Most Internet-based businesses collect user data. Some data elements are deliberately collected to identify a specific user (name, address, contact information, etc.), while others are not (IP address, browser type, search term, to name a few). The collection and use of personally identifiable information (“PII”) raises numerous privacy issues, which, over the course of the last decade, have caught the attention of state and federal regulators.
2. Identify the specific elements of PII collected (name, address, etc.) even if they’re obvious.
3. Describe who has access to PII. If the data is passed on to third parties, they do not have to be specifically identified; a description of their business (e.g., “marketing partners”) will suffice.
4. Identify the date when the policy became effective, and include dates that it is updated. If any update includes a material change, users should be notified of it via email or a message on the site.
5. Disclose how the site responds to “do not track” signals regarding a user’s online activities over time and across different websites (e.g., Google Analytics). If your site offers no response to those signals, simply say so.
The guidance in this article is not intended to be comprehensive. There are other provisions that companies should consider including, and certain types of companies (financial institutions, healthcare companies, and online services for children) have more stringent requirements.