SOC 2 Privacy Criteria
GDPR & Data Subject Rights
Demonstrate your commitment to protecting personal data and honoring data subject rights. Privacy criteria prove you comply with GDPR, CCPA, and other privacy regulations — critical for companies processing EU/California customer data.
Privacy is an optional Trust Services Criteria (the P1–P8 series) — only Security (CC1–CC9) is mandatory in every SOC 2 report.
AICPA Trust Services Criteria · SSAE 18 attestation · Last reviewed June 2026
Direct Answer
Is the Privacy criterion mandatory?
The SOC 2 Privacy criterion is the optional AICPA Trust Services Criterion that evaluates how an organization collects, uses, retains, discloses, and disposes of personal information in line with its own privacy notice and the AICPA Privacy Management Framework. It is structured as the eight P-series criteria (P1–P8) and is examined as part of a SOC 2 report — an SSAE 18 attestation performed by a licensed CPA, not a certification (AICPA).
The Criterion
What is the SOC 2 Privacy criteria?
The Privacy criteria demonstrate that your organization protects personal data and honors data subject rights in accordance with GDPR, CCPA, and other privacy regulations. Unlike the Security criteria (which are mandatory), Privacy is optional — but it's critical for companies processing EU or California customer data.
If you process personal data (names, emails, addresses, payment information) from EU or California residents, you should include Privacy in your SOC 2 report to demonstrate GDPR/CCPA compliance.
Optional but Critical for GDPR/CCPA Compliance
Companies processing EU or California customer data need this
Proves Data Subject Rights Compliance
Validates processes for access, rectification, erasure, and portability
Covers Consent Management & Privacy Notices
Demonstrates transparent data practices and user consent
Required by EU/UK Customers
European customers often require Privacy criteria in SOC 2 reports
When to Include Privacy Criteria
EU/UK Customers
Processing personal data of EU/UK residents (GDPR compliance)
California Customers
Processing personal data of California residents (CCPA compliance)
B2C SaaS Platforms
Consumer-facing apps collecting personal information
Healthcare/HR Systems
Systems processing sensitive personal data (health, employment)
The Controls
8 Key Privacy Controls
Implement these controls to demonstrate personal data protection and meet SOC 2 Privacy criteria requirements.
Privacy Notice & Transparency
Clear privacy notices informing data subjects about data collection, use, and sharing practices.
Key Implementation Points
- Comprehensive privacy policy published
- Notice at collection (what data, why, how long)
- Third-party data sharing disclosures
- Privacy policy updates communicated to users
- Privacy notice in plain language (not legalese)
Consent Management
Obtaining and managing user consent for data collection and processing activities.
Key Implementation Points
- Explicit consent for data collection
- Opt-in for marketing communications
- Granular consent options (not all-or-nothing)
- Consent withdrawal mechanism
- Consent records maintained and auditable
Data Subject Rights (GDPR)
Processes to honor data subject rights including access, rectification, erasure, and portability.
Key Implementation Points
- Right to access - provide copy of personal data
- Right to rectification - correct inaccurate data
- Right to erasure (right to be forgotten)
- Right to data portability - export in machine-readable format
- Response within 30 days (GDPR requirement)
Data Retention & Deletion
Documented data retention policies with automated deletion after retention period expires.
Key Implementation Points
- Data retention policy documented
- Retention periods defined by data type
- Automated deletion after retention period
- Legal hold procedures for litigation
- Deletion verification and audit trails
Purpose Limitation
Ensuring personal data is only used for the purposes disclosed in the privacy notice.
Key Implementation Points
- Data processing purposes documented
- No secondary use without additional consent
- Purpose limitation training for employees
- Data processing agreements with vendors
- Regular audits of data usage
Data Minimization
Collecting only the minimum personal data necessary for the stated purpose.
Key Implementation Points
- Data minimization policy documented
- Regular review of data collection forms
- Removal of unnecessary data fields
- Justification for each data element collected
- Privacy by design in new features
Third-Party Data Sharing Controls
Controls over sharing personal data with third parties including vendors and partners.
Key Implementation Points
- Data Processing Agreements (DPAs) with vendors
- Third-party privacy assessments
- Disclosure of third-party sharing in privacy notice
- Vendor data handling audits
- Prohibition of unauthorized data sharing
Privacy Impact Assessments (PIAs)
Systematic assessment of privacy risks for new products, features, or data processing activities.
Key Implementation Points
- PIA required for new data processing activities
- Privacy risk identification and mitigation
- PIA review and approval process
- PIA documentation maintained
- Annual PIA reviews for existing systems
From the Audit Floor
Common Privacy Mistakes
The patterns we see derail Privacy evidence — and how to keep your report clean the first time.
Generic Privacy Policy
Using a template privacy policy without customizing it to your actual data practices.
Fix: Document actual data collection, use, and sharing practices. Update privacy policy to reflect reality.
No Data Subject Rights Process
Lacking documented procedures to handle GDPR data subject requests (access, erasure, portability).
Fix: Implement documented process for handling data subject requests with 30-day response SLA.
Implied Consent Instead of Explicit
Assuming consent without explicit opt-in (e.g., pre-checked boxes) violates GDPR.
Fix: Implement explicit opt-in consent with unchecked boxes and clear consent language.
Indefinite Data Retention
Keeping personal data forever without documented retention periods violates data minimization.
Fix: Define retention periods by data type and implement automated deletion after expiration.
Missing DPAs with Vendors
Sharing personal data with vendors without Data Processing Agreements violates GDPR.
Fix: Require DPAs with all vendors processing personal data on your behalf.
No Privacy Impact Assessments
Launching new features without assessing privacy risks can lead to GDPR violations.
Fix: Require PIAs for new data processing activities with privacy risk mitigation.
Frequently Asked Questions
Core questions on the AICPA SOC 2 Privacy criterion (P1–P8), how it differs from Confidentiality, and the evidence auditors request.
Is the Privacy criterion mandatory for SOC 2?
No. In a SOC 2 examination only the Security category (the Common Criteria, CC1–CC9) is mandatory. Privacy is one of four optional add-on Trust Services Criteria, alongside Availability, Processing Integrity, and Confidentiality. Companies typically add Privacy when they collect personal information directly from individuals and their customers or regulators want assurance over how that data is handled.
What does the Privacy criterion actually cover (P1–P8)?
The AICPA Privacy criterion is organised into eight series of criteria: P1 Notice and communication of privacy practices; P2 Choice and consent; P3 Collection; P4 Use, retention, and disposal; P5 Access; P6 Disclosure to third parties; P7 Quality (keeping personal information accurate and complete); and P8 Monitoring and enforcement. It evaluates whether the entity collects, uses, retains, discloses, and disposes of personal information in line with its own privacy notice and the AICPA Privacy Management Framework.
How is the Privacy criterion different from Confidentiality?
They protect different things. The Privacy criterion applies specifically to personal information — data about an identifiable individual — and follows that information across its full lifecycle against the commitments in your privacy notice. The Confidentiality criterion applies to any information you have agreed to keep confidential, such as business plans, source code, or contracts, regardless of whether it relates to a person. A SaaS platform handling consumer PII would usually add Privacy; one protecting clients’ proprietary data would add Confidentiality.
Does the Privacy criterion make us GDPR or DPDP compliant?
Not automatically. SOC 2 Privacy is an AICPA attestation that you meet your stated privacy commitments and the Trust Services Criteria; GDPR, CCPA, and India’s DPDP Act are separate legal regimes with their own obligations. The controls overlap heavily — notice, consent, data-subject rights, retention limits, and vendor data-processing agreements all support both — so a well-run SOC 2 Privacy programme is strong evidence of good privacy hygiene, but it is not a substitute for a formal GDPR or DPDP assessment.
What evidence will auditors request for the Privacy criterion?
For a Type II report expect a CPA to sample evidence across the period: the published privacy notice and its version history (P1), consent and opt-in/opt-out records (P2), data-collection and minimisation justification (P3), the data-retention and disposal schedule plus deletion logs (P4), records of data-subject access and correction requests (P5/P7), data-processing agreements with sub-processors and disclosure logs (P6), and privacy training, incident records, and monitoring evidence (P8).
Going Deeper
More on SOC 2 Privacy & Data Subject Rights
Is Privacy criteria mandatory for SOC 2?
No, Privacy is optional. Only the Security criteria (CC1–CC9) are mandatory. However, companies processing EU or California customer data should include Privacy to demonstrate GDPR/CCPA compliance. If you have EU/UK customers or California residents using your platform, you likely need these criteria.
What are the 8 data subject rights under GDPR?
The 8 GDPR data subject rights are:
- Right to be informed: transparent privacy notices
- Right of access: provide a copy of personal data
- Right to rectification: correct inaccurate data
- Right to erasure (right to be forgotten): delete data
- Right to restrict processing: limit how data is used
- Right to data portability: export in a machine-readable format
- Right to object: opt out of processing
- Rights related to automated decision-making: human review of automated decisions
You must respond within 30 days.
What's the difference between GDPR and CCPA?
GDPR (EU) applies to the processing of personal data of EU/UK residents. It requires explicit consent, a 30-day response to data subject requests, and carries strict penalties (up to 4% of global revenue). CCPA (California) applies to the processing of personal data of California residents. It allows opt-out instead of opt-in, gives a 45-day response window, and carries lower penalties. Both require privacy notices, data subject rights, and data minimization. SOC 2 Privacy criteria can cover both GDPR and CCPA compliance.
How do I handle data subject access requests (DSARs)?
- Step 1: Verify the identity of the requester (prevents unauthorized disclosure).
- Step 2: Search all systems for personal data (databases, backups, logs, emails).
- Step 3: Compile the data in a machine-readable format (CSV, JSON).
- Step 4: Redact third-party personal data (do not disclose other individuals' data).
- Step 5: Deliver within 30 days (GDPR) or 45 days (CCPA).
- Step 6: Document the request and the response.
Use tools like OneTrust or TrustArc, or build a custom DSAR portal.
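The six DSAR steps above, carried through in one added example (not the page's or any vendor's code): the export is refused until identity is verified, records for the subject are gathered across systems, fields holding other people's data are redacted, the output is JSON, the deadline is computed from the 30/45-day windows the page states, and an audit record is produced. The sample store, field names and dates are constructed assumptions.

```python
import json
from datetime import date, timedelta

# Response windows as stated on this page: 30 days under GDPR, 45 under CCPA.
RESPONSE_WINDOW_DAYS = {"GDPR": 30, "CCPA": 45}

def response_deadline(received_on, regime):
    """Date by which the response must be delivered for the given regime."""
    return received_on + timedelta(days=RESPONSE_WINDOW_DAYS[regime])

# Constructed sample store spanning two systems. The support record also
# names the handling agent, i.e. a third party's personal data.
SAMPLE_STORE = [
    {"system": "crm", "subject_id": "u-100", "email": "alice@example.com", "plan": "pro"},
    {"system": "support", "subject_id": "u-100", "ticket": "T-7",
     "agent_email": "bob@example.com", "body": "Refund request"},
    {"system": "crm", "subject_id": "u-200", "email": "carol@example.com", "plan": "free"},
]
# Fields that carry personal data about someone other than the requester.
THIRD_PARTY_FIELDS = {"agent_email"}
SAMPLE_RECEIVED = date(2025, 1, 1)

def compile_dsar_export(subject_id, store=SAMPLE_STORE, third_party_fields=THIRD_PARTY_FIELDS):
    """Step 2 and 4: collect the subject's records from every system and
    redact third-party fields instead of dropping them, so the subject can
    see that a field existed without learning another person's data."""
    export = []
    for rec in store:
        if rec["subject_id"] != subject_id:
            continue
        export.append({k: ("[REDACTED]" if k in third_party_fields else v) for k, v in rec.items()})
    return export

def build_response(request_id, subject_id, regime, received_on, identity_verified):
    """Steps 1, 3, 5 and 6: gate on identity, serialise to JSON, compute the
    deadline and return the audit record alongside the deliverable."""
    if not identity_verified:
        raise PermissionError("requester identity not verified; nothing is disclosed")
    data = compile_dsar_export(subject_id)
    payload = json.dumps(data, indent=2, sort_keys=True)
    audit = {"request_id": request_id, "subject_id": subject_id, "regime": regime,
             "received_on": received_on.isoformat(),
             "deadline": response_deadline(received_on, regime).isoformat(),
             "systems_searched": sorted({r["system"] for r in SAMPLE_STORE}),
             "records_returned": len(data)}
    return payload, audit
```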
What evidence will auditors request for Privacy criteria?
Auditors will request:
- Privacy policy: the published privacy notice with all required disclosures
- Consent records: evidence of explicit consent with timestamps
- DSAR logs: documentation of data subject requests and responses
- Data retention policy: documented retention periods and deletion procedures
- DPAs with vendors: Data Processing Agreements with third parties
- PIA documentation: Privacy Impact Assessments for new features
- Training records: privacy training completion for all employees
Do I need a Data Protection Officer (DPO) for SOC 2 Privacy?
GDPR requires a DPO if:
- You are a public authority
- Your core activities involve large-scale systematic monitoring
- Your core activities involve large-scale processing of sensitive data
Most SaaS companies do not need a DPO, but you should designate a Privacy Lead responsible for privacy compliance. This person should:
- Maintain privacy documentation
- Handle data subject requests
- Conduct PIAs
- Train employees on privacy
- Serve as the point of contact for privacy questions
This can be a part-time role combined with legal/compliance.