“Privacy is not an option and it shouldn’t be the price we accept for just getting on the internet.” - Gary Kovacs


In today’s world, where the internet connects every part of the globe, the corporate world has kept pace with that change. The internet has widened the opportunities for businesses to reach a far larger number of people, both within and beyond their own territory. No business wants to miss the chance to go beyond its current bounds and grow by reaching an incalculable number of individuals. That is why, regardless of the size or nature of the organisation, every business entity now has a website. Without a doubt, a website serves the entity’s business to some extent, but simply selling things on the internet is no longer sufficient.

Websites also collect client information, either through a ‘Login’ option or by having the client fill out a ‘Form’, with the goal of analysing and understanding the client: their choices, tastes, interests, preferences, and so on. The corporate entity may also use such data and analysis to advertise or promote new or existing products or services, both to existing clients and to prospective clients whom it contacts using information supplied, intentionally or unwittingly, by its clients or by visitors to its websites.

Collecting such personal data from people and using it for business purposes is an effective way to promote and expand a firm, but only if the people sharing the data are aware of it. It would be a serious infraction if the business entity used personal information for its own benefit or otherwise without the knowledge of the people who provided it, or if such information were shared without their knowledge.

As a result, it is always beneficial for a website to have a Privacy Policy, to protect the company from unsolicited and unintended penalties and sanctions.[i]

What is a privacy policy?

A privacy policy is a legal document which describes how the startup/website intends to receive and utilize consumer data.

The startup’s privacy policy explains how it uses and safeguards any personal information you supply while using its services. People want to know that using your services won’t cost them their privacy. A well-defined privacy policy protects a startup/website against avoidable legal disputes.

What is Sensitive Information?

Any data that is freely available in the public domain, or that is disclosed under the Right to Information Act, 2005 or any other law in force, cannot be classified as sensitive personal data.

However, the information that is deemed sensitive personal data under the Information Technology Rules, where the Information Technology Act applies, is as follows:

– Individual information, not entity information;

– Financial information: bank account, credit card, debit card, or other payment instrument details;

– Biometric information;

– Medical history and records;

– State of physical, physiological, and mental health;

– Sexual preference.

Essential ingredients of Privacy Policy

A privacy policy must be prominently displayed on any website that collects, receives, possesses, stores, deals with, or handles information, according to the Information Technology Rules. It should include:

1. Disclosure of information, including sensitive personal data or information, if applicable, with clear and easily comprehensible explanations of its practices and policies;

2. The reasonable security practices and procedures used;

3. The purpose of collecting and using such information;

4. The type of personal or sensitive personal data or information gathered; and

5. An assurance that the information is updated on a regular basis in order to stay current with changing standards.[ii]

Legal aspects

The ‘Information Technology Act, 2000 (IT Act 2000)’ contains India’s privacy policy rules. The Act was amended to include provisions ensuring that citizens’ “privacy” is protected and that those who take unfair advantage of such information are punished. Section 43A provides for the implementation of reasonable security practices for sensitive personal data or information, as well as compensation for those who have suffered wrongful loss or gain.

Under Section 72A, a person who causes wrongful loss or wrongful gain by disclosing the personal information of another person, obtained while delivering services under the terms of a lawful contract, may face imprisonment for up to three years and/or a fine of up to Rs. 500,000.

According to the law, having a privacy policy is required. Aside from Indian legislation, privacy laws all over the world require that if you gather personal information from your website users, you must put a Privacy Policy on your site.

Thus, it is advisable to have a privacy policy, not only to comply with Indian laws, but also to comply with the laws of other nations and to meet the requirements of third-party service providers, so that the organisation does not suffer uninvited loss, either as a result of legal penalties for non-compliance or by missing out on expert third-party services.[iii]

Points to be included while drafting the privacy policy[iv]

  • User information

Do you ask for personally identifiable information (Customer Data) from users? If so, what information does the user need to provide? How do you make use of user data?

Here are a few examples:

(a) To maintain, update, and defend your website and mobile app, as well as the services and products you provide;

(b) In accordance with applicable law, legal process, or regulation;

(c) To respond to service requests, comments, and inquiries in order to engage with a user;

(d) To create and supply new features, such as tailored search/suggestions based on previous usage and predictive models;

(e) To handle billing, account administration, and other administrative tasks;

(f) To investigate and assist in the prevention of security and abuse issues.

  • Putting a Privacy Policy in Place

To get your users to accept your conditions, always use the clickwrap method.

With clickwrap, a user is aware of the legal agreements and is required to take action that clearly displays their acceptance of the conditions.

  • Retention of Data

Do you sell user information?

Is data retention determined by the passage of time? For example, 3 months after a user’s account is deleted.

Is data retention tied to a specific event? For instance, as long as you need to pursue legitimate business interests, conduct audits, adhere to legal duties, resolve disputes, and enforce your agreements.

Is it possible for a user to change his data retention settings?

  • Security

While a security declaration in the privacy policy informs customers that their sensitive information is securely maintained, it’s essential to mention that no approach is completely secure.

Here’s an illustration of such a disclosure: you put in a lot of effort to protect users’ personal data against loss, abuse, and unauthorised access or disclosure; however, given the nature of communications and information-processing technologies, you cannot guarantee that information will be completely protected from unauthorised access while it is transmitted over the internet, stored on your systems, or otherwise in your possession.

  • Data from the Logs

Do you collect data from users while they browse your site or use your mobile app?

User IP address, browser type and version, pages visited before using your website, browser configuration and plugins, language settings, time spent, referrer, buttons and links clicked, and so on are examples of user information that you may be logging.

  • Other Websites’ Links

Do you have any links to other websites? If this is the case, provide a disclaimer stating that you have no control over or responsibility for those sites.

  • Cookies

Do you install cookies on the user’s computer or phone? Cookies are used even if you only use third-party programmes such as Google Analytics or Facebook Pixel.

Cookies are text files that include information that allows you to identify a user.

You can ask a user to explicitly confirm that they accept cookies. If a user rejects them, he may be prevented from using some of your services.

  • Getting in Touch With You

Mention your email and/or postal address in case a user has any queries about your privacy policy or wants to exercise any of his legal rights, such as having personal information deleted.

  • Changes to the Privacy Policy

Include a disclaimer that you may update your Privacy Policy when laws, regulations, and industry standards change, or as your firm evolves. A user should review your Privacy Policy to stay informed, and if he disagrees with the changes, he should cancel his account and request that his personal data be removed.

Authored by: Aarsha Prem

Aarsha Prem is a fourth-year law student pursuing B.B.A. LL.B (Hons.) at the Centre for Legal Studies, Gitarattan International Business School (affiliated to GGSIPU).
