Practically every business needs a page on its website or app explaining how it collects and uses personal data.
Some businesses call this transparency information a "Privacy Policy." Some call it a "Privacy Notice" and some call it a "Privacy Statement." There are other names, too, like "Fair Processing Notice" or "Data Protection Notice."
What's the difference? Which one is right for you? While these terms can be used interchangeably, some might be better than others in some contexts. Let's figure out the right one for your business.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
- At Step 1, select the Website option or App option or both.
- Answer some questions about your website or app.
- Answer some questions about your business.
- Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. What is a Privacy Policy, a Privacy Notice, and a Privacy Statement?
- 2. What Do Privacy Laws Say About Privacy Policy, Privacy Notice or Privacy Statement?
- 2.1. California Laws
- 2.2. Other U.S. State Laws
- 2.3. U.S. Federal Level Laws
- 2.4. EU and UK Laws
- 2.5. Canadian Laws
- 2.6. Australian Laws
- 3. What Do Other Businesses Call Their Transparency Information?
- 3.1. Which Term Is Most Widely Used?
- 3.2. What Terms Do the Most Popular Websites Use?
- 3.3. Which Term is Most Popular in Different Regions?
- 4. How Should You Display Your Privacy Policy, Privacy Notice and Privacy Statement?
- 5. Privacy Policy, Privacy Notice, or Privacy Statement? Here's What Really Matters
What is a Privacy Policy, a Privacy Notice, and a Privacy Statement?
As the introduction notes, you almost certainly have a legal obligation to explain how you collect and use personal data. You should provide this explanation to your customers, users, and website visitors, and in some cases, your employees and business partners, too.
What you call this transparency information is up to you, to some extent. But here are some initial factors to consider:
- "Privacy Policy" is the most widely-used term and gets a name-check in several important privacy laws. However, a "Privacy Policy" can also be an internal document setting out how your employees should handle personal data.
- "Privacy Notice" is becoming more popular and is used in many new U.S. privacy laws.
- "Privacy Statement" is relatively rare and doesn't appear in any significant privacy laws. But that doesn't mean you shouldn't use the term.
To decide what you should call this document, we can consider:
- What the law says
- Which terms other businesses use
- The context of your business
What Do Privacy Laws Say About Privacy Policy, Privacy Notice or Privacy Statement?
To help you pick a name, let's look first at how transparency information is described in various privacy and data protection laws that require it.
California Laws
The first U.S. law requiring private sector businesses to explain their personal data-collection practices was the California Online Privacy Protection Act (CalOPPA).
CalOPPA applies to any business whose website or app collects personal information about people in California, and its only requirement is to post an easily accessible Privacy Policy on its website homepage and app download page and "settings" menu.
In 2018, California passed a much more comprehensive privacy law, the California Consumer Privacy Act (CCPA/CPRA). The CCPA/CPRA doesn't apply as broadly as CalOPPA, but its requirements are much more extensive.
Under these two California laws, a Privacy Policy must explain (among other things):
- The types of personal information (called "personally identifiable information" under CalOPPA and "personal information" under the CCPA) you collect
- The types of third parties with whom you share personal data
- How consumers can exercise their privacy rights
- How your website or app tracks users via cookies
While these California laws use the term "Privacy Policy," they don't require businesses to use it. However, California law does require businesses to use the term "privacy" when referencing the document, as we can see in the California Attorney General's CCPA Regulations:
Other U.S. State Laws
Since California passed the CCPA in 2018, many other U.S. states have passed "comprehensive" privacy laws.
Several of these new privacy laws are already in effect across states such as Virginia, Connecticut, and Colorado. Privacy laws in other states, such as Montana, Oregon, and Texas, will kick in throughout 2024.
All these new laws include transparency requirements, too. But unlike in California, these other laws refer to a "Privacy Notice" rather than a "Privacy Policy." For example, here's the relevant part of the Virginia Consumer Data Protection Act (VCDPA):
So far, all major U.S. state privacy laws except California also refer to a "Privacy Notice." But the laws don't require businesses to use that term.
However, in Colorado, just like in California, businesses are required to use the word "privacy" when referring to their transparency documents, as shown in the Colorado Attorney General's Colorado Privacy Act (CPA) Rules:
U.S. Federal Level Laws
Several U.S. federal laws, which apply across every state, also include transparency requirements.
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires certain healthcare providers to create a "Notice of Privacy Practices."
While HIPAA does require healthcare providers to include certain language in the notice, the law does not mandate the title "Notice of Privacy Practices."
Nonetheless, many healthcare providers, and the Department of Health and Human Services (HHS), tend to use the term "Notice of Privacy Practices" or "NPP" to refer to this document.
EU and UK Laws
Transparency requirements in the European Economic Area (EEA) (which includes the EU) and the UK come from the General Data Protection Regulation (GDPR).
European law distinguishes between "privacy" and "data protection" differently than in the EU. However, European companies generally still use terms like "Privacy Policy" to describe their transparency information.
The GDPR doesn't provide a name for your transparency information. The law sets out what information you have to provide, gives some general rules about how to provide the information, and leaves the rest up to you.
