Should you have a Privacy Policy on your website?

Every website that collects any information from visitors or customers must have a Privacy Policy in place, and the policy must be displayed in a prominent place on the website. The Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011 provide that every body corporate, or person who on behalf of such body corporate collects, receives, possesses, deals or handles information of the provider of information, shall provide a privacy policy for handling or dealing in such information. Such policy is to be published on the website.

Hence, every website or blog that collects any information of its visitors or customers must have a Privacy Policy. Such information may be sensitive information viz. passwords, financial information like bank details or credit card or other payment details, sexual orientation, physical or physiological or mental health or medical or biometric information.

The Privacy Policy must be clear and must mention:

  1. Clear and easily accessible statements of its practices and policies
  2. The type of personal or sensitive personal information that is collected, e.g. name, email, mobile number, IP address, payment and billing information, demographic information, etc.
  3. How the information is collected, e.g. directly when the visitor fills in details or posts any comment, or passively by use of tools like Google Analytics, Google Webmaster, browser cookies and web beacons, etc.
  4. Purpose of collection and usage of the personal information
  5. Whether it is shared with third parties and the manner and purpose for sharing the information. Prior consent of the provider of such information must be obtained.
  6. The reasonable security practices and procedures it uses to protect the data.

The Law also provides that all grievances of the provider of information must be addressed in a timely manner. The website is legally required to designate some person as the Grievance Officer. Name and contact details of such officer must be mentioned on the website. The said officer is bound to address the grievance within a period of 1 month from the date of receipt of the grievance.

It is advisable to take the help of a competent lawyer while drafting the Privacy Policy.
