A policy governing data privacy
A privacy policy is the public statement of what a product does with personal data: what it collects, why, who it shares with, and how long it keeps it. Regimes like GDPR and CCPA make it mandatory rather than optional. The honest version describes what the product actually does; the gap between the policy and the practice is where most privacy trouble starts.
The privacy policy became a legal obligation, not a courtesy. Under GDPR's transparency duty, a controller must tell people, at the point of collection, who is collecting their data, for what purposes, and on what legal basis. California's CCPA, as amended by the CPRA, requires a "notice at collection" that lists the categories of personal information collected and how each is used, shared, or sold, and it permits that notice to be delivered as a linked section of the privacy policy (TermsFeed, CCPA Notice at Collection).
The bar has risen past mere disclosure. Current CCPA regulation expects the notice to state retention periods, whether data is sold or shared, and the named third parties controlling collection, and to be accessible to users with disabilities under WCAG (CPPA, General Notices). The drift across regimes is toward specificity: a vague "we value your privacy" page no longer satisfies a regulator, because the policy is now read as a list of verifiable claims.
That shift makes the policy-versus-practice distinction the one that matters. A privacy policy is a promise about data handling. If the product collects a field the policy omits, or retains data past the period it states, the document is not protecting the company; it is a written admission of the gap.
A consumer app's policy says it collects email and usage events, keeps them for twenty-four months, and shares nothing with advertisers. An engineer adds a marketing SDK that quietly ships device identifiers to an ad network. The product now does something the policy denies. A regulator or a researcher reading the policy against the actual network traffic finds the contradiction, and the document that was meant to be a shield becomes evidence. The fix is to model the policy against the real data sources, so that adding a new collector flags the policy that has to change before the feature ships, not after a complaint.
compliance_framework_requires_privacy_policy (Compliance Framework requires Privacy Policy, hierarchy) connects them.
privacy_policy_governs_data_source (Privacy Policy governs Data Source, cross-domain) makes checkable.
In the Unified Product Graph the privacy policy lives in the legal domain, with three defining edges. Product governed by Privacy Policy (hierarchy, product_governed_by_privacy_policy) ties it to the product it speaks for; Compliance Framework requires Privacy Policy (hierarchy, compliance_framework_requires_privacy_policy) records the regime that mandates it; and Privacy Policy governs Data Source (cross-domain, privacy_policy_governs_data_source) bridges into the data and analytics domain to name exactly what the policy covers. The domain's standing warning is the privacy policy with no scope, because a policy that connects to no data source is a promise no one can verify.
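One way to run that check over the edges named above, as an added example that is not the Unified Product Graph's own code. The node and edge dictionaries, the node type strings, the short ids, and the product_uses_data_source edge are assumptions made for illustration.

```python
# Added example. Only the GOVERNED_BY and GOVERNS edge names come from the page;
# node type strings, short ids and the dict layout are assumptions.
GOVERNED_BY = "product_governed_by_privacy_policy"
GOVERNS = "privacy_policy_governs_data_source"
USES = "product_uses_data_source"  # hypothetical edge, not in the page's schema

def targets(edges, edge_type, source):
    """Ids reached from `source` over edges of one type."""
    return {e["to"] for e in edges if e["type"] == edge_type and e["from"] == source}

def audit(nodes, edges):
    """Return (unscoped policy ids, [(product, uncovered data source)])."""
    by_type = {}
    for n in nodes:
        by_type.setdefault(n["type"], []).append(n["id"])

    # Standing warning: a policy that governs no data source cannot be verified.
    unscoped = sorted(p for p in by_type.get("privacy_policy", [])
                      if not targets(edges, GOVERNS, p))

    # Policy-versus-practice gap: a source the product uses that none of the
    # product's policies governs.
    gaps = []
    for product in by_type.get("product", []):
        covered = set()
        for policy in targets(edges, GOVERNED_BY, product):
            covered |= targets(edges, GOVERNS, policy)
        for source in sorted(targets(edges, USES, product) - covered):
            gaps.append((product, source))
    return unscoped, gaps

# Constructed sample graph mirroring the consumer-app scenario above.
NODES = [
    {"id": "app", "type": "product", "title": "Consumer app"},
    {"id": "pp-v3", "type": "privacy_policy", "title": "Privacy policy", "version": "3"},
    {"id": "pp-draft", "type": "privacy_policy", "title": "Draft policy", "version": "4"},
    {"id": "email", "type": "data_source", "title": "Account email"},
    {"id": "events", "type": "data_source", "title": "Usage events"},
    {"id": "ad-sdk", "type": "data_source", "title": "Marketing SDK device IDs"},
]
EDGES = [
    {"type": GOVERNED_BY, "from": "app", "to": "pp-v3"},
    {"type": GOVERNS, "from": "pp-v3", "to": "email"},
    {"type": GOVERNS, "from": "pp-v3", "to": "events"},
    {"type": USES, "from": "app", "to": "email"},
    {"type": USES, "from": "app", "to": "events"},
    {"type": USES, "from": "app", "to": "ad-sdk"},
]
```

Calling audit(NODES, EDGES) reports the draft policy as unscoped and the marketing SDK as a source the app uses without policy coverage; run as a pre-merge gate, a non-empty result blocks the feature until the policy is updated.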
Type-specific fields on BaseNode
version (string): Version identifier of the policy
last_updated (string): Date the policy was last updated (ISO format)
effective_date (string): Date the policy takes effect (ISO format)
url (string): URL where the policy is published
regulations (string[]): Regulations this policy addresses (e.g. "GDPR", "CCPA")
id (string, required): Unique identifier (UUID)
type (NodeType, required): Discriminator for the entity type
title (string, required): Display name
description (string): Optional detailed description
status (string): Lifecycle status
tags (string[]): Freeform tags for filtering
5 phases — initial: proposed · template: APPROVAL
3 edge types connected to this entity.
product_governed_by_privacy_policy, compliance_framework_requires_privacy_policy, privacy_policy_governs_data_source