ARTICLE
8 January 2025

Reading The Fineprint

Ikigai Law

Contributor

Ikigai Law is an award-winning law firm with a sharp focus on technology and innovation-led businesses. We advise clients from high impact startups to mature market-leading companies and are often at the forefront of policy and regulatory debates for emerging business models. Our TMT practice is ranked by Chambers and we were named Boutique Law Firm of the Year in 2019 by Asian Law Business.

At the heart of any fintech is its ability to use its customers' data well. Several sessions at this year's GFF centered around the power of data - its ability to drive inclusion, resilience, and innovation.

For several years, data was only mildly regulated in India. The DPDP Act took several years to be passed, and the barely enforced SPDI Rules continued to govern the use of sensitive data. But in recent times, regulatory intent has been clear. DPDP aside, effective data governance is an RBI priority as well. Prominent RBI actions this year have involved concerns around data use: RBI's action against Kotak Mahindra Bank, the cancellation of two NBFC licenses, and the action against Paytm Payments Bank all involved concerns around the use or sharing of data. RBI's regulations have also increasingly addressed data security and privacy. For instance, the Digital Lending Guidelines (DLG) set out dos and don'ts around data use and sharing by regulated entities. The master directions on cards barred co-branding partners from accessing transaction data. The draft outsourcing directions set out in more detail what the RE-OSP outsourcing agreement must cover around data use.

So, to be resilient, fintechs must make data compliance and governance a priority.

A quick recap of where to start and what to do:

  • Know yourself: Identify if you control the data (i.e. you are a data fiduciary) or you process it for someone else (i.e. data processor).
  • Know your data: Identify what data you collect and why.
  • Share with care: Evaluate why you need to share your customers' data with third parties, and share with appropriate checks.
  • Tell it all: Disclose everything to your customers.

The first three steps are all about getting your house in order. We hope you've done these by now.

Today we focus our energies on the last step – telling your users about your data practices.

"Isn't this just our privacy policy?" you ask. We can see the dismissive head shakes. After all, for several years, the only people who cared about disclosures have been us lawyers.

But we think disclosures are more than a verbose treatise relegated to one webpage on your website. The DPDP Act might simply say give users a "notice". But we think it calls for lawyers to join hands with product/tech teams and get involved in product design.

A few ideas to start with:

Privacy by design on the UI/UX

Transparency means telling users relevant information at relevant times. This means embedding disclosures within the user interface/user experience (UI/UX) so that users can make informed choices.

This means reviewing the customer journey on your platform, from app download, to a user creating an account, signing in, using the platform, and finally account deletion, to see precisely when to tell users what, and giving them choices on the UI itself rather than expecting them to read a long-form privacy policy. At the same time, the more text users see on the UI, the more confused they may get. So one must not go overboard: avoid inundating the user with too much text and more choices than they can grasp.

For instance, a lot of text and checkboxes in one go may overwhelm a user:

[Image: 1565148a.jpg]

But snippets of information at the right time may be more impactful:

[Image: 1565148b.jpg]

Or breaking up the text onto different screens:

[Image: 1565148c.jpg]

A short-form notice

Several platforms still only provide a statement to users seeking their agreement to the terms and privacy policy. While these documents are hyperlinked and a user could click on a link to read the policy, the chances of that happening are slim. Instead, a short notice with the big headlines could give users meaningful information on the UI itself. For instance:

[Image: 1565148d.jpg]

For reference, fintechs would be familiar with the disclosure that must be displayed when accessing a user's credit score on their behalf from credit bureaus, or the notice one gets while pulling an Aadhaar XML from DigiLocker.

Layered notices

A layered notice embedded on the platform rather than a web URL can make for better reading:

[Image: 1565148e.jpg]

Beefing up the privacy policy

Of course, the long-form privacy policy is still a critical document. It is the only opportunity a company gets to tell users in some detail what data is collected, why, how it is used, who it is shared with, what their choices around data are, and so on. And so, companies must get this right.

For instance, so far we have been used to seeing separate sections that describe what information is collected (usually categorized as information that the user provides, information that is collected automatically, and information that is collected from third parties) and how the information is used (to provide the platform/services, for fraud prevention, customer support, etc.). For better transparency, companies could consider mapping each data point collected against the purposes it serves, or describing in greater detail what data is collected at which stage.

With the DPDP rules around the corner, and RBI focusing increasingly on data use, fintechs that invest in a privacy-conscious UI/UX and tech architecture will be better placed to absorb shocks.

This piece was originally published in the September 2024 edition of our monthly fintech newsletter, FinTales.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
