What Is Privacy in SOC 2?
Privacy is one of the five Trust Service Criteria established by the AICPA for SOC 2® compliance, alongside Security, Availability, Processing Integrity, and Confidentiality. While those other criteria focus on system reliability and protection of business-critical data, Privacy zeroes in on the rights of individuals and the responsible management of personally identifiable information (PII).
In SOC 2®, Privacy refers to how your organization collects, uses, retains, discloses, and disposes of personal data in accordance with its privacy policies and customer expectations. It covers everything from user sign-up data to behavioral analytics and user-generated content.
You should consider including this criterion if your business handles:
Direct collection of customer PII (names, emails, addresses, IDs)
Tracking technologies (cookies, pixels, fingerprinting)
Behavioral profiling, recommendation engines, or personalized marketing
Data subject requests under GDPR or CCPA
Privacy Category and Criteria in SOC 2
The Privacy TSC includes a single category (P1), with eight criteria and associated Points of Focus. These outline how to handle personal data responsibly and transparently:
P1.1 – Notice and Communication
Organizations must inform users of their data practices (what data is collected, how it is used, and who it is shared with) through clear privacy notices or disclosures. These notices must reflect actual practices and be easy to find and understand.
P1.2 – Choice and Consent
Users should have options regarding the collection and use of their personal information. This includes cookie consent, opt-outs, and preferences. Organizations must obtain and document valid consent when required by law or policy.
P1.3 – Collection
Only data necessary for the intended purpose should be collected. Data minimization principles apply here: collect what’s needed, nothing more.
P1.4 – Use, Retention, and Disposal
Personal information must only be used for the purposes stated in the privacy notice. It should be retained only as long as necessary, then securely deleted or anonymized.
P1.5 – Access
Individuals should be able to access their personal data and request corrections or deletions. Companies must have processes in place to authenticate and fulfill such requests.
P1.6 – Disclosure and Notification
If personal data is shared with third parties, those relationships must be governed by proper agreements. In the event of a breach, users must be notified in accordance with relevant laws.
P1.7 – Quality
Data should be accurate, complete, and up to date. This involves validation checks, update mechanisms, and error resolution procedures.
P1.8 – Monitoring and Enforcement
There must be oversight mechanisms to ensure compliance with privacy policies and controls. This may include audits, privacy training, and an escalation process for issues.
When Should You Include Privacy in Your SOC 2® Audit?
Consider adding the Privacy criterion to your SOC 2® report if:
You operate a B2C platform or collect user-generated data
You rely on targeted advertising or behavioral analytics
You process PII from multiple jurisdictions (e.g. EU, US, Canada)
Customers or partners ask how you handle data subject rights
Adding Privacy demonstrates that your company goes beyond security: it actively respects user data and complies with global standards.
Best Practices for Meeting the Privacy Criterion
To build a privacy-ready system, organizations typically implement:
Transparent privacy policies and consent workflows
Cookie management platforms (CMPs) for tracking consent
Role-based access to personal data
Data subject request portals or intake forms
Data minimization and anonymization tools
Logging and documentation of user data actions
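The retention, disposal, minimization and logging practices listed above can be made concrete in code. The following is an added example written for this page, not AICPA material or any vendor's tool: a purpose-based field allowlist (P1.3), a retention sweep that deletes or anonymizes records past their limit (P1.4), and an append-only audit log of every action taken on personal data. The purposes, retention periods, field names and sample records are constructed assumptions chosen to illustrate the mechanism.

```python
"""Data minimization, retention sweep and audit trail for personal data.

Added example for the SOC 2 Privacy discussion. All policy values below
(purposes, retention periods, allowlists, sample records) are constructed
assumptions, not values taken from the Trust Service Criteria.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed retention policy: how long a record may be kept per stated purpose (P1.4).
RETENTION = {
    "account": timedelta(days=730),     # active account data
    "marketing": timedelta(days=180),   # consent-based marketing profile
    "analytics": timedelta(days=90),    # behavioural analytics
}

# Constructed disposal rule per purpose: hard delete, or strip PII and keep aggregates.
DISPOSAL = {"account": "delete", "marketing": "delete", "analytics": "anonymize"}

# Constructed minimization allowlist: fields a purpose is permitted to collect (P1.3).
ALLOWED_FIELDS = {
    "account": {"email", "name"},
    "marketing": {"email", "preferences"},
    "analytics": {"page_views", "country", "ip"},
}

# Fields that identify a person; anonymization removes them.
PII_FIELDS = {"email", "name", "ip"}


@dataclass
class Record:
    subject_id: Optional[str]     # None once the record has been anonymized
    purpose: str
    last_activity: datetime
    data: dict


def minimize(purpose: str, submitted: dict) -> tuple[dict, list[str]]:
    """Keep only fields the stated purpose is allowed to collect; report what was dropped."""
    allowed = ALLOWED_FIELDS[purpose]
    kept = {k: v for k, v in submitted.items() if k in allowed}
    dropped = sorted(k for k in submitted if k not in allowed)
    return kept, dropped


def anonymize(record: Record) -> Record:
    """Strip identifying fields and unlink the record from its data subject."""
    scrubbed = {k: v for k, v in record.data.items() if k not in PII_FIELDS}
    return Record(subject_id=None, purpose=record.purpose,
                  last_activity=record.last_activity, data=scrubbed)


def sweep(records: list[Record], now: datetime, log: list[dict]) -> list[Record]:
    """Apply the retention policy; every disposal is written to the audit log.

    The log entry carries the subject identifier so fulfilment can be evidenced
    to an auditor; the log itself is personal data and needs its own retention.
    """
    retained = []
    for rec in records:
        age = now - rec.last_activity
        limit = RETENTION[rec.purpose]
        if age <= limit:
            retained.append(rec)
            continue
        action = DISPOSAL[rec.purpose]
        log.append({
            "ts": now.isoformat(), "action": action, "purpose": rec.purpose,
            "subject_id": rec.subject_id,
            "reason": f"age {age.days}d exceeds retention {limit.days}d",
        })
        if action == "anonymize":
            retained.append(anonymize(rec))   # deleted records are simply not re-added
    return retained


# Constructed sample data: one record per purpose, two of them past retention.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def sample_records() -> list[Record]:
    return [
        Record("u1", "account", NOW - timedelta(days=10),
               {"email": "a@example.com", "name": "Ana"}),
        Record("u2", "marketing", NOW - timedelta(days=200),
               {"email": "b@example.com", "preferences": ["news"]}),
        Record("u3", "analytics", NOW - timedelta(days=120),
               {"page_views": 42, "country": "DE", "ip": "203.0.113.7"}),
    ]


def run_demo() -> tuple[list[Record], list[dict]]:
    log: list[dict] = []
    retained = sweep(sample_records(), NOW, log)
    return retained, log


if __name__ == "__main__":
    retained, log = run_demo()
    for entry in log:
        print(entry)
    print(f"{len(retained)} record(s) retained")
```

Running the sweep against the sample data deletes the stale marketing profile, anonymizes the stale analytics record (keeping page views and country, dropping the IP and the link to the subject) and leaves the active account untouched, with one audit entry per disposal. Separating the retention table from the disposal rule matters in practice: analytics often has a legitimate need for de-identified aggregates after the identifiable record must go, whereas marketing data under consent usually has no such afterlife.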
SOC 2® Privacy helps translate privacy promises into action. It’s about protecting trust at the most personal level. Whether you serve individuals directly or hold customer data in trust, including the Privacy criterion makes a clear statement: people’s data matters here.