Privacy Policy or Privacy Notice?

Privacy Policy or Privacy Notice? This one seems to run and run! But does it matter and why is this even a discussion?

Let’s answer the question up front: nowhere in UK or EU data protection law is it written that you have to call any document a Privacy Policy or Privacy Notice. GDPR doesn’t even use the term notice. It’s fake news!

The distinction some people draw, ‘Policy’ for an internal document and ‘Notice’ for the external one, simply does not exist in the world of GDPR or Privacy. As we’ll see, what exists is the obligation to give information, and that applies as much to data subjects who are employees as to customers.

The bottom line is there’s no legal rule on this in Privacy law – the important thing is you provide data subjects with the information you’re meant to, when you’re meant to.  

The dominant practice historically has been to call the document on your website ‘Privacy Policy‘. But calling it ‘notice’ is totally fine, too. Let’s look at the law and practice (references to website usage by regulators and other entities is as at 20 July 2022).


‘Privacy Notice’ isn’t in GDPR

Not only does the term ‘Privacy Notice’ not appear in GDPR – ever – the word ‘notice’ only appears once in GDPR, in Recital 103 about when the Commission can give notice to revoke an adequacy decision. 

Here are the relevant parts of Article 13 and Article 14 of GDPR. There is no reference to the word ‘notice’ at all; it’s about giving information.

GDPR Articles 13 and 14


And Article 12 of GDPR, which goes into transparency of the information to be given, doesn’t use the word ‘notice’ either.

What about before GDPR?

Articles 10 and 11 of the 1995 Data Protection Directive, GDPR’s predecessor, were the same: an obligation to give information. And the word ‘notice’ didn’t appear at all, zero times, in the 1995 Data Protection Directive. Not even in a recital.

What about UK law?

As to UK law, the word ‘notice’ isn’t used in UK GDPR either and isn’t used in this sense in any of the 1984, 1998 or 2018 UK Data Protection Acts. 

‘Notice’ appears 417 times in the 2018 UK DPA – we’ve looked at each one to check (!) – and it’s all about enforcement notices or penalty notices, not information to be given to the data subject.

Right. We’ve established that nowhere in EU or UK law does it say to use Privacy Policy or Privacy Notice. It doesn’t even use the word ‘notice’ itself, it just says ‘give this information to the data subject’.

You’re free to call the document whatever you want. 

That’s the law. Let’s look at what the UK and EU regulators use, starting with the UK regulator, the ICO.


Regulators’ Practice

Back in 1995, the UK ICO itself used just ‘Privacy’ in its website footer, which linked to a document they themselves called a ‘privacy policy’. 

UK ICO 1995

In 2007, they had changed to use ‘Privacy Statement’ in their footer, which still linked to a document they themselves called a ‘privacy policy’. 

UK ICO 2007

In July 2022, post-GDPR, the UK ICO uses ‘Privacy Notice’ in its footer and that links to a document they call a ‘privacy notice’. So the UK ICO used ‘policy’ for decades then switched to ‘notice’. Fine, but they didn’t need to. 

UK ICO 2022

Looking at EU regulators, starting with the French regulator, CNIL: CNIL uses donnée personnelle, or ‘personal data’, in its footer, and this links to what they call their Politique de protection des données, or ‘Data Protection Policy’.

‘Privacy Policy’ is also used by the Danish DPA, the Norwegian DPA, the Spanish, the Polish… The Romanian authority uses ‘cookie policy’ and ‘Information on processing’, which then refers to a policy. We stopped at that point; the pattern seems clear.

Do all these national data protection regulators have it wrong? Of course not.

Interestingly the European Data Protection Board, the EDPB, the evolution of the Article 29 Working Party, uses ‘General Data Protection Notice’. In 2018, they used ‘Data Protection Notice’.

And this is interesting for two reasons. First, the European Commission, the CJEU and the European Parliament all use ‘Privacy Policy’. 

