by Suzette Corley; Privacy Paralegal

It’s late at night and you want to download an app so you can catch up on your favorite TV show. You quickly type in your name and e-mail address, then click ‘create account.’ An annoying gray box pops up, and you scroll through as quickly as possible so you can hit ‘accept.’ Whether you know it or not, you’ve just accepted a company’s privacy policy.

Almost everyone has come into contact with either a privacy policy or a privacy notice. If your employee handbook discusses the access of company e-mail or client records via personal device, you’ve seen a privacy policy. And if you’ve ever downloaded an app, created a social media account or signed up for a retailer’s newsletter, you’ve seen a privacy notice. While privacy policies and privacy notices are important, we’re going to focus on privacy notices.

What is a privacy notice?

While the terms “privacy policy” and “privacy notice” are often confused and used interchangeably, they are not synonymous. Privacy policies are generally internal documents addressed to employees and clearly state how an employee’s personal information will be handled.

Unlike privacy policies, which are used internally, a company’s privacy notice is directed externally and explains how an organization handles any customer, client or employee information gathered to operate its business. A privacy notice also serves as legal notice to the public and states how customer personal information is used. For example, Facebook provides a “Privacy Notice” to users and makes it available in the “privacy” tab. A law firm may provide its privacy notice to clients in the form of an engagement letter or as an e-mail signature. Websites will often provide a link to their privacy notice in the footer of each page.

Does the law require a business to have a privacy notice?

Although almost every organization can benefit from a privacy notice, in the U.S. there are only two types of organizations which are required to have one: the banking industry, which is regulated by Gramm-Leach-Bliley/Federal Trade Commission (FTC), and the medical industry, which is regulated by the U.S. Department of Human Services, HIPAA laws. If you’re in the U.S. and don’t fall into either of these categories, you’re not required to have a privacy notice, with one notable exception. If your company is located in California, the CAN SPAM dictates very specific privacy laws which require companies to have a privacy notice.

Is it a good idea for my business to have a privacy notice?

While not required for unregulated industries, most businesses choose to maintain a privacy notice at some minimal level. With increasing consumer concern over privacy and data collection, having one in place can help with prospective marketing and customer retention. By maintaining a privacy notice, you’re showing your customers you care about their information and are being transparent with what you do with that information.

Ultimately, the question of whether your company should have a privacy notice comes down to whether you collect any personal data on the customer. Many businesses collect some sort of sensitive information on their customers, such as e-mail addresses, cookies, subscription information, credit card payment information, IP addresses, or demographics. If your company collects this type of data, it most certainly should have a privacy notice. If it doesn’t, you’ll need to decide what’s in your best interest.

How do I draft a privacy notice?

First, ensure your policy does:

Identify what you’re collecting

Need assistance with your privacy notice?

Whether you need to draft a new privacy notice or amend an existing one, remember these best practices:

Contact us to help with your privacy notice today.