Privacy Policy

A privacy policy is a legal document that outlines how a company or organisation collects, uses, stores, and protects personal information collected from its users or customers. It typically includes information such as the types of data collected, how the data is used, who it is shared with, how it is secured, and users' rights regarding their personal data. A privacy policy is required by law in many countries, including India, and is important in building trust with users by demonstrating the company's commitment to protecting their privacy.

Overview

Privacy policies usually cover a range of topics, including:

  • Personal Information: The types of personal information collected, such as name, email address, phone number, and payment information.
  • Collection: How personal information is collected, such as through website forms, cookies, or social media platforms.
  • Use: How the personal information is used, such as to provide services, communicate with users or personalize the user experience.
  • Sharing: Whether the personal information is shared with third parties, and if so, with whom and for what purposes.
  • Storage: How personal information is stored and protected, including security measures to prevent unauthorized access, use, or disclosure.
  • Access and Correction: Users' rights to access and correct their personal information.
  • Opt-Out: Users' rights to opt out of certain uses of their personal information, such as marketing communications or data sharing.
  • Legal Compliance: Compliance with applicable laws and regulations related to privacy and data protection.
  • Changes to Policy: Notification and procedures for changes to the privacy policy.
  • Contact Information: Contact information for users to request access or correction of their personal information or to make complaints about privacy practices.

Is it necessary for Indian websites to have a privacy policy?

Yes, it is necessary for Indian websites to have a privacy policy as per the provisions of the Indian Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under the Information Technology Act, 2000. Under the rules, any entity collecting, using, or storing sensitive personal data or information of individuals must provide a privacy policy that details the types of information collected, the purpose of collection, the intended recipients of the information, and the security practices and procedures in place to protect the information. Sensitive personal data or information includes information such as passwords, financial information, health information, biometric information, and other such information that is likely to cause harm if it is disclosed or used inappropriately. Therefore, if an Indian website collects or processes any sensitive personal data or information of individuals, it is mandatory to have a privacy policy in place to comply with the legal requirements and to build trust with the users.

What is GDPR and how does it affect Indian websites' privacy policies?

The General Data Protection Regulation (GDPR) is a privacy regulation that came into effect in the European Union (EU) in May 2018. It governs the processing of the personal data of EU & EEU residents, regardless of where the processing takes place. This policy has also been retained by the UK as the UK GDPR. The GDPR gives individuals greater control over their personal data and imposes obligations on businesses that collect, process, or store personal data. While Indian websites are not directly subject to the GDPR, they may still need to comply with its provisions if they process the personal data of individuals who are located in the EU, EEU & UK. This is because the GDPR applies extraterritorially, meaning that it applies to businesses outside the EU that offer goods or services to individuals in the EU, EEU & UK or monitor their behavior. If an Indian website collects, processes, or stores the personal data of individuals who are located in the EU, EEU & UK, it may be required to comply with certain GDPR provisions, such as providing certain disclosures in its privacy policy, obtaining consent for data processing, implementing appropriate security measures, and responding to data subject requests. Therefore, Indian websites that collect personal data of individuals in the EU, EEU & UK should consider reviewing their privacy policies to ensure compliance with the GDPR requirements to avoid any potential liability.

Applicable Law

India has a data protection law in place called the Personal Data Protection Bill, 2019. The bill was introduced in the Indian Parliament in December 2019 and is currently under review by a parliamentary committee. Once enacted, the bill will replace the current data protection framework in India, which is based on the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under the Information Technology Act, 2000. The bill seeks to provide a more comprehensive and robust framework for the protection of personal data in India. The key provisions of the bill include the establishment of a data protection authority, the imposition of penalties for non-compliance, the recognition of the right to be forgotten, the requirement for consent for data processing, and the restriction on cross-border transfer of personal data. The future prospects of the bill are promising, as it is expected to bring India's data protection framework in line with international standards such as the EU's General Data Protection Regulation (GDPR) and provide a more secure and predictable environment for businesses operating in India. However, there are still some concerns regarding the bill's scope, enforcement, and impact on businesses, and these will need to be addressed before the bill is enacted.

Why should you have a privacy policy for your website?

There are several reasons why you should have a privacy policy for your website, including:

  • Legal compliance: In many countries, including India, having a privacy policy is a legal requirement if your website collects or processes any personal data of users.
  • Transparency: A privacy policy provides transparency to your users by explaining what personal data is collected, how it is used, and who it is shared with. This can help to build trust with your users and establish credibility for your business.
  • Protection against liability: A privacy policy can help to protect your business against liability in case of a data breach or misuse of personal data by providing a clear framework for how personal data is collected, processed, and secured.
  • Competitive advantage: Having a comprehensive and user-friendly privacy policy can be a competitive advantage for your business, as it can demonstrate your commitment to protecting user privacy and differentiate your business from competitors.
  • Marketing benefits: By providing users with the information they need to make informed decisions about sharing their personal data, a privacy policy can help to enhance the user experience on your website and improve conversion rates.

