Bengaluru — When you sign up for an app in India, it’s often for life. Most Indian companies don’t let users delete their accounts — at the most, users can disable the account to prevent its misuse. Stockpiling sensitive personal data is a vital part of the business model of most companies, and they are not interested in letting go.
HuffPost reached out to some of India’s most popular apps: Paytm, Flipkart, Phone Pe, Zomato, Swiggy, Practo, Ola, Cleartrip, and BookMyShow to ask them if it was possible for users to delete personal information associated with their accounts. Only Cleartrip responded with a “yes”; Zomato did not respond but appears to let users delete their account.
The rest simply did not respond.
This is obviously a problem, and something that Raman Jit Singh Chima – Policy Director at digital rights advocacy group Access Now – says is required in most markets, and even in Indian law, “you should have the right to do this,” Chima adds.
“It’s a big concern and something that we have been talking about, and the other thing that almost no Indian tech company is doing is releasing transparency reports,” he says, “nearly no one gives this data of how many times the government asked for user data, or what data was given, while almost all the global companies do this. There are a few exceptions anecdotally, but this does not exist as an industry standard.”
The question of who has the right to archive personal user data gathered urgency earlier this month when a media exposé led some users to delete the Paytm app, only to find they couldn’t.
Finally, Paytm CEO Vijay Shekhar Sharma stepped up to clarify that anyone can delete their account from the help section of the app. Except, once again, this does not seem to have been the case – as plenty of tweets would show.
‘So which was it? Paytm has not officially responded to requests for comment, although one of the company’s employees we spoke to insisted that deleting an account was always possible. When we brought up the responses that Paytm had been giving on social media, they said they aren’t sure why the official handle had tweeted accounts could only be disabled, but reiterated that the feature was not something new.
The problem isn’t limited to Paytm. Almost no Indian company wants to talk about what it’s doing to your data.
Fellow wallet company PhonePe also drew attention for not letting users delete their accounts. Once this was brought up on Twitter, PhonePe CEO Sameer Nigam tweeted a clarification explaining that you can delete linked bank accounts yourself, while the PhonePe wallet can be deleted by contacting customer service. However, even if you do so, all transaction history is archived by PhonePe for 10 years, by an RBI directive.
PhonePe – and its parent company, the now Walmart-owned Flipkart – has also not officially responded to our questions about its data policy. A Flipkart employee who is not empowered to speak for the company did say that the company follows all legal requirements. On Flipkart’s website, you can deactivate your account (not delete it) and the page mentions: “Flipkart retains your account data for you to conveniently start off from where you left, if you decide to reactivate your account.”
Manjunath K., a B. Tech student in Bengaluru, said that he had a similar experience with Foodpanda, although after some back and forth in conversation with the customer service team, he was told that his account was deleted.\
Of course, with the lack of any transparency reports, or legal provisions to ensure that such actions are taken, end users have no way of knowing whether their accounts are actually deleted, or if their data is still being retained.
Popular food delivery service Swiggy did not respond either, but it’s app and website again don’t show any way to delete your information. Others whom we reached out to included Zomato, Practo, Ola, Cleartrip, and BookMyShow. Spanning food, health, transport, travel and entertainment, these are all companies that many of us will interact with on a daily bases. Out of all of these, only one responded, and only two appear to allow you to delete your data.
“We have had the account delete feature since 2014. It was built in response to customer requests where our customers wanted the ability to have greater control of their data,” says Suman De, Director of Products – Accommodation, Activities and Platforms, at Cleartrip. “When a user account is deleted, all personal information (like name, mobile number, frequent flyer numbers), saved travellers and saved cards are deleted from our system. All past and future trip information is also delinked from the user email.”
“The user can sign-up again with the same email id but she won’t be able to access her old trips anymore,” he added. “The booking history of the user though will continue to persist for audit requirements. Cleartrip has always been fanatic about protecting a user’s privacy and we built in mechanisms to give users the control of their information long before the current focus on privacy.”
The other company, which did not respond to an emailed query, but does allow users to delete their accounts, is Zomato. You don’t need to message customer service or take any roundabout steps. In both Zomato and Cleartrip, you can go to your profile, check the settings and delete your account.
However, apart from a few exceptions like these, the rule in Indian services is to let the user in, and then never let them go. We have written to the Internet and Mobile Association of India, a not-for-profit industry body, to ask for its comments on this issue as well, and will update the piece if we get a response.
It’s very different for international companies. Uber, Amazon, and others all allow you to delete your accounts. This is thanks to the European General Data Protection Regulation (GDPR), which came into effect recently. All international companies – at least ones who have users in Europe – have to comply to these regulations, which (very simply) say that users can access their data, get a copy of it, and delete it if they want.
Indian companies are under no such obligation unless they are serving customers in Europe, so most have not bothered. They’ve been collecting huge amounts of personal data, and using it to build their business models. This could change in the near future, as the Justice Srikrishna committee report on data protection is expected within about a week’s time by most, and it will help define what tech companies – and others, including the government – can and cannot do.