In the UPI application programme interface (API) framework, geo-tagged information of the payment is captured while initiating a transaction. NPCI guidelines state that location details along with other relevant customer data need to be captured within the app provider’s system in an encrypted format. “In extension to the stated guideline, since geo-tagging involves customer-centric information and such data points are used as per the defined norms and regulations, we are releasing the… directions,” NPCI said in the circular.
The apps cannot make location data collection mandatory and the option for enabling or revoking their consent must be provided by the app to the customer. Apps should continue to provide the UPI services even after the customer has revoked the consent for sharing the location or geographical details for the app, NPCI said.
The guidelines shall be applicable where the customer is a person initiating transactions and will apply to domestic UPI transactions only.
Payment industry executives said NPCI’s circular is in line with the enhanced level of transparency with respect to app permissions and user privacy being implemented by mobile device platforms such as iOS and Android.
Harish Prasad, MD, banking solutions (India), FIS, said while the new guidelines are good for users, they could pose some practical challenges. “Many of the UPI apps are not standalone UPI apps, and have a larger set of features which often need or use location data for optimised user experience or enabling enhanced security,” he said.
Apps which earlier had mandatorily required location permission will now have to make changes to deal with non-consenting customers and this could be a major change affecting not just UPI but many other features they offer, Prasad maintained.
The compliance timeline of five months could also be a tight one, industry players observed.