This year, India's consumer-protection regulator did something quietly instructive. It had asked large e-commerce platforms to audit themselves for dark patterns, the nudges and traps that push people into choices they did not mean to make, and to file a signed declaration confirming they had cleaned them up. Many did. Then the regulator went and looked at the actual apps, and issued fresh notices to fifteen major platforms for continuing to use dark patterns, including ones whose declarations had already said they were compliant.
Read that sequence slowly, because its structure matters more than its headline. The platforms attested. The regulator checked. The two did not match.
This is not really a story about bad actors, and treating it as one misses the useful part. It is a story about a mechanism, and about a gap that anyone who has built systems will recognize on sight.
What actually happened
The scaffolding here is new. India's data-protection rules were finalized in late 2025, and enforcement is arriving in phases, with a dedicated board stood up and penalties still a year out. Alongside that, the consumer-protection authority has run a parallel campaign against dark patterns, working from a published list of named practices: false urgency, basket sneaking, drip pricing, subscription traps, and the rest.
The instrument it reached for is a familiar one. Rather than audit every platform itself, which no regulator has the capacity to do, it asked each platform to run its own audit and file a self-declaration of compliance. Audit yourself. Sign that you are clean.
Then it spot-checked, and the declarations did not survive contact with the apps. Fifteen platforms received fresh notices for continuing the exact practices they had certified they had removed. Around the same time, the banking regulator issued its own dark-pattern ban for the sector it oversees. The pattern across both is the same: the signed claim was not the end of the story. It was the beginning of one.
The claim and the fact
Here is the sentence the whole episode reduces to.
A self-declaration of compliance is a claim the declaring party makes about itself. It is not a measurement of what that party actually does.
Self-declaration is an appealing regulatory instrument, and it is worth being honest about why. It scales, because the regulator does not have to inspect everyone. It is cheap. And it puts the duty on the party that knows its own systems best. Those are real advantages, and they are the reason the mechanism keeps getting used.
But it carries a structural flaw that shows up everywhere it appears. The entity making the claim and the entity being judged are the same entity. A platform that is non-compliant in a way it has not looked at closely will file a clean declaration in complete good faith. The declaration reliably surfaces the violations the platform already acknowledges. It goes quiet on exactly the ones the platform benefits from not examining. The most confident attestations are not the safest ones. They are the ones written by the party with the least reason to look hard.
Why an engineer recognizes this immediately
None of this is peculiar to regulation. It is a property of any system in which a component reports on itself, and it is one of the oldest lessons in building reliable ones.
A component's account of its own state is a claim, not a measurement, and the only trustworthy account is one produced by observing what the component actually did, not by asking it how it is doing. A service can return a healthy status while failing to do its job. A process can report success on work it never completed. You do not learn the truth of a system by reading its self-description. You learn it by observing the effect it has on the world.
Compliance is the same shape. You find out whether a platform uses dark patterns by observing the actual checkout flow a real person hits, not by reading the platform's description of that flow. The regulator's spot-check is that observation. The declaration is the platform's self-portrait. When the two diverge, and they did, only one of them was ever evidence.
This is also why the phrase "the demo worked, production broke" is so familiar to anyone who ships software. It is almost always a story about trusting a self-report. The green light said ready. Nobody checked what the system actually did under real load. A national dark-patterns regime is now learning, at the scale of an economy, the lesson every on-call engineer learns in their first year: a passing self-check is not the same as a working system. It is the same gap that separates what a platform reports about its own behavior from what an outside look actually finds.
What self-declaration is still good for
It would be an overcorrection to conclude that attestation is worthless. It is not, and the regime is right to keep using it.
A self-declaration forces the party to look, which has value on its own. It creates a signed record you can hold them to later, which turns a vague expectation into an enforceable one. It is a cheap first filter that catches the honest and the careless before you spend scarce inspection capacity. The failure is not having attestation. The failure is treating it as the endpoint rather than the entry point, letting the signed claim stand in for the observed fact.
What the regulator is doing now, in real time, is discovering that distinction and building the second half. The enforcement sweeps and the sector-by-sector bans are stacking on top of the declarations, not replacing them. Trust the claim enough to demand it. Then go and check, because the claim will be silent exactly where it matters most.
The gap that does not close by asking nicely
The interesting question the regime is now sitting inside is not "were the platforms lying." Some may have been careless, some may have read compliance narrowly, and some genuinely had not looked. The mechanism cannot tell those apart, and that is precisely the point. A signed declaration compresses "I have verified I am clean" and "I believe I am clean" and "I would prefer you assume I am clean" into one identical signature.
The harder question is what you build when a signed claim and the observed reality routinely diverge, and the party holding the most information about the truth is the one with the least incentive to surface it. That gap does not close by asking the party to attest more sincerely. It closes only by looking, and looking is expensive, which is why everyone keeps hoping the signature will be enough.
It will not be. A signature is a promise. Behavior is a fact. A regime learning the difference the hard way is relearning something every reliable system already knows: you do not verify a thing by asking it to describe itself.
Attestation is not verification.
Sources
- India's Central Consumer Protection Authority: dark-patterns guidelines (2023) and the 2025 self-audit and self-declaration advisory; fresh notices to fifteen platforms for continued dark-pattern use despite self-declared compliance, as reported by IAPP, "India's regulatory heat wave hits privacy, AI, dark patterns" (Jun 4, 2026). https://iapp.org/news/a/notes-from-the-asia-pacific-region-india-s-regulatory-heat-wave-hits-privacy-ai-dark-patterns
- DPDP Rules 2025, notified Nov 13, 2025; MeitY rules page: https://www.meity.gov.in/documents/act-and-policies/digital-personal-data-protection-rules-2025-gDOxUjMtQWa?pageTitle=Digital-Personal-Data-Protection-Rules-2025 . Context: IAPP, "With rules finalized, India's DPDPA takes force": https://iapp.org/news/a/with-rules-finalized-india-s-dpdpa-takes-force
- Reserve Bank of India directions on dark patterns for regulated entities (effective Jul 1, 2026): https://www.rbi.org.in/scripts/bs_viewcontent.aspx?Id=4865
The fifteen-platform enforcement figure is as reported by IAPP; the DPDP and RBI rules link to primary notifications.