What is a privacy notice and why do you need one?

Most data privacy laws require that users be notified about the use of their data, their rights, and more. A privacy notice is a common way to provide this. Read on for everything you need to know about the what, when, why, and how of privacy notices.
by Usercentrics
13 mins to read
Aug 6, 2024

Given the continued expansion of global privacy laws, many companies are choosing to take a proactive and privacy-first approach. According to the International Association of Privacy Professionals, 64 percent of consumers place more trust in companies that provide clear information about their privacy policies. That’s why privacy notices are indispensable tools for maintaining this transparency and trust.

But there’s confusion around the term, what it encompasses, and what privacy notices are for. Let’s talk about what they include, how to create one, where to place it, how implementing one protects user data, and how it helps website owners meet their legal obligations.

What is a privacy notice?

Let’s start with the basics. A privacy notice is a legal document that an organization publishes, typically on its website, to inform visitors and to meet the transparency requirements of privacy regulations. Its purpose is to explain to website visitors what personal data you collect, what is done with it, who may have access to it, and what rights they have, such as how to opt out. It must be kept up to date as a company’s data processing activities, the services it uses, and the relevant laws change.

Privacy notices serve as a crucial tool for transparency and building trust between organizations and individuals.

What’s the difference between a privacy notice vs a privacy policy?

The terms “privacy notice” and “privacy policy” are often used interchangeably, but they can serve different purposes and audiences. For example, laws often refer to a privacy notice, while many websites link a “privacy policy” in the footer.

In practice, organizations need two documents. One is an external document aimed at informing individuals about how the organization collects, uses, and protects their personal data. It’s typically found on websites or in apps and is designed to fulfill the legal transparency requirements of data protection laws like the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA).

The other is an internal document outlining the organization’s overall privacy and data protection approach. It provides detailed guidelines for employees on handling personal data responsibly and serves as a governance tool. This internal document is typically the more detailed and comprehensive of the two.

So there is a legal requirement to inform website visitors (data subjects) about data use and their rights, and a separate need for companies to maintain internal compliance and consistency in data handling practices. You may find the former called a privacy notice and the latter a privacy policy, or vice versa.

Laws like the GDPR and the CPRA do not prescribe a particular title for the public document. As long as the word “privacy” appears in your links and in the document title, what matters is that the document’s content is comprehensive and up to date.

The different types of privacy notices

Privacy notices can be categorized into different types based on their timing, purpose, and target audience. The primary types of privacy notices include:

  • Initial notice: This type of notice is provided when a website owner begins to collect personal data from an individual, e.g. when the person arrives at a website for the first time. It explains the data processing practices and sets the foundation for transparency and trust. This is also often when consent for data processing is requested.
  • Annual notice: Issued regularly, typically once a year, this notice updates individuals on any changes in data processing practices while reaffirming a company’s commitment to data protection. Some laws and regulator guidance also require or recommend that consent, e.g. for cookies, be renewed periodically.
  • Revised notice: Whenever there are significant changes to how personal data is processed, a revised notice is issued to inform individuals about these updates. Where the changes affect processing that relies on consent, the consent people previously gave no longer covers it and must be obtained afresh.
  • Layered notice: This notice provides key information upfront with links to more detailed explanations. It’s useful when space is limited, like on a consent banner, or when dealing with complex information systems.
  • Child-friendly notice: Tailored for children, this type of notice uses simple language and visuals to ensure that young people can understand how their data is being used. Note that under most privacy laws, children cannot legally consent to data processing, and it must be obtained from a parent or guardian. However, the age range for the definition of a child varies for different laws.
  • Just-in-time notice: Provided at the moment data is collected, such as during a form submission, this notice ensures that individuals are immediately informed about the data collection and its purposes. It is often used where the data is needed to deliver a product or service to the customer, like sending a newsletter or completing an ecommerce transaction.

It’s worth noting that these categories are not officially mandated. Instead, they represent best practices for ensuring transparency and compliance with various data protection laws. How you notify users about data privacy will vary depending on what your business does and what laws are relevant.

Website owners should choose the appropriate type of privacy notice based on the context in which personal data is collected and processed, as well as the specific needs of their audience. Prioritizing user experience is also a best practice.

Where to place a privacy notice?

A privacy notice should be placed in several strategic locations on a website to ensure it is easily accessible and noticeable to users. Here are the key places to include a privacy notice:

  • Website footer: The most common and important location is in the footer of every page on the website. This ensures the privacy notice is accessible from any page a user visits.
  • Navigation menu: Including a link in the main navigation or a secondary menu makes the notice easy to find.
  • Signup forms: Any forms where personal information is collected, such as account creation, newsletter subscriptions, or contact forms, should include a link to the privacy notice.
  • Checkout pages: For ecommerce sites, the privacy notice should be linked from pages where order details and payment information are collected.
  • Cookie consent notices: If you use a cookie consent banner, include a link to your privacy notice there.
  • Landing pages: Important landing pages should have a link to the privacy notice, especially if they collect user data.
  • Mobile app: If you have a mobile app, include a link to the privacy notice within the app’s settings, consent banner, and/or information section.

