Shining a Light on the DPDP Act: Battling Dark Patterns and Amplifying Transparency

Abstract

This research paper explores the relationship between privacy, the protection of privacy and dark patterns in the context of India’s dynamic digital landscape. It begins by explaining the foundational concept of the “Right to be left alone”, then explains the value of data through the words of Pavel Durov, founder of VK and creator of Telegram Messenger.

This research paper underscores the pivotal roles of transparency and privacy in shaping the digital experience of the 21st century, acknowledging India’s standing as the second-largest internet market with 700 million users. It introduces the DPDP Act and emphasizes certain key provisions, such as the data principal, the significance of clear consent, and the roles and standards of data fiduciaries and processors, alongside the emergence of dark patterns and their potential threat in coercing users into unintended data disclosures.

The DPDP Act is critically analysed and its impact on user privacy examined by dissecting its provisions and scrutinizing potential loopholes. Section 6 is explained in detail, along with its role in combating the deceptive design practices known as dark patterns, establishing a link between data protection and user experience and contributing to ongoing discussions on ethical design and responsible data handling.

Furthermore, the paper addresses the criticisms surrounding the DPDP Act, highlighting potential challenges in implementation, especially concerning the expansive authority granted to the central government and the amendments affecting the Right to Information Act.

In conclusion, this article provides a comprehensive overview of the delicate balance between user privacy, data protection, and the prevalence of dark patterns in the digital realm. By shedding light on the intersection of legislation and user experience, it aims to contribute to the ongoing discourse on safeguarding privacy in an increasingly digitized world.

Keywords: Digital, Data Protection, DPDP Act, Dark pattern, Privacy

Introduction

Legal scholars Samuel D. Warren and Louis Brandeis put forward the concept that individuals possess the inherent “Right to be left alone” as a fundamental facet of privacy in their article “Right to Privacy”.[1] The founder of the social networking site VK and creator of Telegram Messenger, Pavel Durov, once shared his perspective: “Privacy is not for sale, and human rights should not be compromised out of fear or greed.”

In India, 700 million users are actively engaged on the internet,[2] and the country is established as the second-largest internet market globally.[3] For that reason, transparency and privacy both play pivotal roles in the digital world of the 21st century in shaping our overall digital experiences, and India’s legal system consistently strives to make progress towards this objective.

Reasons why data protection is essential:

1. To maintain trust and confidence

2. To prevent identity theft and fraud

3. To maintain business reputation

4. To facilitate innovation and research

Innovation and invention contribute to society’s progress, but the same forces also fuel criminals. With the rise in internet usage, dark patterns have emerged: many individuals, organizations, or entities are actively engaged in deliberate tactics aimed at coercing users into disclosing information contrary to their intentions and personal interests.[4]

In this research paper we discuss the recently enacted data protection law and examine its potential impact on safeguarding user privacy. Additionally, we scrutinize the use of dark patterns in the digital world. By exploring the intersection of data protection and user experience, we aim to contribute to the ongoing discourse on ethical design and responsible data handling. Finally, we discuss the criticism of this Act.

Research Methodology

This paper employs a descriptive approach, utilizing qualitative research methods such as literature review, document analysis, and case studies to conduct a comprehensive exploration of the subject matter.

  1. Extensive literature review: A thorough examination of scholarly articles, legal documents, publications, reports, and online resources concerning data protection in India.
  2. Case Studies: In-depth exploration of specific legal cases, including notable disputes regarding privacy in K.S. Puttaswamy and the misleading of consumers in the LinkedIn case.
  3. Ethical Considerations: Throughout the research process, ethical principles will be upheld, ensuring confidentiality, respect for participants, and transparent reporting in all stages of data collection, analysis, and dissemination.

Review of Literature

The literature on the digital protection framework in India sheds light on several critical issues. Chief among these concerns are the privacy of individuals, dark patterns, and the limited legal safeguards available. Scholars argue that dark patterns mislead consumers or citizens into acting contrary to their intentions. Moreover, a lack of knowledge of how to use the Internet harms citizens, who fall into the trap of dark patterns. Legal scholars emphasize the imperative for legislative reforms designed to rectify these deficiencies, advocating for the establishment of a robust framework that ensures digital protection for citizens in the evolving landscape.

