skip to Main Content

Elements of a Privacy Policy in India

Co-authored by Rahul Dwarkadas (Partner) | Rohini Jaiswal (Senior Associate) 

1. Legal background 

Data Privacy and Protection regime in India is presently regulated by the Information Technology Act, 2000 (“IT Act 2000”) in conjunction with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules“). 

2. Privacy Policy 

In compliance with the IT Act 2000 and SPDI Rules, an organization is mandated to demonstrate its intent to receive, collect, store, process, transmit, protect and utilize personal data (“PI”) or sensitive personal data (“SPDI”) provided by its users during the course of its commercial activities via a privacy policy[1]. The privacy policy must be easily accessible for such user via publication on the website.

3. Fundamental factors of a Privacy Policy

A few fundamental factors and pre-conditions to be kept in mind while drafting a privacy policy are as follows:

i. Consent, Notice and Transparency

A privacy policy must be clear, unambiguous and must contain comprehensible statements of practices and policies adopted by the organization. The organization must obtain consent before collecting or using such information. Consent includes notions of ‘notice’ and ‘choice’. ‘Notice’ denotes the manner in which the privacy policy is presented to the users whereas a ‘Choice’ is expressly provided to opt-in and/or opt-out of the information sharing requirements. 

ii. Definition Clause 

A privacy policy should have comprehensive and explicit definitions of the general terms (such as data, users, SPDI etc.) used in the policy. 

iii. User Information

A privacy policy should illustrate the type of PI or SPDI being collected. 

iv. Purpose

A privacy policy must clearly identify, in unambiguous terms, the purpose of data collection. Further, it should have a data minimization clause to limit collection and processing to that which is relevant and reasonably necessary to accomplish legitimate commercial purposes. A change in the purpose triggers the requirement of notifying the users of such change.

v. Sharing and storage of user data

An organization must obtain permission from users prior to disclosure of the collected PI / SPDI to third parties and/or its affiliates, except where such disclosure is mandated under law. Further, it should have data retention clauses governing the period of retention and the manner of disposal once the purpose is served.

vi. Data security

The privacy policy must inculcate reasonable security practices and procedures adopted by the organization, including electronic and physical safeguards to maintain security and confidentiality of data through authorized access, browser encryption etc.

vii. Notification of change 

Additionally, an announcement via email or website popups is required to reflect periodic reviews and updates in the policy. 

viii. Contact information

The privacy policy should contain email, postal and telephonic coordinates of the organization to address queries or exercise of the user’s data protection rights.

ix. Dispute Resolution

The SPDI Rules require appointment of a Grievance Officer[2] for users to report complaints or unsatisfactory reparation of the same by the organization.

4. Conclusion

With the growing digital transformations in the manner conducting businesses, organizations must be prudent while drafting, designing and reviewing their privacy policy and should have a policy tailored to its business requirements which is in compliance with the law.

[1] Section 43 A, IT Act 2000.

[2] Section 5(9), SPDI Rules.

Back To Top


The Bar Council of India does not permit soliciting work or advertising by advocates in any manner or form. By clicking on "AGREE" below, the user acknowledges and confirms that:

  1. There has been no advertisement, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
  2. The website is a resource solely for the purpose of providing general information about Veritas Legal at the user’s own risk, cost and liability; 
  3. The information provided in this website shall not be construed as legal advice or create any lawyer-client relationship in any manner whatsoever; 
  4. The links provided on this website shall in no way be considered referrals, endorsements or affiliations with the linked entities and Veritas Legal shall not hold responsibility for the content of such links.

The user shall not hold Veritas Legal responsible for any action taken relying upon the content of the website. In cases where the user has any legal issues and requires assistance, he/she/it must seek independent legal advice.