Consumer protection authority fines PhysicsWallah and McAfee for dark patterns

Tech News


  • CCPA’s McAfee order can be accessed here.
  • CCPA’s PhysicsWallah order can be accessed here.

The Central Consumer Protection Authority (CCPA) fined PhysicsWallah (PW) Limited Rs 5,00,000 on June 1, 2026 and McAfee Software India Private Limited Rs 1,00,000 on May 20, 2026 for deploying dark patterns prohibited under the 2023 dark patterns guidelines.

Dark patterns are interface designs that trick or nudge users into choices they did not intend to make. Both companies fixed their interfaces after receiving notices. The CCPA penalised them anyway.

What did McAfee do?

  • Its subscription renewal prompt offered only “Accept Risk” or “Renew Now,” with no neutral “Cancel” or “Skip” option.
  • “Accept Risk” appeared in subdued grey, while “Renew Now” was displayed with a prominent red background.
  • The close button did not appear in the screenshot of the interface placed on record.
  • Advocate Krishna Nigam triggered the case with a representation to the CCPA on September 1, 2025.
  • McAfee recorded 3,55,133 renewals during January to December 2025, substantially while the interface was live.

McAfee modified the interface on December 16, 2025, after the CCPA’s notice, replacing “Accept Risk” with “Skip” or “No, thanks.”

What did PhysicsWallah do?

The CCPA opened this case on its own (suo motu) after reviewing pw.live and the PW app, and found three problems:

  • A pre-ticked “Donate for PW Foundation” checkbox added Rs 10 to each transaction unless the user unticked it. It ran from February 14, 2024 to December 24, 2025 and collected roughly Rs 2.47 crore from over 21,36,962 users.
  • Clicking “Know More” beside the donation displayed messaging about funding marriages for needy people, children’s education, and healthcare for underserved communities, along with a claim of “58K+ beneficiaries”.
  • Courses advertised as “free” required users to disclose their mobile number and email address to gain access. This condition was not stated upfront, and some content remained locked even after enrolment.

The CCPA inspected the platform on December 22, 2025, after PW claimed it had already fixed the interface, and found that the donation remained pre-selected by default.

Which dark patterns do these fall under? The CCPA found that McAfee’s renewal prompt triggered four prohibited patterns, while PW’s checkout process triggered three.

McAfee:

  • Confirm shaming: Using words, video or audio to create fear, shame, ridicule or guilt to nudge a user into buying or continuing a subscription. “Accept Risk” framed declining renewal as accepting danger.
  • Interface interference: A design element that highlights some information while obscuring other relevant information to misdirect the user. “Renew Now” got a prominent red treatment, while the opt-out option appeared in subdued grey.
  • Trick question: Deliberately confusing or vague wording that misleads a user about what an option actually does. The CCPA held that “Accept Risk” distorted what declining renewal actually meant.
  • Forced action: Forcing a user to buy additional goods, subscribe, or share personal information to access the service they originally wanted. The prompt left no neutral exit.

PhysicsWallah:

  • Basket sneaking: Adding items, charges, charity contributions, or donations at checkout without consent, causing the total payable amount to exceed the price of what the user selected. The pre-ticked Rs 10 donation fell into this category.
  • Confirm shaming: The emotionally charged donation messaging shown during checkout pressured users to retain the donation through guilt.
  • Forced action: PW conditioned access to “free” courses on users providing their mobile number and email address, personal data they had to share to obtain the service they originally intended to access.

What was the CCPA’s reasoning?

McAfee:

  • The CCPA rejected McAfee’s claim that “Accept Risk” merely described the factual consequence of antivirus protection lapsing, holding that the wording manufactured fear rather than informed consumers.
  • It found that the visual asymmetry, a prominent red renewal button contrasted with a greyed-out opt-out option, steered consumers regardless of the literal wording. “Reliance upon the technological literacy of users cannot justify interface designs which are capable of nudging or manipulating consumer decision-making through visual prominence, fear-based wording or asymmetrical presentation of options,” the order said.
  • The authority distinguished the earlier InterGlobe Aviation (IndiGo) case, which McAfee relied upon, where no penalty followed similar corrective actions, citing the findings of its investigation and the scale of deployment in the present case.
  • It also rejected McAfee’s argument that the absence of consumer complaints during 2025 demonstrated a lack of harm. According to the authority, dark patterns work precisely by suppressing overt objection while steering behaviour, so silence cannot be interpreted as consent.

