We often use terms like privacy policy and privacy notice interchangeably, but they can also be distinct documents serving different functions.
In essence, a privacy notice is for an external audience like customers and a privacy policy is for internal players like employees. However, it is common among businesses to address their privacy notice as a “privacy policy” or a “privacy statement”.
This blog treats them as distinct documents rather than interchangeable terms. Let us dive deeper into the differences.
What is a privacy notice?
A privacy notice is a public document that provides information to consumers/data subjects about how you handle their personal data. It acts as a tool to help them make informed decisions on determining whether to proceed with the business.
The California Consumer Privacy Act (CCPA) calls it a privacy policy, whereas the General Data Protection Regulation (GDPR) does not assign it a particular name; under the GDPR the document is commonly called a privacy notice, privacy policy, or privacy statement. In all cases, it is directed at data subjects and explains how their personal data is going to be processed.
In simple terms, a privacy notice is a document that a company provides to its customers to explain how their personal data will be used by the business.
Terms that refer to a privacy notice
As we already discussed, the terms privacy policy and privacy notice are used interchangeably. What matters most is the document's content, understandability, and accessibility.
Below are some alternative terms that are used to refer to a privacy notice on websites:
- Privacy policy
- Privacy Statement
- Privacy Disclosure
- Personal Data and Privacy Policy Statement
- Privacy Information
- Data Privacy Statement
- Data Protection Policy
- Privacy Terms
- Privacy Practices
Although there are quite a few alternative terms to this customer-facing document, privacy policy is the most common term used by websites. Therefore you will come across the term “Privacy Policy” on websites more frequently than “Privacy Notice”.
What is a privacy policy?
A privacy policy is a document that lays down the data-handling practices of a business. This means it points toward internal management and describes how the employees within your organization must handle personal data. Unlike privacy notices, a privacy policy is for internal use.
For example, suppose your business collects personal data from consumers. In that case, you must also have internal rules regarding its processing, data types, guidelines on meeting consumer requests, data deletion, and correction procedures, security practices, etc. Composing these into a document gives you a privacy policy.
A privacy policy is all about how personal data is managed within your organization and acts like the face of your data practices.
However, “privacy policy” is now commonly used to refer to privacy notices, which is why you will often see it on many websites.
Key similarities between a privacy notice and a privacy policy
Though a privacy policy and privacy notice are not the same, both share some commonalities. Some of them are given below.
Information
Both documents contain information regarding how an organization collects and manages data.
Compliance
While a privacy notice serves the transparency requirements set out by privacy laws such as the CCPA, GDPR, and PIPEDA, a privacy policy contains instructions and demonstrations of how the organization complies with these laws internally.
Content overlap
Both documents might contain similar information regarding data processing such as contact information of the data controller, data retention period, exercise of data subject requests, etc.
The main differences between a privacy notice and a privacy policy
Legal obligation
Data protection laws like the CCPA/CPRA, GDPR, and PIPEDA make a privacy notice a legal requirement. On the other hand, a privacy policy is not a mandatory requirement. However, it is a powerful document that can demonstrate your privacy compliance and is highly recommended.
Target audience
A privacy notice is directed toward data subjects whereas a privacy policy is directed toward internal players of an organization such as employees.
Priority
Most privacy laws expressly necessitate businesses to provide a privacy notice to individuals. On the other hand, a privacy policy is only a recommended practice.
Purpose
Both documents serve different purposes. The main goal of a privacy notice is to provide information to consumers/data subjects. This includes the data you collect, the specific purpose of processing, data subject rights, and how to exercise them.
A privacy policy is meant to create awareness about the information practices of an organization. Where a privacy notice explains how a data subject can exercise their rights, a privacy policy contains the corresponding instructions to employees on fulfilling those requests.
Display
Privacy notices must be displayed conspicuously, for example in the header or footer of a website, in sign-up forms, and in the settings menu of an application.
Since privacy policies are internal documents, they are mostly uploaded to cloud drives or internal portals.
Length
Privacy notices are shorter than privacy policies. Laws like the GDPR and CCPA require the privacy notice to be concise and easy to understand. There are no specific length recommendations for privacy policies.
Infographic: Privacy notice vs privacy policy
What are the legal requirements for privacy notice and privacy policy?
Privacy regulations do not have uniform transparency requirements and vary across jurisdictions. However, let us analyze some of the essential requirements of a privacy policy and privacy notice.
Privacy notice
An ideal privacy notice must contain the following components:
- Types of personal data you collect and their sources
- Specific purpose/ legal basis/ legitimate interest of processing
- Whether personal data is sold/shared
- Categories of data shared/sold, if any
- Categories of third parties to whom the personal data is sold or shared
- Purposes of sale/sharing of personal data
- Data retention period
- Who has access to the personal data
- How to opt-out and opt-in
- Rights of data subjects and how to exercise them
- Contact details of the organization and its Data Protection Officer
- Whether there will be an international transfer of personal data and the security measures implemented
- Information on children’s data processing, sale or sharing
- Effective means to revoke consent
- Date of the last privacy policy update
Remember that it is important to be aware of the laws that apply to your business in order to craft a compliant privacy notice. Solutions such as privacy policy generators come in handy in such scenarios.
