Binding Guidelines or Just Soft Law? – Law School Policy Review

*Viraj Thakur

(Source: Dhyeya IAS)

The Central Consumer Protection Authority’s 2025 Advisory on dark patterns urges e-commerce platforms to conduct self-audits and submit self-declarations ensuring compliance with the 2023 Guidelines. However, ambiguity surrounds the binding nature of this advisory. This article investigates whether the advisory creates enforceable obligations under the Consumer Protection Act, 2019. Drawing on the Delhi High Court’s decision in NRAI v. Union of India, the piece argues that the advisory—though titled as such—derives binding force from its connection to the statutory 2023 Guidelines issued under §18(2)(l) of the Act. Nonetheless, a linguistic analysis suggests only the self-audit mandate is arguably binding, while the self-declaration requirement remains recommendatory. The article proposes structural and drafting reforms to avoid such interpretive confusion in future instruments. Ultimately, it attempts to show the need for regulatory clarity.

The Central Consumer Protection Authority (“CCPA”) issued the Guidelines for Prevention and Regulation of Dark Patterns, 2023 (“2023 Guidelines”) to protect consumers from dark patterns.

In furtherance of these guidelines, on 5 June 2025, the CCPA issued an advisory on dark patterns, titled “Advisory in terms of Consumer Protection Act, 2019 on SelfAudit by E-Commerce Platforms for detecting the Dark Patterns on their platforms to create a fair, ethical, and consumer-centric digital ecosystem” (“2025 Advisory”).

However, a perusal of the 2025 Advisory leaves at least one question unclear: is it binding on e-commerce entities? In this article, I explore potential answers to this question. First, I briefly explain what dark patterns are. Second, I touch on the 2025 Advisory itself, considering what it says and why its binding nature (or lack thereof) is contentious. Third, I elucidate on the recent Delhi High Court (“DHC”) judgement in National Restaurant Association of India v Union of India (2025) [III.A], considering how this may be used to argue that the entirety of the 2025 Advisory is binding [III.B]. However, I then present a more tenable construction that considers part of the 2025 Advisory binding and part of it merely recommendatory by analysing its language [III.C]. Finally, I consider how this ambiguity could have been avoided through cleaner drafting.

1. What are Dark Patterns?

Dark Patterns are user interface designs that mislead, manipulate, or coerce users into making decisions that they may not have made freely. The term was first coined by UX specialist Harry Brignull in 2010 and has since become a subject of regulatory concern.

Guideline 2(1)(e) of the 2023 Guidelines defines them as follows:

“[Dark Patterns] shall mean any practices or deceptive design patterns using UI/UX (user interface/user experience) interactions on any platform; designed to mislead or trick users to do something they originally did not intend or want to do; by subverting or impairing the consumer autonomy, decision making or choice; amounting to misleading advertisement or unfair trade practice or violation of consumer rights.”

These patterns are ubiquitous across digital marketplaces, exploiting cognitive biases to serve commercial interests. The CCPA itself notes certain practices that qualify as dark patterns, in Annexure 1 to the 2023 Guidelines. For ease of reference, a few examples may be referred to as follows:

2. What Is the 2025 Advisory About?

The 2025 Advisory notes that the 2023 Guidelines are being flouted regularly, as dark patterns have often been observed on e-commerce websites, particularly noted in the form of pre-ticked checkboxes. This vitiates true freedom of choice and consumer consent, in contravention of Rule 4(9) of the Consumer Protection (E-Commerce) Rules, 2020. Therefore, under §18 of the Consumer Protection Act, 2019 (“CPA”), to ensure consumers are protected from unfair trade practices, the Advisory in ¶5 issues the following:

1. “…all e-commerce platforms are advised to take necessary steps to ensure that their platforms do not engage in such deceptive and unfair trade practice which are in the nature of Dark Patterns.
2. “Inter-alia, all e-commerce platforms are advised to conduct self-audits to identify dark patterns, within 3 months of the issue of this advisory, and take necessary steps to ensure that their platforms are free from such dark patterns.
3. The e commerce platforms, based on the self-audit reports, are also encouraged to give self-declarations that their platform is not indulging in any dark patterns.” (emphasis supplied)

The use of terms “advised”, “encouraged”, etc. throws up ambiguities as to the binding nature of this Advisory. In fact, the use of the term “Advisory” for the notification itself renders the question of mandatoriness (or lack thereof) contentious.

3. Is the Advisory Binding?
1. The DHC Ruling and History of the CCPA

To answer this question, it is necessary to advert to the structure and history of the CCPA.

