Privacy Notice and Privacy Policy

It is not uncommon to witness the use of these terms - Privacy Notice and Privacy Policy – interchangeably by the organizations across the world. Some of the privacy laws wherein this practice can be noticed:

    • California Online Privacy Protection Act (CAlOPPA) and Californian Consumer Privacy Act (CCPA) use the terms “Privacy Policy.”
    • Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 requires publication of a "Privacy Policy".
    • The Digital Personal Data Protection Act, 2023 (DPDPA) uses the word “notice” to be provided to the individuals while obtaining their consent to personal data processing.
    • The General Data Protection Regulation (GDPR) uses the simple term “information” to be provided to the Data Subjects.

Nevertheless, the International Association of Privacy Professionals (IAPP) clearly distinguishes these two terms.

Privacy Policy, according to the IAPP, is in internal document or policy that aims to provide information on data protection and handling practices to the internal stakeholders of an organization. A Privacy Policy is also otherwise known as Data Protection Policy.

Privacy Notice is an externally faced document or statement that informs the individuals and other stakeholders about data protection and handling practices of an organization.

Both the Privacy Policy and Privacy Notice may contain information on the (i) individuals’ rights; (ii) categories of information; and (iii) way an organization processes the information. Besides this similarity, there are some differences between these two documents.

The intent of the Privacy Policy is to outline the internal stakeholders’ roles and responsibilities, internal processes and procedures which they should adhere to for ensuring effective data handling and security, and the consequences of non-compliance with such processes and procedures. In simple terms, a Privacy Policy may specify the obligations and/or the way the internal stakeholders can honor the organization’s commitments in the Privacy Notice.

On the other side, the intent of the Privacy Notice is to ensure transparency about an organization’s data processing activities to the external stakeholders. A Privacy Notice includes information on categories of the personal data processed, source of the data, the purposes and manner of processing the data, sale and/or disclosure of such data to other recipients and their details, contact information for the exercise of rights by the individuals, retention and deletion of such data, use of cookies and other tracking technologies; and such other information required under applicable data protection laws.

Considering the use of terms under the DPDPA, “Privacy Notice” may be interpreted as an appropriate label for organizations to depict their privacy practices.

Author: Mr. Sandeep G, Associate at NovoJuris Legal.

Similar Articles

Contact us for a Solution

Contact us for more information about our services and how we can help

Contact
Disclaimer

As per the rules of the Bar Council of India, we are not permitted to advertise or solicit work. By accessing and browsing through this website, all users agree and acknowledge that the content of this website is for informational purposes only and that there has been no form of solicitation, advertisement or inducement by NovoJuris Legal or its members, in any form. No information provided on this website should be construed as legal advice and NovoJuris Legal shall not be liable for consequences of any action taken by relying on the information provided on this website.