CCPA Penalises PhysicsWallah and McAfee for Deployment of Dark Patterns

The Ministry of Consumer Affairs, Food & Public Distribution, released a press release informing that the Central Consumer Protection Authority (CCPA) has imposed a penalty of ₹5 lakh on PhysicsWallah Limited (PW) and ₹1 lakh on McAfee for using dark patterns on their digital platforms, which were in violation of the Consumer Protection Act, 2019 (CPA), the Consumer Protection (E-Commerce) Rules, 2020 (E-Commerce Rules), and the Guidelines for Prevention and Regulation of Dark Patterns, 2023 (Dark Patterns Guidelines).

On June 15, 2023, the Advertising Standards Council of India (ASCI) released guidelines to address the issue of online deceptive design patterns (Dark Patterns) in advertising. These Dark Patterns in advertising practices compel consumers to make decisions against their best interests.

Then, on November 30, 2023, CCPA released the Guidelines for Prevention and Regulation of Dark Patterns, 2023. The guidelines identified 3 additional dark patterns (trick questions, SaaS billing, and rogue malware) apart from the 10 dark patterns (false urgency, basket sneaking, confirm shaming, forced action, subscription trap, interface interference, bait and switch, drip pricing, disguised advertisement, and nagging) that were specified in the earlier draft guidelines.

Thereafter, CCPA had issued an advisory against increasing use of dark patterns, urging e-commerce platforms to identify and eliminate such practices through self-audits to be conducted within three months.

Proceedings Against Physics Wallah

The dispute arose from a suo-moto case initiated by CCPA against PW in relation to the use of dark patterns on its official platform and phone application, which led to unfair trade practices, misleading advertising, and violated consumer rights.

The practices under examination included Basket Sneaking (through a pre-selected ₹10 donation towards the PW Foundation during the checkout process), Confirm Sharing (emotional messaging that discouraged users from removing the donation option), and Forced Action (requiring users to share personal information before accessing courses advertised as free). The consumers were also required to sign up or log in to access content promoted as freely available.

The Authority noted that the donation-related messages referred to educational initiatives, healthcare support, financial assistance and other charitable activities undertaken through the PW Foundation. According to the CCPA, such messaging had the effect of encouraging consumers to retain the donation amount during the checkout process.

PW contended that the donation feature was voluntary, transparent and clearly visible to consumers throughout the checkout process. It submitted that users had the option to review, modify or opt out of the donation before completion of payment and that no educational content, whether free or paid, was made conditional upon making a donation.

With respect to the free courses, PW submitted that the courses were offered without any monetary consideration and that collection of basic information such as mobile numbers and email addresses was necessary for educational and operational purposes.

Thus, the CCPA concluded that the conduct violated Sections 2(9), 2(28) and 2(47) of the CPA, Rule 4(3) and Rule 4(9) of the E-Commerce Rules, and the Dark Patterns Guidelines.

Proceedings Against McAfee

The proceedings against McAfee arose from a representation alleging that the company’s subscription renewal interface presented consumers with only two visible options, namely “Renew Now” and “Accept Risk”, instead of providing a neutral opt-out mechanism.

The CCPA observed that the use of fear-based wording such as “Accept Risk” and the design of interface created fear and pressure on the consumers that if they did not choose the option to renew their subscription, they would be exposed to cybersecurity threats. It was further that the interface lacked a neutral opt-out mechanism and found elements of Forced Action under the Dark Patterns Guidelines.

McAfee submitted that the phrase “Accept Risk” merely reflected the consequence of expiry of cybersecurity protection and did not create any false or misleading impression. It further contended that consumers retained the ability to dismiss the interface, including through the “X” button, and that no complaints had been received regarding the renewal interface.

The company also informed the Authority that it had modified the interface by introducing neutral options such as “Skip” and “No Thanks”. However, the CCPA observed that post-facto corrective measures did not extinguish liability arising from the earlier deployment of the impugned interface

The Authority held such representation created an exaggerated impression regarding the necessity and usefulness of the service and constituted an unfair trade practice under Section 2(47) of the CPA.

The Authority further held that the renewal interface amounted to a misleading advertisement under Section 2(28) of the CPA, violated Rule 4(3) and Rule 4(9) of the E-Commerce Rules, and constituted multiple dark patterns under the Dark Patterns Guidelines, namely Confirm Shaming, Interface Interference, Trick Question and Forced Action.