Companies use different names to describe the document that discloses their practices in relation to the collection, use, and disclosure of personal information including: “Privacy Notice,” “Privacy Policy,” “Information Notice,” “Privacy Statement,” and “Data Protection Notice.” 

From a legislative perspective, statutes have been equally inconsistent in their use of terms.  For example, the California Online Privacy Protection Act (“CalOPPA”) refers to the creation of a “privacy policy,” but acknowledges that the document can be described via a text link to consumers in any manner so long as the link “[i]ncludes the word ‘privacy.’”¹  The California Consumer Protection Act (“CCPA”) refers to the obligation to provide consumers with “notice” of privacy practices.² While the CCPA does not itself require it, the Act also refers to the fact that some businesses may have an “online privacy policy.”³ In comparison, the European GDPR refers only to the obligation of a controller to provide “information” to data subjects, and does not reference explicitly either a “policy” or a “notice.”  In its interpretation of the GDPR, the Article 29 Working Party typically referred to a website “privacy statement” or a “privacy notice,” but recognized that “commonly used terms” by organizations included “Privacy,” “Privacy Policy,” “Data Protection Notice,” and “Fair Processing Notice.”⁴  The United States Federal Trade Commission – which is often looked to as the primary federal data privacy regulator for most companies in the US – has used the term “privacy notice” and “privacy policy” interchangeably.⁵

The net result is that, from a legal standpoint, companies can choose how they want to label their disclosure of privacy practices, so long as their label would be understood by a reasonable person. 

From a practical perspective, many companies maintain internal policies that are not intended to fulfill the function of notifying data subjects of the company’s privacy practices.  For example, a company might have a “privacy policy” focused on the company’s commitment to comply with certain privacy laws, or that sets up an internal structure for managing privacy within an organization.  A company might also have a “privacy policy” that discusses whether, or how, the company monitors the email of its employees, or a “privacy policy” that discusses the type of information that will be shared between managers or supervisors.  It can be confusing to create a “privacy policy” focused on data subjects when other “privacy policies” exist concerning internal operations and procedures.  Using the term “Privacy Notice” typically avoids that confusion.  Arguably, “Privacy Notice” also is better aligned with the intent of privacy-related statutes – i.e., to have companies “notify” data subjects of their privacy practices.  

For more information and resources about the CCPA visit http://www.CCPA-info.com. 

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. Cal. Bus. & Prof. Code 22577(b)(3)(A).

2. Cal. Civil Code 1798.100(b).

3. Cal. Civil Code 1798.130(a)(5).

4. WP 260 Rev. 1 at 8, 14.

5. See FTC, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Business and Policymakers (Mar. 2012).

[View source.]