What should a privacy notice include?

Although a privacy notice sounds complex, it doesn’t have to be. It does, however, require some expertise to ensure it’s legally compliant, and certain components need to be included.


  • Company identity and contact details: The name and contact information of your company, its representative, and its Data Protection Officer (if applicable) need to be present in a privacy notice.
  • Types of personal data collected: A description of the categories of personal information collected, e.g. via website cookies, ecommerce checkout, etc.
  • Source of data: Where data was not obtained directly from the individual, the notice must state where and how it was obtained, e.g. from publicly available sources or from a data broker.
  • Purpose of data processing: Include the reasons for processing personal data and the legal basis for doing so, where the applicable privacy law makes legal basis relevant.
  • Data sharing: If you share or sell data, your privacy notice needs to outline who the data is shared with, by naming the recipients or at least the categories of recipients, e.g. analytics providers, advertising partners, payment processors.
  • Data transfers: Inform users whether their data will be transferred to other countries, and the safeguards in place for such transfers. Only some countries are recognized as providing “adequate” data protection; transfers to the others need additional safeguards such as standard contractual clauses.
  • Data retention plan: A privacy notice must state how long the data will be retained, or the criteria used to determine that period, and what happens to it afterwards: secure deletion, anonymization, or return.
  • Individual rights: Information on the rights that individuals have regarding their data, such as access, rectification, deletion, restriction, and objection; how they can exercise those rights; and how to appeal decisions the company makes about such requests.
  • Automated decision-making: A privacy notice must say whether automated decision-making, including profiling, is used, and provide meaningful information about the logic involved and about the significance and consequences of such processing for the individual. This includes the use of AI tools.
  • Information related to complaints: Instructions on how individuals can file a complaint if they have concerns about the handling of their data, including with the relevant supervisory authority.
  • Statutory or contractual obligations: Whether individuals are required by law or by contract to provide personal data, and the consequences of not providing it.

Having these elements present in a privacy notice helps to ensure that individuals are fully informed about how their personal data and cookies are being used and can exercise their rights under data protection laws.


Example of a privacy notice

Website owners have to include a certain amount of information in their privacy notice, which varies depending on relevant laws, their business operations, and other considerations. There are multiple ways of arranging this information, from one lengthy document to organized pull-down sections. Cookie use can also be included in the privacy notice, or provided in a separate document, for example.

Let’s take a look at an example so website owners can better understand how to categorize and organize all the necessary information.

Privacy policy

Usercentrics’ privacy policy has an easy-to-navigate structure based on a pull-down menu, so visitors can quickly scan for specific information, and then access sections of interest.

It lists important details like the kinds of data collected, user rights, cookie policies, and how to make a data request. It also discusses third-party services and personally identifiable information that might be shared with them. Usercentrics does business around the world, and website visitors can also be global, so the company has responsibilities under multiple privacy regulations, like the GDPR and CPRA.

The information displayed in each menu item is carefully organized with bullet points and short paragraphs so that you’re able to understand the policy without feeling overwhelmed.

Screenshot: the “General information about the collection and processing of your data” section of the Usercentrics privacy policy.

The importance of including a privacy notice on your website

At its core, a privacy notice enables websites to be compliant with global privacy laws while protecting a user’s data and privacy preferences, demonstrating respect for their privacy. However, privacy notices are essential for several reasons beyond this.

Regulatory compliance

Data protection laws, such as the GDPR and CPRA, vary around the world, but all of them mandate the provision of various information via privacy notices. Organizations are required to disclose specific details about their data processing activities and keep the information up to date over time, enabling ongoing compliance with legal obligations and avoiding potential fines for noncompliance.

User rights

Privacy notices empower users by informing them of their rights regarding their personal data. For instance, under the GDPR, individuals have rights like access, rectification, and erasure. Privacy notices provide the information users need to exercise these rights, like who to contact and via what mechanism. If a company refuses a user’s rights request, the privacy notice also needs to explain how the user can appeal that decision, for example by lodging a complaint with the relevant supervisory authority.

Transparency

Privacy notices are crucial for maintaining transparency between organizations and individuals. They clearly inform users about what personal data is being collected, why it is collected, how it will be used, and who it will be shared with. They need to be presented in simple language that’s not overly legal or technical. This helps users understand the data practices of the organization, such as how such practices affect the user personally. And enables them to make informed decisions about their interactions with the company.

Trust and accountability

By providing clear and accurate privacy notices, organizations can build and maintain trust with their website visitors and bolster their brand reputation, which can affect relations with partners, investors, and others as well. These notices are legal documents, and regulators treat the practices they describe as binding representations: a company that does not follow its own stated data practices can be held accountable for that, in addition to having to meet the requirements of the relevant laws.

