In a new report, the Consumer Financial Protection Bureau (CFPB) said consumers may be vulnerable to payment and lending apps that monetize users’ behavioral and spending data. The Bureau said it is planning to draft regulations to protect consumers’ financial data rights.

Why should we care?
The CFPB could look to India to understand financial data-privacy regulations—and push for the expansion of these rules beyond fintech. This morning, the Reserve Bank of India (RBI) released guidelines for digital lending apps (DLAs), most notably specifying what kind of data these firms can extract from borrowers. Digital lending apps will now have to seek explicit consent from consumers before taking any of their data; all data will be “need-based,” according to the RBI. “DLAs should desist from accessing mobile phone resources such as file and media, contact list, call logs, telephony functions, etc.,” the guidelines read. “A one-time access can be taken for camera, microphone, location or any other facility necessary for the purpose of on-boarding/KYC requirements only with the explicit consent of the borrower.” The RBI also suggests borrowers should be allowed to rescind access to certain types of data or delete data that’s already been collected. While a host of factors differentiate the US lending landscape from India’s—including the greater political power of data-selling tech companies in the US compared to India, which may weaken the CFPB’s arsenal—the CFPB may choose opt-in regulations as a keystone to its financial data protection rules. How DLAs in India respond to the RBI’s guidelines can further inform US regulations as well.