Data protection

The Right to Privacy is part of the fundamental ‘Right to Life’ enshrined under Article 21 of the Indian Constitution.[5] Hence, data protection is not just necessary; it is paramount in today’s digital world. Advancement in technology, coupled with the widespread digitization of personal and organizational information, has underscored the critical need for robust data protection measures. To fulfil the objectives of data protection and maintain a balance between transparency and privacy, India has enacted the Digital Personal Data Protection Act, 2023, which aims to protect the data of citizens, ensuring their privacy and holding entities accountable for responsible data management.

Key provisions of the act-

1) Data Principal: The data principal is the person to whom the data belongs, that is, the person to whom the data pertains or relates. For example, A signs up for a social networking site. In this scenario, A is the data principal because the personal data, such as his name, address etc., is directly related to him. [Sec. 2(j)]

2) Consent: Consent is defined in Section 13 of the Indian Contract Act, 1872: two persons consent when they agree upon the same thing in the same sense, that is, “Consensus ad idem”. Section 4 of the DPDP Act, 2023 says that processing of personal data is permissible only after taking the consent of the person to whom the data belongs (the data principal) and for explicitly stated purposes. In simple terms, data fiduciaries have to take consent from the data principal and state the specific purpose for which the data is demanded. As per Section 6 of the DPDP Act, 2023, the consent must be freely given, meaning it is not caused by coercion, undue influence, fraud, misrepresentation or mistake,[6] and must be specific, well-informed, without conditions, and expressed unambiguously through a clear affirmative action.

3) Data Fiduciary: Any person or group of persons who collectively or independently decides the purpose and methods of data processing. In simpler terms, a data fiduciary is someone who has control over why and how personal information is managed. For example, ABC Mart collects personal information from its customers to process orders and provide personalized services; here, ABC Mart is the data fiduciary. [Sec. 2(i)]

4) Data Processor: Any individual or entity that manages personal data on behalf of a data fiduciary is known as a data processor; it processes data as directed by the entity that is responsible for the data, that is, the data fiduciary. For example, XYZ Corporation decides to start a cloud storage service to manage and store the data of its employees, and Cloud Vault possesses the data on behalf of XYZ. In this case, XYZ is the data fiduciary, the employees are data principals and Cloud Vault is the data processor. [Sec. 2(k)]

Dark Pattern

In 2010, “Dark Pattern” was introduced as a new term by Harry Brignull, a London-based UX designer, to describe the deceptive tactics employed in websites and applications. These tactics manipulate users into unintended actions, such as making purchases or signing up for services without intending to.[7] Dark patterns are also known as deceptive designs.[8] The essence of consent is undermined by dark patterns, which deceive users into “agreeing” to or “accepting” terms and conditions that they would otherwise not accept or would significantly modify according to their preferences; this makes the concept of consent irrelevant.[9]

Dark patterns have been present for an extensive period and, we can say, extend beyond online interfaces. As an illustration, certain credit card statements may highlight a 0% balance transfer, yet the fine print may not clearly convey that the percentage will escalate significantly unless the user commits to a lengthy agreement.

In the past, classic pop-up ads were notorious for misleading users with claims of winning random sweepstakes, inundating them with spam. In the contemporary web landscape, dark patterns have evolved into more sophisticated and deceptive forms. Brownlee (2015) provides a notable example involving LinkedIn, where automated follow-up email reminders were sent on behalf of new users to contacts obtained from their webmail accounts. These emails were meticulously crafted to appear as if they originated directly from the user.

There was a time when LinkedIn was notorious for inundating inboxes with numerous follow-up emails through user contacts, ostensibly to “expand professional networks.” Escaping from this pattern proved challenging. Recognizing this deceptive practice, a class-action lawsuit was filed against LinkedIn in San Jose’s US District Court (Perkins v. LinkedIn, 2014)[10], with the primary issue being spam.

This legal action resulted in LinkedIn facing a class-action lawsuit and a penalty of $13 million. It not only held LinkedIn accountable but also sent a cautionary message to other companies employing similar tactics and dark UX patterns to artificially boost their product growth. This serves as a reminder of the legal consequences and ethical implications associated with deceptive practices in user experience design.