The CPA in 2019 introduced a structural shift from the older regime by specifically creating the CCPA under §10. As per §10(1), the goal of the CCPA is to “regulate matters relating to violation of rights of consumers, unfair trade practices and false or misleading advertisements which are prejudicial to the interests of public and consumers and to promote, protect and enforce the rights of consumers as a class.”

§18(1) then expands on this, listing enforcement responsibilities, such as to prevent consumer rights violations, stop misleading advertisements, and guard against unfair trade practices. Thus, the CCPA fills an institutional void by ensuring that some authority can intervene to protect consumer interests when necessary. As the Statement of Objects and Reasons behind the 2019 CPA notes, this was especially important given the rise of e-commerce and digital transactions in a globalising economy.

Of particular interest in the instant case, however, is §18(2)(l). This provision expressly empowers the CCPA to “issue necessary guidelines to prevent unfair trade practices and protect consumers’ interest.” Given that the word used herein is “guidelines,” there is some degree of ambiguity over whether guidelines issued pursuant to this section would be binding.

The DHC, in National Restaurant Association of India v. Union of India (“NRAI”) interpreted this provision in decisive terms. The impugned guidelines in that case, issued by the CCPA in 2022, sought to curb the practice of mandatory service charges levied by restaurants. The DHC in ¶55 observed that the CCPA is empowered to take two kinds of actions: soft measures as well as tough measures.

The DHC lists soft measures in ¶56, noting that these include power to review matters relating to consumer rights such as via research (§18(2)(d)), recommending adoption of international covenants and best practices (§18(2)(e)), spreading and promoting awareness (§18(2)(g)), encouraging NGOs and other such bodies to cooperate with consumer protection agencies (§18(2)(h)), advising the government and relevant ministries on matters relating to consumer welfare (§18(2)(k)), and issuing safety notices to consumers with respect hazardous goods or services (§18(2)(j)).

But where does this soft law end? As in ¶57, with the use of “Enforcement Powers.” This includes, inter alia, its right to file complaints before the consumer commissions to protect consumer interests (§18(2)(b)), intervene in proceedings before the commissions (§18(2)(c)), its power to issue guidelines under §18(2)(l), conducting a preliminary inquiry to ascertain if there has been a violation of consumer rights and if there is such a prima facie case then to cause an investigation to be undertaken by the Director General/District Collector (§19), etc. Under §20, the CCPA can cause any practice violating consumer rights to be ceased after affording a hearing. Under §88, non-compliance with the same can attract the punishment of imprisonment. The enforcement procedure under the CPA can be summarised as follows:

Step	Mandate of the Central Consumer Protection Authority
1	Ascertain whether a trade practice is an ‘unfair trade practice’ within the contours of §2(47) of the CPA.
2	Issue necessary guidelines under §18(2)(l) of the CPA to prevent such unfair trade practices.
3	Refer the matter for investigation by the Director General, District Collector, or any Regulator under §19 of the CPA.
4	On the basis of investigation, if satisfied that there is a violation of consumer rights, pass directions under §20 of the CPA.
5	Non-compliance with directions under §20 warrants punishment as specified under §88 of the CPA.

Thus, as the DHC observes:

“62. The CCPA is, thus, not merely a recommendatory or advisory body. Under Section 18(2)(l) of the CPA, 2019, it has the power to issue guidelines and such guidelines ought to be for preventing unfair trade practices and for protecting consumers’ interests.” (emphasis supplied)

     In ¶¶66-73, the Court disregarded contentions to the contrary that relied on precedents from before 2019, asserting that guidelines under §18(2)(l) have specific statutory backing under the new CPA (2019). Thus, CCPA Guidelines would be law within the meaning of Article 13 of the Constitution of India (¶73) and the nomenclature “guidelines” would not be sufficient to dilute the binding nature of the guidelines pertaining to service charge (¶75).

III.B. Why the 2025 Advisory May be Argued to be Binding in Its Entirety

Flowing directly from the dicta of the DHC in NRAI, it is clearer to argue that the 2025 Advisory is binding than not.

The 2025 Advisory is not a sui generis instrument issued in isolation. A plain reading of the 2025 Advisory clarifies that it is intended to be in furtherance of the 2023 Guidelines.

