AuditFront

SOC 2 P1.2: Privacy - Covers Required Privacy Elements

What This Control Requires

The entity's privacy notice covers all required elements including the purpose of personal information collection, the types of personal information collected, the methods of collection, the use, retention, and disposal of information, access rights, disclosure to third parties, security measures, quality assurance, and monitoring and enforcement mechanisms.

In Plain Language

Having a privacy notice is not enough - auditors will go through it with a checklist, ticking off each required element. Miss one, and you have a finding.

The notice must address every stage of the data lifecycle: why you collect personal information, what types you collect, how you collect it, what you do with it, how long you keep it, how you dispose of it, what rights people have, who you share data with, how you protect it, and how you enforce your own policies. Each element needs genuine substance, not just a vague sentence.

During a SOC 2 privacy audit, assessors will map each statement in your notice to your actual practices. They want to see that what you wrote is not just comprehensive on paper but reflects reality. If your notice says you delete data after 90 days but your database tells a different story, that is a finding.

How to Implement

Structure your privacy notice with clear headings matching each privacy principle. This makes it easy for users to find what they need - and easy for auditors to verify coverage.

For purpose, state plainly why you collect each type of data. Link specific data types to specific purposes. Be honest about the distinction between what is essential for the service and what is for marketing or analytics.

For types and methods, list the categories of personal information you collect (identifiers, contact details, financial data, usage data, device information) and explain how each is gathered - directly from users, automatically via tracking, or from third-party sources.

For use and retention, explain what happens to data after collection and how long you keep it. Give concrete retention periods per data category. "For the duration of your account plus 30 days" is good. "As long as necessary" without context is not.
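The test an auditor applies to a retention statement, comparing what the notice says against what the datastore actually holds, is one the entity can run on itself before the audit. The following is an added example, not code from this page or from AuditFront: it loads the retention periods as stated in the notice into a small policy table, queries for live records older than the notice allows, and reports separately any category present in the data that the notice never mentions (the notice has to cover every type collected, so those are a finding of their own). The table names, columns, categories, retention periods and records are all constructed for the example, and an in-memory SQLite database stands in for the production store.

```python
import sqlite3
from datetime import date

# Constructed for this example: retention periods as the notice states them,
# expressed in days after the event that starts the clock for each category.
STATED_RETENTION_DAYS = {
    "account_profile": 30,     # "for the duration of your account plus 30 days"
    "usage_logs": 365,         # "12 months after last activity"
    "support_tickets": 730,    # "24 months after the ticket is closed"
}

# Constructed sample of what a production table might hold. trigger_at is the
# event the retention clock runs from (account closure, last activity, ticket
# closure); deleted_at is NULL while the record still exists.
SAMPLE_ROWS = [
    (1, "account_profile", "2024-05-20", None),          # inside the 30-day window
    (2, "account_profile", "2024-03-01", None),          # closed 92 days ago, still present
    (3, "account_profile", "2024-01-01", "2024-01-31"),  # disposed of on time
    (4, "usage_logs", "2023-01-15", None),               # well past 12 months
    (5, "usage_logs", "2023-09-01", None),               # within 12 months
    (6, "support_tickets", "2022-06-01", None),          # 731 days old: one day over
    (7, "marketing_preferences", "2024-05-01", None),    # category the notice never lists
]

AS_OF = date(2024, 6, 1)  # fixed reference date so the result is reproducible


def build_sample_db(stated, rows):
    """In-memory SQLite standing in for the real datastore (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE personal_data (id INTEGER PRIMARY KEY, category TEXT NOT NULL,"
        " trigger_at TEXT NOT NULL, deleted_at TEXT)"
    )
    conn.execute(
        "CREATE TABLE retention_policy (category TEXT PRIMARY KEY, days INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO personal_data VALUES (?, ?, ?, ?)", rows)
    conn.executemany("INSERT INTO retention_policy VALUES (?, ?)", stated.items())
    return conn


def find_retention_violations(conn, as_of):
    """Return {'overdue': {category: [(id, days_overdue), ...]}, 'undeclared': [ids]}.

    'overdue' lists live records kept longer than the notice states for their
    category; 'undeclared' lists live records whose category has no entry in the
    notice at all.
    """
    overdue = {}
    # The deadline is computed in SQL: trigger_at shifted by the category's
    # stated number of days, then compared with the reference date.
    query = """
        SELECT p.id, p.category,
               julianday(:as_of) - julianday(p.trigger_at, '+' || r.days || ' days')
        FROM personal_data p
        JOIN retention_policy r ON r.category = p.category
        WHERE p.deleted_at IS NULL
          AND julianday(p.trigger_at, '+' || r.days || ' days') < julianday(:as_of)
        ORDER BY p.id
    """
    for rid, cat, days in conn.execute(query, {"as_of": as_of.isoformat()}):
        overdue.setdefault(cat, []).append((rid, int(round(days))))

    undeclared = [
        rid
        for (rid,) in conn.execute(
            """SELECT id FROM personal_data
               WHERE deleted_at IS NULL
                 AND category NOT IN (SELECT category FROM retention_policy)
               ORDER BY id"""
        )
    ]
    return {"overdue": overdue, "undeclared": undeclared}


def run_check():
    """Build the constructed dataset and run the check against it."""
    conn = build_sample_db(STATED_RETENTION_DAYS, SAMPLE_ROWS)
    return find_retention_violations(conn, AS_OF)


if __name__ == "__main__":
    result = run_check()
    for cat, items in result["overdue"].items():
        for rid, days in items:
            print(f"FINDING {cat}: record {rid} kept {days} day(s) past the stated limit")
    for rid in result["undeclared"]:
        print(f"FINDING undeclared category: record {rid} is not covered by the notice")
```

Run against the sample, the check flags one record per declared category, including the support ticket that is a single day over its 24-month limit, and the marketing-preferences record whose category the notice omits. Against a real database the same join works unchanged if the retention_policy table is the single source that both the published notice and the purge job are generated from, which is what keeps the two from drifting apart in the first place.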

For disposal, describe how you destroy data when it is no longer needed, and reference the standards you follow for secure deletion (for example, NIST SP 800-88 for media sanitization). Address copies that outlive the primary record, such as backups, replicas, and logs, since the retention period you state applies to them as well.

For access rights, spell out what rights people have (access, correction, deletion, portability, objection), how to exercise them, and how quickly you will respond. Note any limitations and explain the appeals process.

For disclosure, identify the categories of third parties you share data with, why you share it, and the legal basis. Cover the common scenarios: service providers, business transfers, and legal obligations.

For security, describe your protections at a general level - encryption, access controls, regular assessments, certifications. Give enough detail to build confidence without publishing a roadmap for attackers.

For monitoring and enforcement, explain how you hold yourself accountable. Internal audits, privacy impact assessments, and a clear complaints mechanism all belong here.

Evidence Your Auditor Will Request

  • Privacy notice content analysis showing coverage of all required elements
  • Mapping document linking privacy notice statements to actual practices for each element
  • Evidence that each required element is addressed with sufficient detail and accuracy
  • Regular review records verifying that notice content remains complete as practices evolve
  • Privacy notice review by legal counsel or privacy professional confirming regulatory compliance

Common Mistakes

  • Privacy notice omits one or more required elements, such as retention periods or disposal practices
  • Elements are addressed superficially without providing meaningful information to data subjects
  • Security section reveals too much technical detail or conversely provides no useful information
  • Rights section does not clearly explain how individuals can exercise their rights
  • Disclosure section uses vague language without identifying categories of third-party recipients

Related Controls Across Frameworks

Framework      Control ID   Relationship
ISO 27001      A.5.34       Related
NIST CSF 2.0   GV.PO-01     Partial overlap

Frequently Asked Questions

How specific do retention periods need to be?
As specific as you can reasonably be. If a regulation dictates a retention period, state it. For other data, give meaningful criteria like "for the duration of your account plus 30 days" or "12 months after last activity." Vague statements like "as long as necessary" without further context will draw auditor questions. Different data types almost certainly have different retention needs, so list them separately.
Should we list specific third-party companies we share data with?
You do not always have to name specific companies, but it helps with transparency. At minimum, describe categories of recipients - cloud hosting providers, analytics services, payment processors. Some regulations (like CCPA) require specific category-level detail. A practical approach: maintain a separate sub-processor list that you can update independently without revising the entire privacy notice each time.
How do we describe security measures without creating risk?
Stay at the general level. Mention encryption in transit and at rest, access controls, regular security assessments, and your independent assurance (a SOC 2 report, ISO 27001 certification, etc.). Do not specify exact technologies, software versions, or configurations. The goal is giving users enough information to feel confident about your security without handing attackers a blueprint.
