
Legal Issue in Privacy Policy & Terms of Use that Every Web/App Developer Should Know

By Arunesh Bhardwaj July 29, 2016


In the age of the internet and smartphones, every facility is just a click away on an app. You need a cab; it is just a click away. You are hungry and need food; the food is just a click away.

An application, or app, is a medium that provides different facilities to its user, and nowadays there is an application for almost everything. A developer develops an application which, on the basis of the information collected from the user, gives the information sought by the user. So, in the process of providing information to the user, the app also collects information about the user.

As per section 2(1)(v) of the Information Technology Act, 2000, information includes data, and data means a representation of information, knowledge, facts. So, anything about the user that an application needs is information, and without this information the application won’t be able to provide service to the user. Now, in accordance with the legal provisions, there are 5 things that a developer must keep in mind while developing an app:


  1. Privacy policy must be clearly disclosed and mentioned.

Information that pertains to an individual and which is not available in the public domain is private information. By sharing private information, the information provider (the user) discloses certain facts that, if shared, will be a breach of his privacy. Through the privacy policy, the developer states and discloses the manner in which this information will be used.

Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter IT Rules, 2011) says that if a body corporate, or any person who on behalf of a body corporate, collects, receives, possesses, or stores information of any user, the body corporate will have to provide a privacy policy which discloses the handling of this information. Further, the body corporate will have to ensure that the information so collected is available for view by such information provider.

The body corporate will have to ensure that the privacy policy so disclosed must include the following:

  1. Clear and easily accessible statement of its practice and policies
  2. Type of information that will be collected
  3. Purpose of collection and its usage
  4. Security Practices and Procedures.


  2. The consent of the user must be there

The information about an individual comprises the privacy of the person, and this information can be taken only with the prior consent of the person. If we take information about the user without the user’s consent, it will be considered a breach of privacy. To ensure that the user’s right to privacy is not breached, the consent of the user needs to be taken.

Sub-Rule 1 of Rule 5 of IT Rules, 2011 clearly mentions that a written consent of the information provider needs to be taken before collecting the information, and this consent can be given through letter or fax or an email.


  3. The user must have knowledge that the information is being collected.

One can’t collect any information (which is not in the public domain) about an individual without his knowledge. The person must be aware of the details and of the fact that information about him is being collected. Apart from the knowledge that information is being collected, the user must have detailed information about why the information is being collected and to whom this information will be provided.

Sub-Rule 4 of Rule 5 of IT Rules, 2011 directs the person or the body corporate collecting the information to ensure that, while the information is being collected, the information provider has knowledge that the information is being collected. Apart from the above, the person collecting information will also have to ensure that the information provider has knowledge of:

  1. The purpose for which the information is being collected.
  2. The intended recipients of the information.
  3. The detail of the agency collecting and retaining the information.


  4. The user must be provided with an option to not provide information

The main issue that needs to be taken care of while collecting any information is the privacy of the user. The person or the body collecting the information has to ensure that the privacy of the user is not breached.

As per Sub-Rule 7 of Rule 5 of IT Rules, 2011, the person or body collecting the information will have to provide the information provider with an option to not provide the information that is being sought by the body corporate or any person. Also, the information provider must be provided with an option by which, at any time while availing the service of the body corporate, he can withdraw the consent given to the body corporate earlier.


  5. The information so collected when disclosed must be done with the permission of the user.

As per Sub-Rule 1 of Rule 6 of IT Rules, 2011, the information provided by the user can’t be shared with any third party without the consent of the user. This consent can be taken in any of the following ways:

  1. The permission to share the information with any third party can be mentioned in the contract signed between the user and the body corporate.
  2. The permission to share any information with any third party can be taken before doing so.

If the disclosure of such information is necessary for complying with any legal provision, then the consent of the user is not required. Also, the consent of the user will not be required where the information has to be mandatorily shared with any government agencies.



The most important thing that a web developer needs to take care of is that, while the app is being used, the privacy of the user is not violated in any way. The above-mentioned points are in a way a checklist which will help the developer ensure that the privacy of the user is not being breached in any way. The checklist is not an exhaustive list, but these are the important points that need to be taken care of.

