SOC 2 P1.1: Privacy - Notice of Privacy Practices
What This Control Requires
The entity provides notice to data subjects about its privacy practices to meet the entity's objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes in the entity's privacy practices, including changes in the use of personal information.
In Plain Language
Auditors will look for one thing first: can a user find out what you do with their data before you collect it? If the answer involves digging through obscure links or reading walls of legalese, you have a problem.
In practice, this means publishing a clear, accessible privacy notice on your website and inside your applications. It needs to cover what personal information you collect, why you collect it, who you share it with, how long you keep it, and what rights people have. Write it in plain language, not lawyer-speak.
Keeping the notice current matters just as much as having one. When your data practices change - say you add a new analytics provider or start collecting a new category of data - you need to update the notice and tell affected users. Auditors check version history and change logs, so treat your privacy notice like a living document, not a one-and-done compliance checkbox.
How to Implement
Start by drafting a privacy notice that covers every required element: types of personal information collected, collection methods (direct input, automatic tracking, third parties), purposes of use, categories of third parties you share data with, retention periods, individual rights (access, correction, deletion, portability), how to exercise those rights, and contact details for privacy questions.
Make the notice impossible to miss. Link it in your website footer on every page. Surface it within your app wherever you collect personal information. Support all languages your user base actually uses, and make sure it renders properly on mobile.
Write it in plain language. Drop the legal jargon. Use headings, bullet points, and short paragraphs. A layered approach works well - give people a concise summary up front with links to the full detail underneath.
Set up a review cadence. Go through the notice at least annually and after any material change to your data practices. Keep a version history so auditors can see what changed and when. Define internally what counts as a "material change" versus a minor editorial fix: a change to what you collect, why you collect it, who receives it, or how long you keep it is material; a typo fix, a reworded heading, or an updated contact address is editorial.
Build a notification process for material changes. Email, in-app banners, or prominent website notices all work - pick what fits your user base. Give people reasonable advance notice before changes take effect. Where the processing rests on consent and local law requires it (under GDPR, for instance, a new purpose that relies on consent needs new consent), collect fresh consent rather than relying on the updated notice alone.
Finally, audit your own notice against reality. Walk through your actual data flows and confirm the notice matches. If you find a gap - say you are sharing data with a vendor not mentioned in the notice - fix it immediately. Auditors specifically look for mismatches between what you say and what you do.
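One way to turn the "notice versus reality" audit and the material-change definition into a repeatable check is to keep the notice as structured data and reconcile it against an inventory of actual data flows. The script below is an added example written for this page, not AuditFront's or any auditor's tooling; the notice manifest, the vendor names, and the data-flow inventory are all constructed, hypothetical data. In practice the inventory would be generated from real sources such as SDK manifests, egress allowlists, or schema annotations, and the manifest would be the source from which the human-readable notice is rendered.

```python
"""Reconcile a privacy notice manifest against an inventory of actual data flows.

Added example for this page; all notice contents, vendor names and flows below
are constructed, hypothetical data (assumption, not real vendors or systems).
"""
from __future__ import annotations
from dataclasses import dataclass

# Fields whose change counts as "material" and triggers user notification.
# Any other field change (contact address, wording) is editorial.
MATERIAL_FIELDS = ("categories", "purposes", "recipients", "retention_days")


@dataclass
class NoticeVersion:
    version: str
    contact: str
    categories: set[str]            # categories of personal information collected
    purposes: set[str]              # purposes of use
    recipients: set[str]            # third parties the notice says receive data
    retention_days: dict[str, int]  # category -> maximum retention declared


@dataclass
class DataFlow:
    category: str
    purpose: str
    recipient: str                  # "internal" or a vendor name
    retention_days: int             # how long this flow actually keeps the data


def reconcile(notice: NoticeVersion, flows: list[DataFlow]) -> list[str]:
    """Return a finding for every way the actual flows diverge from the notice."""
    findings = []
    for f in flows:
        if f.category not in notice.categories:
            findings.append(f"undisclosed category: {f.category} (sent to {f.recipient})")
        if f.purpose not in notice.purposes:
            findings.append(f"undisclosed purpose: {f.purpose} for {f.category}")
        if f.recipient != "internal" and f.recipient not in notice.recipients:
            findings.append(f"undisclosed recipient: {f.recipient} receives {f.category}")
        declared = notice.retention_days.get(f.category)
        if declared is not None and f.retention_days > declared:
            findings.append(f"retention exceeded: {f.category} kept {f.retention_days}d, "
                            f"notice says {declared}d")
    # Stale disclosures matter too: a vendor named in the notice that no flow
    # reaches usually means the notice was never updated after the vendor left.
    used = {f.recipient for f in flows}
    for r in sorted(notice.recipients - used):
        findings.append(f"stale recipient: {r} is named in the notice but receives nothing")
    return findings


def classify_change(old: NoticeVersion, new: NoticeVersion) -> tuple[str, list[str]]:
    """Classify a revision as ('material', changed fields) or ('editorial', [])."""
    changed = sorted(f for f in MATERIAL_FIELDS if getattr(old, f) != getattr(new, f))
    return ("material", changed) if changed else ("editorial", [])


# Constructed sample data (assumption): what the notice says, across three versions.
NOTICE_V1 = NoticeVersion("1.0", "privacy@example.invalid",
                          categories={"email", "usage_events"},
                          purposes={"account", "analytics"},
                          recipients={"mail-vendor-A", "legacy-crm-vendor"},
                          retention_days={"email": 365, "usage_events": 30})
NOTICE_V2 = NoticeVersion("2.0", "privacy@example.invalid",
                          categories={"email", "usage_events", "precise_location"},
                          purposes={"account", "analytics"},
                          recipients={"mail-vendor-A", "analytics-vendor-B"},
                          retention_days={"email": 365, "usage_events": 30})
NOTICE_V3 = NoticeVersion("2.1", "dpo@example.invalid",   # only the contact changed
                          categories=set(NOTICE_V2.categories), purposes=set(NOTICE_V2.purposes),
                          recipients=set(NOTICE_V2.recipients),
                          retention_days=dict(NOTICE_V2.retention_days))

# Constructed sample data (assumption): what the systems actually do.
FLOWS = [
    DataFlow("email", "account", "internal", 365),
    DataFlow("usage_events", "analytics", "analytics-vendor-B", 30),
    DataFlow("email", "account", "mail-vendor-A", 30),
    DataFlow("precise_location", "analytics", "analytics-vendor-B", 90),
]

if __name__ == "__main__":
    for finding in reconcile(NOTICE_V1, FLOWS):
        print("v1:", finding)
    print("v1 -> v2:", classify_change(NOTICE_V1, NOTICE_V2))
    print("v2 -> v3:", classify_change(NOTICE_V2, NOTICE_V3))
    print("v2 findings:", reconcile(NOTICE_V2, FLOWS))
```

Against version 1.0 the check reports the analytics vendor and the location category that the notice never mentions, plus a CRM vendor the notice still names but nothing sends data to; version 2.0 closes those gaps and is classified as a material revision, while the 2.1 contact-address change is editorial and needs no user notification. Running this in CI whenever the data-flow inventory changes gives you both the consistency-audit record and the version history an auditor asks for.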
Evidence Your Auditor Will Request
- Published privacy notice covering all required elements (collection, use, sharing, retention, rights)
- Privacy notice version history showing regular review and updates
- Change notification records when material updates are made to the privacy notice
- Evidence that the privacy notice is accessible across website and applications
- Audit records verifying consistency between the privacy notice and actual data practices
Common Mistakes
- Privacy notice uses excessive legal jargon that is incomprehensible to the average reader
- Notice does not accurately reflect actual data collection and sharing practices
- Privacy notice has not been updated to reflect changes in services, technologies, or data practices
- No process for notifying individuals when material changes are made to the privacy notice
- Privacy notice is difficult to find or access on the organization's website or within applications
Related Controls Across Frameworks
Frequently Asked Questions
How long should our privacy notice be?
Do we need separate privacy notices for different jurisdictions?
What constitutes a material change requiring user notification?