THAT IS THE (PRIVACY) QUESTION
What data are they collecting on me?
It describes the types and categories of personal and non-personal data that a company collects from you, which typically includes your name, contact details, payment information and real-time location. However, if we’re not cautious enough about what companies are putting in their privacy policies, we may be allowing companies to maintain records on our purchasing habits, political affiliations, sexual orientation, religious beliefs, and medical history. No, they’re not obsessed with you, put your main character syndrome aside. All this data is just extremely valuable and companies love to share it around.
How can I consent to this collection and am I supposed to be notified?
What purpose are they collecting my data for in the first place?
Source : https://www.spotify.com/in-en/legal/privacy-policy/
Where and with whom is my data being shared?
Source : https://www.zomato.com/policies/privacy/
What are my rights?
Yes, you have rights; not all companies are evil. Privacy Policies give you a say in when, how and for what companies can use and process your data. It includes the right to access, correct, or delete the information a company has on you, the right to withhold consent, the right to object to unlawful or illegitimate processing, the right to raise grievances, etc. It also provides the procedure and timelines in place for how these rights can be enforced and exercised.
Source : https://www.spotify.com/in-en/legal/privacy-policy/
Is the company exercising any reasonable security practices to protect my data?
Privacy Policies also address the steps a company takes to protect your personal information from any threats or risks your data faces, such as unauthorized access, loss, or misuse. This can include details about whether data is to be encrypted, how it is to be safely stored, who can access this data, and the procedure in case of a security breach.
What even are cookies and are they tracking my movements online?
Source : https://help.netflix.com/legal/privacy
How long will they retain my data and can I get it deleted?
Many companies retain your personal data on their servers even after using it for their purposes. As this may cause a serious risk to your privacy, companies create policies on how long they plan on keeping your data and for what purposes. Similarly, these policies also mention how companies automatically delete your data from their records after using it.
If I belong to a vulnerable or minority group, are there any special provisions for me?
Some people on the internet are at a higher risk of facing cyberattacks, online harassment, scams, etc. than others, such as minors, women, etc. If you belong to any of these groups, then the policy specifies how it’ll apply differently to you and what extra measures the company is taking to protect you. For example, when Club Penguin asked you for your parent/guardian’s permission before you signed up and you completely lied about it.
Source : https://www.apple.com/legal/privacy/en-ww/
Reading privacy policies allows you to determine if you’re comfortable with the intended uses of your data and exercise control over your personal information by deciding whether to consent to data collection and processing practices. Think about this: would you ever get into a contract with Joe Biden to speak one sentence coherently and comprehensibly? Would you ever get into a contract with matchmaker Seema Aunty to represent you as your divorce lawyer? Would you ever get into a contract with Queen Elizabeth II to safe-keep your family’s heirlooms? Since you answered no to all three, you understand how important it is to trust someone before you get into a contract with them. Similarly, as privacy policies are in effect a contract, you must go through the entire policy to clearly understand your end of the bargain and what exactly companies want from you.
You must be aware of the access and control you’re giving away to companies over your intimate and personal information. More often than not, privacy policies also require users to waive their rights, such as your right to raise a claim against the company or sue them for illegitimate processing. For this reason exactly, it’s essential that you read the policies as they contain what type of collection, processing and transfer/sale you can or cannot object to, and to what extent you are waiving your rights.
Lastly, privacy policies grant their users a set of rights they can enforce, which are, to name a few:
- Right to Withhold Consent
- Right to Object to Illegitimate or Unlawful Processing
- Right to Correction
- Erasure or Deletion of Data
- Right to be Forgotten
- Right to Anonymity
- Right to Encryption
- Right to Raise Grievances and Seek Redressal
- Clear and easily accessible statements of its practices and policies;
- Type of personal or sensitive personal data or information collected;
- Purpose of collection and usage of such information;
- Disclosure of information including sensitive personal data or information;
- Reasonable security practices and procedures adopted.
These Rules were notified under Section 43A of the Information Technology Act, 2000. This Section was repealed by the Digital Personal Data Protection Act of 2023 (‘DPDPA’). This legislation is the first expansive and comprehensive law on data protection and user privacy in India. However, it does not create any mandate on what privacy policies should contain. Hopefully, there will be more guidance when the Rules are notified.
This law is based on several basic and foundational principles of data privacy, such as providing users with a notice of processing their data; obtaining their free, informed, and revocable consent before processing; and granting them several enforceable rights. In addition to this, it provides for who can collect and process your data, how it is to be done, and the exemptions for both. The DPDPA fosters transparency and accountability measures in this process by imposing duties and obligations on companies to collect and process your data in a rightful manner and to ensure that the data they are processing is complete, accurate, and updated. Now, as per the law, companies also play a role in protecting your rights, such as your
- Right to Access Information about Personal Data;
- Right to Correction and Erasure of Personal Data;
- Right to Grievance Redressal; and
- Right to Nominate.
Even worse, privacy policies can be hollow without any water-tight protection or transparency conditions granted to users.
Several privacy experts worldwide believe that the way privacy policies are drafted is suited more to protect and indemnify companies, rather than informing users (*pretends to be shocked*), as they don’t adopt a consumer-centric approach. The language used in these policies is deliberately kept vague and elastic in order for the companies to avoid liability and risk. In fact, the New York Times even conducted a study on how inaccessible privacy policies are to a layperson, with no technical or legal background. On the basis of the Lexile test, which determines how readable or complex any text is, the majority of the privacy policies studied could only be understood by a person holding a professional degree. Tell that to my 10-year-old cousin who spends 4 hours a day on Fortnite.
Privacy policies are not drafted for a common user, but for a person with sufficient legal and technical knowledge and training to be able to understand what words like “non-personally identifiable attributes” or “performance and functionality cookies” even mean.