A recent report by IDfy, an integrated identity verification and digital onboarding platform, has shed light on data privacy practices among India’s top 10 banks. According to the report, nine out of ten banks surveyed were found to have misleading or unclear privacy policies, with none providing policies in 22 languages.
Several banks in the country are failing to collect the user consent mandated by the Digital Personal Data Protection (DPDP) Act, it said.
The investigation revealed that eight out of ten banks surveyed do not specify the personally identifiable information (PII) data collected in their privacy policies. This includes crucial information such as account numbers, Permanent Account Numbers (PAN), and Aadhaar numbers. Furthermore, banks were found to be violating data minimisation provisions by collecting unnecessary data from customers, including details like employer’s name, work email ID, religion, and caste during the account opening process.
The report emphasised the importance of responsible use of PII to maintain customer trust, urging brands to reassess their data usage practices.
Sensitive data
The report also highlighted concerns regarding the vulnerability of sensitive PII data, particularly in the context of education loans, where 75% of the data collected was deemed sensitive. Additionally, it was found that nine out of ten banks lacked a cookie consent banner, and a mere 7% of the cookies identified were deemed necessary.
Furthermore, the report revealed lapses in obtaining parental consent for processing minors’ data, with none of the banks addressing this requirement. Additionally, five out of ten banks failed to specify the purpose when seeking consent to share data with third parties.
These findings underscore the urgent need for banks to reassess their data privacy practices and ensure compliance with the DPDP Act. As the government works on finalising the DPDP rules, greater clarity is expected to guide companies in implementing robust data protection measures.