A privacy notice is a public-facing document that tells people what personal data a site collects and why. It also states how that data is used, shared, stored, and protected, and what rights people have over it. GDPR and CCPA require one from almost any site that collects personal data.
Below: what a privacy notice must include, how it really differs from a privacy policy, whether you legally need one, and where it goes.
What Is a Privacy Notice?
A privacy notice is the public document an organization publishes to explain how it collects, uses, shares, stores, and protects personal data. It also states what rights individuals hold over that data. GDPR Articles 12 to 14 set the disclosure and timing rules behind it. CCPA imposes a parallel "notice at collection" duty in the United States.
The notice exists because of the transparency principle. A data subject cannot exercise any right over their data if they never learn it was collected. The UK Information Commissioner's Office frames it as a document written for the reader, not the lawyer. It must explain data collection, use, sharing, and retention in language that is easy for people to understand.
A data controller is the organization deciding why and how data is processed. It is the one legally responsible for issuing the notice to the data subject, the individual whose data is collected. GDPR Article 12 requires the whole document to use "concise, transparent, intelligible and easily accessible" language.
What Is the Purpose of a Privacy Notice?
A privacy notice exists to make data handling transparent, let people exercise their rights over their own data, and prove legal compliance. It is also what makes the collection legally accountable, not just polite disclosure.
A privacy notice does four concrete jobs.
- Informs. It tells the data subject exactly what is collected and why, before or at the moment of collection.
- Enables rights. It gives people the specific steps to access, correct, delete, or object to the use of their data.
- Proves compliance. It is the documented record regulators check first during an investigation.
- Builds accountability. It forces the organization to actually know what it collects, since a notice cannot describe data practices that were never mapped out.
What Does a Privacy Notice Include?
A privacy notice must disclose what data is collected and why, who it is shared with, and how long it is kept. It must also explain how people can exercise their rights over that data. GDPR Article 13 lists the full disclosures required when data is collected directly from a person.
A GDPR-governed privacy notice includes:
- Controller identity and contact details, plus the data protection officer's contact if one exists
- Purposes of processing and the legal basis relied on for each purpose
- Legitimate interests, named specifically, if that is the legal basis used
- Recipients or categories of recipients the data is shared with
- International transfer details if data leaves the country, plus the safeguards used
- Retention period, or the criteria used to determine it
- Data subject rights: access, rectification, erasure, restriction, objection, portability, and the right to withdraw consent where consent is the legal basis
- The right to complain to a supervisory authority
- Whether providing the data is mandatory and the consequence of refusing
- Automated decision-making or profiling details, if either applies
When data comes from somewhere other than the person themselves, GDPR Article 14 applies instead of Article 13. It adds one requirement Article 13 does not: naming the source the data came from, including whether it was publicly available. Article 14 also relaxes the "is this mandatory" disclosure, since the subject was not the one asked to hand over data.
Under CCPA, the equivalent US requirement is a "notice at collection." This is a short, upfront disclosure of the data categories collected and the purposes. The California Attorney General requires it at or before collection, distinct from the fuller privacy notice itself.
How Is a Privacy Notice Different From a Privacy Policy?
For most websites, a privacy notice and a privacy policy are the same document with different names, and the terms are used interchangeably in practice. GDPR's own statute text never uses either word. Articles 12 to 14 simply require "information to be provided" to the data subject.
Some privacy professionals still draw a working distinction. A privacy "notice" is the external, public-facing document written for customers and site visitors. A privacy "policy" can also mean the internal, operational document that tells staff and vendors how to handle data day to day. This split is a governance convention, not a rule written into any privacy law.
| Attribute | Privacy notice | Privacy policy |
|---|---|---|
| Audience | External: customers, users, data subjects | Internal: employees, contractors, vendors (or used loosely as the public page) |
| Core purpose | Transparency: informs people of their rights and how data is handled | Establishes internal rules and procedures for staff on data governance |
| Legal mandate | Often required by GDPR, CCPA, and similar laws | Best practice; generally not a standalone legal requirement on its own |
| Typical content | Data collected, retention, third-party sharing, contact details | Internal storage rules, employee access controls, response workflows |
On a live website, the document that matters legally is the public-facing one, whatever it is titled. The UK's privacy regulator itself calls it "your privacy notice (sometimes known as a privacy policy)" in the same sentence. That settles the point: the regulator does not police the label.
