What You Need To Know: Drafting An Effective Privacy Policy
Today, most businesses connect with their customers or users through web-based applications that describe their products and services, and these applications become a medium for collecting personal information, including sensitive personal information, from users.

The general principle of data privacy and protection regimes across the globe is that a business must obtain consent from its users for the collection, storage, processing, and use of user information. Most jurisdictions have an enactment governing this, among them the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the UK’s Data Protection Act, Australia’s Privacy Act, and India’s Information Technology Act. These laws require businesses to publish a privacy policy on their websites that lets users understand the:

  • type of information collected;
  • purpose for which the information is collected;
  • way in which the information is used;
  • intended recipients of such information; and
  • manner in which the information is protected.

In this article, we cover the key aspects to be taken into account for framing an appropriate privacy policy for your business.

  • Effective Date – A privacy policy should state the date on which it takes effect, and that date should be updated whenever the policy is amended.
  • Introduction of the business – The privacy policy should specify the details of the business, including its name and registered address and the products sold or services rendered by it.
  • Compliance with applicable laws – The privacy policy should be published and construed in accordance with the provisions of the applicable data privacy and protection laws.
  • Definitions – The specific terms used in a privacy policy should be defined comprehensively, in language that users can understand.
  • Personal Information – It is critical for the business to clearly define the term ‘personal information’ in the privacy policy and to list the categories of personal information collected from its users.
  • Collection – The privacy policy should specify an exhaustive list of the information that the business intends to collect from its users and how such information is collected.
  • Usage of Information – The privacy policy should define how the collected information will be used. The policy should also assure users that their information is not used for any other purpose, and that if the business does intend to use it for another purpose, the user will be informed in advance.
  • Sharing, Storage, and Protection of Information – The privacy policy should make the user aware of any transfer of his/her information to another jurisdiction, along with the reasonable security standards, practices, and procedures that protect the user information in that jurisdiction. The policy should also state with whom the user information is shared, how it is shared, and why it is shared. It is important to indicate in the privacy policy how the user information is stored and processed in the relevant jurisdiction and how long the business retains it.
  • Objective – A privacy policy should clearly state the purpose for which the user’s personal information is collected, processed, stored, transferred, and used. The business should ensure that these actions are limited to legitimate commercial purposes.
  • Users’ rights – The privacy policy should set out the rights users have regarding the information they share with the business, such as access, rectification, updating, or deletion of personal information.
  • Opt-out – It is essential to have a clause in the privacy policy stating the user’s right to remove or withdraw the information given to the business, so that the user has complete freedom to decide what kind of information the business retains.
  • Notification of change – This clause states that users will be notified of any change or amendment to the privacy policy by email, message, or pop-up.
  • Disclaimer on minors’ personal information – The privacy policy should state that personal information pertaining to a minor will not be retained by the business unless it is provided under the supervision of the minor’s parents or guardians.
  • Grievances – The privacy policy should set out the contact details of the business’s grievance officer so that users can obtain effective resolution of any query or request regarding their personal information.

By including the essential elements above, in compliance with applicable data privacy and protection laws, a business can create a clear and comprehensive privacy policy that protects personal information, demonstrates its commitment to the privacy of its users, and thereby builds trust and transparency in the business.