UPI Payments Expose User Phone Numbers
A privacy issue in India's Unified Payments Interface (UPI) has been highlighted: every transaction shares the payer's phone number with the merchant by design. This practice adds user data to merchant databases without explicit consent, raising concerns about data privacy and trust, particularly in hyperlocal commerce environments.
The practice of sharing a user's phone number with a merchant is an inherent part of the UPI architecture, not a bug. This data is shared with all seven parties involved in a typical transaction, which can include the payer's app, the payer's bank, the merchant's bank, and the National Payments Corporation of India (NPCI). This design has been in place since the introduction of UPI 2.0 in 2018. This data-sharing model contributes to UPI's ability to operate without transaction fees, unlike card networks that have stringent data storage standards like PCI DSS. However, this has led to user data, including private phone numbers not intended for public sharing, being "leaked" to merchants and subsequently used for marketing or becoming targets for spam.
In response to growing privacy concerns, some platforms like Paytm now allow users to create personalized UPI IDs that are not linked to their mobile numbers. This allows users to hide their phone number during transactions by using a custom handle instead of the default mobile-number-based ID. Users on other platforms can also manually change their Virtual Payment Address (VPA) to a more randomized option to avoid exposing their phone number.
The National Payments Corporation of India (NPCI) has introduced new guidelines, effective March 31, 2025, that aim to enhance security and user control. These rules mandate that UPI apps must obtain explicit, opt-in user consent before assigning or updating a numeric UPI ID linked to a phone number. This prevents consent from being assumed or collected under pressure during a transaction.
Furthermore, the updated directives require banks and payment apps to verify and update their mobile number records weekly using the Mobile Number Revocation List (MNRL). This is designed to reduce transaction errors and fraud risks associated with recycled or deactivated mobile numbers that get reassigned to new users.
Despite these measures, the fundamental architecture that shares transaction data across multiple entities remains. The legal framework governing this data includes the Information Technology Act, 2000, and the forthcoming Digital Personal Data Protection Act, 2023, which aims to give users more control over their personal information. Within this framework, the NPCI is considered the "data fiduciary," determining the scope of data processing for all entities in the UPI ecosystem.