The GDPR's transparency rules are at Articles 12-14 of the GDPR. Read our GDPR Privacy Policy Template article for more information about the requirements.
The European Data Protection Board (EDPB), which brings together each of the EU's Data Protection Authorities (DPAs), mentions several names in its GDPR transparency guidelines:
This guidance suggests that the following terms are acceptable under the GDPR:
- Data Protection Notice
- Privacy Notice
- Privacy Policy
- Privacy Statement
- Fair Processing Notice
However, the EDPB's list isn't intended to be exhaustive. To some extent, you can call your Privacy Policy whatever you want, as long as it is clear and accessible to the people who need to read it.
Canadian Laws
Canada's main privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), requires businesses to provide "information" but doesn't specify a name for the document containing the information:
The Canadian Office of the Privacy Commissioner (OPC) calls this type of document a "Privacy Policy," but doesn't necessarily expect you to do the same:
Australian Laws
Entities covered by Australia's Privacy Act 1988 must comply with the Australian Privacy Principles (APPs), including by publishing an "APP Privacy Policy."
What Do Other Businesses Call Their Transparency Information?
We've looked at what various privacy and data protection laws say about transparency information. While some laws use specific terms, such as "Privacy Policy" and "Privacy Notice," most do not require a business to use any particular terminology.
So what do most businesses do? Let's take a look at the most widespread approaches to titling transparency documents.
Which Term Is Most Widely Used?
To give you an idea of how many businesses use the terms "Privacy Policy," "Privacy Notice," and "Privacy Statement," here is the number of pages indexed for each term by Microsoft's Bing (which, unlike Google, still displays the number of search results):
- "Privacy Policy": 1.4 billion results
- "Privacy Notice": 460 million results
- "Privacy Statement": 354 million results
"Privacy Policy" is by far the most popular term, but bear in mind that some of these results might relate to internal privacy policies rather than transparency information.
What Terms Do the Most Popular Websites Use?
Google, which remains the world's most popular website, uses "Privacy Policy."
Meta, the owner of Facebook and Instagram, also uses "Privacy Policy."
In fact, almost all of the world's most-visited websites use "Privacy Policy," except Amazon, which uses "Privacy Notice."
Which Term is Most Popular in Different Regions?
"Privacy Policy" appears to be popular across most English-speaking regions.
UK-based BBC News, the world's most visited news website, uses "Privacy Policy":
And Daily Mail, the second most popular UK-based website, uses "Privacy Policy" too:
Using the term "Privacy Policy" is also popular in the United States. However, as businesses publish new transparency information to comply with new U.S. state laws, it seems "Privacy Notice" might be experiencing an uptick in popularity.
Most websites specifically referencing Virginia appear to prefer the term "Privacy Notice." This makes sense, as the state's new privacy law, the VCDPA, references this term.
Here's an example from the Financial Health Network:
And some websites appear to be transitioning between the California-inspired "Privacy Policy" and the more recent "Privacy Notice," like this page from Smarty Pants Vitamins:
How Should You Display Your Privacy Policy, Privacy Notice and Privacy Statement?
The laws we've considered have different requirements for what your Privacy Policy (or "Privacy Notice," etc.) must include. But all these laws require you to make your Privacy Policy easy to understand and easy to access.
Place a link to your Privacy Policy, Notice or Statement in the footer of your website, and on any page that collects personal data (whether via cookies or otherwise).
Here's how Misfits Market does this, displaying both a Privacy Policy link and a separate California Privacy Notice link:
If you have a cookie consent notice, you should link your Privacy Policy within it so that users can find out more about how you use their personal data.
Here's an example from The Times:
If you have a newsletter, put a link to your Privacy Policy alongside your newsletter signup form since people submit an email address here, and this is legally protected personal information.
If you allow users to create an account with your business, make a link to your Privacy Policy available during the account creation process.
Here's how Tesco does this:
And if you have an app, make sure users can access your Privacy Policy within your mobile app's "settings" menu.
Privacy Policy, Privacy Notice, or Privacy Statement? Here's What Really Matters
It should be clear that there's no "one right name" for your transparency information.
But if you run a website or operate an app, you have a legal obligation to be transparent about how you collect, use, and share personal data. As such, you need to pick a name and publish the required information.
Here's a summary of what we've learned in this article:
- You should publish information about your data-collection practices.
- There's no legal obligation to choose one name over another.
- The important thing is that people can find the information they're looking for.
- To comply with U.S. state laws and regulatory requirements, you should choose a name that includes the word "privacy."
- Even outside of the U.S., people increasingly expect to see the word "privacy" in the title of this document.
- "Privacy Policy" appears to be the most popular choice across the world's most visited websites.
- "Privacy Notice" might become more popular due to new U.S. state laws.
- But "Privacy Statement" is fine too! Even "Privacy Information" could work.
- Ensure your Privacy Policy meets the requirements under whichever laws apply to you.
- Display a link to your Privacy Policy on your website, wherever you collect personal data, and within your app's "settings" menu (if you have one).
Whether you choose "Privacy Policy," "Privacy Notice," "Privacy Statement," or something else entirely, make sure you're giving people the right information in an easily-accessible and understandable format.