For the full breakdown of what belongs in that public document, see what a privacy policy is and when your site needs one.
Privacy Notice vs Privacy Statement vs Data Protection Notice
A privacy statement and a data protection notice are simply other names for the exact same public-facing document. The title carries no legal weight. Regulators and vendors use all three terms to describe identical content: what data is collected, why, and what rights apply.
Regional habit drives the choice more than law does. UK and EU organizations lean toward "privacy notice" or "privacy statement," language the GDPR-era Article 29 Working Party associated with the regulation.
US sites more often default to "privacy policy." Even so, "privacy notice" satisfies every US disclosure law too. CalOPPA, CCPA, and GDPR each accept the word "privacy" in the link text regardless of the second word chosen.
Is a Privacy Notice Legally Required?
Yes, for almost any organization that collects personal data from a website visitor, customer, or user. GDPR, CCPA, and a growing list of US state and sector laws each independently impose the requirement.
- GDPR (EU/UK): any organization processing an EU or UK resident's personal data must provide the Article 13 or 14 disclosures. This holds regardless of where the organization is based.
- CCPA/CPRA (California): commercial sites collecting California residents' data must post a notice and display a "notice at collection" at the point of data capture.
- PIPEDA (Canada): requires organizations to disclose their personal information handling practices.
- Sector laws (US): GLBA requires an annual privacy notice from financial institutions; HIPAA requires a Notice of Privacy Practices from health plans and providers.
The trigger is the act of collecting data, not company size or revenue. GDPR Article 83 sets the stakes for getting this wrong. Fines up to 20,000,000 EUR, or 4 percent of global annual turnover, whichever is higher, apply to Article 12 to 14 transparency violations.
For the full region-by-region breakdown of when the underlying document is required, see whether you need a privacy policy for your specific jurisdiction.
When and Where Must You Provide a Privacy Notice?
You must provide a privacy notice at or before the moment you collect someone's personal data, and it must stay easy to find afterward. Timing and placement both depend on how the data was obtained.
When to provide it:
- Direct collection: GDPR Article 13 requires the notice "at the time when personal data are obtained," such as at a signup form or checkout.
- Indirect collection: GDPR Article 14 allows "a reasonable period... at the latest within one month" when data comes from a third party. It applies sooner if you contact the person, or share their data, before that month is up.
- Financial institutions: GLBA requires a fresh annual notice to customers, "not less than annually," regardless of whether anything changed. That is a stricter cadence than GDPR's at-collection trigger.
- Material changes: a meaningful shift in how data is processed or shared calls for a revised notice, not a silent update.
Where to put it:
- A persistent link in the site footer, visible on every page
- Directly at forms, checkout flows, and account registration, the actual points of collection
- Inside account or preference settings, so a returning visitor can find it again
Best practice layers the notice. A short, plain-language summary appears right at the point of collection, linking through to the complete document for anyone who wants the full detail. This tiered version is a layered notice, and the short summary shown at the exact moment of collection is a just-in-time notice. Both exist so people are not forced to read a full legal document mid-checkout.
One frequent misconception is worth correcting directly: nothing in the GDPR text requires an organization to retain proof that a person actually read the notice. The statute's obligation is to provide the information, not to prove it was read.
Privacy Notices by Context: Website, Employee, Financial, and Health
A privacy notice's core content, what data, why, and what rights apply, stays constant, but the specific law and audience shift by context. Four variants cover most real-world cases.
| Context | Governing law | Who receives it | Key trait |
|---|---|---|---|
| Website / general business | GDPR, CCPA | Visitors, customers | Posted publicly; footer link plus point-of-collection notice |
| Employee / candidate | GDPR, applicable employment law | Staff, job applicants | Covers HR data: CVs, payroll, performance records |
| Financial institution | GLBA (Regulation P) | Customers of banks, lenders | Delivered annually, not just at signup |
| Healthcare provider or plan | HIPAA | Patients, plan members | Called a Notice of Privacy Practices; posted at the practice and online |
A job applicant's data counts as personal data the moment a company collects a resume or cover letter. That is why recruitment teams issue their own privacy notice before processing that information.
