Location data collection by UPI apps must have user authorization, according to NPCI

The National Payments Corporation of India (NPCI) has stated that apps used for Unified Payment Interface (UPI) transactions must only collect users’ location data with their consent. In a circular dated July 5, NPCI informed UPI members that the consent requirement must be met by December 1.

While initiating a transaction, the UPI application programme interface (API) framework captures geo-tagged payment information. According to NPCI guidelines, location details and other relevant customer data must be captured in an encrypted format within the app provider’s system. “In addition to the stated guidelines, we are releasing the… directions because geo-tagging involves customer-centric information and such data points are used in accordance with the defined norms and regulations,” NPCI stated in the circular.

The apps cannot make location data collection mandatory, and the customer must be given the option of enabling or revoking their consent. According to NPCI, apps should continue to provide UPI services even after the customer has revoked consent to share the app’s location or geographical details.

The guidelines will apply only to domestic UPI transactions where the customer is a person initiating transactions.

According to payment industry executives, NPCI’s circular is in line with the increased transparency regarding app permissions and user privacy implemented by mobile device platforms such as iOS and Android.

While the new guidelines are beneficial to users, Harish Prasad, MD, banking solutions (India), FIS, believes they may pose some practical challenges. “Many of the UPI apps are not standalone UPI apps, and have a broader set of features that frequently require or use location data for enhanced user experience or security,” he explained.

Apps that previously required location permission will now have to make changes to deal with non-consenting customers, which could be a significant change affecting not only UPI but many other features they provide, according to Prasad.

According to industry participants, the five-month compliance timeline may be too short.