Yesterday, I made a post on the need for “Auto Renewals” to stop as per DPDPA. This post elicited the following response on LinkedIn from one of the followers, which has opened up further interesting discussions.
Quote:
RBI has/had guidelines that allowed banks to auto renew fixed deposits. Is that gone? Has RBI updated its guideline?
Unquote
This was a good observation. I had made my comment in a different context, but it did apply to contracts such as FD renewal, where “auto renewal” without notice could also have adverse consequences. I have personally experienced such inconvenience in the past, when a joint account was auto renewed by a bank without prior information, locking the premature closure for a further period of renewal, which I thought was unfair.
I therefore wanted to clarify the context of my earlier comment so that there is no misunderstanding of my post:
In this post I was referring to the privacy-related consents where a service is provided with an auto renewal option, and in particular to a situation involving online subscription of an information service. In such cases, when the service is due, the auto renewal triggers a financial debit which the consumer/data principal may not want. In such circumstances, the data fiduciary/service provider falling back on the auto renewal clause is an unfair implementation of the consent requirement under DPDPA 2023.
Further, DPDPA 2023 requires renewal of consent for all legacy data principals, and hence auto renewal per se is no longer valid.
DPDPA brings in two important changes to the system of obtaining an informed consent. First, any consent should be capable of being withdrawn. If the withdrawal results in any adverse consequences to the data fiduciary, they should be borne by the data principal. If cancellation genuinely requires a certain time, it should be allowed.
However, the ease of placing the withdrawal request should be comparable to the granting of consent. If I can order a product or service at a single click, it should be withdrawable by a single click.
CERT-In guidelines under ITA 2000 have said that the privacy policy needs to be renewed once a year. Also, purpose-oriented consent has to be clear and fairly obtained, whereas in many cases it is deceptively obtained. This needs to stop.
The FD renewal should also ideally include a pre-auto-renewal notification at least 24 hours prior to renewal, stating to the effect:
“Your FD would mature and fall due in the next 24 hours. It would be renewed as per your current instructions unless you indicate new disposal instructions. You can indicate your disposal instructions by clicking the following button…” etc.
In the case of the FD, it can be closed anytime even after renewal, though with an interest reduction. The interest reduction can be justified under the reasonable adverse loss of the data fiduciary, which should be borne by the depositor or the data principal. Hence it is compatible with DPDPA.
My comment was specifically made in respect of a subscription of Moneycontrol Pro by e-eighteen.com, which is refusing to stop the annual subscription even when requested one day prior to the due date and is charging for the entire year ahead. This is unfair and violative of DPDPA 2023, for which e-eighteen.com could be penalized under DPDPA 2023.
While the stoppage of subscription does not impose any inconvenience on Moneycontrol, their refusal is just greedy exploitation of an earlier consent. There is no inconvenience to Moneycontrol and they want to postpone the decision by another one year. This is “dark pattern” consent, which is unethical and needs to be flagged.
This sort of privacy contract needs to stop.
I have served a notice on the DPO of e-eighteen.com and the grievance redressal officer of nw.18, and no satisfactory resolution has been received so far. I reserve my right to raise this dispute at the appropriate time.
There are many such “Auto renewal” contracts that need to be reset. While it is not the intention of naavi.org to inconvenience businesses, the need to take prior consent to use auto renewal clauses of an earlier era needs to be flagged, and DPB will have to act in this regard.
Naavi