Executive Summary
The privacy notice is the primary mechanism for informing Data Principals about data processing activities. Section 5 and Rule 5 prescribe notice requirements, but meeting these requirements while maintaining readability presents a drafting challenge. This guide addresses how to create notices that fulfil legal obligations while actually communicating to readers.
Key Takeaways
1. Structure notices for readability with a layered information architecture
2. Include all mandated content without unnecessary elaboration
3. Use clear language appropriate to your audience
4. Keep notices current by establishing update procedures
5. Make notices accessible through multiple channels
1. Notice Requirements Under DPDPA
Section 5 requires that before or at the time of requesting consent, the Data Fiduciary provide notice containing specified information. Rule 5 elaborates on required content. The notice must enable informed consent decisions.
2. Required Content Elements
Certain information must appear in every privacy notice to satisfy statutory requirements.
Personal Data Description
Identify the categories of personal data that will be collected and processed. Be specific enough to be meaningful without creating an exhaustive list that becomes incomprehensible.
Processing Purposes
Explain why each category of data is collected and how it will be used. Purposes should be specific, not generic statements like 'improving our services'.
Legal Basis
Indicate whether processing is based on consent or legitimate uses under Section 7. For consent-based processing, link to consent mechanisms.
Data Sharing
Disclose categories of third parties with whom data will be shared and the purposes of sharing.
Cross-Border Transfers
If data will be transferred outside India, disclose this fact and the recipient countries or regions.
Retention Periods
State how long personal data will be retained for each purpose, or the criteria used to determine retention.
Data Principal Rights
Describe the rights available under DPDPA and how to exercise them.
Grievance Mechanism
Provide contact details for the grievance officer and explain the complaint process.
3. Structuring for Readability
A notice that satisfies all legal requirements but cannot be understood fails its purpose. Structure enhances comprehension.
Layered Approach
Provide a concise summary of key points at the outset, with detailed sections below. Readers can grasp essentials quickly while detailed information remains available.
Clear Headings
Use descriptive headings that help readers find relevant sections. 'How We Use Your Data' communicates better than 'Section 4.2'.
Plain Language
Avoid legal jargon where simpler alternatives exist. Define necessary technical terms. Write for your audience, not for lawyers.
Visual Aids
Consider tables, icons, or infographics to present information accessibly. A data flow diagram may communicate more effectively than paragraphs of text.
Practical Tips
- Test notice comprehension with actual users before finalising
- Reading-level analysis tools can identify overly complex language
4. Contextual and Just-in-Time Notices
The comprehensive privacy notice need not be the only communication. Contextual notices at the point of collection reinforce key information.
Collection Point Notices
When collecting specific data types, provide brief, relevant information about that collection. A form collecting phone numbers might note 'We will use this for account security and order updates'.
Feature Specific Notices
When users access features involving significant data processing, provide targeted information. A location sharing feature should explain location data use at activation.
Linking to Full Notice
Contextual notices should link to the comprehensive notice for complete information. They supplement rather than replace the main document.
5. Keeping Notices Current
Privacy notices must reflect actual practices. Changes in processing require notice updates.
Version Control
Maintain a version history with dates. Archive previous versions, as they document what users were told at different times.
Change Detection Process
Establish procedures to identify when processing changes require notice updates. Include privacy review in product development processes.
Communicating Changes
When notices change materially, notify users through appropriate channels. For significant changes, fresh consent may be required.
Periodic Review
Schedule regular notice reviews independent of specific changes to ensure ongoing accuracy.
6. Accessibility and Availability
Notices must be accessible to Data Principals across all touchpoints.
Website Placement
Publish the notice prominently on your website. Footer links are standard, but consider additional placement in account sections and data collection flows.
Mobile Accessibility
Ensure notices display properly on mobile devices. Long, desktop-formatted documents frustrate mobile readers.
Application Integration
Mobile apps should include in-app access to privacy notices, not just links to web versions.
Language Versions
Consider providing notices in languages your users understand. English-only notices may not satisfy the informed consent requirement for non-English speakers.
7. Special Notice Requirements
Certain processing activities require enhanced notice.
Children's Data
When processing data of children, notices should address the guardian providing consent. Explain verification procedures and parental controls.
Sensitive Data
Processing of sensitive personal data warrants prominent, specific notice given the heightened privacy implications.
Automated Decision Making
Where significant decisions are based on automated processing, explain the logic involved and how individuals can seek human review.