What if your city no longer had to put up speed limit signs? The police would still know what the speed limit was on a given stretch of road, but drivers would just have to guess. If you got a ticket for speeding, you’d feel like you’d been taken advantage of, wouldn’t you?  

For consumers who discover their personal data has been collected, processed, sold, transferred, or otherwise mucked around with without their knowledge or consent, the feeling is similar. To increase trust and transparency, modern businesses are required to provide privacy notices to their audience. Consumers expect to be informed about the collection, use, sharing, and protection of their data—and a privacy notice is the number one way to deliver that information. 

This article will explore the concept of a privacy notice, its legal aspects, components, and its role in protecting your data. 

Understanding the Concept of a Privacy Notice 

Before delving into the details, let's start by defining what a privacy notice is, some best practices associated with their creation, and why they matter.  

Definition of a Privacy Notice 

A privacy notice, also known as a privacy policy or data protection notice, is a document that outlines an organization's practices concerning the collection, use, and safeguarding of personal data. It serves as a transparent communication channel between the organization and individuals whose data it processes. It succinctly describes:  

• The information collected. 
• The purpose of the collection. 
• How the data is used. 
• Whether it is shared with any third parties. 
• The measures taken to protect it from unauthorized access. 
• And more. 

Best Practices When Creating Privacy Notices 

When creating a privacy notice, organizations must ensure that it is written in clear and understandable language, avoiding complex legal jargon. The point of a privacy notice is to inform after all, and if it’s written in an overly technical fashion, it won’t do much informing.  

Furthermore, privacy notices should be easily accessible to individuals. They are commonly found on an organization's website or mobile application, often linked in the footer or navigation menu. This accessibility ensures that individuals can easily refer to the privacy notice whenever they have questions or concerns about their data. 

The Importance of Privacy Notices 

Privacy notices play a vital role in protecting individuals' privacy rights and enabling them to exercise those rights. First and foremost, they empower individuals by providing them with essential information about how their data will be used. Without this knowledge, individuals would be left in the dark, unaware of what happens to their personal information once it is shared. 

These rights, which may vary depending on the jurisdiction, often include the right to access, rectify, and delete personal information. By clearly outlining these rights in the privacy notice, organizations ensure that individuals are aware of their rights and can easily exercise them. 

Take Osano’s privacy policy for example. In it, we discuss: 

• Information regarding data collection, including what we collect, how we collect it, how we use it, and the legal basis for collection. 
• Information on data transfers. 
• Information on data retention and security. 
• Your rights and how you can exercise them. 
• And more important information. 

As a data privacy company, it’s pretty important to us that our customers and website visitors can easily understand our privacy policy. Not only is it the right thing for us to do, but it’s also key to winning trust. (After all, who’d trust a data privacy company with a garbled, obtuse privacy policy?) 

You don’t have to be a data privacy company to win customer trust with your privacy policy, though. According to research by the International Assocation of Privacy Professionals (IAPP), 64% of consumers place more trust in companies that provide clear information about their privacy policies.  

By being open and transparent about their data practices, organizations can foster a sense of trust and confidence among their users. This trust is essential in today's data-driven society, where people are increasingly concerned about how their data is being used and shared. In fact, the same IAPP research identified that 68% of consumers are either somewhat or very concerned about their online privacy.

The Legal Aspects of Privacy Notices 

Privacy notices also serve as a legal requirement in many jurisdictions. Data protection laws, such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA), mandate that organizations provide individuals with clear and comprehensive information about their data processing activities. Failure to comply with these legal obligations can result in severe penalties and reputational damage for organizations. The first company to be fined under the CCPA, for example, was Sephora—they were ordered to pay $1.2 million due in part to inaccuracies in their privacy policy.  

The Role of the GDPR in Privacy Notices 

Article 13 of the GDPR lays out requirements for “information to be provided where personal data are collected from the data subject.” It doesn’t explicitly mention a privacy notice or policy, but notices are the easiest and most common way to provide the information required by the GDPR. 

The GDPR sets out specific requirements to ensure individuals are fully informed about how their personal data will be handled. In addition to providing information about data processing activities, privacy notices must also inform individuals about their rights under the GDPR, such as the right to access their data, the right to rectify inaccuracies, and the right to erasure. 

Furthermore, privacy notices must inform individuals about the legal basis for processing their data. The GDPR provides several legal bases for processing, including:  

• The necessity of processing for the performance of a contract. 
• Compliance with a legal obligation. 
• Protection of vital interests. 
• Consent, which is among the more commonly used legal bases.  
• The performance of a task carried out in the public interest or in the exercise of official authority
• Legitimate interests pursued by the data controller or a third party. 

Organizations must ensure that their privacy notices are up to date and reflect any changes in their data processing practices. If there are any material changes to how personal data is processed, organizations must inform individuals and obtain their consent if required. 

The Role of the CCPA/CPRA in Privacy Notices 

Among other state laws in the United States, the CCPA/CPRA grants California residents certain rights regarding their personal information, including the right to know what personal information is collected about them and the right to opt-out of the sale of their personal information. Organizations that fall under the scope of the CCPA/CPRA must provide privacy notices that comply with the requirements of the law. 

