Every now and then, a debate comes back to my LinkedIn feed: whether the term to use is privacy notice or privacy policy. The debate can get fairly opinionated, but in the interest of making sense of what we do as security and privacy practitioners, I’ll attempt to settle the question once and for all from the perspective of semantics, purpose, and regulatory requirements.
From a pragmatic standpoint, it ought to come down to what the organization decides its documents should be called. Your documentation system creates its own reference points, and as long as 1) it serves your purposes and 2) both staff and auditors can navigate the structure, you’re good. But years of consulting on privacy program management and compliance, as external data protection officer for a variety of US- and EU-based organizations, have confirmed that long-term ownership (a term I like to define as an individual’s or group’s ability to identify issues and carry out structural changes that reduce risk lastingly) only emerges if staff develop the same sense of purpose in their security and compliance efforts.
In essence, what starts off as the freedom to name a document ultimately leads to the necessity of instilling purposeful, self-explanatory, and future-proof meaning in what your documentation is designed to achieve in the first place: structural clarity of use. The flimsiest implementations I have seen in quality, security, and privacy management rely on documentation that was established only to satisfy auditors rather than to support objectives and operations.
So by the end of this article, you’ll understand why, as a European data protection professional, I feel strongly about this debate and why you should too, regardless of the legal frameworks and the jurisdiction you practice in.
Let us begin by distinguishing notices from policies.
The Purpose of Policies
Policies, as the term is used in ISO/IEC management system standards, express the intentions and direction of the organization and specify the conduct expected of staff. They clarify overarching company objectives and set out the practices staff should observe to reach those objectives. They are necessary, but not sufficient on their own, to shape practice: a policy that no procedure, training, or technical control backs up changes very little.
Policies are also meant, and often used, to hold staff accountable. For instance, if an employee is found to repeatedly violate the rules on password sharing, this can trigger disciplinary action. Companies use policies to prescribe expected practices and to create a line of defense against human error and rogue behavior that departs from a given policy. This allows management to argue that a mistake was caused by a member of staff’s failure to follow the policy rather than by a systemic or process error that would expose a lack of management control. That argument only carries weight, of course, if the policy was communicated, acknowledged, and enforced; a rule nobody was trained on and no control supports will not shift much responsibility.
Policies are thus rule books created within an organization and aimed at internal audiences. Under an information classification scheme they tend to be classified as internal, i.e. not to be shared externally. They do at times extend to externally sourced staff (consultants and contractors) so that their actions are held to the same standard as staff on payroll. They may be requested in due diligence questionnaires by partners, customers, and investors, providing a peek into your management system, but they are never published by default.
Policies can be all-encompassing (recommended if their content applies to all audiences) or granular (recommended for readability and purpose-specificity in large management systems), e.g.:
- Information classification, handling, and labeling policy
- Incident response and breach notification policy
- Remote access and access control policy
- Acceptable use of ICT / internet policy
- Bring-your-own device policy
- Secure logon policy
- Password policy
The points above all have in common the support of goals and the prescription of steps, actions, and behaviors expected of operators, executors, and decision-makers. As such, they can be written to reference process descriptions, guidance, quality objectives, KPIs or OKRs, standard operating procedures, or job aids. They serve accountability purposes while helping staff understand what to do, how to do it, and why it needs to be done.
The Purpose of the Privacy Notice
The Duty to Inform
Privacy notices are neither defined nor named as such by the GDPR, but they have become the de facto vehicle for data controllers to fulfill their duty to inform data subjects. Articles 12 to 14 of the GDPR set out what information a data controller must provide to data subjects: what data is processed (data points), why it is needed (purposes), how its use is legitimized (lawful basis), who receives it, how long it is kept, whether it leaves the EU, and what control subjects can exercise over that processing (rights). Article 13 applies where the data is collected from the data subject; Article 14 applies where it is obtained from elsewhere, in which case the source of the data must be disclosed as well.
Notices and Policies in the Physical World
A notice is a disclosure. It is purely one-way communication that transparently informs its reader. Think of a notice of payment, a warning label, a notice of eviction. They are pinned memos that inform a visitor or reader of what needs to happen, what is happening, or what is likely to happen. Picture the obligation to display the manufacturer’s name and the power rating on the back of an electronic device so that the user knows how to power it and where to get more information or claim compensation for safety issues. While there is a health-and-safety obligation to warn visitors of risk (wet floor, falling objects, risk of electric shock, etc.), there is no obligation to have the visitor agree to that information. Put simply, notices are provided to the intended audience and supported by efforts to make them conspicuous.
If you were to come across a radioactive area while hiking in the desert, you’d expect to find clear information about whether you may enter it. That information would allow you to make an informed decision: to walk around it or to take the risk of cutting across. The obligation there falls on the company that owns the concession to provide relevant information on trespassing and health risks.
Whether you choose to call it a shield, a poster, a sign, or a notice, calling it a policy makes no sense, and demanding that the reader accept the information is senseless. In that context, the policy may be to report trespassers, lead them out of the area, or hand them over to the authorities. That policy will trickle down to a standard operating procedure instructing guards on their prescribed reaction and tasks.
