Data privacy in digital lending faces rising judicial pushback in India

By Vriti Gothi

The Delhi High Court has sought a response from the Reserve Bank of India (RBI) following allegations of borrower data misuse by certain digital lending platforms, bringing renewed focus to data protection and consent management in India’s rapidly expanding digital credit ecosystem.

The notice comes amid growing concerns over how lending apps collect, process, and retain personal and financial data, particularly as digital lending adoption accelerates across underserved and first-time borrower segments. Regulators have increasingly flagged opaque data practices as a systemic risk, both from a consumer protection and financial stability perspective.

Prakarsh Paritosh, Principal Product Manager at IDfy, said,  “The Delhi High Court seeking the RBI’s response on alleged violations by certain digital lending platforms highlights an important and timely issue — the need for clear, lawful, and transparent use of personal data in regulated financial ecosystems. At the heart of the matter is consent. Under India’s Digital Personal Data Protection (DPDP) Act, consent must be explicit, purpose-specific, and time-bound. Users should clearly understand what data is being collected, for what purpose, and for how long. Broad or bundled permissions undermine both regulatory intent and consumer trust. It is important to recognise that lending apps and NBFCs operate in complex environments where data plays a legitimate role in underwriting, fraud prevention, and servicing.”

The DPDP Act has raised the bar for data accountability across regulated financial services, including non-banking financial companies (NBFCs) and FinTech lenders. While data plays a legitimate role in credit underwriting, fraud prevention, and servicing, regulators have cautioned against broad or bundled permissions that dilute user control and transparency.

As regulatory oversight tightens, FinTechs and lenders are being pushed to operationalise compliance rather than treat it as a policy exercise. According to industry observers, institutions that embed transparency and auditability into their data workflows are likely to gain both regulatory confidence and long-term customer trust.

Paritosh added, “The goal should not be to restrict responsible innovation, but to ensure that data usage is proportionate, transparent, and well-governed. At IDfy, we believe the right mental model is to design systems around transparency and trust. Through Privy, our DPDP compliance platform, we help organisations implement clear consent frameworks, purpose limitation, and auditability — enabling compliance to be operational, not theoretical. As regulatory oversight strengthens, organisations that proactively embed transparency into their data practices will be best positioned to earn long-term user trust and regulatory confidence.”

The RBI’s response to the court notice is expected to provide further clarity on supervisory expectations for borrower data protection, potentially shaping the next phase of governance standards for India’s digital lending sector.