
Things to be mentioned in the privacy policy of your business website

Things to be considered while setting the privacy policy of the website.


In 1890, Warren and Brandeis were the first to envisage the concept of privacy. People are concerned about surveillance and privacy in this information age and post-globalization period. As technology advances, the state apparatus has used it to keep a close eye on people’s activities, both physically and virtually. This amounts to a violation of a person’s right to privacy. Data collected about individuals could be used to influence them. As a result, it becomes clear that the government’s surveillance must be limited. The state’s main obligation is to protect its citizens while interfering minimally in their lives. This can be accomplished through the implementation of effective policies and tactics.

As per the law, a privacy policy is defined as follows:

The law on privacy and data protection is quite simple and basic. According to Section 43A of the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI rules), every business in India that gathers, receives, owns, transmits, processes, or otherwise handles “personal information” falls under a contractual responsibility to the information provider to have a privacy policy.

The privacy policy’s components:

What kind of information is being gathered?

The data fields that are being gathered must be clearly stated in the policy. Personally identifiable information (PII) and sensitive personal data (SPD) must be identified as such.

According to the SPDI guidelines, personal information is any information relating to a natural person that can be used, directly or indirectly, in conjunction with other information available or anticipated to be available to the body corporate, to identify that person.

The SPDI rules limit sensitive personal data or information, and with it the scope of protection, to the following:

– Security Passwords

– The state of one’s mental, physiological, and physical health.

– Medical records and history

– Bank account, credit card, and debit card numbers, as well as any other financial or payment-related details.

– Sexual preference.

– Any information related to the preceding clauses that is given to the body corporate for the purpose of delivering service.

– Information on biometrics

– Any information received by a body corporate under the preceding paragraphs for the purposes of operating, storing, or processing the legal agreement or otherwise.

Under the terms of the guidelines, other types of data will not require data protection.

What method is being used to collect the data?

Every privacy policy must state how data is collected as well as the source of that data. Certain channels of data collection are often overlooked or ignored, for example data sent via email or communicated through a support email address. If the company uses APIs for third-party login, the policy must specify what data is provided through the APIs.

Notifying the purpose of data collection

The reason for collecting data must be stated in the privacy policy. Only the minimum amount of personal information on data subjects that is required for the stated purposes should be collected. To collect it, the individual must be notified and the individual’s permission must be obtained. Indian courts will not accept ambiguous intentions that state future commercial use, especially when other privacy features are not favourable.

Any shift in purpose must be communicated to the individual. Information cannot be maintained for very long once it has served its initial function. The controller/collector must discard the data once it has served its purpose. The use of personal information should also be mentioned in the privacy policy.

Is there any use of third-party plugins or third-party data collection?

Many websites make use of a number of different plugins. Some websites disclose the use of third-party plugins; however, they could be more transparent by informing consumers about which plugins are used, why they are used, and whether or not the plugins collect data. Many websites display advertisements as a means of generating revenue. The website should make it clear that it is not responsible for data collected by a third-party website.

Is it possible to avoid the data collection process?

Before obtaining any information, especially sensitive personal data, organisations should give people the option to opt out of supplying such information. Furthermore, there should be a procedure for doing so. Withdrawal of consent must be communicated to the organisation in writing. Once consent is withdrawn, the organisation will no longer be accountable for providing any services.

What are the organization’s reasonable security safeguards and procedures?

According to SPDI rules, every data controller must have a comprehensive, documented information security programme and policy that includes technical, managerial, physical, and operational security control measures that are appropriate for the information assets being safeguarded and the nature of the business.

Is the usage of cookies or web beacons permitted?

Many websites employ web beacons (transparent image pixels) and cookies (small pieces of data stored by the browser) to track users or provide customised services to them. Enabling cookies, for example, allows the website to remember you so you don’t have to log in every time you visit. It is possible to disable cookies in this case, but not in the case of web beacons.

The privacy policy should state how the website will use cookies and web beacons, as well as anonymized data such as browser type, IP address, OS type, and so on.

Whom should I contact if I have a complaint?

The body corporate must designate a grievance officer and post his or her name and contact information on the website to address any user complaints and discrepancies. It is the grievance officer’s job to settle the matter quickly, within one month of receiving the grievance submission.


As India’s digital knowledge and population have grown, issues like data protection and privacy have become more prominent in the public eye. Every person, consciously or not, leaves digital traces on the internet when surfing. As a result, we may all be vulnerable to cybercrime, such as data breaches, identity theft, and financial fraud. As the approaching decades revolve around issues of privacy, the primary question is how to develop a comprehensive privacy policy that can carefully balance users’ privacy and corporate requirements.

Creating a privacy policy that can balance the business’s information needs with netizen privacy is therefore critical. Rather than copying someone else’s policy and treating it as a formality, businesses should create their own. If you have questions about your legal rights or how to register a copyright for your business website, consulting a company attorney or using an online legal agency for assistance and guidance may be beneficial. We, at IndiaFilings, provide this service at a reasonable cost and with excellent customer care. So, please contact us and we will gladly assist you.