In the last one week, Naavi has been looking at the WebDTS prospects of some of the websites and it has revealed some challenges that throws light on the overall DPDPA 2023 compliance.
Many of the WebDTS Certification requests have failed because the way the website Privacy compliance is currently designed is generally faulty. There is a need for correction.
Yesterday, Naavi had an extensive discussion with some industry experts to understand why most of the Websites may not qualify for the FDPPI’s WebDTS tag. The reasons are many and there is a need for further education of the Website Owners to make them appreciate the compliance requirements drawn up by Naavi/FDPPI. A brief attempt is made here to explain the reasons for wide prevalence of non compliance and more information will be published from time to time as a part of DGPSI compliance framework.
For example, one of the basic principles of DGPSI is that “Purpose Oriented” collection and processing of personal data is the essence of Privacy Commitment. This requires that the personal data collected has to be minimized for the required purpose at the time of collection and retention.
A Company is a bundle of many personal data processing activities and the Website is one activity where the purpose of personal data processing is “Enabling a Visitor to receive the information published”. However, a Website can also be used for conducting E Commerce. It can also be used as an application interface. The “Information publication” itself may be at the primary level of “Read what is published” which can be extended to “Request for further information”.
In view of the different requirements of a website for different purposes, the collection, retention, disclosure, requirements for each purpose differs.
For example, if the purpose is “Enabling a visitor to receive information as published” (fundamental objective of a website), then there is no need to know the name or email address or the mobile number of the visitor. The technology may require knowing the IP address of the visiting device without which the basic IP handshake cannot occur. Then there is a requirement to know whether the device is a mobile or a computer so that the GUI can be dynamically modified based on the browser and device. For these purposes the name, email or mobile is not required. The information collected for such browsing can be through session cookies which some call as “Essential Cookies”. Such session cookies get automatically purged when the session ends.
However if a website decides that We will retain information about the BIOS identity of the device, and that will help me use the same display configurations when the visitor visits next time, then they may use “Persistent Cookies” which need to be retained and stored. If this information is not capable of identifying the human visiting the website, it does not constitute collection of “Personally Identifiable Information”.
Hence the DPDPA compliance is restricted to ensure that there is no persistent cookie and even if present, the cookie is not collecting personally identifiable information.
The Level 1 of WebDTS needs to enable just this data minimization requirement. We can discuss the higher levels of WebDTS compliance in subsequent articles.
It is an observation that even this Level 1 compliance of a website is not available with most websites. We may share some of the following observations in this regard so that we all can strive towards a better compliance eco system.
Some Observations
1.The lack of compliance could be because the hosting of the website is outsourced and the owner of the website may not have complete knowledge of what cookies are working on the website and what are their purposes. As a result the personal information may be collected by the hosting company and used for its own marketing efforts without a proper consent.
2.In the event a website works only with a basic functionality of company information being displayed and no personal identifiable information of the visitor is collected, then the website is compliant with DPDPA by default. But most websites have a purpose beyond presentation of information.
3.Since the website owner is dependent on the hosting provider for cookies used during hosting, it may be preferable to declare the identity of the hosting company and declare him as responsible for any undisclosed cookies collected by him.
4.It is also possible that the website may host cookies other than what the hosting company may install. This could normally come from data analytics companies including Google Analytic tools or associated Advertisements which are part of the Content monetization objective.
Such cookies may also be collecting only information which is not personally identifiable information but the cookies may be “Persistent” and may be stored and accessed beyond the session.
Further some information like Bios information and IP information may be used along with other information available with the analytics company and could lead to eventual identification of the individual. This is a consequential risk and the website owner may have to have some disclaimers in this regard.
5.The Base level of WebDTS (Level1) may therefore include such disclosures as may be necessary to declare that the possibility of undisclosed persistent cookies (beacons) hosted on the website by others exists and such companies will be considered as “Joint Data Fiduciaries” and are notified to identify themselves to the owner.
6. At the base level of WebDTS, some requirements of ITA 2000 compliance such as updation of declared privacy policy, provision of grievance redressal information, identifying the name and address of the website owner are considered essential.
7. A website is free to take a stand “We donot collect any personally identifiable information and hence this website is outside the scope of DPDPA 2023”.
8. If the website declares that it still wants to present a more detailed “Privacy Policy”, it has to declare if it is in compliance with the “Privacy Notice” under Section 5 of DPDPA 2023 which may include the 22 language criteria.
9. In a process wise compliance, the “Website Visitor Personal Information Process” may not constitute an activity that may qualify as an activity of a Significant Data Fiduciary. However, in view of the way Section 10 of the DPDPA is worded, the company may otherwise be considered as a “Significant Data Fiduciary”. If so, one interpretation could be that the name of the DPO should be displayed on the website. If however, there is a proper disclosure of the process, the identity of an organization as a “Significant Data Fiduciary” is also “Process Dependent” and need to be disclosed only when a consent to the related process is sought.
10. If the website opts to collect personally identifiable information through a secondary process such as “Request for Service” placed through the website, a separate Privacy Notice may be displayed in conformity with the DPDPA Section 5 and 6.
The scope of WebDTS certification is limited to “Compliance of DPDPA 2023 for the processing of applicable personal information collected from the visitors of the website”.
The most important compliance requirement is to ensure that the Objective of the website is declared as “Publishing of information to the public” and a separate Privacy policy declaring that there is no collection of personal information in the process .
Where the website wants to use the website as a gateway to further services, it is advised that the Privacy policies/Notices for each of such subsidiary services are separately displayed before requesting for the service which shall be of the “Consent Grade”.
If a company opts to use the website for not only information dissemination but also for other purposes (even if it is not e-commerce) as is the prevalent practice, the Privacy Policy becomes a Consent request for multiple purposes and it has to be appropriately written to meet the requirements of “Clear” and “Precise” standard along with “Consent” as per “Verifiable standard”.
Getting a WebDTS compliance tag (Level 1) is therefore possible with a proper revision of the Privacy Policy. However the expectation of FDPPI is that a website as a whole needs to be compliant with DPDPA 2023 and it appears that in India at present there are not many websites that will pass this test.
In the coming days, we shall discuss the different requirements to be met by a website if it has to get the WebDTS seal without the qualified seal of (Level 1). I suppose other experts in DPDPA 2023 may debate the compliance requirements that Naavi/FDPPI may consider as “Necessary”.
Naavi
