- 1798.100 – Consumers' right to receive information on privacy practices and access information
- 1798.105 – Consumers' right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers' right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Should it be called a “privacy policy,” a “privacy notice,” an “information notice,” or something else?
Companies use different names to describe the document that discloses their practices in relation to the collection, use, and disclosure of personal information, including “Privacy Notice,” “Privacy Policy,” “Information Notice,” “Privacy Statement,” and “Data Protection Notice.”
From a legislative perspective, statutes have been equally inconsistent in their use of terms. For example, the California Online Privacy Protection Act (“CalOPPA”) refers to the creation of a “privacy policy,” but acknowledges that the document can be described via a text link to consumers in any manner so long as the link “[i]ncludes the word ‘privacy.’”1 The California Consumer Protection Act (“CCPA”) refers to the obligation to provide consumers with “notice” of privacy practices.2 While the CCPA does not itself require it, the Act also refers to the fact that some businesses may have an “online privacy policy.”3 In comparison, the European GDPR refers only to the obligation of a controller to provide “information” to data subjects, and does not reference explicitly either a “policy” or a “notice.” In its interpretation of the GDPR, the Article 29 Working Party typically referred to a website “privacy statement” or a “privacy notice,” but recognized that “commonly used terms” by organizations included “Privacy,” “Privacy Policy,” “Data Protection Notice,” and “Fair Processing Notice.”4 The United States Federal Trade Commission – which is often looked to as the primary federal data privacy regulator for most companies in the US – has used the terms “privacy notice” and “privacy policy” interchangeably.5
The net result is that, from a legal standpoint, companies can choose how they want to label their disclosure of privacy practices, so long as their label would be understood by a reasonable person.
From a practical perspective, many companies maintain internal policies that are not intended to fulfill the function of notifying data subjects of the company’s privacy practices. For example, a company might have a “privacy policy” focused on the company’s commitment to comply with certain privacy laws, or that sets up an internal structure for managing privacy within an organization. A company might also have a “privacy policy” that discusses whether, or how, the company monitors the email of its employees, or a “privacy policy” that discusses the type of information that will be shared between managers or supervisors. It can be confusing to create a “privacy policy” focused on data subjects when other “privacy policies” exist concerning internal operations and procedures. Using the term “Privacy Notice” typically avoids that confusion. Arguably, “Privacy Notice” also is better aligned with the intent of privacy-related statutes – i.e., to have companies “notify” data subjects of their privacy practices.