What to mention in privacy policy of your business website?

Published On: Dec 7, 2020 | Last Updated: Oct 14, 2023 | 5.8 min read


Samuel Warren and Louis Brandeis first articulated a legal right to privacy in their 1890 article "The Right to Privacy". In today's information age and post-globalization era, people are worried about surveillance and privacy: advances in technology allow the state apparatus to keep a close eye on individuals' activities, both offline and online, and such monitoring is a contravention of the individual's right to privacy. Data collected from an individual can be used to manipulate them. That is why checks on government surveillance are necessary. The state has a responsibility to protect its citizens while limiting its interference in their lives, and it does so through effective policies and strategies.


Definition of Privacy Policy as per Law

Privacy and data protection law on this point is straightforward. Section 43A of the Information Technology Act, 2000, read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules), applies to every body corporate in India that collects, receives, possesses, stores, deals with or handles personal information. Such a body corporate must publish a privacy policy for the handling of that information, and it is liable to compensate the provider of the information if negligence in implementing reasonable security practices causes wrongful loss or wrongful gain.

Components of the privacy policy

What kind of data is being collected?

The policy has to state clearly which data fields are collected, distinguishing sensitive personal data or information (SPDI) from other personally identifiable information (PII).

Under the SPDI Rules, personal information is any information that relates to a natural person and that, either directly or indirectly, in combination with other information available or likely to be available with the body corporate, is capable of identifying that person.

The SPDI Rules extend the stricter protection for sensitive personal data or information only to the following:

– Passwords

– Financial information such as bank account, credit card, debit card or other payment instrument details

– Physical, physiological and mental health condition

– Sexual orientation

– Medical records and history

– Biometric information

– Any detail relating to the above as provided to the body corporate for providing a service

– Any information received under the above by the body corporate for processing, stored or processed under a lawful contract or otherwise

Other categories of personal information do not receive the sensitive-data protections under the Rules. Note also that information freely available in the public domain, or furnished under the Right to Information Act, 2005, is not treated as sensitive personal data even if it falls in one of the categories above.


How is the data being collected?

Every privacy policy has to state how data is collected and from what sources. This is where policies most often fall short: data supplied over email or through a support mailbox is frequently left out. If the business offers third-party login (social sign-in through an API), the policy must state which data is passed to and received from that provider through the API.

Notifying the purpose of data collection

The purpose for which data is collected has to be stated in the privacy policy. Only the personal information necessary for the purpose identified for the collection may be gathered from data subjects, and before it is collected the individual must be given notice and must consent. Vague purposes such as unspecified future commercial use are unlikely to be accepted by Indian courts, especially when the other privacy elements of the policy are also unfavorable.

Any change of purpose must be notified to the individual. Information cannot be retained longer than needed for the purpose for which it was obtained; once that purpose is served, the controller must destroy the data. The privacy policy should also state how the personal information will be used.

Is there any use of cookies or web beacons?

Many websites use web beacons (tiny, usually transparent image pixels whose loading reports a visit back to a server) and cookies (small pieces of data the site asks the browser to store and send back on later requests) to track users or personalize their experience. For example, a cookie lets the website remember you so that you do not have to log in every time you visit. Cookies can be refused or deleted in browser settings; a web beacon is not governed by those settings because it is simply an image request, and it is blocked only if the browser refuses to load images or runs a tracker-blocking extension.

The privacy policy should state how cookies and web beacons are used on the website and what technical data they send, such as browser type, IP address and operating system. Do not describe such data as anonymized: an IP address on its own can identify a user or a household.

Is there any use of third-party plugins and collection of data by third parties?  

Many websites run multiple plugins. Some policies only mention that third-party plugins are in use; a more transparent policy names each plugin, the reason for using it, and whether it collects data. Websites that generate revenue by showing advertisements should state clearly that third-party advertisers and linked websites collect data under their own privacy policies, for which the website is not responsible.
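Because the cookie and plugin sections of the policy have to describe what the site actually does, it helps to build that inventory from the site itself rather than from memory. The following is an added example for this article, not code from the original page or from LegalWiz.in; it uses only the Python standard library (the SameSite attribute needs Python 3.8 or later). It lists the third-party hosts referenced by scripts, iframes and images in a page, flags 1x1 images from another host as likely web beacons, and turns Set-Cookie headers into rows for a cookie table. The sample HTML, the hostnames and the Set-Cookie headers are constructed for illustration and do not refer to real services.

```python
"""Inventory the cookies and third-party resources a page actually uses, so the
privacy policy's cookie and plugin sections can be checked against reality.
Added example for this article; standard library only (Python 3.8+)."""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed sample page (hostnames are illustrative, not real services):
# one first-party script, one third-party analytics script, an ad iframe,
# a 1x1 tracking pixel and an ordinary first-party image.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://analytics.example-cdn.net/tag.js"></script>
</head><body>
<iframe src="https://ads.example-adnetwork.com/frame?slot=1"></iframe>
<img src="https://pixel.example-tracker.io/p.gif?uid=abc" width="1" height="1" alt="">
<img src="/images/logo.png" alt="logo">
</body></html>
"""

# Constructed Set-Cookie headers as a server might send them.
SAMPLE_SET_COOKIE = [
    "session=8f3a2c; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_tracker=GA1.2.123; Path=/; Max-Age=63072000",
    "prefs=lang%3Den; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
]


class _ResourceCollector(HTMLParser):
    """Collect (tag, url, attributes) for every element that loads a resource."""
    TAGS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        url_attr = self.TAGS.get(tag)
        if url_attr is None:
            return
        attr_map = dict(attrs)
        url = attr_map.get(url_attr)
        if url:
            self.resources.append((tag, url, attr_map))


def third_party_resources(html, first_party_host):
    """Map each third-party host to the kinds of element that load from it.

    A 1x1 <img> from another host is reported as a 'beacon': it is the classic
    web beacon described in the article, and it fires regardless of cookie
    preferences because it is just an image request.
    """
    parser = _ResourceCollector()
    parser.feed(html)
    found = {}
    for tag, url, attrs in parser.resources:
        host = urlparse(url).hostname
        if host is None or host == first_party_host:
            continue  # relative URL or first-party host: not a third party
        kind = tag
        if tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1":
            kind = "beacon"
        found.setdefault(host, set()).add(kind)
    return {host: sorted(kinds) for host, kinds in sorted(found.items())}


def cookie_inventory(set_cookie_headers):
    """Parse Set-Cookie headers into rows for the policy's cookie table.

    'persistent' is True when Max-Age or Expires is present; otherwise the
    cookie lives only for the browser session.
    """
    rows = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            lifetime = morsel["max-age"] or morsel["expires"]
            rows.append({
                "name": name,
                "persistent": bool(lifetime),
                "lifetime": lifetime or "session",
                "httponly": bool(morsel["httponly"]),
                "secure": bool(morsel["secure"]),
                "samesite": morsel["samesite"] or "",
            })
    return rows


if __name__ == "__main__":
    for host, kinds in third_party_resources(SAMPLE_HTML, "www.example.com").items():
        print(host, kinds)
    for row in cookie_inventory(SAMPLE_SET_COOKIE):
        print(row)
```

Run it against the HTML of your real pages and the Set-Cookie headers from your real responses (for example from a browser's developer tools) and compare the output with the policy: every third-party host should correspond to a named plugin or advertiser, and every cookie should appear in the cookie table with its purpose and lifetime.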


Is there any way to get rid of the data collection process?

Before collecting personal information, including sensitive personal data, organizations must give individuals the option not to provide it, and must provide a procedure for withdrawing consent given earlier. Withdrawal of consent has to be sent in writing to the organization, which is then free to stop providing the goods or services for which the information was needed.

Whom to reach out to for grievance?

The body corporate must appoint a grievance officer and publish his or her name and contact details on the website so that users can raise grievances about the handling of their data. The grievance officer must resolve a grievance promptly, within one month of receiving it.

What are some of the judicious security measures and procedures followed by the organization?

The SPDI Rules require every data controller to maintain a comprehensive, documented information security programme and information security policies, with managerial, technical, operational and physical security controls commensurate with the information assets being protected and the nature of the business. The Rules name IS/ISO/IEC 27001 as one standard that satisfies this requirement; a body corporate that follows it, or another duly approved code of best practice, must also have its practices audited by an approved independent auditor at least once a year.


As digital adoption grows in India, data protection and data privacy have entered public debate. Everyone leaves digital footprints while browsing, knowingly or unknowingly, which exposes all of us to cybercrimes such as breach of privacy, identity theft and financial fraud. The central challenge is writing a comprehensive privacy policy that balances users' privacy against the requirements of the business, because the coming decades will revolve around questions of privacy.

The need of the hour is therefore a privacy policy that balances the business's information requirements with the privacy of its users. Organizations should write their own carefully considered privacy policy rather than copying someone else's as a mere formality.


About the Author

Nischay Nagarwal

Nischay is a lawyer by profession with a substantial background in contract drafting and vetting. She earned her B.Com LLB (Honours) from GNLU in 2015. Her day-to-day work at LegalWiz.in is protecting client interests by drafting, reviewing and advising on various contracts and legal documents.