
Privacy Policy vs. Privacy Notice

What should you know about it

Why do you need a Privacy Policy, and what is it exactly?

According to the International Association of Privacy Professionals (IAPP), a Privacy Policy is an internal statement that governs an organization’s handling practices of personal data. It is directed toward members who might handle or make decisions regarding users’ personal data, instructing them on collecting, using, storing, and destroying the data and any specific rights the data subjects (users) may have.

The language of the Privacy Policy must be straightforward and easy for the average user to understand. Privacy Policies are sometimes called Data Protection Policies.

According to major global privacy laws (GDPR, CCPA, LGPD, etc.), personal data may include but is not limited to:
  • An individual’s name, signature, address, phone number, or date of birth
  • Sensitive information (ethnic origin, political opinions, religious beliefs, health or genetic information, etc.)
  • An individual’s financial information
  • Any employee record information
  • Personally identifiable photographs
  • Internet Protocol (IP) addresses of individuals
  • The voiceprint and facial recognition biometrics of individuals (because they capture characteristics that make an individual’s voice or face unique)
  • The location information from a mobile device (because it can reveal user activity patterns and habits)

What is a Privacy Notice?

On the other hand, a Privacy Notice is externally focused. It tells customers, regulators, and other stakeholders what the organization does with personal information. It answers questions about the types of personal data processed, the lawful basis for processing personal data, and the data being transferred to third parties. A Privacy Notice must also tell users how long the organization will store their data, the user’s rights on collected data, and the privacy team’s contact information.

All modern data privacy laws like CCPA, GDPR, and LGPD now require all businesses that collect personal data to have clear and discoverable privacy notices. Privacy notices are usually placed in website footers, side menus, and signup forms. Also, app developers that control users’ personal data must be transparent about their practices and inform users how they handle personal data through a clearly visible and sufficiently noticeable privacy notice. In all cases, a privacy notice should be written in clear and straightforward language, so it is understandable to an average person and not just to lawyers.

A privacy notice is sometimes referred to as a privacy statement or a fair processing statement. Special privacy notices are also mandated by specific laws such as GLBA and COPPA in the United States.


The critical differences between Privacy Policy and Privacy Notice

Privacy Policy

A Privacy Policy is internally focused, telling employees what they may and may not do with data subjects’ personal information. It must include the following:
  • Scope, which is the type of information & the applicable stakeholders
  • Policy Statement, which is the expected behavior & consequences of non-compliance
  • Data Protection & Destruction standards
  • Contact person to answer questions or concerns
  • How to respond to data subjects’ requests
  • The effective date of the privacy policy
Core Audience: internal employees who will have access to or will be managing the data. A Privacy Policy will have more operational detail on how employees should handle personal data. Start with developing privacy policies and update them according to the latest privacy regulations.

vs.

Privacy Notice

A Privacy Notice is externally facing, informing customers, regulators, and other stakeholders what the organization does with the collected personal data. It must include the following:
  • When, what, and why the personal data is collected
  • The types of personal data collected and processed
  • How the personal data is protected
  • In what instances the organization shares data with third parties
  • The data subject’s rights on collected data
  • Contact information
  • The effective date of the Privacy Notice
Core Audience: external users, customers, and regulators. A Privacy Notice has more information and descriptions about data, user rights, data sharing policies, etc. Privacy Notices are typically built on privacy policies.

Dynamic vs. Static Privacy Notice Strategy - It is time to upgrade

Traditionally, organizations have followed a static privacy notice strategy. The notices are updated whenever there is a change in privacy laws by regulators or when organizations change their data collection processes. Privacy officers responsible for formulating and maintaining privacy notices have to collaborate with various internal stakeholders, gather insights about all their data processing and cookie activities, and update privacy notices to ensure compliance.


Most privacy officers rely on manual processes such as assessments, documents, or emails to collect information from their assets & data processing activities. Tracking hundreds of these assessments (one per business entity) can be tedious & time-consuming. Also, as new data attributes are added, the surveys and assessments become out of date.

In large organizations, multiple departments collect and process personal data for different purposes. This also evolves as products and teams across the organization leverage the data for new or changed purposes. It can be very challenging and time-consuming to continually update static privacy policies in a dynamic, regulated environment.

Lastly, marketing teams regularly add new code to websites to track visitor engagement, product preferences, website performance metrics, etc. These tracking scripts, and the ‘cookies’ they set, are placed in website visitors’ browsers when they first visit the website.

Organizations therefore need to continuously scan their websites to discover any newly added cookies and keep the cookie inventory in their privacy notice up to date.
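The reconciliation step described above, as an added example that is not code from this page or from Securiti’s product: a small Python routine that parses the Set-Cookie headers captured from a site crawl, compares the cookie names against the inventory declared in the current privacy notice, and reports both undeclared cookies (a disclosure gap) and stale entries (declared but no longer set). The header values and the inventory below are constructed sample data, not real site output.

```python
"""Reconcile cookies a site actually sets against the inventory declared in its privacy notice."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: Set-Cookie header values collected while crawling the site (hypothetical).
OBSERVED_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga=GA1.2.111; Path=/; Max-Age=63072000",
    "_fbp=fb.1.222; Path=/; Max-Age=7776000",   # set by a newly added marketing tag
    "lang=en; Path=/",
]

# Constructed sample: cookie inventory as published in the current privacy notice (hypothetical).
DECLARED_INVENTORY = {
    "sessionid": "strictly necessary",
    "_ga": "analytics",
    "lang": "preferences",
    "_old_tracker": "marketing",  # still declared, but the site no longer sets it
}


@dataclass(frozen=True)
class ObservedCookie:
    name: str
    max_age: Optional[int]   # seconds; None means a session cookie (no Max-Age attribute)
    secure: bool
    http_only: bool


def parse_set_cookie(header: str) -> ObservedCookie:
    """Parse one Set-Cookie header value into name plus the attributes the notice cares about."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    max_age = int(attrs["max-age"]) if "max-age" in attrs else None
    return ObservedCookie(name, max_age, "secure" in attrs, "httponly" in attrs)


def reconcile(headers: List[str], inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Return cookies set but not declared, and cookies declared but no longer set."""
    observed = {c.name for c in map(parse_set_cookie, headers)}
    return {
        "undeclared": sorted(observed - set(inventory)),
        "stale": sorted(set(inventory) - observed),
    }


def retention_days(headers: List[str]) -> Dict[str, Optional[int]]:
    """Lifetime of each observed cookie in whole days, for the notice's retention statement."""
    report: Dict[str, Optional[int]] = {}
    for cookie in map(parse_set_cookie, headers):
        report[cookie.name] = None if cookie.max_age is None else cookie.max_age // 86400
    return report


if __name__ == "__main__":
    result = reconcile(OBSERVED_SET_COOKIE_HEADERS, DECLARED_INVENTORY)
    print("Set but not declared in the notice:", result["undeclared"])
    print("Declared in the notice but no longer set:", result["stale"])
    print("Retention (days, None = session):", retention_days(OBSERVED_SET_COOKIE_HEADERS))
```

In practice the header list would come from the crawler that fetches each page (and from cookies set client-side by scripts, which a plain HTTP crawl will not see), and a non-empty `undeclared` list is the trigger to regenerate the notice before the next publication cycle.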


For the reasons mentioned above, modern organizations need to have a Dynamic Privacy Policy strategy.

Solutions like Securiti’s Privacy Policy & Notice Management integrate with Cookie Consent, Data Mapping, Universal Preference Center, and Data Subject Rights to dynamically update privacy policies or notices and comply with the region’s governing regulation.

The solution also enables organizations to:
  • Publish privacy notices in minutes using pre-built templates, simplifying the entire process and ensuring consistency.
  • Centralize management by tracking and monitoring privacy notices across multiple systems.
  • Accelerate the periodic review process by quickly scanning the websites, detecting new cookies, and dynamically updating the privacy policy or notice.
  • Keep notices up to date through native integration with Securiti’s privacy-ops platform.


The need for a solution that can automate scanning and discovery and streamline privacy policies or notices across large organizations is growing. Increasingly, businesses need to collect personal data for personalized marketing campaigns and to improve customer loyalty.

This necessitates adopting a dynamic privacy policy strategy to save time and resources and to ensure compliance.
