Privacy Policy vs Privacy Notice vs Privacy Statement

Is it a Privacy Policy or a Privacy Notice? Same thing, right? What about a Privacy Policy or a Privacy Statement? Some feel these terms are entirely interchangeable and are simply a case of "you say potato, I say potahto." The truth is, in many cases, these terms are synonymous, but not always.

For example, Fair Processing Notices and Privacy Notices are the same thing. They both pertain to statements that are given to website users at the point of data collection.

On the other hand, Privacy Policies may mean the same thing, too. Still, they can also refer to a document that is primarily used internally by an organization to provide details on the rules and practices governing its use of personal information.

Are you confused yet? Don't be.

Below we're going to simplify the differences and sort things out for you.

Does It Matter What I Name My Privacy Policy?

Organizations name this document in a variety of ways. Yet one thing is always the same: the document discloses their rules and practices concerning personal data collection, disclosure, and use.

While they often use different terms, the terms still usually sound incredibly similar. These terms include "Data Protection Notice," "Privacy Policy," "Privacy Notice," "Privacy Statement," and "Information Notice" to name a few.

This may cause confusion on the part of business owners who are required by law to include a document that provides website users with important information on the organization's practices and rules when it comes to private information. However, owners of websites aren't the only ones who may be slightly confused. There hasn't been much consistency in the use of these terms by lawmakers around the world.

Take California's Online Privacy Protection Act (CalOPPA), for example. The law talks about creating a Privacy Policy as you can see in the quote below, but then goes on to say that business owners can describe the document in any manner they choose as long as the word "privacy" is included in a link consumers can clearly see:

(3) A text link that hyperlinks to a Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Web site, and if the text link does one of the following:

(A) Includes the word "privacy."

In contrast, the California Consumer Protection Act (CCPA) says that website owners need to give users "notice" of their privacy practices, while Europe's GDPR only mentions the controller's duty to give "information" to consumers.

To be fair, the Article 29 Working Party (which was an advisory body made up of a representative from the data protection authority of each EU Member State) interpreted the GDPR's reference to "information" to mean "privacy notice" or "privacy statement."

Finally, as just one more example, in the past the United States Federal Trade Commission has used the terms "Privacy Policy" and "Privacy Notice" interchangeably.

The bottom line is that it doesn't matter what you call your Privacy Policy in most cases if the link to the document, which appears on your website, includes the word "Privacy" in it.

How to Display Your Privacy Policy, Notice or Statement

Your Privacy Policy ought to be easily accessible. Common locations for a link to the document include your website's footer section, mobile app menus, and anywhere you request that users share personal information, such as ecommerce checkout pages and email newsletter sign-up forms.

Include a link in your site footer, like this:

Screenshot of the email footer from The Economist with Privacy Policy link highlighted

Here's an example of how to link your policy to an email newsletter sign-up form:

Matomo sign up for newsletter pop-up with Privacy Policy link highlighted

Here's how you can display a Privacy Policy link within marketing emails:

Screenshot of Credit Karma email footer

You can also include a link to your Privacy Policy in pop-up boxes, such as when consumers are about to enter their personal data. (Privacy Notices are also sometimes referred to as "Pop-Up Notices" because they are commonly used in website pop-ups.)

For example, when you visit the 100% Pure website, a pop-up message appears after about a minute on the site. This pop-up requests personal information (a mobile phone number) in exchange for a discount on a purchase:

100 Percent Pure pop-up to sign up for a discount - Privacy Policy link highlighted

Shoppers are informed that by signing up for text messages from the company, they're accepting the Privacy Policy. A link to the Privacy Policy is included so users can reference the policy before giving their agreement by way of entering their mobile phone numbers.

While the Privacy Policy is also available in the website footer, including it directly in the pop-up where personal information is requested is a best practice that your customers will appreciate.

Is it Legally Required to Name Your Document a Privacy Policy?

The short answer is no.

Take a look at the following screenshot from Amazon. Note that the company doesn't call the Privacy Policy a "Privacy Policy." Unlike the Pop-Up Notice example taken from HubSpot, which was a statement about privacy, Amazon actually calls its Privacy Policy a Privacy Notice:

Amazon website footer with Privacy Notice highlighted

In the end, the law in most countries demands that you have a document that outlines how you handle the private data of those who use your website. You can call the document whatever you like as long as you have one and:

  1. You ensure that your website's visitors can clearly see a link to that document, and
  2. You ensure the word "privacy" is included in that link

In conclusion, all of these different names are just different in aesthetics, and ultimately mean the same thing: A document that informs others about the privacy practices of the business, including:

  • What personal data is collected
  • How it is collected
  • What it's used for
  • How long it's kept by the company
  • How it's kept secure
  • If it's shared or sold to any other parties
  • What rights users have regarding any of this

What's more important than the name of the document is the document's content and that it complies with any global privacy laws that it must comply with.