Following up on consent-less auto fetch privacy violations in BBPS

Srikanth @logic
Mar 2, 2020


In October 2018, CashlessConsumer brought to your attention a privacy breach in BBPS[1]: the non-consensual retrieval of consumers' bill data by various apps / bill payment services operated by several authorized agents.

We wrote a letter to BPSS, RBI, and copied the CEOs of NPCI and of the entities violating consent.

Cashless Consumer letter to members of BPSS, RBI copied to NPCI, PayTM, PayUMoney, Google Pay, HDFC Bank

NPCI, on its part, issued a circular that the BBPS ecosystem of BBPSOUs and their agent partners must comply with from 1.1.2019.

NPCI Circular to BBPS Operating Units on need for customer consent

However, even after a year, we still find several apps / services that neither take consent for auto-fetch nor provide an option to opt out; instead, we have found that the incidents have only increased. This is further evident from the statistics published by NPCI.

Bill Fetch to Bill Payment Ratio increased to 5x of bill payments using BBPS in 2019

In this context, even as the Personal Data Protection Bill, 2019 has been sent to a Select Committee of Parliament, we are urging RBI and NPCI to provide a detailed public report on the incident and to take steps to prevent such unfettered data mining by private entities that build credit profiles of individuals using bill data.

CashlessConsumer followup letter to BPSS & CGM DPSS, RBI and CEO & Project Officer BBPS, NPCI