SOC2-P1-PRIVACY-NOTICE

Privacy Notice and Consent Management

Control type: preventive
Effectiveness: medium
Review frequency: annually

What this control does

A public privacy notice that clearly communicates what personal data is collected, how it is used, who it is shared with, and what rights users have over it.

Implementation guidance

Publish a privacy policy that covers: data collected, purpose, legal basis, third parties, retention periods, and user rights (access, deletion, portability). Review and update annually or when data practices change. Obtain explicit consent for any new use of previously collected data.

Requirements satisfied

P1.1

Why it matters

Without a clear, publicly available privacy notice, users cannot make informed decisions about sharing personal data, exposing the organization to privacy law violations (GDPR, CCPA, etc.) and loss of user trust. A vague or outdated notice also undermines the validity of any consent obtained under it: if users agreed to a description that no longer matches actual data handling, that consent may not cover current processing, increasing exposure to regulatory penalties and reputational damage.

Evidence to collect

  • Current published privacy notice with effective date and list of all data categories collected
  • Consent management system logs showing explicit opt-in records for new data uses in past 12 months
  • Document or log showing when privacy notice was last reviewed/updated and what changes were made
  • Evidence of user communication (email, in-app banner, notification) when material privacy practices changed

Testing procedure

Retrieve the organization's published privacy notice (the live version users actually see, not an internal draft) and verify it explicitly identifies: (1) all personal data categories collected, (2) the lawful basis for collection (consent, contract, legal obligation, etc.), (3) third-party recipients and their purposes, (4) retention schedules by data type, and (5) user rights (access, deletion, portability, objection). Confirm a documented review was completed within the last 12 months and that the effective date on the published notice matches the review record. Then spot-check 3 to 5 recent data practice changes (new integrations, vendors, analytics or AI tools) and verify that users were notified before each change took effect and, where consent is the stated lawful basis, that fresh opt-in records exist with timestamps preceding the change.

Common gotchas

Many organizations publish generic boilerplate notices that do not reflect their actual data practices, leaving them non-compliant when audited against real workflows. A critical pitfall is failing to update the notice after adding integrations, third-party vendors, or AI/analytics tools: regulatory bodies now closely scrutinize notices for accuracy and completeness, so the notice should be reconciled against the organization's current data inventory and vendor list at every review, not just re-dated.