- When do we collect information? In addition to information you collect from users when they register as a member or order a product, do you collect information concerning site usage behavior, IP addresses and other anonymous information using tracking technologies? If so, one component of the answer to the “when?” question may be “any time a user visits the website.”
- What information do we collect? The answer to this question is often broken down into the personally identifiable information (e.g. first and last name, address, telephone number, etc.) that is collected and into another category, often called aggregate information. Any data you collect from users on an anonymous basis to administer the site and analyze its usage probably falls into the aggregate information bucket.
- What information do we disclose to third parties? In answering this question, remember that you likely cannot make an absolute promise not to disclose personal information to third parties. Leaving aside the acts of various scalawags that are out of your control, you need to think about any necessary disclosures to contractors (e.g. those who ship goods ordered from your site), to courts or law enforcement agencies, or to third parties in the context of a business combination.
- How do our customers access and update their information? This process usually includes a user logging into their account on the site and updating the information they’ve shared. If such online functionality is not available, it’s a good idea to post an e-mail address where users can request changes to or deletion of their personal information.
Answering these questions will likely require you to perform some internal due diligence. You should engage all relevant departments (e.g. marketing, IT, billing) of your business in assessing and understanding your privacy practices. Once you have a thorough understanding of what you’re actually doing with respect to website visitors’ privacy, you can craft a policy that is consistent with reality and with other statements made on the website, and that you will be able to adhere to.
Of course, your company may have special concerns about its website. For example, if you plan to collect data from children under the age of 13, you’ll need to comply with the Children’s Online Privacy Protection Act (“COPPA”). Enforcement of COPPA is the responsibility of the FTC and has lately been the focus of review by the agency and the scrutiny of all sorts of advocacy groups. This is an area that may be in flux and deserves careful monitoring.