In a survey conducted by the Pew Research Center, 91% of adults “agree” or “strongly agree” that consumers have lost control over how personal information is collected and used by companies. In addition, 80% of those who use social networking sites say they are concerned about third parties like advertisers or businesses accessing the data they share on these sites.
Start by determining what type of data your site needs for its basic functions.
Will you collect just their name and email address? Or will you collect more sensitive information like browsing history or contacts/address book? Make sure to cross-reference with any third-party software used in your app that will also require data collection.
- Identify the categories of personally identifiable data collected by the site and/or app.
- Identify how you will use each type of personally identifiable data and the retention period for each.
- If your users make purchases online or in-app, disclose whether you keep their payment information and for how long.
- Describe the process for a user to review and request corrections to his or her personally identifiable information.
- Describe the choices a user has regarding the use, retention, and sharing of personally identifiable data.
- State that your organization takes the necessary steps to safeguard the users’ data and that it has the electronic capabilities to keep it safe. (And actually do those steps, of course!)
- If users subscribe to a newsletter or create an account or membership, explain how their information will be used for marketing, analytics, and future advertising (i.e., sending them emails). You should also include instructions on how they can unsubscribe or cancel their account at a later date.
- Even if you don’t have a site targeted to children under 13 and your site is targeted to a more general audience, it’s still a good idea to insert a caveat that you don’t collect any information on users under the age of 13 … just in case.
- Disclose the means for users to contact you if they should have any questions or concerns.
Be sure to include any industry-specific requirements. For example, if you are in the healthcare industry, you have to abide by HIPAA’s set of rules. Or if you have a site or app for children under the age of 13, there is a separate set of requirements you’ll need to meet.
Be proactive in actually implementing your policy & encourage your employees to be accountable, too!