News

NPCI Makes User Consent Mandatory For Accessing Location Data On UPI Apps

NPCI Makes User Consent Mandatory For Accessing Location Data On UPI Apps
SUMMARY

UPI apps like Google Pay and PhonePe can no longer deny UPI services to users who don’t share location data

While the move is aimed at improving transparency, it is likely to create an infrastructure problem for many payment apps

Users, who had earlier given permission for location data, will also be allowed to revoke their permissions now

Inc42 Daily Brief

Stay Ahead With Daily News & Analysis on India’s Tech & Startup Economy

Payment apps that use the UPI feature can collect users’ location data only with their consent, the National Payments Corporation of India (NPCI) stated in a circular on July 5. 

Previously, users who didn’t give location access were not allowed to make payments. The NPCI said that if the customer does not give consent to share location data, UPI apps cannot deny or disable the UPI services. 

Further, if a customer has already given consent to share the location with UPI apps, and then subsequently wants to revoke the consent, the same should be permitted without denying the UPI services to the customer, the circular read.

The UPI governing body also stated that if customers assent to sharing their location, it needs to be mandatorily and correctly passed onto UPI. Sharing incorrect location coordinates will attract strict action, the NPCI said. 

In the circular, NPCI notified UPI members to comply with the consent requirement by December 1. 

What Prompted The Move Now?

Location details along with other relevant customer data need to be captured within the app provider’s system in an encrypted format, the NPCI had previously said. 

The geotagging involves customer-centric information and such data points are used as per the defined norms and regulations.

In extension to the previous guidelines, the NPCI has announced the new guidelines to be followed by all the UPI apps.

Six years into the launch of NPCI-owned UPI, the move is touted as an act of better transparency and maintaining user privacy. 

While what prompted NPCI to make this ‘pro-privacy’ move is unclear, the original location data request meant holding users’ historic location to build a fraud and risk management profile. 

Google Pay and PhonePe will no longer be able to geotag transactions without user consent. It is noteworthy that these two platforms alone comprised over 83% of the nearly 6 Bn UPI transactions worth INR 10.14 Lakh Cr that happened in June 2021.

Many fintech platforms that serve first-time credit takers are working with such location data to build custom products with the data to build risk profiles based on geography and other demographic features. 

While the UPI’s role in such data sharing is unknown, the move is likely to also put a damper on the infrastructure of such fintech platforms building their target group using location data points.

The NPCI has made access to location data voluntary, but many apps that provide UPI are not standalone apps and their other features may require location data. The move is likely to pose an infrastructure problem to these apps.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.

Inc42 Daily Brief

Stay Ahead With Daily News & Analysis on India’s Tech & Startup Economy

Recommended Stories for You