The U.S. Federal Trade Commission (FTC) provides some guidelines and regulations, while the State of California has enacted broad-reaching online privacy rules that apply to any commercial website or online service that may be accessed by a resident of the State of California. Essentially, the California Online Privacy Protection Act (CalOPPA) is far-reaching and would apply to most websites.
Looking globally, the European Union (EU) also has regulations regarding online privacy in the Data Protection Directive and the ePrivacy Directive. EU regulations apply to those websites that target EU customers.
1. Notice of Collection
Notice of collection clearly describes what information is collected about the website visitor online. Many companies expand this to include not only information collected by email, but also information gathered through other offline communication channels that are linked to the customer or prospective customer.
Also included in the notice of collection are the types of technology used on the site, such as web beacons, cookies or other similar technologies. Websites will often include a separate ‘Cookie Notice’ that provides additional detail on the types of technology used, the third-party solutions used on the site, and how to opt out of tracking. This separate ‘Cookie Notice’ may be used to follow the EU Directive if your website targets a global customer base.
2. Purpose of Collection
Disclosure includes a description of how the information collected from customers, prospective customers or website visitors will be shared. This includes how information will be shared with third parties, as well as whether the information collected will be sold, traded or rented.
A requirement of CalOPPA, the State of California’s online privacy act, is to disclose how your website responds to ‘do not track’ signals or similar technologies sent by the user’s browser. CalOPPA doesn’t require the website to honor the request, just to disclose how it responds to a ‘do not track’ request.
The Children’s Online Privacy Protection Act (COPPA), a federal rule, requires websites to disclose whether any personal information is collected from children under the age of 13. If information is collected from children under the age of 13, then verifiable consent from the parent or guardian is required before any personal information is collected from the child.
Depending on the type of business your website supports, the customer may need to confirm that they are over a certain age (e.g. for marketing of alcohol, tobacco or adult content).
6. Provide Access and Accountability
Depending on the type of business, as well as the type of new information collected, the website visitor is given notice before privacy changes are implemented on the website. These notifications are typically shown as a clickwrap agreement.