EU Privacy Policy Privacy Notice

And secondly the EDPB itself endorsed and adopted the Guidelines on transparency under GDPR issued by its predecessor, the Article 29 Working Party, on 11 April 2018, page 8 of which says:

Every organisation that maintains a website should publish a privacy statement/ notice on the website. A direct link to this privacy statement/ notice should be clearly visible on each page of this website under a commonly used term (such as “Privacy”, “Privacy Policy” or “Data Protection Notice”).


So, are the supranational Article 29 Working Party and EDPB wrong? Again, no, they aren’t.

You can call the document whatever you want. ‘Policy’ is perfectly good, and not only recognised by Europe’s top regulators but recommended and used by them. Notice is fine too!


Law firms

We’ve looked at the laws and regulators, all pretty clear. Let’s now look at some leading law firms.

Probably the top UK firm on data protection is Bird & Bird: in July 2022 they use ‘Privacy Policy’. Ashurst uses ‘Policy’. 

Outside Europe, the leading Australian firm Minter Ellison uses ‘policy’, as does the leading US firm Wilson Sonsini.

Law Firms Privacy Policy

These are great global firms. And they’re not wrong either.


Notice

So where did ‘notice’ come in if it’s not mentioned in GDPR?

In practice, regulators and Privacy pros have long spoken about ‘Data Collection Notices’, the information you give to satisfy your information obligations. Typically it was layered, combining a short notice, just in time at the point of collection, with a link to your longer Privacy Policy. 

But the word ‘notice’ is just a descriptor of the one or more ways, combined, in which you give the required information to the data subject. The dominant practice in the UK and EU was to call the longer document a ‘Policy’. 

The debate seems to have started after GDPR came in in 2018, and it may be related to GDPR being thrown at IT and Security professionals. Security has good reason to like tight nomenclature, for example to differentiate between internal and external documents, or to secure different information appropriately. All perfectly reasonable, but again, it’s not a rule in UK or EU-level Privacy law. There is no official rule.


Standards & Standards Bodies

‘Privacy Notice’ isn’t in ISO 27001, which only mentions Privacy once, and it’s not in ISO 27701 (although 27701 does use the word ‘notice’ with a small ‘n’ on 4 pages, when it talks about ‘Openness, transparency and notice’). It also talks of ‘Privacy Policy’ on 4 pages.

Well, surely ISO itself, the organisation, uses ‘Notice’? Nope, it uses ‘Policy’. 

Well, what about NIST? They use ‘cookie policy’ and, in their footer, ‘Site Privacy’. When you click Site Privacy you go to a page setting out the information and referring to the Privacy Policies of other sites you visit and Google’s Privacy Policy. 

Which brings us onto commercial entities. 


Commercial Entities

Microsoft uses ‘Privacy Statement’. Apple uses ‘Privacy Policy’. And we’ve seen that Google uses ‘Policy’.


Conclusion

So, if someone tells you it has to be ‘Privacy Policy’ for internal and ‘Privacy Notice’ for external for UK or EU GDPR compliance, they’re wrong. EU regulators confirm it can be ‘Policy’, ‘Notice’, ‘Information’, ‘Statement’, anything you want.

‘Privacy Notice’ appears precisely nowhere in GDPR. Regulators endorse and use ‘Policy’. Leading law firms use ‘Policy’. Major organisations use ‘Policy’, ‘Statement’ and ‘Notice’. And nowhere in the world of UK and European Data Protection is there a legal rule about ‘Notice’ vs ‘Policy’ for internal vs external use, or otherwise.

You can call it what you want.


Do you need help with your Privacy Policy?

Here at Keepabl we make operationalising Privacy simple and intuitive, from data mapping to breaches, with instant insights. And we have a great Privacy Policy Pack to give you an instant Privacy Policy – or Notice 😉 – saving you a lot of time and cost.

If you’re ready to get your Privacy governance into gear for your business, why not request a demo or free trial of our Privacy Management Software?

References

GDPR (Regulation (EU) 2016/679)

Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev01, adopted on 29 November 2017, as last revised and adopted on 11 April 2018

EDPB endorsement of WP260 rev01
