
Building Case for Standardizing DPDPA Consent Notices

Why India’s data protection regime needs a design framework, not just legal text

The DPDPA marks a watershed moment for the data rights of 1.4 billion citizens with diverse backgrounds, education and understanding. For the first time, Indian citizens have a structured legal framework that governs how organizations collect, process, and use their personal data. The published rules mandate that consent notices be specific, clear, and itemized, a commendable legal standard. But there is a dangerous gap between what the law says and what is actually appearing on screens across India.

Glance at any major organization’s digital compliance rollout today and you will witness what can only be described as design anarchy. Many organizations are spinning up their own interpretation of what a DPDPA consent notice should look, feel, and read like. Buttons are coloured arbitrarily; fonts are chosen without consideration for legibility or hierarchy. Agree and disagree options are weighted against each other in ways that nudge rather than inform, and the most concerning part is that the language of consent is vague and varies wildly from organization to organization. This is not an aesthetic problem but a rights problem, and it demands urgent attention from regulators, designers, and civil society alike.

To understand why standardization of DPDPA notices matters, we must first understand the failure mode it is trying to avoid: cookie notice fatigue.

Since the advent of GDPR in Europe and its global influence, internet users have been bombarded with cookie consent banners on every website, every app, and every accidental visit to a website. The result is well documented in behavioural psychology as the phenomena called “decision fatigue” and “habituation”.

When users encounter the same type of disruptive prompt repeatedly, their brain stops processing it as meaningful. They click “Accept” not because they have made an informed decision, but because the banner has become cognitive noise.

Research from the University of Michigan and studies published in the Journal of Cybersecurity have consistently shown that users click through consent mechanisms in under two seconds on average, far too fast for any meaningful comprehension to occur, thereby reducing the consent action to a ritual rather than a decision.

DPDPA notices are categorically different from cookie notices. They will not be triggered simply by visiting a website but at the moment of a genuine data transaction: when you apply for a loan, register a new account, create a profile on a matrimonial site, apply for a job, submit a request on a contact-us page, or share sensitive personal data with a financial institution. These are high-stakes moments where personal data is collected, and the information being shared is not browsing behaviour; it is biometric data, financial records, health information, location history, and more.

If DPDPA notices look, feel, and behave like cookie notices, users will treat them the same way and click through like “Cookie Zombies”. The legal consent will be captured, but the informed consent, the kind the DPDPA envisions, will be entirely absent. This is not a hypothetical risk but a design certainty, and it must be addressed before the pattern becomes entrenched.

What Is Currently Happening with DPDPA Notices?

Organizations that have started to rush towards DPDPA compliance are making a series of well-intentioned but deeply problematic design choices. Some of the observed trends are highlighted below:

1/ Arbitrary Colour Coding of Consent Buttons – In a compliant design, the visual weight of the “I Consent” and “I Do Not Consent” buttons should be equal. Equal weight communicates equal choice, a foundational principle of informed decision-making. What is actually appearing across screens is deeply unequal.

2/ Font Selection That Undermines Legibility – Typography is not decoration; in a consent context, it is a tool of comprehension or a barrier to it. Organizations are deploying fonts that are either too small to read comfortably on mobile devices, or inconsistent across different sections of the notice. When a data principal cannot easily read what they are being asked to consent to, the notice fails its fundamental purpose regardless of how well-written the legal text is.

3/ Inconsistent Terminology and Notice Structure – DPDPA requires that notices be itemized and specific. But without standardization, “itemized” means different things to different compliance teams. One organization lists seven categories of data while another lists two. One uses plain language while another uses technical and legal boilerplate that requires a law degree to parse. A citizen moving between organizations has no frame of reference to understand whether a notice is complete, partial, or misleading.

4/ Dark Patterns Embedded in Compliance Design – Dark patterns could fill a blog post of their own, but for the sake of brevity the problem must first be named here: many organizations are embedding dark patterns directly into their DPDPA compliance UI. Sometimes it is the product of UX designers working from conversion-optimization instincts applied to the wrong context. But intent is irrelevant when the outcome harms the data principal.

Why Is Design Never Neutral?

