21 Jun 2026 · 8 min read
Under India's DPDP Act 2023 you are a Data Principal — the person whose personal data is being processed. The Act gives you specific rights (notice, consent, withdrawal, access, correction, erasure, grievance redressal) and a Data Protection Board to hear complaints. But rights only matter if you can tell when they are being violated. Most of the fraud happening on Indian websites today is not the dramatic kind — leaked databases on Telegram. It is the quiet, structural kind: small UI nudges, hidden third parties, and false-bottom consent flows that move your data somewhere you never asked it to go.
**Fraud pattern 1 — dark-pattern consent.** A banner pops up. 'Accept' is a bright green button. 'Reject' is grey text, hidden two clicks deep, or — worse — labelled 'More options' and never lets you actually reject. Under Section 6 of the DPDP Act, consent must be free, specific, informed, unambiguous, and as easy to withdraw as to give. A reject-by-link banner fails on the last two criteria. **What to look for:** if Accept and Reject are not the same kind of button — same size, same prominence — the consent is not DPDP-valid, and the site is already in violation.
**Fraud pattern 2 — ghost trackers.** Many Indian sites fire Google Analytics, Meta Pixel, Hotjar, and 8–12 other trackers the moment the page loads — before the consent banner even appears. Whatever you click on the banner afterwards is moot; your IP, device fingerprint and browsing path have already gone to advertisers. **What to look for:** open your browser's developer tools (right-click → Inspect → Network tab → filter by 'analytics' or 'pixel'), reload the page, and count requests fired before you touched the banner. If the count is more than zero, the site is leaking data without consent.
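The developer-tools check above, automated as an added example that is not from the original post: given a constructed list of network requests (shaped like a Network-tab/HAR export, with start times in milliseconds since navigation) and the moment the banner was clicked, it reports which tracker hosts fired before consent. The tracker host list is an illustrative assumption, not an authoritative registry.

```javascript
// Added example, not the post's own code. Counts tracker requests that
// fired before the user touched the consent banner.
// Assumption: this short host list stands in for a real tracker registry.
const TRACKER_HOSTS = [
  "www.google-analytics.com",
  "analytics.google.com",
  "connect.facebook.net",
  "www.facebook.com",   // Meta Pixel beacons go to /tr on this host
  "static.hotjar.com",
  "script.hotjar.com",
];

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return ""; }
}

function isTracker(url) {
  const host = hostOf(url);
  return TRACKER_HOSTS.some(t => host === t || host.endsWith("." + t));
}

// requests: [{ url, startedAt }], startedAt in ms since navigation start.
// consentAt: ms at which Accept/Reject was clicked (Infinity if never).
function preConsentTrackers(requests, consentAt) {
  const leaked = requests
    .filter(r => isTracker(r.url) && r.startedAt < consentAt)
    .map(r => hostOf(r.url));
  return {
    count: leaked.length,
    hosts: [...new Set(leaked)].sort(),
    compliant: leaked.length === 0,   // DPDP expects zero before consent
  };
}

// Constructed sample capture: the banner is clicked at 4200 ms, and three
// tracker requests have already gone out by then. IDs are placeholders.
const SAMPLE_REQUESTS = [
  { url: "https://example.in/", startedAt: 0 },
  { url: "https://example.in/static/app.js", startedAt: 150 },
  { url: "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER", startedAt: 310 },
  { url: "https://connect.facebook.net/en_US/fbevents.js", startedAt: 420 },
  { url: "https://www.facebook.com/tr?id=000&ev=PageView", startedAt: 900 },
  { url: "https://script.hotjar.com/modules.0000.js", startedAt: 5000 }, // after consent
];

console.log(preConsentTrackers(SAMPLE_REQUESTS, 4200));
```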
**Fraud pattern 3 — fake withdrawal.** Section 6(4) of the DPDP Act says you must be able to withdraw consent as easily as you gave it. In practice, many Indian sites either hide the withdrawal link, demand you log in to a separate portal, or open a support ticket that takes weeks. Some attach dark patterns to the withdrawal itself: 'Are you sure? You will lose your benefits.' That's coercion, and it's now illegal. **What to look for:** scroll to the footer. There must be a visible 'Manage cookie preferences' or 'Withdraw consent' link. If it doesn't exist, or it just throws you to a generic privacy policy, the site is not compliant.
**Fraud pattern 4 — silent profile sale.** This is the most damaging and the hardest to detect. The site collects your name, phone, age, city, transaction history — and shares it with 'partners' described only as 'trusted third parties' in a five-page privacy notice. Within days you get spam from lenders, insurance brokers, edtech salespeople you never gave your number to. The DPDP Act requires Section 5 notices to itemise these third parties by name. A privacy notice that says 'we share with affiliates and partners' without naming them is presumptively non-compliant. **What to look for:** open the site's privacy policy and Ctrl-F for 'third party'. Count how many partners are actually named. If the answer is 'none' or 'we may share with affiliates', assume your data is being sold.
**Fraud pattern 5 — missing Grievance Officer.** Section 8(10) of the DPDP Act requires every Data Fiduciary — every site collecting your data — to publish a Grievance Officer's name and email, and to respond to your complaints within a fixed window (the DPDP Rules 2025 prescribe specifics). Sites that bury this in a contact-form maze, or list a generic 'support@' address with no human owner, are betting you'll give up. **What to look for:** open the privacy policy or footer. There must be a Grievance Officer's name, role, email, and an SLA (the Rules give 30 days for grievance closure on average). If not, you cannot exercise your rights — and that's a violation.
**The 60-second safety routine.** Before you give any Indian site your phone number, email or payment details, run this in order: (1) Is the URL HTTPS? (2) Does the cookie banner give Reject equal weight to Accept? (3) Does the footer carry a working 'Manage cookies' link? (4) Does the privacy policy name the third parties data is shared with? (5) Is there a Grievance Officer with a name, email and SLA? Five checks, sixty seconds. A site that passes all five is one you can transact with. A site that fails any one of them is one you can — and under DPDP, should — complain about to the Data Protection Board.
You can also let our scanner run those checks for you. [Paste any Indian website URL into the scanner](/scan) and you'll see all ten DPDP categories scored in a 0–100 report, with the exact gaps and the fixes. The same scanner now powers the [public DPDP-verified directory](/certified-websites) — so if a site you frequent is missing, you can ask its operator (or us) to put it through the audit. Building a safer Indian internet is what the DPDP Act tries to legislate. The five checks above are how Data Principals enforce it in practice.
Note. Guidance, not legal advice. For specific compliance decisions, please consult a qualified data-protection lawyer.