Is a Privacy Policy the Same as a Privacy Notice or Privacy Statement?

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 01 March 2023.

In most cases, the terms "Privacy Policy," "Privacy Notice" and "Privacy Statement" are interchangeable.

In some cases, data privacy laws use one of these terms to cover a specific set of details you must publish.

You may also use different terms to cover presenting information in different circumstances and contexts.

In this guide, we'll break down the ways to use the terms and why what really matters is conveying the right information to customers.


Overview of the Terms "Privacy Policy," "Privacy Notice" and "Privacy Statement"

Usually, you can use any of these terms to cover a document explaining how you collect and use personal data and how people can exercise their data rights.

For internal communication, using any of the terms should be fine as long as there's no risk of confusion and you continue to comply with all relevant laws.

The three main reasons to prefer one of these terms over the other are:

  • You are talking about (or complying with) a data privacy law that has specific requirements for the personal data information you must publish and uses one of these phrases
  • You publish more than one document about personal data and want to either publicly or internally make clear which is which
  • You want to distinguish between instructions you give to employees and information you give to data subjects (the people data is about)

Let's explore these scenarios in more detail.

Terms Used in Specific Privacy Laws

Several laws on data privacy require you to publish specific information. These laws often use a particular term to describe the document that contains this information.

For the most part, such laws don't require you to use this term on the document itself. Instead you'll mainly use the term for internal communication or for dealings with regulators.

General Data Protection Regulation (GDPR): "Privacy Notice"

The GDPR protects the personal data of individuals located in the European Union.

The law specifically requires a "privacy notice" that contains the following information:

  • Your identity and contact details and those of your data protection officer (if you have one)
  • The purposes for which you will process personal data
  • The legal basis for the processing. (If the basis is "legitimate interests" you must say what these are.)
  • Who you will share the data with
  • Whether you plan to transfer the data outside the EU and, if so, how you will protect it
  • How long (or how you decide how long) you'll keep the data
  • The person's rights, including to object to processing, give and withdraw consent, and complain to a supervisory authority
  • Whether the person is legally or contractually required to provide data and what happens if they don't
  • Whether you use automated decision-making such as profiling

Personal Information Protection and Electronic Documents Act (PIPEDA): "Privacy Policy"

PIPEDA affects most Canadian businesses unless a comparable provincial or territorial law already applies.

It requires you to follow the principle of openness and says you must make relevant information "readily available." Official guidance on the law refers to a "Privacy Policy" and says you must list:

  • The name and contact details of your data protection officer (or equivalent person) and the person who handles data access requests (if that's somebody different)
  • How people can access the data you store about them
  • How to file a complaint
  • Your general "policies, standards and codes" for handling personal data
  • What personal information you share with third parties

California Consumer Privacy Act (CCPA/CPRA): "Inform"

The CCPA and its CPRA amendments apply to large firms serving California, along with those handling data about large numbers of Californians.

It doesn't use a specific term for documentation, but instead specifies that you make some information available before you collect personal data.

This includes:

  • The types of data you collect and whether you intend to share it
  • Whether you collect sensitive personal data
  • How long you keep each type of data
  • The consumer's rights under the law, including the rights to access, delete and correct their data

The CCPA (CPRA) also says you must have a dedicated page where people can opt out of you selling their data. You must include a clear link on your home page pointing to this dedicated page. This link must use the text "Do Not Sell My Personal Information."

NBC Universal puts the link in its footer section:

NBC Universal website footer with Do Not Sell My Personal Information link highlighted

California Online Privacy Protection Act (CalOPPA): "Privacy Policy"

CalOPPA applies to commercial websites and online services that collect personal information about residents of California. It requires sites to publish a "Privacy Policy" that includes:

  • The types of personal data you collect
  • Whether and how consumers can access and correct this data
  • The date the current version of the Privacy Policy took effect and how you will tell people about any changes to it
  • How you respond to "do not track" signals from web browsers
  • Whether any third parties collect personal data when people use your site (for example, through cookies)

If you fall under the scope of CalOPPA, you must include a conspicuous link on your home page that points to your Privacy Policy.

Complying With Multiple Laws

If you have to comply with multiple privacy laws, you can usually comply with all their notification requirements by providing a single document. Although different laws use different terms, they usually only say you must include particular information: they don't say you cannot display this alongside other information.

It's normally fine to take all the privacy-related information that you must (or want to) publish and combine it in a single document. You can then explain if any detail relates to a specific law, for example when talking about legitimate interests under the GDPR.

