3 Things that you MUST include in your Privacy Policy

Yesterday, I spent the better part of my day drafting a privacy policy for a popular Kenyan e-commerce company. While drafting the policy, I had to look at the generic policy that they had on their website and adapt it to Kenyan law to make sure that they are on the right side of the law. Before starting, the Client had doubts as to whether they needed their privacy policy done by a professional or not. I assume that they are not the only ones and this is why I am penning this article.

What is a Privacy Policy?

A privacy policy is a legal document that outlines how your company collects, processes and disposes of personal data belonging to its users or consumers. In my experience specializing in developing privacy policies, I have learned that most Kenyan companies use generic privacy policies that they copied and pasted from the internet. They simply do not see the need to hire a professional to draft one, but is this a wise strategy?

What if you just copy-paste your Privacy Policy?

In September 2021, WhatsApp was fined a massive €225m for, among other things, failing to include certain information in its privacy policy. In the decision, the Court found that the privacy policies WhatsApp had did not adhere to the principle of transparency. This led to WhatsApp having to re-do its policy, but it was too little too late.

Back home, late last year Oppo Kenya was fined 5 million shillings for violating the Data Protection Act. One of the reasons for this fine was that it did not have sufficient internal policy documents on protecting the privacy of its users. Because of weaknesses in its privacy policy, Oppo used images belonging to a third party without getting their express consent.

What do you need to do?

It is important to have a well-drafted and implemented privacy policy. What exactly does that look like? In my experience drafting privacy policies, I have noted 3 essential things that need to be in a Privacy Policy (kindly note that this list is not exhaustive):

1. Classification of Data

You need to properly classify the type of data you handle and how you will treat each type. For example, Contact Data refers to the contact information belonging to your users that you collect to communicate with them, while Transaction Data refers to the transaction details that you collect when a user is buying an item from your website. These examples are not exhaustive; for every type of data you collect, your policy needs to detail how you process it, why you process it, and for how long you hold it.

2. Duration for which you hold Data

You will also need to document how long you will hold on to the data you collect. The principle of storage limitation states that personal data should only be kept in a form that permits the identification of data subjects for as long as is necessary for the purposes for which the personal data are processed. This means that your privacy policy will need to state how long you are planning to hold the data you are collecting.

3. Cookies

Your Privacy Policy will also need to document how you use cookies on your website and how your users can set their cookie preferences. Cookies are text files with small pieces of data, like a username and password, that are used to identify your computer as you use a computer network. Cookies enable websites to remember you, your website logins, shopping carts and more.

Do you have a privacy policy that can stand the test of scrutiny or are you an inspection away from a fine?

The writer is a lawyer who specializes in offering legal services to people in technology. You can contact him through info@masibolaw.co.ke

Published by masibolaw

We help ambitious entrepreneurs to overcome legal and regulatory obstacles while growing their businesses.
