Can You Sue a Fintech App for Privacy Violation in India?

Data privacy is now a major problem due to the growth of fintech apps and digital lending businesses in India. Under the pretence of authorisation, several apps ask for access to private data, including contacts, messages, location information, and images.
Not all users, meanwhile, are aware of the legal restrictions on this kind of data collection. This article uses case law, regulatory frameworks, and statutory provisions to investigate whether it is possible to sue a fintech app for privacy infringement in India.

Understanding Digital Consent under Indian IT Law

Data privacy is fundamentally based on consent, which is often hidden in long and complex terms and conditions in the digital world. The Information Technology (IT) Act, 2000—especially after the 2008 amendment—mandates that personal data cannot be collected, stored, or disclosed without the informed consent of the individual. Consent must be meaningful and transparent, not merely a tick-box on a pop-up screen.
Unfortunately, this grey area is exploited by several fintech apps, which collect excessive personal information without clearly stating the purpose, scope, or potential risks to users.

How Unauthorised Access to Contacts Can Be Illegal

Access to the phone contacts of the borrower is probably one of the most popular criticisms of fintech apps. After accessing these details, they usually blackmail or embarrass the borrower (by calling and messaging their relatives, friends or colleagues), as the latter is pressured to repay. Privacy and Defamation may arise to a certain extent from such practices. The action can also be in breach of Article 21 of the Constitution of India that safeguards the right to privacy in the form of a fundamental right (Justice K.S. Puttaswamy vs. Union of India, 2017). Also, the Reserve Bank of India has cautioned NBFCs and digital lenders against the adoption of such extreme recovery practices.

Filing a Complaint Under Sections 43A and 72A of the IT Act

Any corporate body that fails to secure sensitive personal data and causes an individual’s loss or damage is obligated to pay compensation, according to Section 43A of the IT Act. Unauthorised sharing of personal information is addressed in Section 72A, which carries a maximum sentence of three years in prison, a maximum fine of ₹5 lakh, or both.
Aggrieved individuals can file complaints with the adjudicating officer under the IT Act or approach civil courts. In extreme circumstances, the local cyber police may also receive complaints under Section 72A.

RBI’s Data Protection Framework for NBFCs

The RBI’s Digital Lending Guidelines (August 2022) require explicit consent from borrowers before collecting personally identifiable information. Contact lists, messages, and call logs can only be accessed and stored if strictly necessary and agreed upon. Violating these norms may lead to penalties, withdrawal of licenses, or being listed as a defaulter. Borrowers may escalate complaints under the Integrated Ombudsman Scheme, 2021.

Case Study: Crossing the Line

Numerous unregulated digital lending apps harassed consumers in 2021–2022 by gaining unauthorised access to their contact lists. Threats, blackmail, and public humiliation via WhatsApp messaging were examples of forceful recovery techniques. Tragic outcomes, including borrower suicides, were documented in Telangana and Maharashtra FIRs. Stricter enforcement and more public awareness resulted from the delisting of hundreds of such apps from the Google Play Store.

Conclusion

It is not only feasible but also required to file a lawsuit against fintech apps for privacy violations. The Constitution, the IT Act, and RBI regulations all provide for accountability for these platforms. Both civil and criminal remedies are available to those whose data is exploited. Ensuring ethical standards in India’s fintech industry requires protecting consumer rights in digital lending.