  • Reetika Gupta

How to draft and review a privacy policy

A privacy policy is a legal document that business owners in India are legally required to publish on their websites or mobile apps, mainly to notify users about (i) the information that they collect, whether directly or indirectly; (ii) the purpose for which it is collected; (iii) how they process, protect, use, and share that information; and (iv) how users can update, manage, and delete that information.


Generally speaking, the drafting of a privacy policy depends upon the data and privacy laws applicable to the region or territory where the users reside, irrespective of whether the business has a presence in that region. Hence, it is crucial to first list the territories where the services are targeted or made accessible, in order to ascertain the requirements across geographical boundaries and legal jurisdictions. Currently in India, the privacy policy needs to be drafted in compliance with the Information Technology Act, 2000 and the Rules made thereunder.


These are the most basic checklist points that every privacy policy must include:

  • Who owns and operates the Website or App?

  • Who does the Privacy Policy apply to? Online users or even the entities/ individuals engaged through email or other means?

  • What information is being collected? Do you have the express consent of the user to collect their personal information?

  • How is that information collected? What are the types of backend technology or cookies used?

  • How is the information used? Marketing purposes? Audit, billing, and compliance purposes?

  • Which third party(ies) will have access to the information? Does the privacy policy provide links to other sites? If yes, do you have a disclaimer for use of information by such a third party?

  • What are the security measures adopted to protect the users’ information?

  • What is the information retention policy or period?

  • Mention the effective date of the Privacy Policy and how and when revisions made to the Policy will become applicable to existing users.

  • Does it mention the name and contact details of the Grievance Officer? Is a grievance redressal mechanism formulated?

It is advisable to use the clickwrap method to enforce the privacy policy. Under this method, the users are informed of the legal and binding nature of the Privacy Policy and requested to click a checkbox or linked button to show their acceptance of the terms contained therein. Also, it is important that the link to the Privacy Policy is displayed at a conspicuous place on the website or mobile app where the users can easily access or see it, such as in the footer, on subscription pages, and in pop-ups.


