Privacy
Trust Services Criteria · Last updated 2026-05-17

Privacy is one of the five Trust Services Criteria in SOC 2. It evaluates whether a service organization collects, uses, retains, discloses, and disposes of personal information in conformity with its privacy notice and applicable laws. Privacy controls cover consent management, data subject access rights, retention schedules, third-party data sharing disclosures, breach notification procedures, and alignment with privacy laws such as GDPR, CCPA, and HIPAA where relevant. The criterion overlaps with regulatory frameworks but is not a substitute for them: a company subject to GDPR still needs to comply with GDPR independently of any SOC 2 scope decisions. Auditors test Privacy controls by reviewing the published privacy notice, examining consent records, sampling data subject request fulfillment, and verifying that retention and disposal practices match documented schedules. Privacy is the least-selected optional category in SOC 2, partly because it overlaps heavily with regulatory compliance programs, but it remains important for companies that want a single attestation covering both their security and privacy posture.