A large telecom operator (TSP) partners with a fintech to build a co-branded UPI app (TPAP). The app uses the TSP's customer verification API, accesses location, and ingests call frequency/top-up data to compute an alternative credit score. This score is sold to lending partners. The customer's original consent was at SIM activation for "service improvement and partner offers."

Does the SIM activation "partner offers" consent cover use of call metadata for credit scoring?

§6 of the DPDP Act requires consent to be "specific" and "informed." A SIM activation consent for "service improvement and partner offers" was not specific to credit scoring, sharing with a fintech, or use of call frequency for financial risk assessment. Fresh, granular consent must be obtained at app installation.

The fintech's credit score is sold to third-party lenders. Lawful, and does the customer need to consent to each lender?

A pure numerical score with no personal identifiers may qualify as anonymised data — not "personal data" sharing if the lender cannot link it to an identified individual. In practice, most credit score products sold to lenders are identity-linked, making it personal data sharing requiring: (a) original consent covering lending partners, and (b) each lender acting as its own Fiduciary.

Can a customer stop data sharing with the fintech while remaining a TSP subscriber?

Yes — and the TSP must honour this request. Under §6(4), withdrawal of consent cannot be conditional on surrendering a separate service. The right to withdraw TPAP data sharing must not be contingent on closing the telecom account.

The TSP must implement a granular consent management interface allowing customers to independently revoke UPI app data sharing, credit score sharing, and marketing use — without affecting core telecom service. The TSP's consent system must propagate withdrawal in near-real-time to the fintech's API access.