Types of Dark Pattern

Brignull further talks about the 10 types of dark patterns which are as follows:

1) Bait and Switch- This phenomenon occurs when the user intends one thing and the result is an unexpected or unforeseen consequence. For example, in the Windows 10 upgrade, clicking X at the top right corner of an upgrade pop-up closes the window without additional repercussions.

2) Disguised Ads- This strategy is employed to create a blurry moment or illusion. It is a deceptive design pattern wherein advertisements are intentionally camouflaged within the page to mimic regular content or navigation elements. These ads blend seamlessly into the natural flow of the webpage, making users more likely to click on them inadvertently.

3) Forced Continuity- This is a prevalent dark pattern found on various subscription-based websites which at first offer free trials; once the trials conclude, users are automatically charged without any opt-out option, reminder, or straightforward cancellation process.

4) Friend Spam- This occurs when a product requests the user’s mail or social media permissions with the promise of a beneficial outcome, such as helping them find friends, but subsequently abuses these permissions by sending spam messages to all of the user’s contacts, falsely appearing as if the messages were initiated by the user.

5) Hidden Costs- The concept of navigating through numerous steps only to encounter unforeseen charges at the final step in the checkout process, such as unexpected delivery charges or other taxes, is characterized as the phenomenon of ‘concealed expenses.’

6) Misdirection- This design strategy aims to strategically guide the user’s attention, leading them to overlook certain elements or actions while emphasizing or highlighting others. It occurs when the focus of the user is intentionally directed to a particular area, diverting their attention away from another activity.

7) Price Comparison Prevention- This strategy is used to create obstacles for the user when he attempts to compare prices; the objective is to impede the user’s ability to make an informed decision by introducing complexities or hindrances.

8) Privacy Zuckering- This deceptive strategy is related to privacy settings and information sharing on online platforms. It is derived from the name of Mark Zuckerberg, the co-founder of Facebook. It involves designing the user interface in such a way that it encourages or tricks users into disclosing more personal information than they want to.

9) Roach Motel- This dark pattern is used to create a user interface that facilitates effortless entry into a particular situation or commitment, only to complicate and impede the user’s ability to extricate themselves from that situation. It is a frequently encountered and universally relatable design strategy.

10) Tricky Questions- This strategy involves the presentation of a question that, when quickly glanced at, appears to be asking one thing but, on closer inspection, reveals a different intent.

Link between Dark Pattern and Digital protection Act

In this digital age, where data is recognized as a valuable currency, the DPDP Act, 2023 stands as a pivotal regulatory framework aiming to safeguard user privacy. It not only provides a framework for ethical data handling but also serves as a formidable defence against the pervasive threat of dark patterns. Let us understand how-

1) Clear Consent Standards:

  • Obtaining “consent” is mandatory; all entities must seek approval from the “Data Principal” before processing the data.
  • Section 6 sets clear standards for obtaining user consent, emphasizing that it must be free, specific, informed, unconditional, and unambiguous.
  • This clarity directly addresses the deceptive nature of dark patterns that often rely on confusing or ambiguous language to manipulate users.

2) Affirmative Action Requirement:

  • The requirement for a clear affirmative action ensures that users actively and knowingly agree to the processing of their personal data.
  • Dark patterns often exploit passive or unclear consent mechanisms, and the affirmative action requirement serves as a barrier against such manipulative practices.

3) Transparency and Informed Decisions:

  • By mandating informed consent, the DPDP Act ensures that users have access to necessary information about how their data will be used.
  • This transparency is a direct countermeasure to dark patterns, which thrive on misleading users about the consequences of their actions.

4) Limiting Data Collection:

  • Section 6 stipulates that consent should be limited to the personal data necessary for the specified purpose.
  • Dark patterns may attempt to collect more data than necessary, and this limitation acts as a safeguard against overreaching data collection practices.

5) Legal Consequences for Violations:

  • The DPDP Act likely includes penalties for non-compliance, creating a deterrent for entities engaging in dark pattern practices.
  • Knowing the legal consequences reinforces the importance of obtaining consent in accordance with the act’s provisions.

In simple words, the DPDP Act, 2023 directly addresses the tactics employed by dark patterns by establishing clear standards for obtaining user consent, promoting transparency, and limiting data collection. This contributes to the overall effectiveness of the Act in combatting deceptive practices in this digital age.

