Aligned with IRDAI directive · 2 April 2026

Audit your insurance journey for dark patterns.

Scan any policy website or digital journey against the 13 dark patterns notified by the CCPA and mandated for insurers by IRDAI. Get a compliance score, a per-pattern breakdown, and the fixes to make before your self-assessment is due.

Dark Pattern Auditor
13-point CCPA / IRDAI scan · live crawl & AI analysis
▸ Checks pre-ticked consent & basket sneaking▸ Flags forced data collection▸ Maps every finding to a fix▸ Exportable self-assessment report
The mandate

What IRDAI requires of you

On 2 April 2026, IRDAI directed insurers offering products on digital platforms to comply with the CCPA Guidelines for Prevention and Regulation of Dark Patterns, 2023. Insurers must run a self-assessment of their e-platforms, remove deceptive UI, and report to the regulator — which has engaged the Institute of Public Auditors of India for independent, nine-month monitoring.

15 days
to submit a self-assessment report
1 month
to submit a corrective action plan
Regulatory timeline
30 Nov 2023
CCPA notifies the guidelines
The Central Consumer Protection Authority issues the Guidelines for Prevention and Regulation of Dark Patterns, listing 13 practices.
2 Apr 2026
IRDAI directive to insurers
IRDAI directs regulated entities on digital platforms to comply with the CCPA guidelines.
+ 15 days
Self-assessment report due
Insurers must assess their e-platforms and report their compliance status to IRDAI.
+ 1 month
Corrective action plan due
Where non-compliance is found, an action plan with removal timelines must be submitted.
9 months
Independent monitoring
IRDAI engages the Institute of Public Auditors of India to independently track dark-pattern use across insurers.
The framework

The 13 dark patterns, for insurers

The CCPA guidelines name thirteen deceptive design practices. Here they are, framed for how they surface in a policy-buying journey. The three most relevant to insurance sales are marked.

01
False Urgency
Countdown timers and "only 2 policies left" banners manufacture pressure to buy immediately.
02Insurance-critical
Basket Sneaking
Add-on riders such as accidental cover are pre-added to the cart without the customer choosing them.
03
Confirm Shaming
Decline options are worded to guilt the user, e.g. "No, I don’t want to protect my family".
04Insurance-critical
Forced Action
The customer must hand over phone number or PAN before any premium quote is revealed.
05
Subscription Trap
Auto-renewal is one click to start but cancellation is buried behind multiple steps.
06
Interface Interference
Consent and marketing checkboxes are pre-ticked; the opt-out is visually hidden.
07
Bait & Switch
The premium advertised differs from the price shown at the point of purchase.
08
Drip Pricing
GST, service charges and fees are only revealed at the final payment step.
09
Disguised Advertisement
Sponsored or high-commission plans are presented as neutral "recommended" picks.
10Insurance-critical
Nagging
Repeated calls, SMS and emails continue — including after the customer has opted out.
11
Trick Questions
Confusing double-negative wording on consent nudges the customer toward an unintended option.
12
SaaS / Recurring Billing
Recurring premium deductions occur without a clear, repeated pre-debit notice.
13
Rogue Alerts
Fake "coverage expiring today" or security warnings pressure an immediate purchase.
Side by side

Deceptive vs. compliant

Real patterns from insurance journeys, and the transparent version IRDAI expects instead.

01Adding a rider at checkout
Deceptive
"Accidental cover has been added for your protection." The rider is pre-ticked and worth ₹299/yr; the deselect control is faint and easy to miss.
Compliant
"Add Critical Illness Cover for ₹299/year?" — an unchecked box with equal-weight Yes / No, so the customer actively chooses.
02Getting a term-plan quote
Deceptive
The price is hidden behind a form: name, mobile, email and consent to marketing calls are all mandatory before a single figure appears.
Compliant
An indicative premium is shown from age and cover amount alone. Contact details are requested only to issue the policy, and marketing consent stays optional.
03Cancelling auto-renewal
Deceptive
Auto-renew was enabled by default at purchase; turning it off requires calling a helpline during business hours.
Compliant
Auto-renew is off unless chosen, and can be toggled off anytime from the policy dashboard in one click.
Before you file

Self-assessment checklist

Work through these before submitting your report to IRDAI. Tick as you verify each on your live platform.

0/8
controls verified
No pre-selected riders or add-ons
Every optional cover starts unchecked and requires an explicit customer action to add.
Quote before personal data
An indicative premium is visible without forcing name, phone, PAN or marketing consent.
All-inclusive pricing shown upfront
Premium, GST and every fee appear at the first quote — no charges dripped in at payment.
Neutral decline language
Skip and decline options carry no guilt-tripping or shaming copy.
Easy, symmetric cancellation
Cancelling a policy or auto-renewal is as easy as the sign-up that started it.
Opt-outs honoured and logged
Marketing outreach stops on opt-out, with frequency caps and an auditable trail.
Sponsored placements labelled
Paid or high-commission plans are clearly marked and not disguised as neutral recommendations.
Third-party journeys reviewed
Plugins, payment gateways and aggregator/agent portals are assessed for imported dark patterns.
Questions

Frequently asked

What exactly did IRDAI mandate, and when?+
On 2 April 2026, IRDAI directed insurers offering products on digital platforms to comply with the CCPA’s Guidelines for Prevention and Regulation of Dark Patterns, 2023. Entities must run a self-assessment within 15 days and, where gaps are found, submit a corrective action plan with timelines within one month.
What counts as a dark pattern in insurance?+
Any UI or UX choice that manipulates a customer into a decision they wouldn’t otherwise make — pre-ticked riders, forcing personal data before showing a quote, guilt-worded declines, hidden fees, or nagging outreach after an opt-out. The CCPA guidelines name 13 such practices.
Who enforces this — IRDAI or CCPA?+
The CCPA notified the underlying guidelines under the Consumer Protection Act, 2019. IRDAI, as the sectoral regulator, is enforcing them specifically for insurers. The Reserve Bank of India has flagged the same concerns for banks, so the push spans the financial sector.
Is a self-declaration enough?+
Not on its own. After e-commerce platforms self-audited under an earlier CCPA advisory, an independent review still found dark patterns on most of them. IRDAI has therefore engaged the Institute of Public Auditors of India for independent, nine-month monitoring — so declarations should be backed by evidence.
Does this auditor actually crawl my website?+
No. This is a demonstration tool that simulates how a heuristic scan reports findings, so teams can see the format and language of an assessment. It is not a live crawler and should be paired with a manual review and your formal self-assessment.
How does this interact with the DPDP Act?+
They reinforce each other. Forcing customers to share personal data to see a product is a dark pattern under the CCPA guidelines and also strains the DPDP Act’s requirement that consent be free, informed and specific. A quote flow that demands data before showing a price tests both frameworks at once.