In this article, we discuss how the consent requirement under the new data law interplays with the use of data by fintechs to cross-sell/up-sell other products.

Continuing on the fintech and DPDP series, our partners Sreenidhi Srinivasan and Aparajita Srivastava speak about using data (collected for one purpose) to cross-sell/up-sell other products. For example, what if, as a platform, you'd like to use a customer's payments/transaction data to cross-sell an insurance product?

Cross-selling is a common platform strategy. Digital payment platforms, like UPI or PPI (e-wallet) providers, are a cash-burn business. Platforms dole out massive cashbacks and incentives to acquire and maintain an active user base. So, you build a payments business which serves as a data mine. You gather large amounts of data about your users and merchants. And then use this data to cross-sell other more lucrative products. Like loans, investments, and insurance. Your entire payments business is 'customer acquisition cost' for another business – another product.

Till now, platforms could simply stuff this in their T&Cs. And take a kitchen-sink consent to use data whenever and however they pleased.

But this approach will no longer cut it. Under the DPDP Act, you can only use data for the purpose consented to by the user. To get their consent, you must ask your customer "Hi, I want to use your data, may I? Read this easy-peasy bullet-point notice, it will tell you about the data I want to collect and why; aka the 'purpose' for which I will use the data."

Now the consent must be clear and specific – if you took my data to facilitate a payment transaction, you can justify using it for chargeback, fraud, refund, and other disputes. All of this is connected to a single purpose. You need not get separate consent for each of these use cases. But if the purpose was too broad – kitchen sink-ish – it won't cut it. It all depends on whether you can show clear and specific consent for a defined purpose.

But what if you want to use the payment data for a completely different purpose? Like cross-selling an insurance product. Read on.

  • If you take one consent from the customer, where the customer says – "You can use my data to give me this service and show me new products of yours or your partners'" – this bundled consent may not cut it. But if the user says, "You can use my data to give me this service" and through a different checkbox "You can use my data to send me new offers or new products" – this may work.
  • If the new purpose is an afterthought, in that, you never mentioned it in your original notice (to the user), then no, you can't use it. You must again ask the customer some variation of – "Hey customer, we want to show you new product offers. Can we do that? Some of these products are sold by our partners. Can our partners contact you?"

Cross-selling also has two parts: First, showing the customer personalised ads/prompts/offers for the new product. Second, the user journey once a user discovers and engages with the prompt. In the latter, the user is already engaging with the platform – so you can give notice and take consent at this point. But in the former, the user has not yet engaged with the new product offering – you only want to show her a personalised prompt – so there is no opportunity to take consent or give notice. That's when things get tricky.

So, while data use for cross-selling is not prohibited, it must be supported through appropriate controls, UI/UX changes, consent forms or records. Some of these could introduce friction in the customer journey, but carefully tailored design solutions could minimise such friction and at the same time provide relevant information for users to make meaningful choices.