Criticism

The DPDP Act, 2023 intends to protect personal data, but potential challenges in its implementation arise both technically and logically, as Section 36 of this Act gives expansive authority to the central government to request such information from the Board or any data fiduciary. Further, the exceptions delineated for consent significantly empower the state and elevate state imperatives above those of private entities. While this can be justified in certain situations, such as disasters or emergencies, the law broadens the scope of such scenarios. For instance, Section 7(b) of the legislation allows the government to bypass consent requirements if a government service beneficiary has previously agreed to receive any other benefit from the state. While this facilitates smoother access to personal data for individuals receiving government services, it also empowers the government to bypass the law: it can retain personal information after fulfilling the intended use, and the government is exempted from purpose limitation.

In the case of processing of children’s data, Sections 9(1) to 9(3) outline particular requirements, including the necessity for parental consent and the prohibition of profiling. Here also, the government gets authority to exempt any business or category of businesses from Sections 9(1) to 9(3), “subject to such conditions, as may be prescribed.” Unfortunately, this provision lacks clarity on the criteria for granting exemptions and the process for determining conditions. The absence of clear guidance raises concerns about the potential misuse of this provision.

Moreover, Section 17(a) empowers the central government to exempt certain state facts from the stringent provisions related to personal data processing. Furthermore, the amendment of Section 8(1)(j) of the RTI Act by Section 44(3) of this Act disrupts the delicate balance between privacy and informational rights by expanding the authority of the PIO to potentially reject RTI applications citing personal data concerns.

Conclusion

Privacy is a fundamental right and is very precious in this digital age. Although the Act is all about privacy, no legal definition of privacy is given under the DPDP Act, 2023 or any other law in India. It remains debatable, and its meaning changes from person to person. Further, data fiduciaries must obtain consent before processing data; if a person declines to give consent, what will happen? Will he still be a beneficiary? Furthermore, the Act is all about personal data; what about non-personal data? Nowhere in this Act is non-personal data defined. Many provisions in this Act exempt the government, which creates a dilemma: is it still about protecting the data of citizens, or just a surveillance system of the government? Dark patterns can be combatted, but only to a limited extent, because there is no provision in this Act which directly talks about dark patterns. We need more laws related to the way data fiduciaries are going to obtain consent. Moreover, there is a problem in the structuring of the DPB. It operates as an autonomous body with restricted scope, and the government will establish procedures for appointing its members. Although the law defines qualifications for board members, it does not specify the board’s composition in terms of the number of members, mandating only one of them to be a legal expert. This particular stipulation presents an issue, given that one of the board’s primary responsibilities is to levy penalties and provide directives for noncompliance.

Aman Tiwari

Babu Banarasi Das University.


[1] Samuel D. Warren & Louis D. Brandeis, Right to Privacy, 4 Harvard Law Review 193, 195 (1890).

[2] Economic Diplomacy Division, https://indbiz.gov.in/india-had-over-700-mn-active-internet-users-by-dec-22-report (last visited Nov. 13 2023).

[3] Invest India, https://www.investindia.gov.in/sector/retail-e-commerce (last visited Nov. 13 2023).

[4] Christoph Bosch, Benjamin Erb & Frank Kargl, Tales from the Dark Side: Privacy Dark Strategies and Privacy Dark Patterns, 2016 Proceedings on Privacy Enhancing Technologies 237, 242-249 (2016).

[5] K.S. Puttaswamy v. Union of India, AIR 2017 SC 4161.

[6] The Indian Contract Act, 1872, § 14, No. 9, Acts of parliament, 1872 (India).

[7] Deceptive pattern, https://www.deceptive.design (last visited on Nov. 14 2023).

[8] Narayanan A, Mathur A, Chetty M & Kshirsagar M, Dark patterns: past, present, and future: the evolution of tricky user interfaces, 18 Queue 67-92 (2020).

[9] Ari Ezra Waldman, 31 Cognitive biases, dark patterns, and the ‘privacy paradox’, 3 Current Opinion in psychology. 105, 106-109 (2020).

[10] Perkins v. Linkedin Corporation, 53 F. Supp. 3d 1222 (2014).