Privacy Policy Vs Privacy Notice – What’s the difference

Privacy policy vs privacy notice

Privacy Policy

According to the IAPP (International Association of Privacy Professionals), a privacy policy is an internal statement of the privacy practices and standards an organisation lays down for its employees to follow in all forms of communication, whether electronic or verbal. It also governs how the organisation handles the personal data of its own employees. A privacy policy is directed at employees, vendors and, in general, the members of an organisation who handle personal data or make decisions about its collection, use, storage and deletion. A privacy policy may also be called the organisation's data protection policy.

Purpose of Privacy Policy

  • A privacy policy requires employees and vendors to comply with the privacy standards, restrictions and individual or departmental roles and responsibilities set forth by the organisation.
  • It defines the boundaries within which the organisation's privacy practices are developed, and is the basis on which the organisation can tell external stakeholders which privacy practices it adheres to.
  • It acquaints employees with the laws and regulations behind the organisation's privacy standards and guides them on how to comply with the privacy practices and standards the organisation has set.

Contents of a Privacy Policy

A privacy policy typically consists of elements like:

  • An effective date.
  • To whom the policy applies (employees, vendors).
  • The types of information covered, such as electronic, paper or encrypted records.
  • The protection standards to be followed to keep users' data safe.
  • The destruction standards to be followed when a contract with a third party ends.
  • The departments or executives to whom questions and concerns should be directed.
  • Expected professional behaviour and the repercussions of non-compliance.
  • The CCTV surveillance policy that applies while on the premises.
  • The social media account policy.

Privacy Notice

According to the IAPP, a privacy notice tells visitors or users of a website, including e-commerce websites, how an organisation collects, uses, retains and discloses their personal information. A privacy notice may also be referred to as a privacy statement, a fair processing statement or, confusingly, a privacy policy. A privacy notice is an external statement made to the users or visitors of a website.

Purpose of Privacy Notice

  • Data controllers use privacy notices at the point where they collect personal information from data subjects, for example visitors to a website or e-commerce site.
  • It is a public declaration of how the data protection principles apply to the data processed on the website.
  • It sets out what information is collected, why it is collected, and how the organisation stores, processes and shares visitors' or consumers' data.
  • Websites, especially e-commerce websites, often also want to collect the location data of the visitor's device in order to improve the marketing of their products. If so, this must be clearly stated to users and visitors in the privacy notice.

Contents required for Privacy Notice

A privacy notice should, as a minimum, cover the following:

  • The identity and contact details of the organisation.
  • The contact details of the organisation's data protection officer (DPO).
  • The intended purposes of the data collection and processing.
  • The retention period: how long the data is kept, from collection to deletion.
  • The personal and sensitive data that the website collects about the visitor, user or consumer, clearly enumerated, e.g. gender, date of birth, payment information, passport details (including the photograph, if any), Social Security number or, in the case of India, Aadhaar number.
  • Information on overseas (cross-border) data transfers.
  • The lawful grounds for processing personal information.
  • The data subjects' rights.
  • Whether any geo-location data of the visitor or user is collected.
  • Data sharing with third parties.
  • Any data analytics used to improve the user's or visitor's website experience.
  • For e-commerce websites or apps, how sensitive information, including credit and debit card details, is protected and secured in conjunction with the payment gateways.

How to publicise a Privacy Notice

A website, including an e-commerce website, should present a concise, transparent, intelligible and easily accessible privacy notice or statement in clear and plain language. In practice this external statement is often presented to visitors alongside a pop-up or banner that asks for their consent to the categories of processing (personalised website experience, marketing, retargeting) the enterprise wants to carry out. The consent request and the notice are distinct, however: the notice itself should remain permanently reachable, for example via a link on every page, rather than being shown only once. A privacy notice can be communicated orally, in writing, through signage and/or electronically.

Stance of EU GDPR and CCPA on Privacy Notice

The EU GDPR gives an individual eight data subject rights, which an organisation must explicitly explain in its privacy notice: the right to be informed, the right of access, the right to rectification, the right to erasure (the "right to be forgotten"), the right to data portability, the right to restrict processing, the right to object, and rights in relation to automated decision making, including profiling.

The CCPA obliges a covered business to give consumers explicit notice of how their data is collected, what types and categories of data are processed, why and how the data is processed, whether and how it is shared with or sold to third parties, how consumers can obtain the data collected about them, and how the business handles "do not sell" opt-outs and do-not-track settings.

Not every company falls under these regimes. The CCPA in particular applies only to businesses that meet thresholds based on annual revenue, the number of consumers whose personal data they process, and the share of their revenue derived from selling personal data. The GDPR has no such revenue-based exemption: it applies to any organisation processing the personal data of individuals in the EU, whatever its size.

Privacy Notice under PECR (EC Directive) Regulations 2003

PECR is the common abbreviation for the Privacy and Electronic Communications (EC Directive) Regulations 2003, the UK regulations on privacy in electronic communications.

They are derived from European law: PECR implement European Directive 2002/58/EC, also known as the e-Privacy Directive.

The e-Privacy Directive complements the general data protection regime and sets out more specific privacy rights for electronic communications. It recognises that widespread public access to digital mobile networks and the internet opens up new possibilities for businesses and users, but also new risks to their privacy.

PECR covers several areas:

  • Marketing by electronic means, including marketing calls, texts, emails and faxes. This also includes marketing through websites.
  • The use of cookies or similar technologies that track information about people accessing a website or other electronic service.
  • Security of public electronic communications services.
  • Privacy of customers using communication networks or services as regards traffic and location data, itemised billing, line identification services (e.g. caller ID and call return) and directory listings.

A privacy notice written with PECR in mind, whether for B2B or B2C, should clearly state that it applies to, and covers:

  • Email and Text Correspondence.
  • Telephone Contact.
  • Location Data.

The UK ICO has several ways of taking action to change the behaviour of anyone who breaches PECR, including:

  • Criminal prosecution.
  • Non-criminal enforcement and audit.
  • A monetary penalty notice imposing a fine of up to £500,000, which can be issued against the organisation or its directors.

How do Privacy Policy and Privacy Notice differ?

Although many websites use the terms privacy policy and privacy notice interchangeably, it is not technically sound to refer to a privacy notice as a privacy policy, or vice versa. There is a narrow but clear difference between the two that businesses need to understand.

  • The simplest difference is who each document is aimed at. A privacy policy is internally focused and is implemented by the organisation for its employees and vendors; a privacy notice is externally focused and is aimed at the visitors and users of websites, apps or social media platforms, telling them how their data is handled and what their rights are under the applicable law.
  • A privacy policy guides the employees of an organisation on what they may, and may not, do with consumers' personal information, whereas a privacy notice tells visitors, consumers, regulators and other stakeholders what the organisation actually does with their personal information when they use its website or social media presence.
  • A privacy policy contains far more operational detail than a privacy notice about how personal information is handled internally.
  • A privacy policy is directed at employees to make them "policy compliant" and to ensure they strictly abide by the laws and regulations the organisation follows; a privacy notice, by contrast, is typically accompanied by choices for the external stakeholder, such as which cookies or categories of processing they consent to.

Importance of Privacy Policy and Privacy Notice for organisations

A privacy notice and a privacy policy go hand in hand. These legal documents protect an organisation or website, including e-commerce websites, from damage to its reputation and image, ensure that it complies with the applicable regulatory and legal frameworks, and provide an edge over competitors in the long run. How much weight each document carries varies with national and international privacy and data protection laws. However, given the rapidly evolving attitude of consumers towards data protection and security, it is safe to say that transparency is the key to securing employee and consumer trust, which makes a properly drafted privacy policy and privacy notice essential for any organisation.

We at Data Secure endeavour to spread awareness regarding the protection of personal data on the internet and assist organisations in achieving privacy compliance. Get in touch with us to have your privacy documents reviewed.

To download the latest versions of various data privacy laws, kindly visit the Resources page at www.datasecure.ind.in

For more on Privacy Policy or Privacy Statement, kindly write to us at info@datasecure.ind.in