Privacy policy
Privacy policies should contain the details of the internal data management of the organization. Data privacy laws do not specifically define their components. When drafting a privacy policy for your company, you may consider including the following information:
- Internal data management system and who has access to it
- How you handle the information of data subjects
- How you fulfil data subject requests
- Information regarding data breach notifications and the procedures that follow
- Guidelines for password protection and prevention of unauthorized access
- How often you conduct system penetration tests and how effective they are
- Whether you have employees designated for data security
- Point of contact for privacy-related queries
- Security breach response plan of your organization
As you may have noticed, the privacy policy components are more about the organization than about data subjects.
When to use a privacy notice vs a privacy policy?
Though you need to implement both privacy documents, it is pertinent to understand the scenarios appropriate for each.
Scenarios where a privacy notice is appropriate
A privacy notice is appropriate to inform website visitors about how and why you collect data from them. This is necessary to fulfill the legal obligations of data protection laws like GDPR, CCPA, LGPD, and PIPEDA.
Scenarios where a privacy policy is appropriate
Although not a legal requirement, it is recommended to have a privacy policy within your organization. This is appropriate when informing your employees about your organization’s data collection and management. It also acts as a documentation of an organization’s accountability and responsibility towards data privacy.
Best practices for crafting a privacy notice and a privacy policy
Here are some of the best practices that you should keep in mind when crafting your privacy policy and privacy notice.
How to write an effective privacy notice?
A well-written privacy notice is an essential part of data privacy compliance. Follow these best practices to write an effective privacy notice.
Understand data practices
Before starting with a privacy notice, it is important to identify data collection practices, data retention period, and data usage of your organization.
Easy to understand
Make your privacy notice easy to understand. This includes avoiding legal or technical jargon and using plain language.
Concise
Keep your privacy notice simple and concise by leaving out unnecessary information, focusing on essentials, and prioritizing clarity.
Legal knowledge
You must be aware of legal requirements to craft a compliant privacy notice. Understanding the laws can be an overwhelming process, especially if you have no legal background. In that case, it is best to consult experts for legal advice.
Research
Analyze industry standards and user expectations to ensure your privacy notice is well-crafted. You can also rely on resources available on the web such as guides and privacy notice templates.
How to write an effective privacy policy?
Just like you cannot draw without a canvas, you cannot create a privacy policy without a clear understanding of your data management. Gather information about how you manage data, fulfill consumer requests, delete and correct data, encryption methods, password protection, etc.
Make it understandable with definitions, examples, and best practices for employee awareness.
What are the best practices for posting a privacy notice (with examples)?
Privacy notices can be made available to your data subjects by linking to them under the name “privacy” or a similar name on the homepage of your website, on landing pages, or in the menus of mobile applications.
You must also provide the notice before the collection of information or when someone is about to install your mobile application.
Web page footer
One way to post your privacy notice is to hyperlink it in the footer of webpages. This is the most popular way of displaying a privacy notice.
For instance, Horne’s website displays its privacy notice in the webpage footer under the title “privacy policy”. Don’t be confused: it is common to refer to a privacy notice as a privacy policy.
About us/organization description
Many websites also publish their privacy notices in their “about” section. For instance, the iapp website provides its privacy notice towards the end of the “About the iapp” section of its website.
Settings of applications
Privacy notices are provided in the settings of many applications. For example, the LinkedIn application provides its privacy notice in the footer of its settings menu.
Menu of applications
Just like providing the privacy notice in the settings, you may also make it available to users through the application’s menu.
For example, the legal section in the Uber application’s menu contains the link to its privacy notice.
Create account forms
It is always recommended to provide the privacy notice in the account creation forms of websites or mobile applications.
For example, Slack provides its privacy notice to consumers under the title “privacy & terms” in its sign-up form.
Forms collecting personal data
Privacy notices can also be provided in forms used to collect personal data. For example, CookieYes provides our privacy notice under the title “privacy policy” in the newsletter subscription form.
Apart from these methods, privacy notices can also be provided in cookie consent banners or as a pop-up link to your users. Here is an example from CrowdStrike.
What are the best practices for posting a privacy policy?
Privacy policies represent the data practices of an organization and are mostly directed towards the employees or any other parties engaged in data processing. Therefore, you must post it in such a way that all of them have access to it.
Best practices for posting privacy policies:
Since a privacy policy relates to the internal matters of an organization, make it available to employees through:
- An email
- Internal portal for employees
- Cloud drives
- Employee training sessions
Make sure that they are easily accessible and leave no room for doubt.
FAQ on privacy notice vs privacy policy
A privacy notice is also known as a privacy policy, privacy statement, privacy disclosure, fair processing statement, etc. The purpose of all of these is to give individuals information about the personal data you collect, the specific purpose for processing, the data retention period, consumer/data subject rights, the method of exercising such rights, etc.
To write a privacy notice, you can use our privacy policy generator tool, a privacy policy template, or even create one by yourself.
You must post privacy notices conspicuously on your website. It can be in the footer of the web pages, settings, menu of applications, etc. It should also be provided before collecting personal data, for example, in sign-up forms.
The purpose of a privacy policy is to provide information regarding the information practices of the organization. It is not an agreement and does not require consent from data subjects. However, it will be safer to implement mechanisms to obtain valid consent like an unticked checkbox. This will make it enforceable and act as proof of consumers’ consent.
There is no specific word limit for a privacy notice. However, it is recommended to be concise and easy to understand.
Yes. You can use the CookieYes free privacy policy generator to create a privacy notice for your website.
No, a privacy policy and a cookie policy are different. A cookie policy describes the types of cookies used in a website along with related information, whereas a privacy policy is a detailed description of the data practices of an organization. Sometimes, a cookie policy is included in the privacy policy, under a dedicated section for it.