Issued in direct response to violations of the 2023 Guidelines, especially those involving pre-ticked checkboxes, it builds upon a framework already deemed binding under §18(2)(l). Therefore, it operationalises a pre-existing substantive prohibition. Ignoring it would render the CCPA powerless to ensure compliance even in the face of known systemic violations, frustrating both the legislative scheme and judicial guidance. Therefore, any reading of the 2025 Advisory cannot be divorced from this context.

The 2023 Guidelines were issued by the CCPA under §18(2)(l) of the CPA, and unequivocally classify certain design practices as “unfair trade practices” under §2(47), prohibiting them under ¶4. The ratio of the DHC in NRAI applies squarely to the 2023 Guidelines, leaving no doubt that they are binding.

Thus, when the 2025 Advisory instructs platforms to identify and eliminate dark patterns, it is not introducing a fresh set of obligations. Instead, it is reinforcing an existing statutory obligation already recognised as binding under the CPA. In other words, the 2025 Advisory is located within  the continuum of prior binding norms. The requirement to conduct self-audits, for instance, can be read as a step necessary to ensure the enforcement of the 2023 Guidelines.

Again, the mere nomenclature of the 2025 Advisory being labelled as such cannot override this. The nomenclature of an instrument is subordinate to its source of power and legislative intent. Just as the guidelines pertaining to mandatory service charge therein, though titled “guidelines,” were held binding, the 2023 Guidelines would also be binding – and similarly, the Advisory inherits the same force.

In sum, the 2025 Advisory supplements the 2023 Guidelines, therefore deriving statutory force from these guidelines and the CPA. It is binding not because it independently declares itself so, but because it is situated within a regime requiring compliance.

III.C. An Alternative Reading: Partial Binding Based on Language and Structure

While the above interpretation is doctrinally sound and arguably compelled by precedent, a narrower reading is not entirely without merit. I argue that a closer reading of the 2025 Advisory must be carried out.

Unlike the categorical language of the 2023 Guidelines of, the 2025 Advisory uses softer formulations. For instance, as opposed to the frequent usage of “shall” in the 2023 Guidelines and the contested guidelines in NRAI, the 2023 Advisory uses terms such as “advised” and “encouraged.”

Moreover, the fact that it is labelled as an “advisory” instead of a “guideline” means that the nomenclature is at least indicative, demonstrating that the CCPA intended to depart from earlier “guidelines.” One could argue, therefore, that while the CCPA acts under binding authority, it has chosen not to exercise that power to its full extent in this instance.

This aligns with the Supreme Court’s (“SC”) position in Shivam Chaudhary v. AICTE (2023). Therein, though the SC held that AICTE (All India Council for Technical Education) guidelines are generally only recommendatory (¶18), even if they were assumed to be generally directory, the language of the particular guidelines must be read (¶19). Therefore, the use of phrases like “can be considered” in the relevant Regulation was held to indicate the recommendatory nature of the particular guidelines, even assuming that the AICTE would have the power to generally issue binding guidelines. In essence, in Shivam Chaudhary, the Court has cautioned against treating all regulatory documents as binding simply by virtue of their source – the language and structure also matter. To put it even more succinctly, as held by the Karnataka HC in S.A. Ram Prakash v. State of Karnataka (2015), “merely because Guidelines have a statutory force, does not mean that the Guidelines are mandatory” (¶10).

Therefore, considering the respective ratio decidendi of NRAI and Shivam Chaudhury, with respect to the 2025 Advisory, it is clear that 3 directions emerge for consideration:

1. The directive to refrain from dark patterns, in the first sentence of ¶5.
2. The self-audit directive, specifying a three-month deadline for the same and advice to “take necessary steps” to ensure dark patterns are no longer present on their platforms, in the second sentence of ¶5.
3. The “encouragement” to file self-declaration forms that their platform is not indulging in dark patterns, in the third sentence of ¶5.

Preliminarily, it is submitted that the title of the 2025 Advisory as such is only an indicative factor. The holding in NRAI must not be read to mean that the nomenclature is irrelevant. Instead, as averred to above, it is an indicative factor – and there is a clear distinction between the use of the title “Guidelines” (as in NRAI) and “Advisory” (as here). Hence, in the present case, it is submitted that the use of the phrase “Advisory” holds some weight in tilting the balance between binding and non-binding, but is not a conclusive factor in and of itself. Therefore, if the intent is clear from the language of the relevant directions and the statutory framework, the nomenclature cannot dilute the binding nature of the directions (¶75, NRAI). However, if this is not the case and there is a degree of ambiguity, the nomenclature of the directions can be a relevant factor to assess the nature of the directions. 

