In some cases, data privacy laws use one of these terms to cover a specific set of details you must publish.
You may also use different terms to cover presenting information in different circumstances and contexts.
In this guide, we'll break down the ways to use the terms and why what really matters is conveying the right information to customers.
- 2. Terms Used in Specific Privacy Laws
- 2.1. General Data Protection Regulation (GDPR): "Privacy Notice"
- 2.3. California Consumer Privacy Act (CCPA/CPRA): "Inform"
- 3. Complying With Multiple Laws
- 4. Having Multiple Privacy Documents
- 5. Internal vs External Documents
- 6. The Most Important Thing
- 7. Summary
Usually, you can use any of these terms for a document that explains how you collect and use personal data and how people can exercise their data rights.
For internal communication, any of the terms is fine as long as there's no risk of confusion and you continue to comply with all relevant laws.
The three main reasons to prefer one of these terms over the other are:
- You are talking about (or complying with) a data privacy law that sets specific requirements for the personal data information you must publish and uses one of these phrases
- You publish more than one document about personal data and want to make clear, publicly or internally, which is which
- You want to distinguish between instructions you give to employees and information you give to data subjects (the people the data is about)
Let's explore these scenarios in more detail.
Terms Used in Specific Privacy Laws
Several laws on data privacy require you to publish specific information. These laws often use a particular term to describe the document that contains this information.
For the most part, such laws don't require you to use that term as the title of the document itself. You'll mainly use the term in internal communication or in dealings with regulators.
General Data Protection Regulation (GDPR): "Privacy Notice"
The GDPR protects the personal data of individuals located in the European Union, whether or not the organization processing it is based there.
The law itself (Articles 13 and 14) lists the information you must provide to data subjects; regulators such as the UK ICO commonly call the document that contains it a "privacy notice". It must include:
- Your identity and contact details and those of your data protection officer (if you have one)
- The purposes for which you will process personal data
- The legal basis for the processing. (If the basis is "legitimate interests" you must say what these are.)
- Who you will share the data with
- Whether you plan to transfer the data outside the EU/EEA and, if so, what safeguards you rely on to protect it
- How long (or how you decide how long) you'll keep the data
- The person's rights, including the right to object to processing, to withdraw consent they have given, and to complain to a supervisory authority
- Whether the person is legally or contractually required to provide data and what happens if they don't
- Whether you use automated decision-making, including profiling, and if so the logic involved and the consequences for the person
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA applies to most Canadian businesses unless a substantially similar provincial or territorial law already covers them.
Under its openness principle, you must make the following information readily available:
- The name and contact details of your data protection officer (or equivalent person) and the person who handles data access requests (if that's somebody different)
- How people can access the data you store about them
- How to file a complaint
- Your general "policies, standards and codes" for handling personal data
- What personal information you share with third parties
California Consumer Privacy Act (CCPA/CPRA): "Inform"
The CCPA doesn't use a specific term for the document. Instead, it requires you to "inform" consumers of certain information at or before the point of collection, including:
- The types of data you collect and whether you intend to share it
- Whether you collect sensitive personal data
- How long you keep each type of data
- The consumer's rights under the law, including the rights to access, delete and correct their data
The CCPA (as amended by the CPRA) also says you must give people a way to opt out of you selling their data, and, since the CPRA amendments took effect, of you sharing it for cross-context behavioral advertising. You must include a clear link on your home page pointing to this opt-out. The original CCPA required the link text "Do Not Sell My Personal Information"; the amended text is "Do Not Sell or Share My Personal Information."
NBC Universal puts the link in its footer section:
California Online Privacy Protection Act (CalOPPA): "Privacy Policy"
CalOPPA applies to commercial websites and online services that collect personal information from California residents. It requires you to conspicuously post a "privacy policy" that includes:
- The types of personal data you collect
- Whether and how consumers can access and correct this data
- How you respond to "do not track" signals from web browsers
- Whether any third parties collect personal data when people use your site (for example, through cookies)
Complying With Multiple Laws
If you have to comply with multiple privacy laws, you can usually satisfy all of their notification requirements with a single document. Although different laws use different terms, they usually only say you must include particular information: they don't say you cannot display it alongside other information.
It's normally fine to take all the privacy-related information that you must (or want to) publish and combine it in a single document. You can then flag where a detail relates to a specific law, for example when describing your legitimate interests under the GDPR.
British Gas Energy Trust adds some context before listing the legitimate interests:
One situation where you may want to do things differently is when particular rights only apply to people in a particular location and you don't want to extend those rights to all of your customers.
For example, many businesses find it useful to have a dedicated section for California consumers detailing their rights under CalOPPA and the CCPA.
Make sure you know every law you need to comply with, and that you're complying with each one in the way it requires.
Having Multiple Privacy Documents
Using different terms can also make sense if you have more than one document addressing data privacy. For example, you might have a dedicated page that covers everything, along with a shorter piece of text that appears at the point where you ask for personal data.
This shorter text could:
- Summarize your privacy practices
- Cover a specific, relevant point for the context where it appears
- Cover the specific way you will use the data you are about to collect, particularly if this differs from your usual practices
The main thing to watch out for with this approach is that:
- You include the most relevant and important information in the short text, particularly if you are gathering consent. In that case you must be certain the person is making an informed decision so that their consent is meaningful under the law.
Internal vs External Documents
Another situation where you can use terms in different ways is when you have separate documents for internal and public audiences.
An internal document could include:
- Rules on who can access what information and what they may share with colleagues
- Security measures staff must follow, such as password and access-control requirements
- How privacy laws affect the way you collect and handle data about employees
- What steps staff should take if they suspect a data breach
Some laws (and the regulators enforcing them) allow leeway to impose lighter penalties on companies that have suffered an isolated breach but can show they generally acted responsibly to reduce privacy risks. Documented internal rules are part of that evidence.
The Most Important Thing
Ultimately, what you call the documents is not the most important thing.
Instead, what matters is that, at a bare minimum, you publish all the information required by the data protection laws that apply to you, and that you do so in a way that means people will actually see it.
In most cases, it's best to go beyond the bare minimum and publish as much detail as will help customers make informed decisions about their personal data, without overwhelming them with irrelevant information. Getting this balance right helps earn customer trust and makes people more confident that you intend to use their data responsibly.
Summary
Let's recap what you need to know about titling privacy documents:
- You might prefer a specific term when referring to the information you must publish under specific laws such as the GDPR, PIPEDA, the CCPA (CPRA) or CalOPPA
- It's usually fine to publish mandatory information for different privacy laws in the same document. You may want a separate section for information and rights that only apply to people in a particular location.
- Whichever term or terms you use, the most important thing is to provide all legally required information to customers and make sure they have enough detail to make informed decisions about their data