Legal Implications of Manipulative Subscription Cancellation Flows – NUALS Law Journal

Meghna Jain

Introduction

The digital age has transformed our world, not just in terms of human connection but also accessibility. This fast-paced, consumer-driven environment has seen the rise of subscription models, free trials, and auto-pay services, often offered through mobile apps. While these services offer convenience, they also present opportunities for manipulative design practices, commonly known as ‘dark patterns’. This paper focuses specifically on ‘exit architecture’, referring to the design of cancellation processes for these subscription services. The author argues that manipulative exit architecture, often employing the ‘Roach Motel’ mechanism. Much like the Eagles warned us about the Hotel California, today’s digital landscape has created its own ‘places you can never leave’ – not through mystical forces, but through deliberately engineered user interfaces.

This blog explores the psychological underpinnings of dark patterns, analyses Western regulatory approaches, delves into the specific challenges of the Indian context, draws a comparative analysis, and lastly offers concrete recommendations for improving the regulatory framework.

Psychology of Dark Patterns

Dark patterns are manipulative user interface designs that benefit companies by coercing, steering, or deceiving users away from desired alternatives. These patterns exploit cognitive biases and decision-making tendencies, subtly influencing user behavior even when information is ‘technically disclosed’. They capitalize on predictable human responses, often without users even realizing they are being manipulated which undermines human agency. Several categories of dark patterns exist, including:

• Obstruction which involves  a process more difficult than it needs to be, such as requiring multiple steps or hiding cancellation buttons. This directly relates to exit architecture, making unsubscribing intentionally cumbersome.
• Preselection wherein Options to subscribe or agree to trial packs are pre-selected, often agreeing to promotional emails or recurring charges without explicit user consent. This can ‘lock-in’ users before they even realize they’ve subscribed.
• Forced Action which  requires users to perform an unwanted action, such as sharing personal data or agreeing to receive marketing emails, before they can complete a desired action, like unsubscribing.
• Interface Interference which disrupts the user experience with unexpected pop-ups, warnings, or other distractions, making it difficult to focus on the task at hand, such as canceling a subscription.
• Misdirection by using confusing language, visual cues, or layout to mislead users into making unintended choices. This is often used in exit architecture to make cancellation options less prominent or more difficult to find.

These activities exploit cognitive biases such as loss aversion by framing cancellation as a ‘loss’ thereby making users more hesitant to unsubscribe or status quo bias where users tend to stick with the default option, even if it is not in their best interest. Some examples of these include subscription renewals by default Another prominent cognitive bias is that of  inertia where users often procrastinate or forget about tasks, especially if they are perceived as difficult or unpleasant, making the user postpone cancellation indefinitely. These instances emphasize how dark patterns exploit these cognitive leanings subtly influencing consumer choices despite providing them choices at face value.  This necessitates creation of a regulatory framework beyond mere information disclosure, addressing the manipulative design elements themselves. Herein, an argument is made for a nuanced consumer protection approach that considers the ‘choice architecture’ within  which consumers make decisions.

Western Regulatory Approaches

Countries within the Global West are increasingly recognizing the problem of dark patterns, particularly after a document leak by a business insider which revealed that consumers were involuntarily enrolled in Amazon’s subscription services and paying for it. This however, is not limited to big tech companies but is prevalent within online discourse forums where consumers find it difficult to cancel their subscriptions and feel ‘locked in’. One of the entities, complaining against Amazon, specified how the process is made decidely cumbersome, at it takes six clicks to cancel an average subscription. T This disproportionately impacts older consumers and those suffering from memory problems, as they are the primary targets of these indefinite subscriptions.