Clear Information Provides User Control
In data protection, information provides the first layer of user control. Knowing what you are engaging in allows you to understand what purposes and service features the data you provide will serve. That gives you a chance to back away from using an application and look for a more ethical provider who really ‘does take your privacy seriously’. Based on the information afforded by the privacy notice, users can choose not to use a service. More importantly, they can object to certain activities, among other rights available to them, and engage supervisory authorities to mediate where they believe the processing is excessive or unfair. They can even get courts to intercede should supervisory authorities fail to act. Remember, the obligation to maintain the fence and put up a warning sign belongs to the organization awarded the concession.
Why Do Notices Keep Getting Called Policies?
Perhaps because policy sounds more threatening and coercive. If there is coercion, it is not on the reader but on the drafter. There is a statutory duty to inform, which translates into a right of the data subject to be informed. A careful look at the structure of the GDPR confirms this: Chapter III, Rights of the data subject, opens with Section 1, Transparency and modalities, and Article 12, Transparent information, communication and modalities for the exercise of the rights of the data subject. Enforcement cases involving violations of Articles 12 to 14 turn on the failure to inform with the required detail in an accessible manner. There is no requirement to demonstrate that the information has been read, so you will find no enforcement for that failure; what has to be demonstrated is accessibility, accuracy, and readability. Yet many organizations turn this regulatory obligation of the controller into a contractual obligation on the data subject.
Organizations that force service users to accept their privacy notice mark themselves out as failing to understand the requirements and their underlying principles. As a user, visitor, or reader, ask yourself: if the service provider is forcing me to do something I don’t have to, where else in the use of my data are they, unintentionally or purposely, deceiving me? A more likely reason for this widespread practice is that organizations tend to conflate the statutory requirement to provide a data protection notice, an exercise in transparency, with establishing terms of use, an agreement with a user delineating the limits of acceptable use. The latter, users do have to agree to.
A Closer Look at the Deception of Consenting to Privacy Notices
In many instances, one cannot proceed with using a service without ticking a box labeled “I consent to the privacy policy”. Now that we have established there is no need to have anyone agree to or accept a notice, let us focus on why consenting to one is even more concerning.
In the Data Misconceptions article in the 49th edition of the PECB Magazine, emphasis was placed on mapping each processing activity to a defined purpose, itself grounded in an appropriate legal basis. The GDPR provides six legal bases (Art. 6.1), but for most processing by private-sector organizations only three are realistically available: consent, contract, and legitimate interest. Valid consent must satisfy six conditions. Two of them matter here in particular: consent must be freely given and it must be specific. The former means you cannot be forced to give consent; the latter means each purpose must be consented to individually rather than bundled.
It is alarming to see how many services offered in the EU still assume that your use of the service equates to consenting to the processing of personal data. Having users consent to a privacy policy deceitfully convinces them that all subsequent processing is necessary. That is only true of data processed in order to perform a contract with the individual (GDPR, Art. 6.1.b) or to comply with a legal obligation (Art. 6.1.c). All other processing is either optional (based on consent, Art. 6.1.a) or debatable, based on legitimate interest (Art. 6.1.f).
Information in the privacy notice is crucial because it must allow users to decide whether to use a service, i.e. whether to give up some of their privacy, and to exercise the rights described above, with the supervisory authority and the courts as a backstop. At any rate, consent cannot be bundled or centralized under one consent collection screen: Recital 43 states that consent is presumed not to be freely given if it does not allow separate consent to different processing operations. Thus, asking for consent to the notice not only carries falsehoods, it also opens the door for a court to rule that the entire processing relied on bundled, forced consent.
While organizations might argue that collecting proof of consent helps them demonstrate they have fulfilled their duty to inform, nothing in recent enforcement cases indicates that authorities accept that technique as fulfilling transparency obligations. On the contrary, a violation of the duty to inform is established by comparing what processing actually took place with what was written and explained to the data subjects.
Getting Your Privacy Notice Right
Provided you can spare the three minutes it takes to read Articles 12, 13, and 14 of the GDPR, and you have up-to-date records of processing activities (Art. 30), you can be creative about making information accessible, both situationally and semantically. Don’t, for instance, list the data subject rights from Articles 15 to 22 if they are not actually available to the data subjects. If a right is not available, explain why; for example, where a blockchain application is used, some data will be retained and accessible indefinitely, making it impossible to exercise the right to erasure (Art. 17).
In terms of raising awareness of the document, the most organizations can expect is for visitors to their website, or users of their service, to acknowledge the notice. But even that is not an obligation. The explicit requirement remains with the controller to “provide any information […] relating to processing […] in a concise, transparent, intelligible and easily accessible form, using clear and plain language” (Art. 12.1). This is why, contrary to popular practice, privacy notices are not always best written by the legal team. Achieving transparency requires a technical understanding of the processing involved, notions of pedagogy, information management, and communication skills.