British Gas Energy Trust adds some context before listing the legitimate interests:

British Gas Energy Trust: Legitimate Interests page excerpt

One situation where you can do things differently is if particular rights only apply to people in a particular location and you don't want to extend these rights to all of your customers.

For example, many businesses find it useful to have a special section for California consumers detailing their rights under CalOPPA and the CCPA.

USA Today goes a step further by having a completely separate Privacy Policy for California residents:

USA Today Privacy Policy: Privacy Policy for California Residents clause

Make sure you know all of the laws that you need to comply with and that you're doing so in the way they require.

Having Multiple Privacy Documents

Sometimes using different terms is appropriate if you have more than one document addressing data privacy. This could happen if you have a dedicated page that covers everything, along with a shorter piece of text that appears at the point you ask for personal data.

This shorter text could:

  • Summarize your privacy practices
  • Cover a specific, relevant point for the context where it appears
  • Cover the specific way you will use the data you are about to collect, particularly if this is different to your usual practices

The most common wording with this approach is to call the dedicated page a "Privacy Policy" and then the short text a "Privacy Statement" or "Privacy Notice."

The main things to watch out for with this approach are that:

  • You include the most relevant and important information in the short text, particularly if you are gathering consent. In this case you must be certain the person is making an informed decision and thus their consent is meaningful.
  • You include a clearly marked link in the short text pointing to the full Privacy Policy. It's also useful to include a link in your main navigation menus, for example in a sidebar or footer, so that the link appears on every page in your site.

The Futur has what's effectively a very brief privacy statement covering what it is about to collect and how it will use it, with a link to the full Privacy Policy. The statement would be better with a brief note that subscribers have the right to withdraw consent for their email being used this way.

Futur email newsletter subscribe form with Privacy Notice section highlighted

Internal vs External Documents

Another situation where you can use terms in different ways is when you have separate documents for internal and public audiences.

In this scenario, a "Privacy Policy" could refer to the internal document. This document wouldn't simply list the information that you legally have to provide to customers. Instead, it could also go into more detail about what you require and expect staff to do to maintain customer privacy.

This could include:

  • Rules on who can access what information and what they can share with colleagues
  • Security measures such as having to use passwords
  • How privacy laws affect the way you collect and handle data about employees
  • What steps staff should take if they suspect a data breach
  • A statement that violating the privacy policy constitutes gross misconduct (or other relevant wording) and the potential disciplinary consequences

The main reasons to have an internal Privacy Policy are to make sure you protect data and to use it as mitigation if you suffer a breach and come under investigation from data regulators.

Some laws (and their implementation) allow leeway to impose less harsh penalties on companies that have suffered an isolated breach but have generally acted responsibly to reduce privacy risks.

Remember that having an internal Privacy Policy is not a substitute for a public document that informs customers about the way you use and protect data and their legal rights.

The Most Important Thing

As we've discussed, terms such as "Privacy Policy," "Privacy Statement" and "Privacy Notice" can be interchangeable but can also be useful for distinguishing between different types of document.

Ultimately, what you call the documents is not the most important thing.

Instead, what matters is that at the bare minimum you publish all the required information set out in relevant data protection laws, and that you do so in a way that means people will see this information.

In most cases, it's best to go beyond the bare minimum and publish as much detail as will help customers make informed decisions about their personal data, without overwhelming them with irrelevant information. Getting this balance right will help earn customer trust and make them more confident that you intend to use their data in a responsible way.

Summary

Let's recap what you need to know about titling privacy documents:

  • "Privacy Policy," "Privacy Notice" and "Privacy Statement" are generally interchangeable
  • You might prefer a specific term when referring to the information you must publish under specific laws such as the GDPR, PIPEDA, the CCPA (CPRA) or CalOPPA
  • It's usually fine to publish mandatory information for different privacy laws in the same document. You may want a separate section for information and rights that only apply to people in a particular location.
  • You could use "Privacy Policy" to cover a full document about all your privacy procedures and "Privacy Notice" or "Privacy Statement" for a shorter text covering a specific scenario. This could appear at the point you collect information, though it should link to the full document.
  • "Privacy Policy" can also indicate an internal document that details the steps staff must take when handling personal data, and any related safeguards or sanctions
  • Whichever term or terms you use, the most important thing is to provide all legally required information to customers and make sure they have enough detail to make informed decisions about their data