Interference: involves visually emphasising one choice while obscuring others.
Forced Action: involves compelling a user to perform an unrelated action in order to proceed.
Nagging: repeated prompts that disrupt user experience to steer a particular choice.
Confirm Shaming: guilt-tripping users for refusing (“No thanks, I hate saving money”).
Trick wording: ambiguous phrasing designed to confuse.
The CCPA has issued advisories directing all e‑commerce platforms to self‑audit for such patterns and eliminate them. Dark patterns are explicitly treated as “unfair trade practices” under the Consumer Protection Act.
2.2 ASCI and empirical evidence from Indian apps
The Advertising Standards Council of India (ASCI) has added further detail. Its 2023 guidelines on digital advertising and dark patterns cover drip pricing, bait and switch, false urgency, and disguised advertising. A 2024 ASCI–Parallel study of 12,000 screens from 53 Indian apps found that approximately 80% employed “privacy deception” patterns to encourage data oversharing, and over 45% used interface interference. Cookie banners commonly rely on large accept buttons, pre-selected options, and hidden refusals. In its 2025 “Navigating Cookies” whitepaper, ASCI links cookie consent banners to the DPDPA’s granular consent standards and warns against visually biased designs that push users towards “accept all”.
Regulators, in other words, now look at the design itself.
3. When Cookie Banners Become Dark Patterns
The most common Indian cookie banner today combines several of the CCPA’s prohibited patterns and undermines DPDPA‑compliant consent in ways that are no longer defensible.
3.1 Interface interference: the “Accept All” trap
A classic banner has a full-width, high-contrast “Accept All” button and a tiny, low-contrast “Manage Preferences” or “X” in the corner. Accepting everything is the easiest option, both cognitively and visually. Under the CCPA Guidelines, interface interference is design that emphasises one option and hides, or makes difficult to access, the others, thereby steering the user. Under the DPDPA, such design compromises “free” and “unambiguous” consent: if a user clicks “Accept All” because the rejection path is unclear or difficult, interface pressure contaminates the “clear affirmative action”.
3.2. Forced action and “consent walls”
Many websites condition basic access on acceptance of non‑essential cookies, or force users to sign up before seeing content, bundling extensive tracking and data sharing into those flows. The dark patterns Guidelines define “forced action” to include making users perform unrelated actions, such as sharing personal information or consenting to data use, to complete a transaction or use a service. The DPDPA compounds this: consent must be “unconditional”. If you condition access to a news article, price comparison, or basic browsing on agreeing to third‑party tracking or marketing cookies that are not strictly necessary, regulators can argue that consent was conditional and therefore invalid.
3.3. Nagging and consent fatigue
Repeated “We care about your privacy, please accept cookies” prompts every time a user declines amount to nagging. The CCPA defines nagging as persistent, disruptive requests that push users towards a decision. In privacy terms, this weaponises fatigue: users eventually accept just to make the prompts stop. That erodes the voluntariness of consent, a concern that Indian commentators have linked directly to DPDPA obligations.
3.4. Trick wording and privacy deception
Language like “We only use cookies to improve your experience” without clearly disclosing profiling, cross‑site tracking, or targeted advertising is classic trick wording. The DPDPA notice obligation expects a clear explanation of what data is collected, for what purpose, and any relevant sharing. Vague euphemisms and buried disclosures risk both invalid consent (not “informed” or “specific”) and a finding of deceptive practice under the Consumer Protection Act.
4. Converging Regulatory Risk: DPDPA and Dark Patterns Framework
The real risk for organisations is not in any one statute, but in their intersection.
4.1. Invalid consent under DPDPA
If consent is obtained via a dark pattern‑laden cookie banner, three things can go wrong under the DPDPA:
Consent fails the Section 6 test, because it is not free, informed, unconditional, or unambiguous, or because withdrawal is not comparably easy.
The “design” infringes another law, for example the CCPA dark patterns Guidelines, making that part of the consent invalid under Section 6(2), which voids consent to the extent it violates any other law.
Subsequent processing becomes unlawful, because the legal basis (consent) never existed in a valid form; activities such as behavioural advertising, advanced analytics, and cross‑site profiling lose their foundation.
The DPDPA gives the Data Protection Board of India the authority to levy hefty financial penalties for violations. This includes failures related to consent and security protocols, with fines potentially reaching into the tens of crores for each instance.
4.2. Unfair trade practice and CCPA enforcement
In parallel, the same banner may expose the platform to proceedings under the Consumer Protection Act as an unfair trade practice, misleading advertisement, or violation of consumer rights. The CCPA’s 2025 advisory makes clear that it is actively scrutinising platforms for dark patterns and expects self-audits and remediation. Public tools like the Jagriti app and dashboard allow consumers and regulators to flag deceptive UIs at scale. Legal experts now refer to dark patterns that manipulate consent as a "dual exposure" risk: one cookie design decision could break both DPDPA rules and dark patterns guidelines, increasing the chances of damage to reputation and facing regulatory penalties.
5. Designing Cookie Banners that Survive Scrutiny
For UX designers, product managers, and privacy teams, the challenge is not simply avoiding “ugly” dark patterns. It is to design experiences that can be defended before a regulator who will ask: “Did the user really have a fair, informed, and reversible choice?”
5.1. Map patterns to legal risk
A useful way to operationalise this is to map common cookie banner patterns to the laws they touch.
| Design pattern in banner | Legal risk triggered | Example |
|---|---|---|
| Big “Accept All”, tiny “Manage”/“Reject” | Interface interference; consent not free/unambiguous | Bright CTA vs low-contrast link at corner |
| No “Reject All”; only granular toggles via 3+ clicks | Forced action; consent not unconditional; unfair trade practice | User must open settings, disable dozens of toggles individually |
| Access blocked unless non-essential cookies accepted | Forced action; consent conditional; DPDPA consent not “unconditional” | “To continue reading, accept cookies” |
| Repeated prompts after refusal | Nagging; coercive consent; UX that undermines voluntariness | Banner reappears on every page until user accepts |
| Vague “improve experience” without detail | Trick wording; uninformed consent; deceptive practice | No clear mention of analytics, ads, or third-party tracking |
When teams view banners through this perspective, the truth becomes apparent: "conversion-optimized" designs frequently resemble a legal minefield.
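The mapping above can be turned into a repeatable self-audit of the kind the CCPA advisory asks platforms to run. The following is an added example, not code from Tsaaro or from any regulator: it describes a banner as a small configuration object (a constructed format, assumed here) and checks it against the five rows of the table, returning each finding together with the legal risk the table associates with it. The two sample banners at the bottom are constructed for illustration.

```javascript
// Added example: self-audit of a cookie banner configuration against the
// five pattern rows in the table above. Not the article's own code; the
// banner description format is an assumption made for this example.

// Risk labels, taken from the "Legal risk triggered" column of the table.
const RISK_TABLE = {
  interface_interference: 'Interface interference; consent not free/unambiguous',
  no_reject_all: 'Forced action; consent not unconditional; unfair trade practice',
  consent_wall: 'Forced action; consent conditional; DPDPA consent not "unconditional"',
  nagging: 'Nagging; coercive consent; UX that undermines voluntariness',
  trick_wording: 'Trick wording; uninformed consent; deceptive practice',
};

// Visual weight of a control. A filled primary button outranks a plain link.
const PROMINENCE = { primary: 3, secondary: 2, link: 1 };

// Terms that must appear somewhere in the banner or category text for the
// description to count as specific rather than a vague "improve experience".
const SPECIFIC_TERMS = ['analytics', 'advertis', 'third-party', 'third party', 'tracking', 'profil'];

function auditBanner(banner) {
  const findings = [];
  const find = role => banner.buttons.find(b => b.role === role);
  const accept = find('accept_all');
  const reject = find('reject_all');
  // The refusal path is "Reject All" if it exists, otherwise the settings control.
  const refusal = reject || find('manage');

  // Row 1: accept visually outranks the refusal path.
  if (accept && refusal && PROMINENCE[accept.style] > PROMINENCE[refusal.style]) {
    findings.push({ issue: 'interface_interference', risk: RISK_TABLE.interface_interference,
      detail: `"${accept.label}" is ${accept.style}, "${refusal.label}" is ${refusal.style}` });
  }
  // Row 2: no one-click refusal; user must work through toggles.
  if (!reject) {
    findings.push({ issue: 'no_reject_all', risk: RISK_TABLE.no_reject_all,
      detail: `No "Reject All"; refusing takes ${banner.clicksToRejectAll} clicks` });
  }
  // Row 3: content gated on accepting non-essential cookies.
  if (banner.blocksAccessUntilAccept) {
    findings.push({ issue: 'consent_wall', risk: RISK_TABLE.consent_wall,
      detail: 'Access is blocked until non-essential cookies are accepted' });
  }
  // Row 4: banner comes back after the user has already refused.
  if (banner.repromptAfterRefusal) {
    findings.push({ issue: 'nagging', risk: RISK_TABLE.nagging,
      detail: 'Banner reappears after refusal' });
  }
  // Row 5: non-essential cookies used but nothing in the text says what for.
  const text = [banner.text, ...Object.values(banner.categories)].join(' ').toLowerCase();
  const hasNonEssential = Object.keys(banner.categories).some(c => c !== 'essential');
  if (hasNonEssential && !SPECIFIC_TERMS.some(t => text.includes(t))) {
    findings.push({ issue: 'trick_wording', risk: RISK_TABLE.trick_wording,
      detail: 'No mention of analytics, advertising, or third-party tracking' });
  }
  return { compliant: findings.length === 0, findings };
}

// Constructed sample: the "classic" banner described in section 3.
const DARK_BANNER = {
  text: 'We use cookies to improve your experience.',
  buttons: [
    { role: 'accept_all', label: 'Accept All', style: 'primary' },
    { role: 'manage', label: 'Manage Settings', style: 'link' },
  ],
  clicksToRejectAll: 4,
  blocksAccessUntilAccept: true,
  repromptAfterRefusal: true,
  categories: { essential: 'Needed for the site', other: 'Helps us improve' },
};

// Constructed sample: symmetric buttons, plain-language categories, no wall.
const FAIR_BANNER = {
  text: 'We use cookies. Choose which categories you allow.',
  buttons: [
    { role: 'accept_all', label: 'Accept All', style: 'primary' },
    { role: 'reject_all', label: 'Reject All', style: 'primary' },
    { role: 'manage', label: 'Manage preferences', style: 'secondary' },
  ],
  clicksToRejectAll: 1,
  blocksAccessUntilAccept: false,
  repromptAfterRefusal: false,
  categories: {
    essential: 'Strictly necessary for login and checkout',
    analytics: 'Aggregate usage statistics, no third-party tracking',
    advertising: 'Third-party advertising cookies and cross-site tracking',
  },
};

for (const f of auditBanner(DARK_BANNER).findings) console.log(`${f.issue}: ${f.detail}`);
```

Run as-is under Node to print the five findings for the constructed dark banner; in a real audit the configuration object would be filled from the banner component's actual props or from a design-review checklist, and the finding list becomes the documented rationale for the joint sign-off discussed in section 5.3.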
5.2. Design principles for a DPDP‑aligned cookie banner
Indian and international guidance now converge on a set of best practices. For DPDPA‑aligned, dark‑pattern‑free banners, consider:
Symmetry in options – present "Accept All" and "Reject All" with equal visual prominence. If one button is a filled primary button, the other should be as well. Secondary choices, like "Manage preferences", can be placed nearby, but not in a way that competes with them.
Granular controls without friction – let users toggle categories (such as essential, analytics, and advertising) on or off, with all non-essential cookies turned off by default. Essential cookies should be clearly defined as absolutely necessary.
Plain-language explanations – each category should be briefly summarised, detailing its function, the type of data it gathers, and whether it involves tracking by outside parties. Avoid legal jargon in the banner text; reserve it for the full policy.
No bundling, no coercion – don't require non-essential cookies for basic access unless you can prove they're essential to the service. If a paywall model is in use, such as "pay with money or pay with data", it must be clearly explained and adhere to "unconditional" consent standards.
Easy and comparable withdrawal – include a persistent "Cookie settings" or "Privacy choices" link in the footer or menu. This lets users adjust their preferences as easily as they first agreed. Technically, this means saving those choices and respecting them across sessions.
Accessible, multilingual interfaces – reflect the DPDPA’s emphasis on language and accessibility: offer banners in English and the relevant Indian languages for your user base, with accessible contrast, font size, and screen-reader compatibility.
Auditability – log what the user consented to, when, how (e.g., which button), and from which device or context. This is not just a back‑office concern; UX must ensure clear, discrete actions that can be meaningfully recorded (“Accepted analytics only”, not “Scrolled the page”).
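The principles in this list translate into a small amount of client-side logic. What follows is an added example and not code from Tsaaro or from any consent-management product: a consent manager in which non-essential categories default to off, "Accept All", "Reject All" and withdrawal are each a single call, nothing non-essential loads until a decision has been recorded, and every decision produces an auditable record (what, when, through which control). The category list, the storage key name and the memory-backed store are assumptions made for this example; in a browser the same object shape is satisfied by `window.localStorage`.

```javascript
// Added example: DPDPA-aligned consent manager. Not the article's own code;
// category names, the storage key and the memory store are assumptions.

// Essential is always on; everything else is off until the user opts in.
const CATEGORIES = {
  essential:   { required: true,  label: 'Strictly necessary for the site to work' },
  analytics:   { required: false, label: 'Aggregate usage statistics' },
  advertising: { required: false, label: 'Third-party advertising and cross-site tracking' },
};
const NON_ESSENTIAL = Object.keys(CATEGORIES).filter(k => !CATEGORIES[k].required);
const STORAGE_KEY = 'consent-record-v1'; // hypothetical key name

// Memory-backed store with the getItem/setItem shape of localStorage, so the
// example runs offline; pass window.localStorage in a browser instead.
function memoryStore() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, v); },
    removeItem: k => { m.delete(k); },
  };
}

function createConsentManager(store = memoryStore(), now = () => new Date()) {
  // Default choices: required categories true, everything else false.
  function defaults() {
    const c = {};
    for (const [name, meta] of Object.entries(CATEGORIES)) c[name] = meta.required;
    return c;
  }

  // Stored decision from this or a previous session, or null if none yet.
  function current() {
    const raw = store.getItem(STORAGE_KEY);
    return raw ? JSON.parse(raw) : null;
  }

  // Persist a record that states exactly what was chosen, when and via which
  // control, so the audit trail reads "Accepted analytics only", not "Scrolled".
  function record(action, choices, method) {
    const granted = NON_ESSENTIAL.filter(k => choices[k]);
    const summary =
      granted.length === 0 ? 'Rejected all non-essential'
      : granted.length === NON_ESSENTIAL.length ? 'Accepted all'
      : 'Accepted ' + granted.join(', ') + ' only';
    const rec = { version: 1, action, method, summary, choices, timestamp: now().toISOString() };
    store.setItem(STORAGE_KEY, JSON.stringify(rec));
    return rec;
  }

  return {
    // Symmetric one-step choices: each is a single call from a single button.
    acceptAll(method = 'accept_all_button') {
      const c = defaults();
      for (const k of NON_ESSENTIAL) c[k] = true;
      return record('accept_all', c, method);
    },
    rejectAll(method = 'reject_all_button') {
      return record('reject_all', defaults(), method);
    },
    // Granular panel: unknown categories are rejected, essential cannot be turned off.
    savePreferences(partial, method = 'preferences_panel') {
      const c = defaults();
      for (const [k, v] of Object.entries(partial)) {
        if (!(k in CATEGORIES)) throw new Error('unknown category: ' + k);
        if (!CATEGORIES[k].required) c[k] = Boolean(v);
      }
      return record('save_preferences', c, method);
    },
    // Withdrawal is as easy as giving consent: one call from the footer link.
    withdraw(method = 'footer_privacy_choices') {
      return record('withdraw', defaults(), method);
    },
    // Gate for tag loaders: required categories always load; others only after
    // an explicit stored decision that includes them (nothing loads pre-consent).
    canLoad(category) {
      if (!(category in CATEGORIES)) throw new Error('unknown category: ' + category);
      if (CATEGORIES[category].required) return true;
      const rec = current();
      return rec !== null && rec.choices[category] === true;
    },
    current,
  };
}

// Stand-alone demo with the in-memory store.
const demo = createConsentManager();
console.log(demo.savePreferences({ analytics: true }).summary); // Accepted analytics only
console.log('advertising may load:', demo.canLoad('advertising')); // false
```

Wire `canLoad` in front of every analytics or advertising tag loader, and call `withdraw` from the persistent "Privacy choices" link so the withdrawal path has exactly the same number of steps as the original acceptance. The stored record is what you would export when asked to show, for a given user and date, which button was pressed and which categories were granted.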
5.3. Governance: bringing designers into compliance conversations
Perhaps the most under‑appreciated shift is organisational. Under DPDPA and the dark patterns regime, compliance is no longer the sole domain of legal and privacy teams. UI/UX designers and growth teams now effectively control a portion of the legal risk surface.
Emerging best practice includes:
UX design audits specifically against CCPA dark pattern categories and DPDPA consent standards.
Design guidelines that explicitly prohibit certain patterns (pre-ticked boxes, shaming texts, imbalanced CTAs).
Joint sign‑off on consent flows by product, UX, privacy, and legal, with documented rationale.
Training for designers on how legal concepts like “free”, “informed”, “unconditional” map to concrete interaction patterns.
Conclusion
Cookie banners have become a way to see how seriously a company takes people, not just their data. When a banner appears on your homepage, the person behind the screen is not a conversion metric; they are someone being asked to trust you with a private part of their digital life. Indian law now writes that respect into the DPDPA, which asks of every interface a simple question: did the person really have a choice, and if not, can they change their mind without being punished by the design? For leadership teams this is not just a compliance box; it is a choice about what kind of company you want to be. If your present cookie banner relies on confusion, friction, or fatigue to make people click "Accept All", it is sending the wrong answer. The good news is that the fix is not vague. It lives in the order of buttons, the language used, the way the interaction flows, and the rules that govern them, all of which product, UX, and legal teams can work on together. Getting this right means more than following the DPDPA: it means a design that tells your customers their freedom matters as much as their attention. That is the kind of privacy story users and regulators will remember for a long time.
Want to Know More?
Learn more about India's DPDPA compliance, dark patterns assessment frameworks, and consent flow design best practices at Tsaaro.com.
Talk to a Privacy Expert
Get a free 1:1 session on AI compliance, DPDPA readiness, or incident response planning.