I like to use a tabular form that drastically reduces the need for lengthy repetition and increases the reader’s ability to navigate efficiently. Efficiency increases the likelihood that the information serves its purpose. Since the data in the privacy notice comes from the Records of Processing Activities (RoPA), one row per processing activity, with columns for purpose, data categories, lawful basis, recipients, retention period, and transfers, makes it obvious which information is to be carried over from the RoPA to the notice. This ensures:
- No details are missed
- Gaps are immediately visible
- Readers can locate the section they are actually interested in
If you’ve ever tried to convert table data into text or into something of a narrative, you will likely adopt that format and never look back. This methodical and fail-safe approach saves a great deal of compliance effort and preserves your sanity, so give it a try.
Remember that for service-user-facing documents, you’ll want to keep the privacy notice and the terms of use separate. Failing that will only cause confusion between how the service should be used (terms) and what data the service needs to operate as intended (notice).
Remember that for staff-facing documents, clearly distinguishing between how their own data is used (notice) and how they are expected to handle other people’s data (policy) will go a long way in helping employees make sense of their duties and understand their rights, and in doing so support your security and data protection goals. Ensure you clearly define, within your ISMS, QMS, RMS, or PIMS (ISO/IEC 27701), the scope, audience, and uses of each document; this can be done in a handbook or on your Confluence wiki.
Yes, Notices Are Meant to Be Noticed
Finally, let us quickly consider the advantage of a GDPR-compliant privacy notice for data processors. The emphasis has been, thus far, on the duty to inform as an obligation of the data controller. However, data processors, who have no direct relationship with data subjects under which this duty arises, should nevertheless not underestimate the business development relevance of an adequately titled and impeccably readable privacy notice. (Processors are, of course, controllers of their own staff, website visitor, and customer-contact data, and owe those data subjects a notice like anyone else.)
The key lies in acknowledging that the notice is not the shameful document companies hide away in their footer or deter you from reading by using the anchor “legal” in the hyperlink. First and foremost, the notice is a publicly available document. Procurement teams, supported by their DPOs, source their corporate intelligence where they can, and before engaging in lengthy email exchanges with ill-trained sales teams they peruse privacy notices to get a sense of your approach to fulfilling data protection transparency requirements. Yes, they remain more interested in your B2B2C product than in the internal processing activities your privacy notice outlines, but they are not insensitive to the first impression it makes. If you provide PaaS solutions, ask yourself: out of five alternative suppliers, which website are they likely to come back to for a second look?
Self-Assessment
The following questions might help you review, understand, challenge, and improve your organization’s practices and terminology. If you feel confused, it’s a good sign. The following are all based on real-life examples.
- Would the following elements best be suited to a privacy notice or a privacy policy?
  a. A section on the 6 principles of data protection
  b. An out-of-context synthesis of Chapter 3 of the GDPR that brings little value in this form
  c. An outline of the do’s and don’ts of using K:/ public and private folders
  d. A statement on the company’s commitment to keeping data confidential
- If, as a user of a service provided in the EU, you happened upon that service’s data protection notice, what information would you need to find there?
  a. What data is collected from you and for what purposes
  b. Whether your data is flowing to jurisdictions that do not ensure your fundamental rights
  c. How the company is committed to protecting users from AI harms when personal data is subject to automated decision-making
  d. How AI is involved in processing data, whether automated decision-making takes place, and what rights are available in that respect
- If, as a consultant or auditor, you came across a data protection policy, what from the following would you expect to find (there or referenced)?
  a. A detailed list of security measures implemented to secure company data
  b. The inventory of all the processing activities and data needs
  c. Detailed guidance on privacy practices product engineers should abide by
  d. The data processing agreement appended to the service contract
Answers
- a: notice, b: neither, c: policy, d: policy. Note that the notice is not a place for wishful thinking, it’s a place for facts.
- a: yes, b: yes, c: no, d: yes.
- a: yes, b: no, c: yes, d: no.
Conclusion
Why should you care? Given the vast regulatory landscape forcing security, privacy, legal, compliance, and management teams to work together, getting your definitions right helps multidisciplinary teams build solutions that are stronger, better, and faster. Speaking the same language is paramount to reaching the same goals. If you’ve recently been tasked with security management activities, make sure you understand and are able to explain complexity in simple terms, even when it comes to what documentation is needed, what it must contain, and how it ought to be named. Break down complexity and reiterate patiently to build engagement.
Your organization is not necessarily breaking the law when making the mistakes outlined above. There remain many grey areas not worth the effort of enforcing, but dark patterns are known, described, and enforced against. This guidance is more of an appeal to the notion that clarity and robust definitions lead to cultures where multidisciplinary efforts contribute to building trust. While Silicon Valley has undertaken to dismantle the democratic world for the rest of us by excelling at cosmetic trust, genuine trust in a product remains a laudable goal for SMEs seeking prosperous and responsible development. The privacy notice is where it all starts.
Stay tuned for an upcoming deep dive into the compliance risks inherited when relying on privacy notice templates and common ownership issues. We’ll even throw in a no-nonsense, high-readability template that non-lawyers can easily own and update.