Asking for consent is a morally correct way of living peacefully and lovingly in a civilization. Today, when everyone is on the internet, businesses either do not bother or are unaware of the fact that they are legally bound to explain to their website users that their personal and/or sensitive data is being collected through their website and stored at the business's backend. Keeping this in mind, nations have developed their own set of privacy rules and regulations to protect user data from being exploited.
The Right to Privacy is defined under Article 21 of the Indian Constitution. In the landmark case of K.S. Puttaswamy v. Union of India, 2017, the Hon'ble Supreme Court, upholding the constitutional validity of the Aadhaar project, declared the Right to Privacy a fundamental right. Most countries worldwide consider data privacy a serious issue; hence they have formulated a set of guidelines for data protection.
A Privacy Policy is a legal webpage on a website that explains why and how you are collecting user data. It is a legally binding agreement. It is a sheet of transparency and choice between the user and the website. Having a Privacy Policy webpage is not a formality but a legal requirement under the guidelines of the Information Technology Act 2000. It is a compulsion for all sorts of businesses, traders, e-commerce, and bloggers to have a detailed Privacy Policy on their websites.
The primary need for a Privacy Policy is to comply with the legal provisions. Since websites are used worldwide, the privacy policy must comply with the laws of the country where the website's consumers are. The USA has the Children Online Privacy Protection Act (COPPA) and California Consumer Protection Act (CCPA) to set strict guidelines regarding the minimum required age of the user to access the website, cookie policy, option to opt out, etc. Europe and, to some extent, India follow the General Data Protection Regulation (GDPR), which describes the rights of the users, like the type of user data a website is collecting and how it is using and securing the information.
Drafting a privacy policy is not just about copy-pasting the drafts and samples. It is a blend of research, writing, editing, and proofreading. While drafting the Privacy Policy, the following are the key heads that must be included with clear descriptions such that a layman can understand what the business is trying to convey:
Post the judgment in re Puttaswamy, the Justice AP Shah Committee was organized in 2012 to discuss privacy issues in India and frame regulations. The following nine privacy principles were set out:
Till 2018, personal data was governed by the rules of Sensitive Personal Data and Information of IT Rules, 2011. The Indian government introduced the Personal Data Protection Bill in 2018 to have a stringent hold on data privacy. The bill applies to Indians, businesses operated in India, and the government. Chapter VI - Data Principal Rights mentions the following rights of the data principal:
Under PDPA, there are 3 types of data: sensitive data (health details, sexual orientation, caste, religion), critical data (such as military or national security data), and general data. Penalties for a data breach or minor violations of PDPA could reach 5 crore rupees or 2% of a company's global revenues, while the penalties would triple or reach 4% of revenues in case of major violations.
There are some challenges that a company might face because of an unclear Privacy Policy: