In this position paper, we claim that access control policy languages can be extended to address data handling. Indeed, matching users’ privacy preferences and services’ privacy policies as well as enforcing what services can do with collected data rely on authorization queries and obligations, which exist in some access control languages. We present results from extending SecPAL to address data handling and discuss what could be applied to XACML.