A startup client we work with, one with a million and a half users, is sitting on big data it has collected over the years. They are excited about emerging possibilities to finally monetize that data in ways they never anticipated before. But can they?
Regulations made under the Information Technology Act, 2000 mandate the implementation of a privacy policy, and govern what data can be collected and how it can be put to use. The Regulations provide that any such data collection and usage should be pursuant to prior consent from the users.
Unfortunately, in the case of the startup we now advise, their privacy policy had not sought specific consent for the intended use case, since such use was not anticipated at the time of data collection. To avoid such situations, many companies take omnibus consent for all kinds of use cases in their privacy policy. That remains problematic as well.
The Regulations provide that ‘sensitive personal data’ may be collected only when it is relevant to the function of the collection agency and is necessary for the purpose for which it is collected. Thus, an omnibus consent for a future use case that is hard to connect to the current functions of the collection agency could be challenged. For example, a music app seeking a user’s location could be challenged unless collection of location data can be shown to be necessary for the streaming of music. It is therefore important to apply thought when drafting a privacy policy: what data may be collected, what possible uses the data could have in the short, medium and long term, how this needs to be disclosed in the privacy policy, and what consent should be obtained and how.
The implementation of these Regulations is so lax that most data collection entities are unaware of these provisions. Going forward, however, one should expect only more comprehensive regulations and more stringent implementation, given growing awareness and the consequent claims of breach of privacy by users. Today a nine-judge bench of the Supreme Court (a rare occurrence signifying utmost constitutional importance) is sitting to consider whether privacy is a fundamental right, in a milieu where a stricter regulatory regime for data collection and privacy is emerging globally. Take, for example, the passage of the General Data Protection Regulation in the EU, which comes into effect in 2018 and imposes some of the highest sanctions for non-compliance, including revenue-based fines which could go up to 4 per cent of the annual worldwide turnover of a company in default of the privacy and data protection requirements set out thereunder.
These trends are likely to be mirrored in India. Accordingly, if one has to prepare for future monetization of data, it is essential to collect data and take consent for its use today in a manner that will stand up to future regulation and to the privacy concerns of users.