Financial institutions face a distinct obligation: GLBA's Regulation P requires an annual notice to every customer, not a one-time disclosure at account opening. Healthcare providers and health plans issue a Notice of Privacy Practices under HIPAA, and HHS publishes model notices for them. As of February 16, 2026, that notice must also address how substance use disorder patient records are used and disclosed.
A government agency collecting personal data from residents provides its own privacy notice too, under whatever public-records or privacy statute applies to that agency.
How to Write a Privacy Notice
Writing a privacy notice starts with an honest inventory of what you actually collect, not a template copied from another site. Six steps cover the process end to end.
- Inventory your data and cookies. List every type of personal data and every cookie or tracker your site actually sets, and why each one exists.
- Identify your lawful basis and recipients. Decide which GDPR legal basis applies to each purpose, and name who the data is shared with.
- Map the rights you must honor. Confirm you can actually act on access, deletion, and objection requests before you promise them in writing.
- Write in plain language. GDPR Article 12 requires clear, plain wording; avoid vague qualifiers like "may," "might," and "some" that regulators specifically flag as unclear.
- Publish it where data is collected. Link it site-wide in the footer, and surface a short version at every form and checkout step.
- Keep it current. Revisit the notice whenever you add a new tool, tracker, or data-sharing partner, not on a fixed schedule alone.
Starting from a real example speeds this up considerably. See privacy policy examples from live sites, or begin directly from a free privacy policy template built for the same disclosures this page covers.
How Consently Generates Your Privacy Notice
Consently's privacy policy generator produces your public-facing privacy notice from a guided questionnaire. Its cookie scanner feeds that document the exact data and trackers your site actually uses.
The generator is one of three document generators in Consently, alongside cookie policy and terms and conditions. Rather than guessing what your site collects, Consently's automatic cookie and tracker scanning runs on a schedule and on demand. It then populates the "what we collect" section of the generated notice with real findings instead of boilerplate.
The consent banner itself functions as the just-in-time notice at the point of collection. It appears before non-essential cookies load, and every consent choice is stored in an exportable consent log. That log serves as audit evidence if a regulator asks.
Start free for 14 days, no credit card required, and generate a privacy notice built from what your site actually collects.
FAQs
Is a privacy notice the same as a privacy policy?
In practice, usually yes. Some privacy professionals reserve "notice" for the external, public document and "policy" for internal staff rules. Neither term appears in the GDPR statute, though, and most sites use them interchangeably.
What is another name for a privacy notice?
A privacy notice is also called a privacy statement or a data protection notice. All three describe the same public-facing document; the title carries no legal weight.
Why am I getting a privacy notice?
Because an organization has collected or is about to collect your personal data. The law requires it to tell you what it collects, why, who it shares data with, and what rights you hold. The notice is that disclosure, not a request for your consent.
What are the types of privacy notices?
Privacy notices come in a few common types. Each covers the same core facts but is governed by a different law and audience.
- The website notice, shown to consumers and site visitors.
- The employee or candidate notice, for workers and applicants.
- The financial institution notice, required under GLBA.
- The healthcare Notice of Privacy Practices, required under HIPAA.
What should a privacy notice include?
It must name the data collected, the purpose and legal basis, and who it is shared with. It must also state how long data is kept and how people can exercise their rights. GDPR Article 13 sets the full list for data collected directly from the person.
Is a privacy notice a legal requirement?
Yes, for almost any organization collecting personal data. GDPR, CCPA, PIPEDA, and sector laws like GLBA and HIPAA each independently require one, triggered by data collection itself, not by company size.
When must you give someone a privacy notice?
At or before the moment you collect their data directly, or within one month if the data came from someone else. Financial institutions under GLBA must also send a fresh notice to every customer annually.
Where should a privacy notice go on my website?
In the site footer on every page, plus directly at every form, checkout, or signup flow where data is actually collected. Account or preference settings should link to it too.
What is the difference between a privacy notice and a privacy statement?
None in substance. "Privacy statement" is the term GDPR-era guidance associates with EU organizations, but it describes the identical public-facing document as a privacy notice.
Can I write my own privacy notice?
Yes, starting from an accurate inventory of your own data practices. A ready-made template or a generator built from your actual cookie scan results is faster and less error-prone than drafting from scratch.