In 2023, the Federal Trade Commission (‘FTC’) amended the requirements for businesses by mandating disclosure regarding details about subscription, obtaining customers’ consent before charging them and specifying a simple method to cancel the subscriptions.  The ‘Automatic Renewal’ Act amended by California brought an online cancellation provision i.e. to allow for online cancellation if online subscription is allowed; this has been adopted by half of the states in the United States of America (‘USA’).  In Europe, the EU Data Act prevents businesses from incorporating practices that impair user autonomy or choices through dark pattern mechanisms.  The EU Digital Services Act (‘DSA’), defines dark patterns and explicitly prohibits its incorporation in business practices. While DSA broadly prohibits dark patterns across all user interactions with online services (e.g., signing up, content choices, ad settings). The Data Act specifically targets dark patterns that impair user autonomy or choices related to their data access and sharing rights. The UK, through the Competition and Markets Authority (‘CMA’) launched an investigation into subscription traps and loyalty penalties in 2019 and published guidelines to make auto-renewing contracts easy to understand and exit.  Post 2022, the CMA has been given more authority to deal with such companies that engage in such dark patterns. Meanwhile, the UK’s Digital Markets, Competition and Consumers Bill (DMCC Bill) that is currently submitted to the Legislature, empowers the CMA to tackle similar issues. It addresses dark patterns via its prohibition on ‘misleading actions,’ ‘misleading omissions,’ and ‘aggressive practices’ in consumer protection. Further, in regards to subscription contracts, the DMCC Bill mandates clear pre-contract information, regular reminder notices, easy cancellation processes, and cooling-off periods to combat ‘subscription traps’ and auto-renewal issues.

The Indian Context

Regulatory Framework in India

India’s approach to the evolving landscape of technology, while demonstrating commitment, has lacked a certain degree of radicalism. While digital data protection is addressed within the framework of the Information Technology Act, 2000, particularly concerning sensitive personal data, the subtle nuances of ‘dark patterns,’ and more specifically, exit architecture, remain largely unaddressed. The introduction of the Consumer Protection Act offers a foundation for mitigating unfair trade practices. Section 2(g), defines ‘deficiency’ as a fault or inadequacy, extends to the ‘manner of performance’ required by law. Furthermore, the objectives of the Central Consumer Protection Council under Section 6 encompass the right to seek redressal against restrictive trade practices, including those manipulating conditions of delivery. However, while the definition of restrictive trade practices includes conditions of delivery, it fails to adequately capture the psychological nuances of manipulative design employed in technological advancements, particularly concerning simplified exit processes. Although obligations exist regarding quality, the mandated cancellation process has not kept pace with the increasingly sophisticated techniques employed by websites.

Guidelines for Prevention and Regulation of Dark Patterns, 2023

The Central Consumer Protection Authority’s (‘CCPA’) Guidelines for Prevention and Regulation of Dark Patterns, 2023 represent a significant stride in addressing this issue, prohibiting thirteen specific dark patterns and outlining corresponding penalties. This is the most direct attempt to date to address this issue by specifically identifying dark patterns. It meticulously defines dark patterns as UI/UX deceptions undermining user autonomy, applying broadly to platforms, advertisers, and sellers in India. A key strength is Annexure 1, specifically detailing types like ‘False Urgency,’ ‘Basket Sneaking,’ ‘Confirm Shaming,’ ‘Forced Action,’ and ‘Subscription Trap,’ offering concrete examples for compliance and enforcement.

The ‘False Urgency’ dark pattern deceptively creates a sense of immediate scarcity or limited time, pressuring users into quick, often impulsive, purchases. ‘Basket Sneaking’ involves surreptitiously adding extra items, services, or donations to a user’s cart or final bill without their explicit consent during checkout. ‘Confirm Shaming’ manipulates users through language, visuals, or audio to instill guilt, fear, or shame, nudging them into a specific choice like opting in or purchasing. ‘Forced Action’ compels users to undertake additional or unrelated actions, such as subscribing to a newsletter or downloading an app, to complete their original desired task. Lastly, ‘Subscription Trap’ refers to practices that make cancelling a paid subscription unduly difficult, complex, or hidden, or deceptively collect payment details for supposedly free services.

Judicial Interpretations

The Delhi High Court’s ruling in Anil Kapoor v. Simply Life India on September 20, 2023, is a landmark decision concerning personality rights and online deception. Actor Anil Kapoor successfully sought an injunction against the unauthorized commercial exploitation of his image and persona, which were used for false endorsements, selling merchandise, and creating deep fakes, among other misleading practices. A key aspect was the plaintiff’s argument that these deceptive tactics constituted ‘dark patterns,’ designed to ‘mislead and trick consumers, and subvert or impair their decision-making skill.’ The Court, perusing India’s Draft Guidelines for Prevention and Regulation of Dark Patterns 2023, acknowledged this contention. While the injunction primarily rested on personality rights, the judgment’s reference to dark patterns highlighted the judiciary’s recognition of sophisticated online manipulative practices. Similarly, in Pankaj Chandgothia v. The Coffee Bean & Tea Leaf, requiring personal data as a precondition for service (in that case, adding a consumer to a coffee company’s database) was considered a violation.

