SOC 2 Privacy Criteria

A deep dive on the SOC 2 Privacy Trust Services Criterion, covering the P1 through P8 categories: notice, choice, collection, use, access, disclosure, and quality.

Privacy is the most demanding SOC 2 criterion

Privacy has eight control categories — P1 through P8 — which is more than any other SOC 2 Trust Services Criterion. It touches every team that handles personal information and requires operational discipline across the full data lifecycle: notice, choice, collection, use, retention, disclosure, access, and monitoring. For organizations adding the privacy criterion to an existing SOC 2, the scope expansion is substantial. For those starting fresh with privacy in scope, the readiness effort is significant.

The privacy criterion applies when the organization collects and processes personal information — data that can identify an individual. It aligns closely with regulations like GDPR, CCPA, PIPEDA, and other data protection laws, though SOC 2 Privacy attests to controls, not regulatory compliance. Buyers often request it as operational assurance that privacy commitments are not theoretical.

The eight privacy categories

The Trust Services Criteria organize the privacy criterion into eight control categories. Each maps to a principle in the AICPA's generally accepted privacy principles.

Category | Focus
P1 — Notice | Providing notice about privacy practices
P2 — Choice and consent | Obtaining informed consent
P3 — Collection | Collecting only what is needed
P4 — Use, retention, and disposal | Using data for stated purposes; retaining and disposing appropriately
P5 — Access | Providing data subjects access to their personal information
P6 — Disclosure and notification | Disclosing to third parties and notifying of breaches
P7 — Quality | Maintaining accurate and complete personal information
P8 — Monitoring and enforcement | Monitoring privacy practices and enforcing commitments

Each category has specific points of focus. Below, we summarize the operational controls for each.

P1 — Notice

P1 requires that the organization provide notice about its privacy practices. The notice must be readily available, describe the entity's practices clearly, and be updated when practices change.

Typical controls

  • Published privacy notice on the company website
  • Notice at the point of data collection where relevant
  • Version history with effective dates
  • Procedures for updating and re-communicating notice when practices change
  • Internal policy on when notice updates are required

Evidence expectations

  • Current notice document
  • Prior versions with effective dates
  • Records of material changes during the observation period

P2 — Choice and consent

P2 addresses how individuals exercise choice over their personal information. This includes opt-in, opt-out, and consent mechanisms.

Typical controls

  • Consent management platform or equivalent
  • Opt-in and opt-out workflows aligned to applicable law
  • Consent records with timestamp, scope, and method
  • Procedures for responding to revoked consent
  • Cookie consent and tracking preferences where relevant

Evidence expectations

  • Consent configuration
  • Sample consent records
  • Revocation handling evidence
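The P2 controls above ask for consent records that carry a timestamp, a scope, and a capture method, plus a way to honour revocation. The following is an added example (not code from the page or from episki) of consent kept as an append-only system of record: each decision is an event, the current answer for a purpose is the latest event for that subject and purpose, and a subject's full history is what an auditor or a subject access request would be shown. The subject ids, purpose names, methods and notice versions are constructed for illustration.

```python
"""Consent as a system of record: an added example, not code from the page or from episki.

Each consent decision is an append-only event carrying the timestamp, scope
(purpose) and capture method that P2 evidence asks for. Subject ids, purpose
names, methods and notice versions below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # scope of the consent, e.g. "marketing_email" (constructed)
    granted: bool         # True for opt-in, False for opt-out / revocation
    method: str           # how it was captured: "web_form", "cookie_banner", "support_ticket"
    at: datetime          # timezone-aware capture time
    notice_version: str   # privacy notice version in force (ties P2 evidence back to P1)


class ConsentLedger:
    """Append-only store; decisions are never edited, only superseded by later events."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(event)

    def latest(self, subject_id: str, purpose: str,
               as_of: Optional[datetime] = None) -> Optional[ConsentEvent]:
        """Most recent decision for (subject, purpose) at or before as_of."""
        as_of = as_of or datetime.now(timezone.utc)
        candidates = [e for e in self._events
                      if e.subject_id == subject_id and e.purpose == purpose and e.at <= as_of]
        return max(candidates, key=lambda e: e.at) if candidates else None

    def is_permitted(self, subject_id: str, purpose: str,
                     as_of: Optional[datetime] = None) -> bool:
        """Default-deny: no recorded opt-in means no processing for that purpose."""
        e = self.latest(subject_id, purpose, as_of)
        return e is not None and e.granted

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Chronological trail for one subject: what a SAR (P5) or an auditor is shown."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.at)


def permitted_on(ledger: ConsentLedger, subject_id: str, purpose: str, iso_time: str) -> bool:
    """Point-in-time check, e.g. to reconstruct whether a past send was permitted."""
    return ledger.is_permitted(subject_id, purpose, datetime.fromisoformat(iso_time))


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample: opt-in via web form, later revocation via a support ticket."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2024, 3, 5, 14, 30, tzinfo=timezone.utc)
    ledger.record(ConsentEvent("user-123", "marketing_email", True, "web_form", t0, "notice-v3"))
    ledger.record(ConsentEvent("user-123", "analytics_cookies", True, "cookie_banner", t0, "notice-v3"))
    ledger.record(ConsentEvent("user-123", "marketing_email", False, "support_ticket", t1, "notice-v3"))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for e in ledger.history("user-123"):
        print(e.at.isoformat(), e.purpose, "granted" if e.granted else "revoked", "via", e.method)
    print("marketing allowed now:", ledger.is_permitted("user-123", "marketing_email"))
```

The point-in-time query matters for evidence: an auditor sampling a marketing send from February can be shown that consent was in force on that date even though it was later revoked, and the revocation itself is a record rather than a deleted row.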

P3 — Collection

P3 requires that personal information be collected for specified purposes and limited to what is necessary. This is the data minimization principle.

Typical controls

  • Documented purposes for each data element collected
  • Data inventory or data map
  • Review of collection forms and API endpoints for minimization
  • Controls preventing collection of unrelated or unnecessary data
  • Purpose limitation during new feature design

Evidence expectations

  • Data map or inventory
  • Privacy impact assessments for new data flows
  • Collection forms reviewed against documented purposes

P4 — Use, retention, and disposal

P4 addresses how personal information is used after collection and what happens when it is no longer needed.

Typical controls

  • Purpose limitation enforced through access controls and code review
  • Data retention schedule with defined periods per data type
  • Automated or tracked deletion when retention expires
  • Disposal procedures for physical and logical data
  • Documentation of exceptions and legal holds

Evidence expectations

  • Retention schedule
  • Evidence of automated deletion (job logs, records)
  • Disposal records for the observation period
  • Examples of purpose limitation (access restrictions tied to purpose)
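The P4 controls call for a retention schedule per data type, automated deletion when a period expires, and documented exceptions such as legal holds, with job logs as the evidence. The block below is an added example (not the page's or episki's code) of a scheduled retention job that implements those three points together: it applies a per-type schedule, refuses to delete anything under legal hold or of a type the schedule does not cover, and writes one log line per decision so a single run produces the record an auditor would ask for. The schedule periods, record types and sample data are constructed.

```python
"""Automated retention with legal-hold exceptions: an added example, not code from the page or episki.

A scheduled job applies a per-data-type retention schedule (P4), skips records under
legal hold or of unknown type, and emits one log line per decision so the run itself
is audit evidence. The schedule, record types and sample data are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

Record = Dict[str, object]

# Constructed schedule; real periods come from the organisation's retention policy.
RETENTION_SCHEDULE: Dict[str, timedelta] = {
    "support_ticket": timedelta(days=365),
    "marketing_lead": timedelta(days=180),
    "access_log": timedelta(days=90),
}


def classify(record: Record, legal_holds: Set[str], now: datetime) -> Tuple[str, str]:
    """Return ("delete" | "retain", reason). Unknown types are retained, never silently deleted."""
    period = RETENTION_SCHEDULE.get(str(record["type"]))
    if period is None:
        return "retain", "no retention period defined for type; schedule needs an entry"
    if record["subject_id"] in legal_holds:
        return "retain", "legal hold on data subject"
    if record["created_at"] + period <= now:
        return "delete", f"expired: older than {period.days} days"
    return "retain", "within retention period"


def run_retention_job(store: Dict[int, Record], legal_holds: Set[str],
                      now: datetime) -> Dict[str, object]:
    """Delete expired records from the store in place and return a structured job log."""
    log: List[str] = []
    deleted: List[int] = []
    retained: List[int] = []
    for rid, rec in list(store.items()):
        action, reason = classify(rec, legal_holds, now)
        age_days = (now - rec["created_at"]).days
        log.append(f'{now.isoformat()} {action.upper()} id={rid} type={rec["type"]} '
                   f'age_days={age_days} reason="{reason}"')
        if action == "delete":
            del store[rid]
            deleted.append(rid)
        else:
            retained.append(rid)
    return {"deleted": deleted, "retained": retained,
            "remaining": sorted(store.keys()), "log": log}


def build_sample_store() -> Dict[int, Record]:
    """Constructed records; created_at values are timezone-aware UTC."""
    def rec(rid: int, typ: str, subject: str, y: int, m: int, d: int) -> Record:
        return {"id": rid, "type": typ, "subject_id": subject,
                "created_at": datetime(y, m, d, tzinfo=timezone.utc)}
    return {
        1: rec(1, "support_ticket", "user-1", 2023, 1, 15),   # 532 days old at the sample run time
        2: rec(2, "support_ticket", "user-2", 2024, 1, 15),   # 167 days old, still within 365
        3: rec(3, "marketing_lead", "user-3", 2023, 11, 1),   # past 180 days, but user-3 is on hold
        4: rec(4, "access_log", "user-4", 2024, 3, 1),        # 121 days old, past the 90-day period
        5: rec(5, "chat_transcript", "user-5", 2022, 6, 1),   # type missing from the schedule
    }


SAMPLE_RUN_TIME = datetime(2024, 6, 30, tzinfo=timezone.utc)


def sample_run() -> Dict[str, object]:
    """Run the job over the constructed store with user-3 under legal hold."""
    store = build_sample_store()
    return run_retention_job(store, legal_holds={"user-3"}, now=SAMPLE_RUN_TIME)


if __name__ == "__main__":
    for line in sample_run()["log"]:
        print(line)
```

Two design choices carry the evidence value: a record whose type has no schedule entry is retained and logged as a gap rather than deleted, so the log surfaces an incomplete schedule instead of hiding it, and the legal-hold check runs before the age check, so a held record never reaches the delete path regardless of how old it is.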

P5 — Access

P5 requires procedures for providing data subjects with access to their personal information, including correction or deletion rights.

Typical controls

  • Subject access request (SAR) intake process
  • Identity verification procedures
  • Response timelines aligned to applicable law
  • Procedures for correction, deletion, and objection requests
  • SAR tracking system with full audit trail

Evidence expectations

  • SAR policy and procedure
  • Sample SAR cases closed during the period
  • Response timeline metrics

P6 — Disclosure and notification

P6 covers how personal information is shared with third parties and how breaches are handled.

Typical controls

  • Data processing agreements with all processors
  • Subprocessor notification procedures
  • Breach detection and notification procedures
  • Notification templates for regulators and data subjects
  • Records of disclosures for accounting purposes

Evidence expectations

  • DPA templates and executed DPAs
  • Subprocessor list
  • Breach response procedures
  • Notification records if any occurred during the period

See the glossary entry on breach notification.

P7 — Quality

P7 addresses maintaining accurate, complete, and current personal information. This intersects with both P5 (correction rights) and operational data quality.

Typical controls

  • Data quality checks at collection and processing
  • Procedures for correcting inaccurate information
  • Periodic data quality reviews
  • Deduplication processes
  • Customer-facing update flows

Evidence expectations

  • Data quality policy and reviews
  • Evidence of corrections handled during the period
  • Sample of updated records

P8 — Monitoring and enforcement

P8 closes the loop by requiring that privacy practices are monitored and enforced across the organization.

Typical controls

  • Privacy training for staff
  • Periodic privacy compliance reviews
  • Investigation and remediation of privacy complaints
  • Privacy metrics reported to leadership
  • Enforcement actions (disciplinary procedures for violations)

Evidence expectations

  • Training completion records
  • Privacy reviews or assessments
  • Complaint log and resolutions
  • Metric reports to leadership

Overlap with other Trust Services Criteria

Privacy pulls heavily from the Common Criteria and often overlaps with confidentiality.

  • CC6 (access control) — access restrictions on personal data
  • CC7 (monitoring) — detection of privacy events
  • CC9 (risk) — privacy risk assessment and vendor oversight
  • Confidentiality — technical controls like encryption apply to both
  • Security — the foundation of privacy

A well-mapped control inventory lets a single encryption, access, or disposal control support multiple criteria simultaneously.

How this fits into SOC 2

Privacy is often the last criterion added because of its scope. Organizations typically pursue security first, add availability or confidentiality based on customer commitments, and layer privacy on top when GDPR, CCPA, or enterprise privacy expectations demand it. Because privacy spans the entire data lifecycle, it benefits from strong policies and procedures and a mature vendor management program.

Buyers who request a SOC 2 report with privacy in scope are usually asking about operational discipline, not legal compliance. Pair SOC 2 Privacy with explicit GDPR or CCPA programs, DPAs, and regulatory filings for a complete privacy story.

Evidence auditors expect

Beyond the category-specific evidence listed above, auditors typically request:

  • Data map or inventory spanning the observation period
  • Privacy impact assessments for new data flows
  • Training completion records
  • Executed DPAs and subprocessor lists
  • Full SAR case logs for the period
  • Breach response records if applicable

Common mistakes

  • Privacy policy without practice. A published notice that does not reflect actual data flows fails walkthroughs fast.
  • No data map. Without a data inventory, it is impossible to demonstrate P3 (collection limited to purpose) or P4 (retention by type).
  • Manual SAR handling with no audit trail. Responses happen but nothing is logged. Auditors need the record.
  • Subprocessor gaps. Vendors that process personal data without DPAs are a P6 finding.
  • Training as a checkbox. Annual training that nobody actually completes is a P8 weakness.

Implementation tips

  • Build the data map first. Every privacy control depends on knowing what personal data exists, where, and why.
  • Treat consent as a system of record, not a form. A consent management platform that produces auditable records is far stronger than email trails.
  • Automate retention. Scheduled deletion jobs are cleaner evidence than manual cleanup.
  • Run a quarterly privacy review covering new data flows, new subprocessors, and any incidents. Document it.
  • Align SOC 2 Privacy work with your GDPR and CCPA programs so artifacts are reused.

How episki helps

episki maps the P1 through P8 control categories to operational workflows — consent management, SAR tracking, data inventory, subprocessor management — and collects evidence continuously. Start a free trial or read the full SOC 2 framework guide to see how privacy integrates with security, confidentiality, and the rest of the Trust Services Criteria.