Keeping this in mind, what does the language of the 2025 Advisory say? My ultimate submission is that of the three directions, only the third lacks any indicia of enforceability.

Of the three, the first is a plain reiteration of existing binding rules on Dark Patterns. The second direction is framed more softly. It uses the term “advised,” but clearly prescribes a timeline and a direction to conduct a self-audit. The CCPA saw fit to provide a clear timeline for a self-audit, and clearly sees this self-audit as a measure that can ensure that the 2023 Guidelines are sufficiently followed. Therefore, as submitted above in III.B, this direction must be seen as binding. There being little doubt at this stage, there is no need for a recourse to the nomenclature of the directions as an “Advisory.”

The third direction, however, uses the word “encouraged,” and imposes no deadline or consequence. Moreover, it merely provides for the submission of a self-declaration form. It is difficult to see how this may be construed as binding. In other words, this portion lacks the hallmarks of enforceability. Herein, the fact that the directions are collectively referred to as “Advisory” would be the final nail in the coffin, making it clear that the third direction is non-binding.

Thus, even within a binding framework, there may be room for partial flexibility. This construction respects the statutory mandate clarified in NRAI, while acknowledging that not all content within a guideline or advisory is necessarily coercive.

IV. How can you avoid such ambiguity?

However, before closing this piece, it is submitted that there should not be a necessity for entities to have to grapple with uncertainty and ambiguity in circulars and notifications. Such ambiguity hinders the ease of doing business, in the absence of clarifications. Therefore, in this section, I briefly consider potential steps the CCPA could have taken (or may still take!) to clarify the nature of the 2025 Advisory as binding or non-binding.

1. The consequences of non-compliance are not stated. The advisory makes no reference to §88 of the CPA or any other punitive provision. This is a significant omission.
2. Additionally, the language used is non-committal. Terms such as “encouraged” and “advised” reduce the clarity of obligations. In fact, the CCPA’s internal inconsistency in language – shifting between “advised,” “encouraged,” and “ensure” – impedes interpretive clarity.
3. The 2025 Advisory could have stated that non-compliance with the 2023 Guidelines may attract action under §§19 and 20. If certain directives are to be binding, they must be stated in categorical terms, preferably accompanied by a reference to the legal provision they are implementing or enforcing. Along these lines, the structure of the Advisory could have explicitly bifurcated its contents into two heads: (a) mandatory compliance steps under statutory authority; and (b) recommended best practices. This structural clarity would have allowed regulated entities, consumers, and enforcement bodies to clearly distinguish between what is required and what is merely aspirational.
4. Moreover, what follows the audit? To whom must platforms submit their declarations? What format should they use? No process for review, verification, or follow-up has been delineated. There are no annexures or templates prescribing a format for self-declaration, or even an indicative checklist.
5. Finally, the choice of the title “Advisory” may have seemed innocuous, but it introduces avoidable confusion. Given that the CCPA’s power under §18(2)(l) is binding in nature, any document seeking to operationalise it must avoid titles suggestive of soft law, unless the CCPA explicitly intends for the instrument to be non-binding.

In conclusion, the 2025 Advisory reflects a clear attempt to operationalise binding guidelines through internal mechanisms like audits and declarations. However, the absence of legislative discipline in language and structure risks diluting its enforceability in practice. For a body with statutorily backed powers, the CCPA must be held to a higher drafting standard, especially when the consequences of non-compliance engage statutory penalties.

V. Conclusion

The 2025 Advisory on dark patterns reflects a growing concern with deceptive online practices. It is framed as a continuation of the binding 2023 Guidelines. However, it lacks the formal rigour required of a directive that intends to enforce compliance.

While courts have held that guidelines issued under statutory authority carry binding force, the phrasing of the Advisory dilutes its effect. In the author’s view, the 2025 Advisory is binding to the extent it reiterates obligations under the 2023 Guidelines and requires a self-audit, but not to the extent it requires self-declaration forms.

However, the 2025 Advisory does not mention punitive consequences. Nor does it set out any enforcement framework. In the absence of such clarity, businesses are left guessing whether compliance is expected, encouraged, or optional. This is not a mere academic debate. If entities must guess whether “advisories” carry force, compliance weakens. Enforcement becomes selective. Consumer harm persists. To prevent numerous conflicting interpretations, it is submitted that the CCPA ought to ensure clearer drafting to ensure the ease of doing business and to further its own aim i.e. protect consumer interests by ensuring compliance.

---

*Viraj is a third year BA.LLB student at National Law School of India, Bangalore