1. Identify the types of personal information your website collects about its visitors. You may collect the email address of any visitor who posts a message to your website’s bulletin board or chat area, or who contacts you via a web form or email. You may also collect consumer preference information from website surveys or other pages, and there may be additional information that users voluntarily provide while on your website. You must identify each of these types of information.
It is also good practice to describe the type of information your website server automatically records about each visitor, which may include the IP address of the computer the customer is using. You must also state whether your website sets “cookies” on the visitor’s computer, and if so, what information is stored in the cookie and what the information is used for.
3. Explain how website users can review and make changes to their personal information, if that is an option available to them. For example, if your website has an ecommerce component and you allow customers to store their shipping or billing information on your website, then you must state how the customer can access that information if he or she wishes to review or change it.
The first is that you may face liability under a growing number of state laws that protect consumer privacy. For example, California law requires operators of commercial websites that collect any personal information about users to prominently post their privacy policies on their websites. Although the term “prominently” is not defined explicitly in the law, it is generally accepted that this means that a link should be on the homepage of a website.
Pennsylvania and Nebraska both have laws that prohibit website operators from knowingly making false statements in their privacy policies about the use of personal information collected from their users.
Should you care about these state laws if you don’t live in one of these three states? The answer, again, is – maybe. If your business targets users across the country (or, more accurately, doesn’t target users in specific locales), then your website will likely be subject to legal requirements in each state. This will be the case if you are in the business of selling information products such as e-books, providing consulting services to clients anywhere in the US, or something similar.
What should I do next?