The report every enterprise deal asks for
Ask a B2B sales team what document unblocks the most deals, and the answer is usually a SOC 2 report. It's a written attestation, produced by a licensed CPA firm, describing the controls a service organization runs and whether they actually worked over a period of time. The framework behind it comes from the AICPA, which sets the Trust Services Criteria that every SOC 2 examination is measured against.
SOC 2 gets treated as a security credential, and mostly it is. But one of its five criteria is Privacy, and that's the part that touches cookies, consent, and the personal data you collect from a website. Most companies scope it out. Understanding what it covers tells you whether you should.
Five criteria, one required
A SOC 2 report is built from the Trust Services Criteria (the 2017 set, updated with revised points of focus in 2022). There are five categories:
- Security is the common criteria, and it's mandatory in every SOC 2. It covers protection against unauthorized access.
- Availability covers whether the system is up and reachable per your commitments.
- Processing Integrity covers whether processing is complete, accurate, and authorized.
- Confidentiality covers information you've agreed to keep restricted, like a customer's business data.
- Privacy covers personal information: how you collect it, use it, retain it, disclose it, and dispose of it.
You always include Security. You add the other four based on what you promise customers and what their buyers demand. Privacy is optional, and it's the one companies most often leave out, partly because it's more work and partly because Confidentiality already covers a lot of what buyers care about.
What the Privacy category actually tests
The Privacy criterion checks whether your handling of personal information matches the commitments in your own privacy notice, and whether it lines up with the AICPA's Privacy Management Framework. That framework arrived in 2020 to replace the older Generally Accepted Privacy Principles (GAPP) from 2009, updated for GDPR and the modern privacy laws that followed. It's organized around components like notice, choice and consent, collection, use and retention, access, disclosure, quality, monitoring, and security for privacy.
The through-line is this: whatever you told people you'd do with their data, the audit checks that you did exactly that. If your privacy notice says you get consent before setting analytics cookies, the auditor will look for evidence that you do. If it says you honor opt-outs, they'll test that opt-outs stick.
Type I versus Type II
There are two report types, and buyers care about the difference. A Type I describes your controls and confirms they're designed correctly at a single point in time. A Type II goes further: it tests whether those controls operated effectively across a review period, usually three to twelve months. A Type II is harder to earn and worth much more, because it proves the controls held up over time rather than looking good on the day of the audit. When a customer asks for "your SOC 2," they almost always mean a Type II.
One more distinction worth knowing: SOC 2 reports are confidential and shared under NDA. SOC 3 is a public, stripped-down summary of the same examination that you can post on your website without gating it. If you want something a prospect can read before they've signed anything, that's the SOC 3.
Do you actually need the Privacy category?
For a lot of companies, the honest answer is no, and scoping it in anyway just adds cost and audit time. Ask two questions. First, do you handle personal data as a core part of your product, or mostly hold your customers' business data? If it's the latter, Confidentiality often covers what buyers care about. Second, are your customers actually asking for Privacy? Some regulated buyers do; many accept Security plus Confidentiality and get the rest from your DPA and privacy policy.
Where the Privacy category earns its place is when you collect personal data directly from individuals: end-user accounts, a consumer app, marketing data at scale, or anything involving special-category data. In those cases the extra scrutiny on notice, consent, and retention is exactly what a serious buyer wants to see tested. If you're unsure, start with Security and Confidentiality, add Privacy when a deal or a regulator makes you.
Where cookie consent enters the picture
SOC 2 doesn't grade your cookie banner directly. There's no criterion that says "the reject button must be the same size as accept." What it does is test the choice-and-consent component of the Privacy category, and cookies are where most websites operationalize consent. So when the audit reaches that section, the evidence you hand over is your consent records.
An auditor pulling a sample will ask you to demonstrate that a given visitor was shown a notice and made a choice, with a date attached. CookieBeam's consent log answers that: it stores each decision with a timestamp, the version of the banner presented, and the specific purposes the visitor accepted or declined. That record is what turns "we ask for consent" into something an examiner can verify. It's the same evidence that supports the choice component of the Privacy Management Framework. For the anatomy of a record that holds up, see proof of consent documentation.
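As an added example (not CookieBeam's code or the page's own), a minimal consent log in Python that holds the fields described above and answers the two questions an auditor sampling a visitor asks: was a notice shown and what was chosen, with a date, and did a later opt-out actually stick when a non-essential cookie was about to be set. The visitor id, banner version, purpose names and timestamps are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical consent log, not CookieBeam's code: one immutable record per decision.
@dataclass(frozen=True)
class ConsentRecord:
    visitor_id: str
    recorded_at: datetime       # when the choice was made, in UTC
    banner_version: str         # which notice text the visitor was shown
    accepted: frozenset         # purposes the visitor opted into
    declined: frozenset         # purposes the visitor opted out of

@dataclass
class ConsentLog:
    records: list = field(default_factory=list)

    def record(self, visitor_id, banner_version, accepted, declined, at):
        """Append a decision; a purpose cannot be both accepted and declined."""
        if set(accepted) & set(declined):
            raise ValueError("purpose listed as both accepted and declined")
        rec = ConsentRecord(visitor_id, at, banner_version, frozenset(accepted), frozenset(declined))
        self.records.append(rec)
        return rec

    def decision_in_force(self, visitor_id, at):
        """Most recent decision by this visitor at or before `at`; None if no notice yet."""
        hits = [r for r in self.records if r.visitor_id == visitor_id and r.recorded_at <= at]
        return max(hits, key=lambda r: r.recorded_at) if hits else None

    def may_set_cookie(self, visitor_id, purpose, at):
        """Gate for a non-essential cookie: only a current, explicit accept permits it."""
        rec = self.decision_in_force(visitor_id, at)
        return rec is not None and purpose in rec.accepted

    def audit_evidence(self, visitor_id, at):
        """What a sampled visitor's entry shows an auditor: notice, choice, and date."""
        rec = self.decision_in_force(visitor_id, at)
        if rec is None:
            return {"notice_shown": False}
        return {"notice_shown": True, "banner_version": rec.banner_version,
                "recorded_at": rec.recorded_at.isoformat(),
                "accepted": sorted(rec.accepted), "declined": sorted(rec.declined)}

# Constructed sample timeline: a visitor accepts analytics, then withdraws that consent.
T_FIRST_VISIT = datetime(2024, 2, 28, 8, 0, tzinfo=timezone.utc)
T_ACCEPT = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
T_WITHDRAW = datetime(2024, 3, 10, 14, 30, tzinfo=timezone.utc)

def sample_log():
    log = ConsentLog()
    log.record("v-123", "banner-v4", accepted={"analytics"}, declined={"marketing"}, at=T_ACCEPT)
    log.record("v-123", "banner-v4", accepted=set(), declined={"analytics", "marketing"}, at=T_WITHDRAW)
    return log
```

The `audit_evidence` dict is the shape of answer the sampling auditor wants, and `may_set_cookie` is the check the site's own cookie-setting code should consult so the log and the behaviour cannot drift apart.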
SOC 2 or ISO 27701?
They overlap, and buyers sometimes accept one in place of the other. The rough split: SOC 2 is the North American default and reports on control effectiveness over a period, written by an auditor. ISO 27701 is the international privacy management certificate, more common with European buyers, and it certifies that you run a defined system rather than reporting on a test window. Large vendors often hold both because different customers ask for different things. If you sell globally, expect to be asked for whichever one a given procurement team is used to.
Whichever you pursue, the privacy plumbing underneath is identical. You need a clear notice, a real consent mechanism, records you can retrieve, and retention limits you actually enforce. Get that right and the audit is mostly a matter of showing your work. For the wider buyer conversation, see answering vendor security and privacy questionnaires.