Privacy Notices

An organization should publish a privacy notice in most cases, even where the law does not mandate it. Why? Drafting and updating privacy notices helps better inform your team and your customers of their roles and their rights. Advisori can help.

Privacy Policy vs. Privacy Notice

Though often conflated, it is important to understand that privacy policies and privacy notices are distinct concepts with different requirements.

A privacy policy is an internal resource that instructs employees on the organization’s rules related to personally identifiable information (PII). In contrast, a privacy notice is a publicly facing document advising potential and existing customers, website visitors, and others on the organization’s PII collection, use, and related privacy practices.

Privacy notices detail what categories of PII the organization is collecting and who it is collecting this data from. They further define how the data is collected, who it is shared with, what legal basis the organization has for collecting the data, when the data is purged, and what rights the data subject has regarding the collection and use of their data.

The Privacy Notice: What’s Included

At a high level, a privacy notice should include sufficient information so that a user can understand what personal data is being collected, why it is being collected, what it is being used for, how long it is being retained, and how the user can restrict the processing of their data and even withdraw consent.

The following elements should be included in a privacy notice.

  • Contact information for the representative/data protection officer
  • Purpose and legal basis for processing personal data
  • The legitimate interests of the organization (or third party)
  • Recipient or categories of recipients of personal data
  • Details related to any inter-country transfers of personal data, as well as procedural safeguards in place
  • The duration that the data is being kept (retention period), or the criteria under which data is retained
  • The existence of the rights of the person from whom data is collected (referred to as a data subject under GDPR)
  • The right to withdraw consent
  • The right to initiate a complaint with the supervisory authority
  • Whether the personal data pertains to a statutory or contractual right and the potential consequences for failing to provide the necessary data (this is not required if data comes from a third party)
  • The existence of any automated decision-support/decision-making system; how the system has been set up, its overall process, and any resulting consequences
  • If data is obtained via a third party, the privacy notice must state the categories of personal data being collected
  • When the privacy notice was last updated

Want to learn more?

Advisori can help you craft a privacy notice that makes sense for your organization – while maintaining compliance with Articles 12, 13, and 14 of the GDPR.

Best Practices for Developing a Privacy Notice

Many regulators consider privacy notices a contractual promise by the organization to the data subject. Therefore, a privacy notice must be both accurate and transparent. The GDPR requires plain-language privacy notices, devoid of legalese or terms buried in poorly structured paragraphs. Furthermore, privacy notices should use definitive language – not qualifiers such as “may,” “might,” “some,” “often,” “usually,” etc., as these terms can be viewed by a regulator as purposefully vague.

Privacy notices should be conspicuously labeled as “PRIVACY NOTICE.” They should be in writing, placed on the organization’s website (on the same page where data collection occurs), and available orally upon request, both to ensure adequate comprehension by the reader and to aid the visually impaired.

These are the challenges businesses face when developing a privacy notice.

Drafting and updating privacy notices may be time-consuming and risky for a number of reasons.

  • Businesses operating in multiple jurisdictions may need to comply with more than one privacy law or regulation – the volume of country/region/state-specific laws is growing rapidly.
  • Many businesses do not have in-house privacy counsel to draft and maintain privacy notices.
  • Outsourcing privacy work to a law firm can be costly.
  • The categories of PII collected by a business, as well as the business use of such data, often change as the business evolves.
  • Varying business units or divisions may collect and use data in different ways, like product development, marketing, and sales.

Privacy notice management is a significant task, and relying on manual processes to do so is often time-consuming and tedious. Can your business handle the reputational risks associated with inaccurate or incomplete privacy notices, or the regulatory violations and related penalties that come with failing to comply?

Let Advisori be your guide.

Advisori has the people, processes, and technology necessary to assist our clients with managing their privacy notices. Using Securti.ai’s secure privacy portal, we collaborate with all necessary stakeholders to assist in the selection of the appropriate privacy notices from our extensive template library. We then tailor the chosen privacy notice to business operations to ensure a regulatory-compliant, accurate, detailed, and transparent public-facing Privacy Notice.

We also give our clients the option of AI-powered robotic automation and data intelligence, which enables a continuous scan of data stores and automatic updates for any changes to the collection, processing, sharing, selling, or retention of personal data. These updates are then pushed to the business’s published privacy notice, thereby allowing real-time updates. This can even include cookie-related updates.

Don’t wait to get started.

Reach out to our team to learn more.
