The Forbes article published on February 3, 2020 titled “Why Every Business Needs a Website”[1] highlights as the title suggest, why it is necessary to have a website for every business? Some of tahe benefits of having a website discussed in the article mentioned above are:
1. Credibility: Having a website for your business increases your credibility. Without a website, people may question the legitimacy of your business.
2. Brand: Having a website gives the impression of company brand, by clearly establishing who you are, what you represent and what you stand for.
3. Leads: Website also helps you in getting business leads, customer knows how to contact you (Thanks to the contact details given in the website!). It will help you in generating more sales.
So now you may know why it is important to have a website for your business. Now, you put your best efforts and build a very attractive website by hiring a good developer. You will give your time and effort perfecting the website and the content of your website. But many of the website owners forget to include privacy policy of the website, which is actually mandatory by Information Technology Act, 2000 (“IT Act”).
This article aims to give you all the knowledge you need and makes you understand why you should have privacy policy included in your website.
What is website privacy policy?
A website Privacy Policy is a notice or a legal document that discloses some or all of the ways a party through the website gathers, uses, discloses or manages a user’s data.
Which law mandates publication of a privacy policy?
Rule 4 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Privacy Rules”) made it mandatory for body corporates to provide a privacy policy in website while handling or dealing in personal information including sensitive personal information of an individual.
On whom the Privacy Rules apply?
1. Company;
2. Firm;
3. Sole Proprietorship; and
4. Other association of individuals engaged in commercial or professional activities.
When it is mandatory to have a privacy policy?
If you are body corporate acting through your website are collecting, receiving, possessing, storing, dealing or handling personal information including sensitive personal data.
What is legally recognized as personal information or sensitive personal information?
Personal Information: personal information means any information that relates to a natural person which, either directly or indirectly, in combination with other available or likely available information, may identify that person.
Sensitive Personal Data or Information (“SPDI”): The Privacy Rules define SPDI to mean personal information relating to a person’s:
- passwords;
- financial information, including information relating to bank accounts, credit cards, debit cards, and other payment instrument details;
- physical, physiological, and mental health condition;
- sexual orientation;
- medical records and history; and
- biometric information
What should you include in a privacy policy?
Following items should mandatorily be incorporated in your website privacy policy:
1. clear and easily accessible statements of your practices and policies;
2. type of personal and sensitive personal data or information collected by you;
3. purpose of collection and usage of such information;
4. disclosure of information including sensitive personal data or information collected;
5. reasonable security practices and procedures adopted by you.
Conclusion: We have observed that many of the website owners do not posses such knowledge and do not incorporate privacy policy in their website. IT Act and rules made thereunder mandates that any body corporate which deals with personal information including SPDI through its website shall have visible privacy policy included in the website. If you do not have privacy policy, it may lead you to legal trouble.
[1] https://www.forbes.com/sites/theyec/2020/02/03/why-every-business-needs-a-website/?sh=59787c536e75
