It is not uncommon for organizations across the world to use the terms "Privacy Notice" and "Privacy Policy" interchangeably. Some of the privacy laws in which this practice can be noticed:
- The California Online Privacy Protection Act (CalOPPA) and the California Consumer Privacy Act (CCPA) use the term “Privacy Policy.”
- The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 require publication of a "Privacy Policy".
- The Digital Personal Data Protection Act, 2023 (DPDPA) uses the word “notice” for what is to be provided to individuals while obtaining their consent to personal data processing.
- The General Data Protection Regulation (GDPR) uses the simple term “information” to be provided to the Data Subjects.
Nevertheless, the International Association of Privacy Professionals (IAPP) clearly distinguishes these two terms.
A Privacy Policy, according to the IAPP, is an internal document or policy that aims to provide information on data protection and handling practices to the internal stakeholders of an organization. A Privacy Policy is also known as a Data Protection Policy. A Privacy Notice is an externally facing document or statement that informs individuals and other stakeholders about the data protection and handling practices of an organization.
Both the Privacy Policy and the Privacy Notice may contain information on (i) individuals’ rights; (ii) categories of information; and (iii) the way an organization processes the information. Besides this similarity, there are some differences between these two documents.
The intent of the Privacy Policy is to outline the internal stakeholders’ roles and responsibilities, internal processes and procedures which they should adhere to for ensuring effective data handling and security, and the consequences of non-compliance with such processes and procedures. In simple terms, a Privacy Policy may specify the obligations and/or the way the internal stakeholders can honor the organization’s commitments in the Privacy Notice.
On the other hand, the intent of the Privacy Notice is to ensure transparency about an organization’s data processing activities to the external stakeholders. A Privacy Notice includes information on the categories of personal data processed, the source of the data, the purposes and manner of processing the data, the sale and/or disclosure of such data to other recipients and their details, contact information for the exercise of rights by the individuals, retention and deletion of such data, use of cookies and other tracking technologies, and such other information required under applicable data protection laws.
Considering the use of terms under the DPDPA, “Privacy Notice” may be interpreted as an appropriate label for organizations to depict their privacy practices.