In the Flipkart case, a consumer received a defective mobile handset misrepresented as new, encountering significant difficulties resolving the issue. Flipkart initially dismissed refund/replacement requests by citing an ‘open-box delivery’ policy, attempting to evade responsibility. The consumer’s inability to easily exit this faulty transaction, despite receiving a misrepresented product, strongly aligns with ‘exit architecture’ issues, a facet of dark patterns. The Commission rejected Flipkart’s intermediary defense, finding the e-commerce giant liable for ‘deficiency in service’ and ‘unfair trade practice.’ Though the judgment didn’t explicitly use the term ‘dark pattern,’ its ruling implicitly interprets practices that obstruct a consumer’s right to dissatisfaction or hinder problem resolution as unfair. The court’s emphasis on platforms upholding consumer trust and ensuring effective grievance redressal highlights that difficult post-purchase processes—like frustrating returns or inadequate support—can constitute manipulative practices akin to ‘interface interference’ or ‘subscription traps,’ trapping consumers in unfavorable situations. This decision underscores the judiciary’s expanding view on manipulative designs throughout the entire consumer journey.

Challenges in Indian framework

The CCPA guidelines, while a welcome step, require a more granular examination, particularly concerning enforcement mechanisms. While the guidelines prohibit specific dark patterns, the efficacy of their enforcement hinges on several factors. Firstly, the capacity and resources of the CCPA to monitor and investigate potentially deceptive practices across the vast digital landscape of India must be considered. The sheer volume of online transactions and the rapid evolution of dark pattern techniques pose a significant challenge. This necessitates a strategic shift towards proactive collaboration and resource sharing with existing specialized regulatory bodies is crucial.

Instead of solely burdening the CCPA with exhaustive monitoring, agencies like the Reserve Bank of India (RBI) could take a lead on financial dark patterns (e.g., hidden charges in digital payments, deceptive loan interfaces), given their domain expertise. Similarly, the Ministry of Electronics and Information Technology (MeitY) could focus on broader platform-level design issues and data privacy aspects, while the Advertising Standards Council of India (ASCI), with its well-established self-regulatory mechanism, could enforce against disguised advertisements and misleading claims that manifest as dark patterns. This decentralized, yet coordinated, approach would leverage existing expertise and infrastructure, significantly broadening the regulatory footprint without overburdening a single entity.

Secondly, the guidelines rely heavily on consumer complaints as a trigger for investigation. This raises concerns about awareness among consumers, particularly those who are less digitally literate, regarding what constitutes a dark pattern. A proactive approach by the CCPA, involving regular audits and scrutiny of online platforms, is crucial.

Furthermore, the definition of some dark patterns within the guidelines could benefit from greater clarity. For instance, the prohibition of ‘forced continuity’ requires careful interpretation to distinguish it from legitimate subscription renewal practices. Vague definitions can lead to ambiguity in enforcement and potentially stifle legitimate business practices. The guidelines also lack specific provisions regarding the burden of proof in dark pattern cases. Clarifying whether the onus lies on the consumer to demonstrate manipulative intent or on the platform to prove the legitimacy of its design choices is essential for effective enforcement.

Comparative analysis of Western and Indian approaches

A key difference between Western and Indian legal frameworks lies in their approach, wherein Western legal systems often consider such activities as market failures affecting competition whereas Indian law, while focusing on preventing misinformation, does not ascribe such specificity to a particular industry or service. This emphasis on information asymmetry, though important, overlooks the psychological mechanisms at play. This focus, while crucial, does not fully capture the psychological manipulation inherent in many dark patterns as they exploit cognitive biases, influencing user behaviour even when information is technically disclosed.

This necessitates a shift in regulatory focus, moving beyond mere information disclosure to address the manipulative design elements themselves. For instance, the user – interface (‘UI’) manipulations that diminish the visibility of cancellation options, or the strategic placement of ‘confirm’ buttons to encourage unintended purchases, require specific regulatory attention. Teerling in his paper ‘The Multilevel Nature of Customer Experience Research’. argues that a more nuanced approach to consumer protection is needed, one that considers the ‘choice architecture‘ within which consumers make decisions. A ‘one-size-fits-all’ approach may not be effective in addressing the diverse challenges posed by dark patterns in India. The CCPA needs to engage with consumer advocacy groups, industry stakeholders, and behavioral economists to develop a comprehensive understanding of the specific dark patterns prevalent in the Indian market and their impact on different consumer segments.