Reading the fine print

At the heart of any fintech is its ability to use its customers’ data well. Several sessions at this year’s GFF centered around the power of data - its ability to drive inclusion, resilience, and innovation. 

For several years, data was only lightly regulated in India. The DPDP Act took several years to be passed, and the barely enforced SPDI Rules continued to govern the use of sensitive data. But in recent times, regulatory intent has been clear. DPDP aside, effective data governance is an RBI priority as well. Prominent RBI actions this year have involved concerns around data use: RBI’s action against Kotak Mahindra Bank, the cancellation of two NBFC licenses, and the action against Paytm Payments Bank all involved concerns around the use or sharing of data. RBI’s regulations have also increasingly addressed data security and privacy. For instance, the Digital Lending Guidelines (DLG) set out dos and don’ts around data use and sharing by regulated entities. The master directions on cards barred co-branding partners from accessing transaction data. The draft outsourcing directions set out more detail on what the RE-OSP outsourcing agreement must cover around data use.

So, to be resilient, fintechs must make data compliance and governance a priority. 

A quick recap of where to start and what to do (and more writing here, here and here):

  • Know yourself: Identify whether you control the data (i.e. you are a data fiduciary) or you process it for someone else (i.e. you are a data processor).
  • Know your data: Identify what data you collect and why.
  • Share with care: Evaluate why you need to share your customers’ data with third parties, and share with appropriate checks.
  • Tell it all: Disclose everything to your customers.

The first three steps are all about getting your house in order. We hope you’ve done these by now.

Today we focus our energies on the last step – telling your users about your data practices. 

“Isn’t this just our privacy policy?” you ask. We can see the dismissive head shakes. After all, for several years, the only people who cared about disclosures have been us lawyers.

But we think disclosures are more than a verbose treatise relegated to one page on your website. The DPDP Act might simply say give users a “notice”, but we think it calls for lawyers to join hands with product and tech teams and get involved in product design.

A few ideas to start with: 

Privacy by design on the UI/UX

Transparency means telling users relevant information at relevant times. That means embedding disclosures within the user interface/user experience (UI/UX) so that users can make informed choices.

This means reviewing the customer journey on your platform, from app download, to a user creating an account, signing in, using the platform, and finally deleting the account, to see precisely when to tell users what, and giving them choices on the UI itself rather than expecting them to read a long-form privacy policy. At the same time, the more text users see on the UI, the more confused they may get. So one must not go overboard: avoid inundating the user with too much text and more choices than they can grasp.

For instance, a lot of text and checkboxes in one go may overwhelm a user: 

[Image: Source]

But snippets of information at the right time may be more impactful:

[Image: Source]

Or breaking up the text onto different screens: