Data Privacy Newsletter: Privacy Policy Demystified – July 21
What is a privacy policy?
▪ A privacy policy, a.k.a. a privacy notice, is an external-facing document that reflects an organisation’s practices and compliance measures relating to the handling of any Personal Data (defined below) that it receives from any individual (electronically) through a website or an app.
▪ “Personal Data” is any information by virtue of which an individual (natural person) can be identified or related to, such as names, phone numbers, email addresses, financial information, physical addresses, identity numbers, etc.
▪ A privacy policy achieves the following objectives:
(i) Informs an individual about how their Personal Data is treated by the recipient of such data (practices related to collection, use, transfer or data retention etc.),
(ii) Informs an individual about various rights in relation to their Personal Data,
(iii) Provides for a grievance redressal mechanism to report any issues,
(iv) Achieves compliance with the applicable data protection laws, and
(v) Acts as a tool to obtain consent from the providers of Personal Data.
HOW DO WEBSITES OR APPLICATIONS COLLECT PERSONAL DATA?
Common fields of collection are:
▪ “Contact-us” pages,
▪ Login or Sign-up pages,
▪ Chatbot fields,
▪ Cookies,
▪ Analytical tools such as Google Analytics, Facebook Custom Audience, Social Plugins, Bitly, etc.
IS IT MANDATORY UNDER THE LAW TO PUBLISH A PRIVACY POLICY ON THE WEBSITE OR APPLICATIONS?
▪ Yes, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 mandate an organisation to publish a “privacy policy” for providing information related to data handling to providers of such Personal Data.
▪ Under the upcoming Indian Personal Data Protection Bill, 2019, a privacy notice is mandatorily required as a prerequisite for taking consent and fulfilling the transparency compliance created by law. Non-compliance or violation of the law would lead to heavy penalties to the tune of up to INR 15 Crore or 4% of the organisation’s total worldwide turnover.
▪ Further, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which regulate online marketplaces (e-marketplaces), telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites and online auction sites, also mandate publishing a website privacy policy and terms of use, among other extensive obligations.
▪ Even the EU General Data Protection Regulation requires a party collecting EU personal data to publish a privacy notice.
WHAT ARE THE KEY ELEMENTS IN DRAFTING AND DESIGNING A PRIVACY POLICY?
1. Approachability: (i) The privacy policy must be user-friendly and interactive. (ii) It should not use jargonised legal language. (iii) Simple, crisp sentences should be used. (iv) Pop-up or mouse-over links must be used to explain terms and incidental information.
2. Comprehensibility: Simplified and organised content should be provided, with a dedicated space, tab or page for the privacy policy. The aim should be to make it widely accessible and easily understandable.
3. Helpfulness: (i) The user may be actively informed of their rights and obligations. (ii) The headings may be rephrased as questions. (iii) Icons, colour codes and visual aids may be explored to increase readability. (iv) Typography and layouts should be aimed at increasing readability.
4. Conscientiousness: Granular control must be given to users to provide consent based on the information they have received.
1. Increase approachability by simplifying text
2. Simple, crisp sentences should be used.
3. Structure with intuitive navigation in the UI/UX
4. Create emphasis (for disclaimers, onerous clauses, etc.)
5. Provide local language support
6. Optimise across devices (mobile, tablet, computers, etc.)
7. Provide for offline use
8. Present in other forms (audiovisual form)
IS DRAFTING A PRIVACY POLICY WORTH THE COST OF COMPLIANCE?
▪ Cutting costs and copying a competitor’s privacy policy may lead to undesired legal risk exposure, including a copyright infringement issue if the policy wordings are substantially replicated.
▪ A casual approach towards drafting a privacy policy may lead to consequences such as non-compliance, fines, or a loss of reputation.
▪ In a landmark case, the French Data Privacy Authority (CNIL), on December 10, 2020, fined Google a total of €135 million. One of the main grounds of violation was ambiguity in Google’s privacy policy, which did not provide clear, accessible and adequate information regarding the use of cookies. The criticisms were based on the UI/UX design of the pop-ups and banners and the vague language used in the privacy policy.
CONCLUSION
▪ The trend in various privacy regulations across the globe is to empower the individual with greater control over their personal data and require increased transparency from organisations accessing Personal Data.
▪ Privacy policies or privacy notices are the cornerstones in documenting and fulfilling the privacy obligations of any organisation.
▪ Organisations that are responsive to the current trend in privacy laws and have sound internal processes can, through their privacy policy, create goodwill, build trust and increase brand reputation.