According to the National Payments Corporation of India (NPCI), apps used for Unified Payment Interface (UPI) transactions can only collect users’ location information with their permission.
The rules will only apply to domestic UPI transactions when a customer is the person initiating the transaction.
Before, users who didn’t grant location access couldn’t make purchases. Now the NPCI has stated that UPI apps like Google Pay and PhonePe can no longer deny services to users who refuse to give access to their location data.
Users who previously granted access to their location data will also be able to revoke that permission at any time without losing access to UPI services.
However, the UPI regulating board ruled that if customers give permission to share their location, this information must be shared with UPI securely and mandatorily. It can also be recorded, together with other significant customer data, within the app provider's system in encrypted form.
The NPCI warned that sharing inaccurate location coordinates might result in harsh punishments.
In a circular dated July 5, NPCI informed UPI members that they must comply with the consent requirement by December 1.
The NPCI has released new standards that all UPI apps must abide by in addition to the prior ones. The action, which comes six years after the establishment of NPCI-owned UPI, is hailed as an effort to improve transparency and uphold user privacy.
The original location data request called for keeping users' historical locations in order to create a fraud and risk management profile, although it is unclear what led NPCI to this 'pro-privacy' step.
However, without user permission, Google Pay and PhonePe will no longer be able to geotag transactions. The fact that these two platforms accounted for more than 83% of the roughly 6 Bn UPI transactions totaling INR 10.14 Lakh Cr in June 2020 is remarkable.
Such location data is being used by many fintech platforms that target first-time potential borrowers to create customised products that use the data to create risk profiles based on geography and other demographic characteristics.
In the UPI application programme interface (API) framework, geo-tagged payment information is gathered when a transaction is started. According to NPCI rules, the app provider’s system must store location information in an encrypted format together with other pertinent client data.
“In extension to the stated guideline, since geo-tagging involves customer-centric information and such data points are used as per the defined norms and regulations, we are releasing the… directions,” NPCI said in the circular.
Location data access has been made optional by the NPCI, although many apps that offer UPI are not stand-alone apps, and their additional functions could need location data. These apps may face infrastructure issues as a result of the change.
Although the UPI’s role in such data sharing is uncertain, the action is likely to have a negative impact on the infrastructure of fintech firms that use location data to identify their target audience.
Thus, the action, intended to increase transparency, is likely to cause infrastructure issues for many payment apps.