The Murky World of Consents (#50)
Regulatory ambiguity and lack of innovation in User Consents add to Fintech challenges
Welcome to the 50th issue of Unit Economics. For today’s write-up, I share thoughts on the many challenges with User Consents in Fintech. Dive in!
The complexity of compliance requirements makes product development in Fintech a little different from that in other industries. Each new feature or user journey requires that you search through the central bank's circulars and notifications, and make room for legal review before going to production.
Few discussions between product and legal divide opinions more than those about user consents. You would commonly have come across such consents for terms & conditions, providing credit bureau access, allowing a KYC fetch, accepting loans from an NBFC, and the like.
But what leads to conflicts between product and legal? Two things. One, the method of taking a consent directly impacts the funnel conversion for a journey. Two, the laws around data protection and user consent continue to be open to interpretation. And with the incentives at odds, the legal ask is often more risk-averse than the product team wishes.
The important question here, however, is: why do the regulations allow such gaps for user consents? An understanding of how consents are defined under the law will help answer the question.
User Consents
Across countries, there exist, in some form or the other, guidelines around user privacy and data protection. In India, for example, the IT Act, 2000 and the Sensitive Personal Data or Information (SPDI) rules usually guide the thinking. The existence of such frameworks is good: they make the scoping of consents easier for teams.
For instance, across such data protection guidelines, you would find the consents bracketed into two categories:
Implicit Consents
Consents wherein participation in a certain situation is considered proof of consent itself. The consent here is inferred and passive, and a user is assumed to have consented by proceeding unless they have explicitly stated otherwise.
Explicit Consents
Consents that are active, direct and wherein users are supposed to be informed explicitly of the need to authorise the collection, use, and/or disclosure of their personal information. The guidelines for explicit consents, especially for GDPR in the EU, indicate the need for clearly stating the purpose and scope of data collection – which makes the consent more demanding.
This is, however, where the ground starts getting grey. Take the Indian regulations, for instance. While the laws indicate that explicit consent must be informed, clear, and specific, there is no guidance on the form in which it must be sought, or on how it should differ from a usual consent.
For example, some teams take explicit consent for the terms of service and privacy policy through a common checkbox, while others interpret a clickwrap consent as sufficiently informed and clear.
It is easy to mistake the difference as minimal, but at scale an additional drop-off of even 1%, compounded across months, can make a significant difference to your funnels. A terms-and-conditions consent is quite standard, but the lines diverge further for consents that are relatively infrequent.
Take another example of fetching a user’s financial information. The AA framework neatly defines the role of Account Aggregators as consent managers and requires that the consent be taken explicitly from the user with the scope (data being collected, frequency of data collection, etc.) specified as shown below.
Compare this to the simpler industry standard for consent on accessing SMS or E-mail data, wherein similar financial information may be collected but hardly anything is highlighted in the scope of data collection. This is not to say that one practice is better or worse, but the divergence obviously has implications.
Further, while the processing of personal or sensitive user information deems implicit consent insufficient, this only tells us what cannot be considered an implicit consent. The answer to what can be considered acceptable implicit consent is hardly concrete. As a result, most reasonable teams err on the side of caution by putting additional explicit consents into the user journey instead.
What compounds the issue is the lack of a consistent regulatory watchdog for data protection or consent guidelines that could be referred to in case of escalations or queries. As a result, the onus for complying lies completely on the data processors. And to reduce the risk, this translates to teams treating what-others-are-doing as the source of truth, rather than working out what-is-right.
An implication of the ambiguity is that, over time, it leads either to more conservative consent-taking practices to stay safe from regulators, or to outright disregard. An example of the latter is consent withdrawal: although the regulation expects that users be given an option to opt out of any previously accepted implicit or explicit consent, applications provide their users little in the way of consent withdrawal. Try to remember, for instance, the last time you were offered an option to opt out of a consent for sharing your data, outside of device permissions.
Implications of Insufficient Regulations
The direct implications of the above deficiencies are obvious and multiple.
One, the practical mechanics of obtaining consent are unclear, which leads to varying degrees of interpretation and implementation of the same consent type – hurting those that act more conservatively.
Two, the lack of a common regulatory watchdog sometimes leads to complete disregard of the laws, which impacts the data collection and usage of unaware users the most. Best case, you are bombarded with unwanted ads. Worst case, you are the target of endless spam calls and your data is free for public use. In either case, before users realise, the damage is done.
Third, the onus on corporate bodies as data processors to comply with guidelines is filled with risk for inexperienced teams, which must spend more on legal costs and tech bandwidth to comply with ambiguous data protection guidelines.
Way Forward
For those operating within the industry, the problems are consistent and part of a usual execution roadmap. But there must be ways to counter the issues. I will attempt to suggest how some of these gaps can be filled:
The types of consents in Fintech can be more granularly characterised, say for KYC, user communications, fetching of financial information, access to device-specific information, etc. The regulators can then further define reasonable practical methods for obtaining explicit consent for each categorised scenario. This will reduce overheads for teams and make for more consistent standards in the industry.
Secondly, the industry bodies should designate a single watchdog to which queries or concerns can be raised, allowing both corporate bodies and users a medium for grievance redressal. The data processing entities can also be asked to maintain audit trails for all such consents, including the timestamp, IP/Device ID, and the text and language of the consent shown. This would also make arbitration of any grievances easier.
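To make the audit-trail suggestion concrete, here is an added example (not code from the original post, and not any regulator's or account aggregator's specification) of an append-only consent ledger. Each record captures the user, consent type, grant or withdrawal, timestamp, IP and device ID, the language shown, and a SHA-256 hash of the exact consent wording, so the text can be reproduced in a dispute. Records are hash-chained so that a later edit or deletion is detectable when the chain is verified. It also shows the withdrawal case discussed earlier: the latest event for a user and consent type decides whether consent is currently active. The user IDs, device IDs, IP addresses (from the 203.0.113.0/24 documentation range) and consent texts are constructed sample values.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record


def text_hash(consent_text: str) -> str:
    """Hash of the exact wording shown to the user, so it can be reproduced in a grievance."""
    return hashlib.sha256(consent_text.encode("utf-8")).hexdigest()


def _record_hash(prev_hash: str, fields: dict) -> str:
    """Hash over the previous record's hash plus canonical JSON of this record's fields."""
    payload = prev_hash + json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Append-only, hash-chained log of consent grants and withdrawals (constructed example)."""

    def __init__(self):
        self.records = []

    def append(self, user_id, consent_type, action, timestamp, ip, device_id, language, consent_text):
        if action not in ("grant", "withdraw"):
            raise ValueError("action must be 'grant' or 'withdraw'")
        fields = {
            "user_id": user_id,
            "consent_type": consent_type,   # e.g. "bureau_access", "sms_read"
            "action": action,
            "timestamp": timestamp,         # ISO-8601 UTC, supplied by the caller
            "ip": ip,
            "device_id": device_id,
            "language": language,           # language the consent text was displayed in
            "text_hash": text_hash(consent_text),
        }
        prev_hash = self.records[-1]["record_hash"] if self.records else GENESIS
        record = dict(fields, prev_hash=prev_hash, record_hash=_record_hash(prev_hash, fields))
        self.records.append(record)
        return record

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited, reordered or removed record breaks the chain."""
        prev_hash = GENESIS
        for rec in self.records:
            fields = {k: v for k, v in rec.items() if k not in ("prev_hash", "record_hash")}
            if rec["prev_hash"] != prev_hash or rec["record_hash"] != _record_hash(prev_hash, fields):
                return False
            prev_hash = rec["record_hash"]
        return True

    def has_active_consent(self, user_id, consent_type) -> bool:
        """The latest event for this user and consent type decides; a withdrawal revokes a grant."""
        active = False
        for rec in self.records:
            if rec["user_id"] == user_id and rec["consent_type"] == consent_type:
                active = rec["action"] == "grant"
        return active

    def evidence(self, user_id, consent_type):
        """All events for this user and consent type, in order, to produce during arbitration."""
        return [r for r in self.records
                if r["user_id"] == user_id and r["consent_type"] == consent_type]


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample: a user grants two consents, then withdraws one of them."""
    ledger = ConsentLedger()
    bureau_text = "I authorise ExampleFin (hypothetical) to fetch my credit report for loan evaluation."
    sms_text = "I allow ExampleFin (hypothetical) to read transactional SMS to verify my income."
    ledger.append("u-1001", "bureau_access", "grant", "2024-03-01T10:15:00Z",
                  "203.0.113.7", "dev-ab12", "en", bureau_text)
    ledger.append("u-1001", "sms_read", "grant", "2024-03-01T10:16:30Z",
                  "203.0.113.7", "dev-ab12", "en", sms_text)
    ledger.append("u-1001", "bureau_access", "withdraw", "2024-04-02T08:00:00Z",
                  "203.0.113.9", "dev-ab12", "en", "I withdraw my consent for credit bureau access.")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain valid:", ledger.verify_chain())
    print("bureau consent active:", ledger.has_active_consent("u-1001", "bureau_access"))
    print("sms consent active:", ledger.has_active_consent("u-1001", "sms_read"))
    ledger.records[0]["action"] = "withdraw"   # simulate a silent edit to an old record
    print("chain valid after edit:", ledger.verify_chain())
```

Storing only the hash of the consent text keeps the ledger small while still binding each record to the exact wording; the consent texts themselves are versioned separately and looked up by hash when evidence is needed.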
Lastly, consents have remained largely the same since the beginning of the internet age, and there is potential to innovate by using mediums other than in-app. For example, on Android devices the consents could perhaps be provided centrally at the user level, without requiring each app to seek the same permissions or consents all over again. And, perhaps, teams can be encouraged to seek consents through other communication channels, including e-mail, WhatsApp, or third parties, similar to how account aggregators are expected to function. Bottom line: if the door is opened, I am sure there is room for smarter innovations in the consent management niche, and we can only hope that the regulators take the right steps forward.
If you have any views or feedback to share on the topic, feel free to add a response below or to share your thoughts with me over LinkedIn. In case you feel your friends or family would be interested in reading about payments, feel free to share the blog with them as well. See you in a couple of weeks!