Chapter 4: Information Management and Privacy Risk Management
Privacy Policy vs Privacy Notice
A privacy policy is the internal document guiding how employees and contractors handle PI; a privacy notice is the external transparency statement to consumers. Violating a notice-communicated promise can trigger an FTC or state AG deceptive-practice action.
| Aspect | Privacy policy | Privacy notice |
|---|---|---|
| Direction | Internal | External |
| Audience | Employees and contractors | Customers, potential customers, users, and (sometimes) employees |
| Purpose | Implement privacy goals/vision; guide PI handling | Provide transparency; treated as a promise to consumers |
Both describe how PI is collected, used, shared, and stored. If a U.S. organization violates a promise made in a policy that is also communicated in the notice, the FTC or a state attorney general may bring an enforcement action for a deceptive practice.
Key terms - quick answers
What is “Privacy policy”?
High-level internal document implementing privacy goals and informing employees/contractors how PI must be handled.
What is “Privacy notice”?
External statement providing transparency to consumers about an organization's privacy practices; treated as a promise.