Privacy notices and global regulations

Privacy notices have significant legal implications and are often mandated by various data protection laws around the world. While a company can take a DIY approach to building and maintaining a privacy notice, getting qualified input from legal counsel or a privacy expert is important to ensure the right information is included in the right way.

This is important to remember as there are several privacy policy generators available, which can be a good starting point, but which need customization to enable valid compliance. Additionally, companies may need privacy policies that address compliance requirements of multiple global privacy laws.

To avoid hefty fines and legal action, here’s what you need to know about privacy notices and various global data privacy laws.

How to create a GDPR-compliant privacy notice

Art. 13 GDPR sets out the “information to be provided where personal data are collected from the data subject,” and Art. 14 GDPR does the same for personal data obtained from other sources. Art. 12 GDPR governs the form: the information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, and must cover the processing of the data and the rights available to the data subject. Together, these articles are considered the privacy notice requirement under the GDPR.

To create a GDPR-compliant privacy notice, start by using clear and simple language that is easy for website visitors to understand. The notice should explain how website owners collect, use, store, and protect personal data.

Begin the notice with an introduction that states the purpose of the document and the date it takes effect. Ideally, also include the effective date of the previous version and a link to it. Clearly identify the company and provide contact details for key roles like the Data Protection Officer. Appointing a DPO is mandatory under the GDPR only in certain circumstances, e.g. for public authorities or for large-scale processing of sensitive data, and optional under many other laws.

In the main body of the document, describe what types of personal data the website collects and why it is needed. Explain how this information will be used, what sources it’s coming from, and list any third parties the company may share data with, including processors, like advertising partners. Be sure to mention how long the data is kept, how it is dealt with once it’s no longer needed, and what rights individuals have regarding their information, such as the right to access or delete it. Include easily accessible contact information to make inquiries or exercise user rights.

Lastly, make the privacy notice easily accessible by placing a clear link to it on the website, such as in the footer. In addition, link to it wherever data is collected, such as signup forms or checkout pages. Remember to keep the privacy notice up to date and inform users of any changes. This includes when the tools and systems a company uses — which use personal data for analysis or to deliver products or services — change, including cookies on the website.

By following these guidelines, website owners can create a privacy notice that not only complies with the GDPR, but also builds trust with their users by being transparent about their data practices.

How to create a CPRA-compliant privacy notice

Among other data privacy state laws in the United States, the CPRA grants California residents certain rights regarding their personal information, including the right to know what personal information is collected about them and the right to opt out of the sale or sharing of their personal information, or its use for targeted advertising or profiling. Organizations that fall under the scope of the CPRA must provide privacy notices that comply with the requirements of the law.

To create a CPRA-compliant privacy notice, begin by clearly explaining what personal information the business collects from consumers, including any sensitive data. It’s important to be specific about the categories of data gathered and the reasons for collection. It’s a good idea to be clear about when prior consent is required before data processing starts — for sensitive data or that belonging to children — and when it isn’t — in most cases, companies only need to enable users to opt out of data processing.

The notice should then outline how consumers can exercise their rights under the CPRA. This includes the right to correct inaccurate personal information, opt out of data sharing, and limit the use of sensitive data. Clear instructions for submitting requests related to these rights should be provided.

Details about data retention practices should be included, explaining how long personal information is kept and why. If automated decision-making processes involving personal data are used, this fact should be disclosed along with an explanation of how it works.

The notice should describe any third parties with whom data is shared and for what purposes. If personal information is sold, this should be clearly stated along with an explanation of how consumers can opt out.

All this information should be presented in simple, straightforward language that’s easy for the average person to understand. Headers, bullet points, and short paragraphs can improve readability. The privacy notice should be updated at least annually and displayed prominently on the website, such as in the footer or through a popup banner.

The CPRA requires that companies that sell or share personal information prominently display a link that reads “Do Not Sell Or Share My Personal Information” (the regulations also allow an alternative “Your Privacy Choices” link with the opt-out icon), which enables users to opt out of the sale or sharing of their data; it does not opt them out of all data processing. This link may be directly on a web page or displayed via a consent banner. Linking to the privacy notice from there is also recommended. The CPRA regulations also require businesses to honor opt-out preference signals sent by the browser, such as Global Privacy Control, as a valid opt-out request.


Use privacy notices to tell the world about your business

Incorporating a well-crafted privacy notice on your website is more than a legal necessity; it’s a commitment to transparency and user trust and a public declaration of your corporate values for respecting privacy.

By clearly communicating how personal data is managed, companies not only comply with regulations like the GDPR and CPRA but also empower individuals to understand and control their information. Building trust in this way helps build engagement long-term and makes customers more comfortable sharing more data, or doing business with a company more often, which benefits revenue.

Ultimately, a privacy notice is a testament to a company’s dedication to protecting its user data, fostering a trustworthy relationship with its audience, and upholding high standards of data integrity and transparency.