Data Processing Notice Template for the United States
Generate a bespoke document
What is a Data Processing Notice?
The Data Processing Notice serves as a crucial compliance document in the U.S. privacy landscape, required by various federal and state regulations. It provides transparency about an organization's data processing activities and helps meet legal obligations under laws such as the CCPA/CPRA, HIPAA, and GLBA. The notice should be provided to individuals before or at the point of data collection, detailing the types of data collected, processing purposes, sharing practices, and individual rights regarding their personal information.
About the Data Processing Notice
A Data Processing Notice is a fundamental privacy document that you must provide to individuals when collecting or processing their personal data under United States law. This notice serves as your organization's transparent communication about data handling practices, ensuring compliance with federal regulations like the FTC Act and state laws such as the California Consumer Privacy Act (CCPA) and Virginia Consumer Data Protection Act (VCDPA).
When do you need this document?
You need a Data Processing Notice whenever your business collects, uses, or shares personal information from individuals. This applies to website operators collecting user data through cookies, healthcare providers processing patient information under HIPAA, financial institutions handling customer data under GLBA, and any business serving California residents under CCPA/CPRA. The notice must be provided at or before the point of data collection, whether through your website, mobile app, or in-person interactions. Organizations processing children's data must ensure COPPA compliance by obtaining verifiable parental consent before collection.
Key legal considerations
Your Data Processing Notice must clearly identify the legal basis for processing personal data, whether for legitimate business interests, contractual necessity, or legal compliance. The document should specify data retention periods and deletion practices, as individuals have rights to request data deletion under various state privacy laws. You must also disclose all categories of third parties who receive personal data and explain how individuals can exercise their privacy rights, including access, correction, and deletion requests. Be transparent about any automated decision-making or profiling activities that could significantly impact individuals. Consider including information about international data transfers if your organization shares data with overseas partners or service providers.
Legal requirements in United States
Under the FTC Act, your notice must not contain deceptive or unfair practices regarding data processing activities. CCPA and CPRA require comprehensive disclosures about data collection, sale, and sharing practices, including specific categories of personal information and business purposes. Healthcare organizations must ensure HIPAA compliance by detailing protected health information uses and patient rights. Financial institutions operating under GLBA must explain how customer financial data is collected, used, and shared with affiliates and third parties. State-specific laws like Virginia's VCDPA and Colorado's CPA impose additional requirements for data processing transparency and consumer rights. Your notice should be written in plain language, easily accessible to users, and regularly updated to reflect changes in data processing practices or applicable laws.
GOVERNING LAW
Applicable law
This Data Processing Notice is drafted to comply with United States law. Key legislation includes:
Explore 208,390+ legal templates
Explore 208,390+ legal templates
Genie's Security Promise
Genie is the safest place to draft. Here's how we prioritise your privacy and security.
Your data is private:
We do not train on your data; Genie's AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it