CCPA’s Action Against Zepto Signals Growing Enforcement Under India’s Dark Pattern Rules

Written by Hetal Desai

7 min read

The Central Consumer Protection Authority (‘CCPA’) has recently imposed a penalty on Zepto for use of dark patterns in its checkout flows, and that single action, modest in monetary value, signals a broader shift from guidance to enforcement that teams building digital products in India should not ignore.

Zepto case and the regulatory backdrop:

On 6 December 2025, the CCPA issued an order finding that Zepto used drip pricing and pre-selected add-ons. In simpler terms, mandatory charges were surfaced only at final checkout and a paid membership appeared pre-selected without affirmative consent. The regulator directed Zepto to remove default opt-ins, redesign its checkout, and submit proof of compliance within a limited time window. This enforcement follows a set of Guidelines for Prevention and Regulation of Dark Patterns (‘Guidelines’) that the CCPA published in late 2023 under the Consumer Protection Act, 2019, which identify thirteen specified dark patterns such as drip pricing, basket sneaking and subscription traps. Taken together, the Guidelines plus recent orders show that the regulator is moving beyond advisory notes to enforcement and corrective directions.

Those guidelines were notified in 2023, and enforcement has been incremental to date, but it is real: the CCPA has already issued notices and taken action against other platform practices this year, including a separate order against Rapido for misleading claims and penalties in the same regulatory universe.

Legal Scope:

The CCPA is empowered by Section 18 of the Consumer Protection Act, 2019 to protect consumers as a class and to issue guidelines to prevent unfair trade practices, and it has complementary powers under Sections 20 and 21 to order discontinuation of unfair practices, require refunds or recalls, and to impose penalties for false or misleading advertisements and unfair trade practices. An aggrieved person or entity affected by a CCPA order can appeal to the National Consumer Disputes Redressal Commission under Section 24. These powers are broad: they apply to platforms, marketplaces, sellers and advertisers, meaning the legal net covers both large and small operators who use interfaces that shape consumer choices. In practice that means quick-commerce apps, travel aggregators, fintech onboarding flows, subscription services and niche marketplaces all fall within the CCPA’s reach as much as larger platforms.

Indian landscape and comparable enforcement overseas:

India’s 2023 Guidelines bring UI/UX design choices that impair consumer choice into administrative law by listing specific categories of prohibited design practices and linking them to consumer rights under the Consumer Protection Act. Internationally as well, enforcement on this front is intensifying: the UK authorities have targeted opaque hotel booking practices and misleading availability claims, and the United States Federal Trade Commission has pursued subscription and enrolment flows it describes as subscription traps and dark patterns, including a high-profile action against a major platform in 2025. These cases demonstrate that regulators globally are converging on the notion that interface choices are not merely product experiments but may amount to unlawful conduct when they mislead users.

Below we analyse key technical and governance aspects that product, design and legal teams should prioritise.

Price visibility and the problem of drip pricing

One of the clearest signals from the Guidelines is that consumers must be able to understand the full payable amount at the point where a purchasing decision is made. When mandatory fees are revealed only at the final step, regulators consider it a misleading trade practice because it obstructs the consumer’s ability to make an informed choice. That is precisely what the CCPA flagged in Zepto’s case, where platform and handling fees were surfaced very late in the checkout journey.

For product and engineering teams, this means pricing cannot reside solely as last-minute server-side calculations. Consistency across listing pages, cart previews, and checkout flows requires a single authoritative pricing model that breaks down each component explicitly and makes those components available to every UI surface. Organisations should version pricing rules, persist identifiers with order records, and ensure historical reproducibility when regulators ask how a price was constructed.
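
A sketch of the pricing model described above, as an added example that is not code from the article, the CCPA or any platform it names. The rule versions, fee amounts, component codes and surface names are constructed; it shows one versioned breakdown feeding every surface, a digest persisted with the order for later reproduction, and a check that flags any surface omitting a mandatory charge.

```python
import hashlib
import json
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample rule sets. A published version is never edited, only
# superseded, so an old order can be re-priced with the rules that applied to it.
PRICING_RULES = {
    "rules-2025-11": {"handling_fee": Decimal("10.00"), "platform_fee": Decimal("4.00")},
    "rules-2025-12": {"handling_fee": Decimal("12.00"), "platform_fee": Decimal("5.00")},
}

# Constructed record of what each UI surface displayed: (name, codes shown, total shown).
SAMPLE_SURFACES = [
    ("cart_preview", ["item_total"], "250.00"),
    ("checkout", ["item_total", "handling_fee", "platform_fee", "membership"], "316.00"),
]


@dataclass(frozen=True)
class Component:
    code: str
    amount: Decimal
    mandatory: bool


def build_quote(item_total, rules_version, optional_addons=None):
    """Single authoritative breakdown; every surface renders from this, never its own maths."""
    rules = PRICING_RULES[rules_version]
    components = [Component("item_total", Decimal(item_total), True)]
    components += [Component(code, amount, True) for code, amount in sorted(rules.items())]
    for code, amount in sorted((optional_addons or {}).items()):
        components.append(Component(code, Decimal(amount), False))
    payable = sum((c.amount for c in components), Decimal("0"))
    return {"rules_version": rules_version, "components": components, "payable": payable}


def quote_digest(quote):
    """Stable SHA-256 over the breakdown, so a stored order can be compared with a re-run."""
    canonical = json.dumps(
        {
            "rules_version": quote["rules_version"],
            "components": [[c.code, str(c.amount), c.mandatory] for c in quote["components"]],
            "payable": str(quote["payable"]),
        },
        sort_keys=True,
        separators=(",", ":"),
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def order_record(order_id, quote):
    """What gets persisted with the order: the rule version and the breakdown digest."""
    return {
        "order_id": order_id,
        "rules_version": quote["rules_version"],
        "payable": str(quote["payable"]),
        "quote_digest": quote_digest(quote),
    }


def reproduces(record, item_total, optional_addons=None):
    """Re-price with the recorded rule version and confirm the same breakdown comes out."""
    rebuilt = build_quote(item_total, record["rules_version"], optional_addons)
    return quote_digest(rebuilt) == record["quote_digest"]


def find_drip_pricing(quote, surfaces):
    """Flag surfaces that hide a mandatory component or show less than the mandatory total."""
    mandatory = [c for c in quote["components"] if c.mandatory]
    mandatory_codes = {c.code for c in mandatory}
    mandatory_total = sum((c.amount for c in mandatory), Decimal("0"))
    findings = []
    for name, shown_codes, shown_total in surfaces:
        missing = sorted(mandatory_codes - set(shown_codes))
        if missing or Decimal(shown_total) < mandatory_total:
            findings.append({
                "surface": name,
                "missing": missing,
                "shown_total": shown_total,
                "mandatory_total": str(mandatory_total),
            })
    return findings


if __name__ == "__main__":
    q = build_quote("250.00", "rules-2025-12", {"membership": "49.00"})
    print(order_record("order-0001", q))
    for finding in find_drip_pricing(q, SAMPLE_SURFACES):
        print("drip pricing risk:", finding)
```
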

Various rulings from the UK Advertising Standards Authority required platforms to change fee disclosures well before a consumer clicked “buy”. These precedents mirror the reasoning behind the CCPA’s approach.

Consent flows, default selections and affirmative user action

Pre-selected add-ons, memberships and optional fees fall under what the Guidelines classify as “basket sneaking.” This reflects a long-standing legal principle that consent must be both affirmative and informed. If users are opted into a paid feature by default, regulators view that as a violation of autonomy because silence or inaction cannot be treated as agreement.

From a systems perspective, this requires building infrastructure that generates reliable consent artefacts tied to transactions: timestamped records, versioning of consent text, identifiers for the flow in which consent was taken, and a stored or reproducible representation of how that choice was presented at the time. Analytics events alone are insufficient because they may be sampled, batched or lost.

In Zepto’s case, the regulator found that the Zepto Pass option appeared pre-selected in the flow and directed the removal of default selections and the use of affirmative user consent. Internationally, similar enforcement around subscription-enrolment flows has hinged on whether consent was explicit and reversible, as seen in recent FTC actions.
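
One way to produce the consent artefacts described above, as an added example that is not code from the article or from any platform it names. All field names, action labels and sample values are hypothetical, and the hash chain is an added design choice for making the records tamper-evident; the recorder refuses pre-selected options and anything without an explicit user action.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64
# Hypothetical labels for UI events that count as an explicit choice by the user.
AFFIRMATIVE_ACTIONS = {"checkbox_ticked_by_user", "button_tapped_by_user"}


class ConsentNotAffirmative(ValueError):
    """Raised when a paid option would be recorded without an explicit user action."""


def digest(obj):
    """SHA-256 over a canonical JSON encoding of a dict."""
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def record_consent(log, *, order_id, item_code, consent_text, consent_text_version,
                   flow_id, rendered_ui, default_checked, user_action, now=None):
    """Append a consent artefact to `log`, or refuse if consent was not affirmative."""
    if default_checked:
        # Pre-selected add-on: inaction cannot be stored as agreement.
        raise ConsentNotAffirmative(f"{item_code}: option was pre-selected in flow {flow_id}")
    if user_action not in AFFIRMATIVE_ACTIONS:
        raise ConsentNotAffirmative(f"{item_code}: no explicit user action recorded")
    entry = {
        "order_id": order_id,
        "item_code": item_code,
        "consent_text_version": consent_text_version,
        "consent_text_sha256": hashlib.sha256(consent_text.encode("utf-8")).hexdigest(),
        "flow_id": flow_id,
        # Hash of the markup (or screenshot bytes) actually shown, stored elsewhere in full.
        "rendered_ui_sha256": hashlib.sha256(rendered_ui.encode("utf-8")).hexdigest(),
        "user_action": user_action,
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS_HASH,
    }
    entry["entry_hash"] = digest(entry)  # computed before the key is added
    log.append(entry)
    return entry


def first_broken_entry(log):
    """Return the index of the first altered or re-ordered entry, or None if the chain holds."""
    prev = GENESIS_HASH
    for index, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev or digest(body) != entry["entry_hash"]:
            return index
        prev = entry["entry_hash"]
    return None


# Constructed sample inputs.
SAMPLE_TEXT = "Add membership for Rs 49 per month. Cancel any time."
SAMPLE_UI = '<label><input type="checkbox" name="membership"> Add membership</label>'

if __name__ == "__main__":
    log = []
    record_consent(log, order_id="order-0001", item_code="membership",
                   consent_text=SAMPLE_TEXT, consent_text_version="membership-terms-v3",
                   flow_id="checkout-flow-12", rendered_ui=SAMPLE_UI,
                   default_checked=False, user_action="checkbox_ticked_by_user")
    print(json.dumps(log, indent=2))
    print("chain intact:", first_broken_entry(log) is None)
```
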

How experimentation and behavioural nudges intersect with compliance

Although A/B testing infrastructure is commonly viewed as a product optimisation tool, the moment an experiment alters pricing visibility, default states, or friction around cancellation, it enters a legally sensitive zone. The Guidelines combined with consumer protection law suggest that an experiment designed to increase conversions by increasing ambiguity or creating misleading urgency may be treated as unfair or deceptive, regardless of intent.

For technical teams, this means experiments touching regulated surfaces must be governed strictly: variant assignments should be logged against orders and consent records; experiment metadata and risk assessments preserved in an immutable registry; experiments that influence pricing or consent should require documented legal and product sign-off; and rollback criteria should be clear. Experiment monitoring should link exposure to complaint rates and business metrics so that harmful variants can be rolled back quickly.

Regulators increasingly request screenshots, sample flows, and independent verification. The CCPA’s posture suggests that any design variant deployed at scale may be inspected retrospectively and must therefore remain explainable and auditable.

Release discipline and the importance of evidence-ready audit trails

When allegations of dark patterns arise, regulators are no longer satisfied with verbal assurances or internal declarations without verifiable methodology or artifacts; they expect evidence of remediation.

Operationally, organisations should integrate compliance evidence into their release processes so that any change affecting checkout, pricing or consent automatically produces an evidence bundle: automated screen captures across device types and personas, test logs validating the pricing API, sampled consent records, and a change log linking commits to deployed UI versions. Storing these bundles in a retention store and making them exportable helps respond quickly when regulators request proof. Reporting on the Zepto order noted that a compliance report and supporting evidence were required within a short timeframe.

This model is echoed in other jurisdictions, where consumer regulators frequently request historical artefacts and companies unable to provide them often face stricter remedial obligations because they cannot demonstrate past behaviour.
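
The evidence bundle described above can be made tamper-evident at release time. The following is an added example, not code from the article or from any platform it discusses; the category names, file paths, commit id and UI version are constructed placeholders.

```python
import hashlib
import json

# Artefact categories named in the paragraph above (directory names are assumptions).
REQUIRED = ("screenshots", "pricing_api_tests", "consent_samples", "change_log")


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _seal(body: dict) -> str:
    # Hash the canonical JSON so any later edit to the manifest is detectable.
    return _sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def build_manifest(commit: str, ui_version: str, artefacts: dict) -> dict:
    """artefacts maps 'category/filename' -> bytes; returns a sealed manifest."""
    entries = {path: _sha256(blob) for path, blob in sorted(artefacts.items())}
    present = {path.split("/", 1)[0] for path in entries}
    missing = [c for c in REQUIRED if c not in present]
    if missing:
        raise ValueError(f"evidence bundle incomplete, missing: {missing}")
    body = {"commit": commit, "ui_version": ui_version, "artefacts": entries}
    return {**body, "bundle_sha256": _seal(body)}


def verify_manifest(manifest: dict, artefacts: dict) -> list:
    """Return a list of discrepancies; an empty list means the bundle is intact."""
    problems = []
    body = {k: manifest[k] for k in ("commit", "ui_version", "artefacts")}
    if _seal(body) != manifest.get("bundle_sha256"):
        problems.append("manifest seal mismatch")
    for path, digest in manifest["artefacts"].items():
        if path not in artefacts:
            problems.append(f"missing: {path}")
        elif _sha256(artefacts[path]) != digest:
            problems.append(f"modified: {path}")
    problems += [f"unlisted: {p}" for p in artefacts if p not in manifest["artefacts"]]
    return problems


# Constructed sample artefacts for one release (placeholder contents).
SAMPLE = {
    "screenshots/checkout_mobile_guest.png": b"\x89PNG constructed",
    "pricing_api_tests/run.log": b"PASS total_shown == total_charged",
    "consent_samples/sample.jsonl": b'{"addon":"membership","opted_in":false}',
    "change_log/commits.txt": b"abc1234 checkout: show all fees upfront",
}
```

A bare hash only detects changes relative to the recorded seal, so the `bundle_sha256` value should itself be written to write-once storage or signed by the release pipeline.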

Third-party components and inherited dark patterns

Many smaller platforms rely on template-driven checkout flows from SaaS vendors or third-party plugins. However, under Indian consumer law, the platform presenting the UI to the user remains responsible for the fairness of that interface; the origin of the UI does not absolve the operator from liability under the Consumer Protection Act or the Guidelines.

Practically, this means vendor SDKs, templates and plugins that affect price presentation or consent should be treated as high-risk integrations. Teams should run such modules in controlled sandboxes, perform automated UI snapshot tests, and insist on contractual warranties and indemnities against non-compliant defaults. Even if a vendor supplies a prebuilt flow, the obligation to ensure transparency and opt-in behaviour lies with the platform operator.
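
One way to gate a vendor-supplied checkout template on non-compliant defaults is a static check for pre-selected inputs, run in CI before the rendered snapshot tests. This is an added example, not code from the article or from any vendor; the field names, the `data-price` attribute and the allowlist are hypothetical.

```python
from html.parser import HTMLParser

# Hypothetical allowlist: pre-checked controls that carry no charge or consent.
ALLOWED_PRECHECKED = {"same_as_billing"}


class PrecheckedFinder(HTMLParser):
    """Collects checkbox/radio inputs that render already selected."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)  # attribute names arrive lowercased; bare `checked` has value None
        kind = (a.get("type") or "").lower()
        if kind in ("checkbox", "radio") and "checked" in a:
            name = a.get("name") or a.get("id") or "<unnamed>"
            if name not in ALLOWED_PRECHECKED:
                # data-price is an assumed vendor convention for paid add-ons.
                self.findings.append((name, a.get("data-price")))


def audit_template(html: str) -> list:
    """Return (name, price) for every pre-selected input outside the allowlist."""
    finder = PrecheckedFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed vendor template fragment.
VENDOR_TEMPLATE = """
<form id="checkout">
  <input type="checkbox" name="same_as_billing" checked>
  <input type="checkbox" name="membership_addon" data-price="99" checked="checked"/>
  <input type="checkbox" name="marketing_consent" CHECKED>
  <input type="checkbox" name="gift_wrap" data-price="30">
</form>
"""
```

A static scan misses defaults that the vendor's JavaScript sets after load, which is why the rendered UI snapshot tests are still needed alongside it.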

The CCPA’s pattern of issuing notices across several platforms, along with the Zepto order itself, shows that vendor origin will not be a valid defence when consumer harm is found.

Penalties, enforcement powers and available recourse

Under the Consumer Protection Act, the CCPA has the authority to order discontinuation of misleading or unfair practices, mandate refunds or corrective actions, and impose penalties for false or misleading advertisements or repeat contraventions. Where appropriate, the authority may publish orders that carry reputational consequences, require redesigned flows, or ask for third-party verification of compliance.

Entities receiving an adverse order can appeal before the National Consumer Disputes Redressal Commission under Section 24, but the timelines are strict and the standard of review depends heavily on the evidence presented. That is why maintaining audit trails and documentation is not only good compliance practice but also a legal safeguard.

If no action has been initiated yet but an internal review flags potential issues, the advisable route is to document the findings, remediate quickly, capture before-and-after evidence, review vendor contracts, and seek legal counsel to consider voluntary disclosure. Proactive remediation does not guarantee immunity, but it significantly reduces enforcement risk and helps frame a credible compliance narrative should regulators later ask for proof.
