Contrary to popular belief, Privacy Notices and Privacy Policies are not interchangeable terms. They have fundamental differences and are thus separate obligations for organizations.
A Privacy Policy is an internal document that governs how the organization will collect, store, protect, and utilize personal data provided by its users and other internal stakeholders. It is an internal document meant for an internal audience i.e it lets employees know how to manage personal data collected by the organization.
On the other hand, a Privacy Notice is provided to customers, users and other interested external parties about an organization’s data collection and privacy practices. It is a representation from the organization to the user on what type of personal data they collect, why they need it, what they will do to it, who they will share it with and what rights the data subject retains.
Considered a best practice and adopted worldwide – privacy notices are found even where the law does not mandate an organization to provide one – many regulators consider privacy notices akin to contractual promises between the organization and the data subject. Thus, organizations need to ensure that the representations they provide within privacy notices are accurate, transparent, and accountable.
In general, a compliant privacy notice should at least include:
Many major global regulations such as the GDPR, CCPA, and LGPD have also imposed additional strict requirements for privacy notices by organizations collecting data within their jurisdictions.
These requirements include mentioning specificities of data collection, sale, retention, processing, data subjects’ and minors’ rights, and other vital metrics within the privacy notice.
With more countries promulgating new data privacy laws worldwide, organizations collecting personal data need to develop efficient mechanisms to ensure their user-facing privacy notices are updated and compliant.
[email protected]
Securiti, Inc.
300 Santana Row
Suite 450
San Jose, CA 95128