The CCPA/CPRA does specifically mention privacy policies in Section 1798.130(a)(5), where it states that businesses must “Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California‐specific description of consumers’ privacy rights, or if the business does not maintain those policies, on its internet website, and update that information at least once every 12 months.” The text of the law then goes on to enumerate its various privacy notice requirements. 

Other Relevant Privacy Laws and Regulations 

The GDPR and CCPA/CPRA are far from the only laws with privacy notice requirements, but they do cover two of the largest jurisdictions that a business might be operating within. Any modern data privacy law is going to have some sort of requirement around privacy notices, however. 

Besides the GDPR, many countries and regions have enacted their own privacy laws and regulations. These laws may impose additional requirements on organizations, such as mandatory data breach notification or specific consent mechanisms. It is essential for organizations to be aware of and comply with the relevant laws in the jurisdictions where they operate. 

Similarly, in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) sets out rules for the collection, use, and disclosure of personal information by private sector organizations. Organizations subject to PIPEDA must have privacy policies that outline their information handling practices and provide individuals with information about their rights and how to exercise them. 

There are also numerous other U.S. state laws, like the Connecticut Data Privacy Act, Colorado Privacy Act, and many others; Brazil’s Lei Geral de Proteção de Dados Pessoais, or LGPD; China's Personal Information Protection Act; and many, many more laws each year. 

Components of a Privacy Notice 

A well-crafted privacy notice typically consists of several key components. Let's take a closer look at each of them. If you’re looking for a step-by-step guide on how to make your own privacy notice, consider checking out The Ultimate Privacy Policy Checklist. 

Information Collection and Use 

This section of the privacy notice explains what types of personal data are collected and how the organization uses that data. It should include details such as the purpose for collecting the data, the legal basis for processing it, and any specific uses that individuals should be aware of. 

For example, if you are signing up for a newsletter, the organization may collect your name, email address, and preferences. (By the way, have we mentioned Osano’s own excellent newsletter, The Privacy Insider?)  

This information is used to personalize the newsletters and send them to the right recipients. The legal basis for processing this data may be your consent, which you provide when you subscribe to the newsletter. 

In addition to personalizing newsletters, the organization may also use the collected data to analyze trends and improve their services. This helps them understand their audience better and tailor their content to meet their subscribers' needs. 

Data Sharing and Disclosure 

In this section, the organization should disclose whether it shares personal data with any third parties and the purpose of such sharing. It is essential to be transparent about any sharing practices and ensure that individuals understand the potential risks involved. 

Let’s consider this information in the context of the hypothetical scenario in which you signed up for an organization’s newsletter. The organization may share personal data with a third-party email marketing service to send out newsletters on their behalf. This ensures efficient delivery and tracking of emails. The purpose of sharing this data is solely for the distribution of newsletters and does not involve any other use or disclosure. 

Furthermore, the organization may also share personal data with law enforcement agencies or other authorities if required by law or to protect their legal rights. This is done in compliance with applicable regulations and ensures the safety and security of individuals' data. 

Data Retention and Protection 

Data retention and protection are critical considerations in any privacy notice. This section explains how long the organization retains personal data and the measures in place to protect it from unauthorized access, loss, or destruction. It may also outline individuals' rights regarding the deletion or correction of their data. 

Typically, the organization will retain personal data for as long as necessary to fulfill the purposes for which it was collected. So, in the context of the newsletter example, your email address and other personal data may be retained until you unsubscribe or request its deletion. 

To ensure the security of personal data, the organization will implement various technical and organizational measures. These may include encryption, access controls, regular backups, and staff training on data protection practices. By adopting these measures, the organization aims to minimize the risk of data breaches and unauthorized access to personal information. 

How Privacy Notices Protect Your Customers’ Data 

You may be legally required to provide a privacy notice, and it may improve your customers’ trust in your organization, but the real purpose of a privacy notice is to protect customer data—and, in turn, your brand reputation. Here’s how. 

Ensuring Transparency and Control 

Privacy notices provide individuals with the transparency they need to make informed decisions about their data. By clearly outlining data practices, individuals can exercise greater control over what information they share and how it is used. This transparency helps to mitigate the risk of data misuse and enables individuals to hold organizations accountable for their data practices. 

Protection Against Data Breaches 

Data breaches can have serious consequences for both individuals and organizations. A well-drafted privacy notice should include information on the security measures in place to protect personal data. By being aware of these measures, individuals can assess the level of risk associated with sharing their data and make informed decisions accordingly. 

What’s more, Osano research identified that companies whose privacy policies lacked detail into their privacy practices were nearly twice as likely to suffer a data breach than companies whose policies described excellent and robust practices. 

Prompting Data Privacy Protection Activities 

The most essential aspect of a privacy notice is that it has to actually describe what your organization does. Upon crafting their first privacy notice, many organizations become aware of compliance activities they need to complete in order to meet the standards their notice sets. Thus, the act of building a privacy notice can prompt you to consider and improve upon data privacy practices at your organization. 

Privacy notices are a critical document that plays a vital role in protecting your customers’ personal data. By understanding the concept, legal aspects, and components of a privacy notice, you will be better equipped to protect your customers’ data and stay compliant.  

Of course, it can be tough to know where to start, especially if you haven’t developed a privacy policy before. To help businesses put together a compliance data privacy policy, we’ve developed an interactive checklist you can work through step by step. Download a free copy of the Interactive Privacy Policy Checklist here.