The CCPA held that McAfee violated Sections 2(28) (misleading advertisement) and 2(47) (unfair trade practice) of the Consumer Protection Act, 2019, as well as the E-Commerce Rules, 2020, and the Dark Patterns Guidelines.

PhysicsWallah:

  • On the donation feature, the authority held that visibility is not consent. Rule 4(9) of the Consumer Protection (E-Commerce) Rules, 2020, requires explicit and affirmative consumer action. A pre-ticked box that a user must actively remove therefore fails that standard, regardless of how clearly the charge is displayed.
  • On the data collection requirement, the CCPA created multiple test accounts, found that the “free” course content remained identical across all of them, and concluded that the mobile number and email address served no personalisation purpose.
  • It rejected PW’s comparison with government platforms DIKSHA (Digital Infrastructure for Knowledge Sharing, a national school education platform) and SWAYAM (Study Webs of Active Learning for Young Aspiring Minds, a government platform for online courses). The authority found that DIKSHA does not advertise courses as “free” in the same manner as PW, while SWAYAM requires login credentials for assessment and certification purposes, not for unrestricted access to course content.
  • The CCPA also rejected PW’s argument that a 63.9% opt-out rate demonstrated transparency and free choice. It held that an opt-out rate cannot validate a design that required users to take active steps to undo a charge they never chose in the first place.

The authority found that PW violated Sections 2(9) (consumer’s right to be informed and protected against unfair trade practices), 2(28) (misleading advertisement), and 2(47) (unfair trade practice) of the Consumer Protection Act, 2019, along with the E-Commerce Rules, 2020, and the Dark Patterns Guidelines.

So what counts as consent now? Taken together, the two orders draw a clear line:

  • A pre-ticked box that the user must actively remove does not amount to consent, regardless of how visible the charge is.
  • A supposedly neutral opt-out option displayed less prominently than the preferred option does not constitute a fair choice.
  • A high opt-out rate does not validate a manipulative default design.
  • Mandatory data collection as a condition for accessing a “free” service is not legitimate unless the platform can demonstrate that the data is genuinely necessary for providing that service.

What should platform teams take away?

  • A post-notice fix does not erase liability. Both companies modified their interfaces during the proceedings and claimed good faith, yet both were penalised.
  • A pre-selected charge, however small or charitable, requires affirmative opt-in consent rather than opt-out consent.

Is the penalty big enough to deter?

  • These orders follow Zepto’s Rs 7 lakh fine in December 2025 and signal that the CCPA is now imposing monetary penalties rather than settling for voluntary fixes, as it did in earlier cases involving IndiGo and BookMyShow.
  • The orders come against the backdrop of a LocalCircles audit that found 97% of India’s 290 major online platforms still use dark patterns despite the guidelines.
  • Section 21 of the Consumer Protection Act allows penalties of up to Rs 10 lakh for a first violation and up to Rs 50 lakh for each subsequent violation. Both fines remain well below those limits. PW reported revenue of Rs 2,495.61 crore in FY 2024–25, making its Rs 5 lakh penalty roughly 0.002% of annual revenue.

Whether penalties this far below the statutory ceiling can effectively deter platforms operating at such scale is a question that the CCPA’s own enforcement approach now raises.

Both orders direct the companies to stop all dark patterns across their platforms, websites, and apps; pay the penalty; and submit a compliance report within 15 days.

Also read:



Source link

Recent Articles

spot_imgspot_imgspot_imgspot_img

Related Stories

Tech News

AI boom creates connectivity challenge for integrators

BuzzingTechNews.com -
Tech News

UK mandates Google to attribute publishers in AI search results

BuzzingTechNews.com -
Tech News

Sam Altman and Dario Amodei Agree for Once, Sign Letter Against AI-Assisted Bioweapons

BuzzingTechNews.com -
Tech News

SpaceX’s IPO Could Make Some Trump Administration Officials Even Richer

BuzzingTechNews.com -
Tech News

Shokz upgraded its open earbuds with better sound and a lighter design

BuzzingTechNews.com -
Tech News

‘Evil Dead Burn’ Director on How His Franchise Entry Will Blaze Its Own Trail

BuzzingTechNews.com -

@2026 – All Right Reserved. Designed and Developed by BuzzingTechNews.com