GRCWatch
Sign inStart free trial

SOC 2 P1.1: Privacy Notice Requirements

Privacy notice is foundational to SOC 2 compliance—data subjects must understand how their information is collected, used, and protected. P1.1 requires you to provide clear, timely notice and update it whenever your privacy practices change. Without documented, accessible privacy communications, you create audit risk and erosion of user trust.

What this means

P1.1 mandates that your organization inform data subjects about its privacy practices in support of privacy objectives. This includes transparent disclosure of data collection, use, retention, and sharing practices. When your privacy practices change—whether in data handling, third-party sharing, or retention periods—you must communicate those changes to affected data subjects promptly and clearly. The control emphasizes both initial transparency and ongoing communication as privacy practices evolve.

How to comply

  1. 1.Draft a comprehensive privacy notice that discloses all data collection, use, retention, and sharing practices relevant to your service
  2. 2.Make the privacy notice easily accessible to all data subjects (e.g., website footer, account settings, during signup)
  3. 3.Establish a process to identify and document changes to privacy practices
  4. 4.Define notification timelines for communicating material privacy changes to data subjects (e.g., via email, in-app notification, or dashboard alert)
  5. 5.Maintain version control of your privacy notice with effective dates and change logs
  6. 6.Test and verify that all data subjects receive privacy notice updates before new practices take effect
  7. 7.Document your communication process and retain evidence of all notices sent

Evidence auditors look for

  • Published privacy policy with version history and effective dates
  • Email templates or notification records for privacy practice changes sent to users
  • Screenshot or log of privacy notice accessibility in your product
  • Change management documentation linking business decisions to privacy notice updates
  • Records of communications to data subjects before implementation of new privacy practices
  • Signed or timestamped privacy policy acknowledgments from key user segments

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates privacy notice change tracking and user notification workflows, generating audit-ready evidence of timely communication for P1.1 compliance.

See how GRCWatch handles this control automatically

Start free trial

Related controls

P2.1 — Notice of ChangesP3.1 — Choice and ConsentP7.1 — Data Quality