Every design choice in a consent notice is a subtle behavioural intervention. There is no neutral design. The question is not whether design influences behaviour, because it always does, but whether that influence serves the user’s autonomy or undermines it. Several well-established psychological principles explain why this matters so profoundly:

1/ Default Bias – Research by Thaler and Sunstein, the foundational scholars of behavioural economics and nudge theory, demonstrates that people disproportionately stick with whatever option is presented as the default.

2/ Cognitive Load and Decision Quality – When users are overwhelmed by complex, lengthy, or poorly organized information, they simplify their decision-making strategy. The most common simplification is to accept all and move on. Well-designed consent notices reduce cognitive load not by removing information but by organizing it clearly, using hierarchy, chunking, plain language, and visual cues that help users navigate complexity without being paralyzed by it.

3/ Anchoring and Framing – A notice that frames consent as “joining our data community” rather than “allowing collection of your personal data” is exploiting framing. DPDPA-compliant notices must use neutral, accurate framing by definition, but without design standards, this principle can be honoured in legal text while being violated in visual and structural design.

4/ Trust Signals and Consistency – Humans are pattern-recognition machines. When a design element, such as a colour, a layout, or a type of button, consistently appears in high-stakes, trustworthy contexts, it builds associations, and that is the reason why government notices use specific design conventions. Standardizing the DPDPA notice would function the same way: with time, citizens would learn to recognize the DPDPA notice pattern as a signal that a meaningful data transaction is occurring, one that deserves attention, not a reflexive click.

Why Is Standardization the Right Solution?

Some will argue that standardization stifles organizational expression or imposes unnecessary regulatory burden, but such an argument misses the fundamental nature of what consent UI is. A consent notice is not a marketing asset or brand expression but a legally mandated communication of purpose and rights. Standardization does not mean identical notices. It means a design framework that establishes:

Learning from Global Precedent

India is not starting from zero. Several jurisdictions have grappled with consent design standards and offer instructive precedent. The Norwegian Consumer Authority published guidance in 2021 that explicitly identified and prohibited specific dark patterns in cookie consent UI, going beyond GDPR text to prescribe visual and structural standards. The result was measurable improvement in the quality of consent obtained across Norwegian digital services.

Next, the UK’s Information Commissioner’s Office has published detailed guidance on what it calls “privacy design,” frameworks for building consent UI that serves users rather than organizations. France’s CNIL has gone further, publishing specific UI requirements including the requirement that the “Reject All” option be as accessible as the “Accept All” option in cookie notices.

India’s Data Protection Board has the opportunity, and arguably also the obligation, to develop equivalent guidance for DPDPA consent notice standards, but we don’t have to wait for the government to do the right thing. Consent Foundation has already worked out standards associated with DPDPA, and at Concur – Consent Manager, we’re proactively supporting such initiatives.

Who must act and how?

For the Data Protection Board of India: Publish a DPDPA Notice Design Framework as an official guidance document. Engage UX researchers, behavioural economists, disability rights advocates, and digital literacy experts in its development. Make it a living document updated as design practices evolve. Consider a certification or audit mechanism for CMPs to verify their notice designs meet the framework’s standards.

For Organizations Implementing DPDPA Compliance: Audit your current consent UI against the dark pattern taxonomy described in this article. Commission independent UX reviews of the notice designs provided by your CMP, not from your product team, whose instincts are shaped by conversion optimization, but from researchers whose mandate is user comprehension and autonomy. Test your notices with representative samples of your actual user base, including low-literacy and elderly users.

The DPDPA represents a genuine commitment by India’s legislature to protect the data rights of its citizens. But the law exists in the world of language and courts, while rights exist in the world of experience, and in this digital economy experience is designed.

If the design of DPDPA consent notices is left entirely to organizational discretion, it will be shaped by brand teams, conversion optimization habits, and the implicit pressure to maximize consent rates. Consent notice goals will exist on paper while being systematically undermined in practice, and citizens will click through high-stakes data transactions with the same glazed indifference they bring to cookie banners. The notice will be shown, consent will be logged, rights will be waived, and no one will have truly chosen anything.

Standardization of DPDPA notice design is not a bureaucratic formality but something that will be done sooner or later. It is the difference between a data protection regime that functions and one that is performed. India has the legal architecture, engineering guidelines and now design architecture to match.

The time to build standards is before bad patterns become entrenched, not after a generation of citizens has been trained to click through their own rights.