Governing Acts

The privacy policy on a website in India is governed by several laws and regulations, including:

  • The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: These rules were issued under the Information Technology Act, 2000 and prescribe the minimum standards for the collection, use, storage, and transfer of sensitive personal data or information.
  • The Indian Contract Act, 1872: This law governs the terms of the contract between the website owner and the user and requires that the terms of the contract be fair, reasonable, and not against public policy.
  • The Consumer Protection Act, 2019: This law provides for the protection of consumers' rights and interests, including the right to privacy, and imposes obligations on businesses to provide clear and transparent information to consumers.
  • The Personal Data Protection Bill, 2019: This is a proposed data protection law that seeks to provide a comprehensive and robust framework for the protection of personal data in India.

Why approach LAWYASA?

  • Access to experienced lawyers: Lawyasa's platform allows you to connect with experienced lawyers who specialize in IT law services. Our lawyers have a deep understanding of the legal issues that businesses face in the digital world.
  • Convenient: Lawyasa's platform allows you to access legal services from the comfort of your home or office. You can easily connect with a lawyer through our website or mobile app.
  • Wide range of IT law services: Lawyasa's network of lawyers provides a wide range of IT law services, including drafting and reviewing website terms and conditions, privacy policies, data protection, e-commerce, and intellectual property rights.
  • Customized solutions: Lawyasa's lawyers provide customized solutions tailored to your business needs. We take the time to understand your business and provide legal advice that is practical and actionable.

How can LAWYASA assist?

Lawyasa can assist you in drafting and delivering a privacy policy for your website in India in the following ways:

  • Drafting a comprehensive privacy policy: Our team of experienced lawyers can help you draft a privacy policy that is tailored to your specific website and industry, and that complies with all applicable laws and regulations in India.
  • Reviewing your existing privacy policy: If you already have a privacy policy, we can review it to ensure that it is up-to-date and complies with all applicable laws and regulations.
  • Providing legal advice: Our team can provide you with legal advice on best practices for privacy policies, including how to obtain user consent, how to handle sensitive personal information, and how to ensure compliance with data protection laws.
  • Updating your privacy policy: We can help you update your privacy policy in case of any changes to your website or data collection practices, or in case of changes to the legal and regulatory environment in India.
  • Training your employees: Our team can conduct training sessions for your employees to ensure that they understand the importance of privacy policies and data protection, and are aware of their obligations under the law.

Frequently Asked Questions

Q: What is the purpose of a privacy policy?

Q: Is it mandatory for websites in India to have a privacy policy?

Q: What information should be included in a privacy policy?

Q: Can a privacy policy be updated or modified?

Q: Can a website owner be held liable for not having a privacy policy?

Q: Can a privacy policy be used to obtain user consent?

Q: What are the penalties for violating a privacy policy?

Q: Can a privacy policy be enforced against third-party service providers?

Q: How can users exercise their rights under a privacy policy?

Q: How can a website owner ensure compliance with privacy laws and regulations in India?

See what our clients say about us ...

“Lawyasa exceeded my expectations. They were extremely thorough in their analysis of my legal issue and provided me with clear and concise guidance. Their team was always available to answer my questions and provide updates.”

Paresh Garg,
Co founder, United Force Healthcare Pvt Ltd.

Brilliant Legal Team Safeguards Space Group's Operations Efficiently

The legal advice & paperwork the team gives is brilliant & they have helped us to remain protective on a lot of our company work here at Space Group. I highly recommend this legal team & that they are super fast at drafting & vetting documents with sound knowledge of the legal compliances.

Shivam Gupta

CEO, Space India

Awesome Insights for De-risking Small Business Contracts

Matisha and her team are simply awesome. Her insights helped me identify risks and aspects of my business that I was missing. Extremely customer focussed and an absolute asset for small business owners looking to de-risk their legal contracts.

Mithun Raj

Founder, Sales Panther

Excellent Law Firm for Pvt Ltd Company Incorporation!

I had a fantastic experience with the team while incorporating my Pvt Ltd company. Team Lawyasa is highly knowledgeable, efficient, and provided exceptional guidance throughout the entire process. I highly recommend their services for anyone seeking a seamless company incorporation.

Brijesh Kumar

Co founder, WhiteChalk