Centre for Internet & Society

The study shows that privacy policies companies such as Paytm, Jio Payments Bank, Airtel Payments Bank, Amazon Pay, Bhim are not accessible from the main website.

The blog post by Shilpa S. Ranipeta published by the News Minute on June 10, 2019, quotes the research done by Aayush Rathi and Shweta Mohandas of the Centre for Internet & Society.


A study by the Centre for Internet and Society on privacy and security policies of Fintech companies in India has shown that no company met every single requirements under the Section 43A Rules of the IT Act. A study of privacy policies of 48 companies has also shown that privacy policies of major entities such as Paytm, Jio Payments Bank, Airtel Payments Bank, Amazon Pay, Bhim are not accessible from the main website of the company.

The privacy policies were assessed based on the privacy policy requirements mandated by the Sensitive Personal Data or Information (SPD/I) Rules.

A fintech company is one that combines financial services and products with technology. The companies categorised as Fintech in this study are payment gateways, payment gateway aggregators, mobile and online wallets, digital payments banks, peer-to-peer lending platforms and miscellaneous entities that share features of the above categorisation.

Rule 4 of the SPD/I Rules mandates that a company that handles information should have a privacy policy that ensures it is dealing with the information provided by users as per the SPD/I Rules. It is also required that the privacy policy is published on the website of the company and is ‘clear and easily accessible’. However, the SPD/I Rules doesn’t specify what would constitute a ‘clear and easily accessible’ privacy policy.

In this research, CIS has studied accessibility as how many times a person has to click to access the privacy policy, if it is readily available on the homepage, if the company states its practices for privacy in language that can be understood by someone fluent in English and does not require prior legal or technical knowledge to be understood.

Here are some observations from the research:

Accessibility:

The study found that 38 companies have a privacy policy accessible on the main website of the company, 38 also have the privacy policy included in terms and conditions of all documents of the company that collects personal information.

However, policies of only 20 companies can be understood by someone without legal and technical knowledge and 16 can be partially understood. Privacy policies of RazorPay, Oxigen, Airtel Payments Bank, Capital Float, Freecharge, BHIM couldn’t be understood by someone without legal and technical knowledge.

“For some of the companies the privacy policy had to be located in the terms of service or under separate categories such as ‘legal agreements’, ‘key policies’, ‘security’, further making the privacy police more inaccessible. We anticipate that unless the user is specifically looking for the privacy policy, it is unlikely for the privacy policy to be perused in the usual course of a user’s usage of the services of the fintech provider,” the report states.

The study found that while most fintech companies in the sample explicitly specified personal information that was being collected, fewer privacy policies contained categorical provisions segregating the sensitive personal information that was being collected. However, it was unclear what each category specifically entailed.

“Another terminology that is often incorporated to broaden the ambit of information being collected is the definition of personal information as any information that may be provided by the user. This squarely places the onus of restricting information collection on the user, further compounding the handicaps users face in ascertaining the information that that firms are seeking to collect because of the illustrative nature of the listing of information,” the report states.

Option to not provide information and withdrawal of consent:

Interpretation Rule 5(7) states that the company should inform users even before collecting information that they have an option to not provide the data or information.

The rule also specifies that the individual must also be informed that he/she has an option to subsequently withdraw consent from the use of the data or information collected by the data controller.

However, Privacy Policies of 30 companies do not specify that the user has the option to not provide information. These include companies such as PayU, CitrusPay, Jio Money, Airtel Payments Bank, Paytm, Fino Paytech, Capital Float, Walnut, etc.

Only 17 companies specify that the user has the option to subsequently withdraw consent.

Registering grievances

The study showed that only 16 of companies mention the existence of grievance officer in their privacy policies.

Rule 5(9) of the SPD/I Rules state that companies are required to have a grievance redress mechanism in place vis-a-vis the user’s privacy practices.

“Thirty-two companies failed to not just provide a redressal mechanism but also failed to mention the existence of a grievance officer specific to the resolution of issues that users may encounter vis-à-vis the data controller’s privacy practices,” the report states.

Language barrier

All companies, except PhonePe, had a privacy policy only in one language – English. PhonePe provided a privacy policy in both English and Hindi.

“With the growth of the digital economy, a multitude of Indians are using online 46 services, and it is imperative that privacy policies be accessible and understandable to all users of the service. In the context of the fintech sector, accessibility to privacy policies takes on added significance given the fintech sector’s avowed promise of increasing access to financial products to hitherto underserved sections of the society,” the report states.

The research showed that few consumers, if any, read online privacy policies, despite expressing concern about their online privacy. And privacy policies are often very technical and not comprehensible by a regular user.