Websites and internet-based startups are booming. Many startups thrive by collecting data about their online users’ age, gender and geography and interpreting that data to predict consumer preferences and demand. In addition, many third-party marketing services pay a premium for useful consumer data. Startups often find that data is their single most valuable asset.
But with big data comes big responsibility. Most websites and online services are obligated to disclose their privacy practices. Failure to do so can raise concerns for potential investors or acquirors and could even result in lawsuits or the attention of state regulators. Overbroad privacy disclosures, or borrowing disclosures from other websites, may also inhibit a startup from evolving its data monetization strategy as its business model evolves. Each startup needs a tailored approach to privacy to prevent these risks and maximize the value of its consumer data.
- Conspicuously Posted
- Identify Categories of PII Collected and Who Else Sees It
- Describe the Website or Online Service’s Process for Individual Users to Review and Revise Their PII (if such a process exists)
  - For example, websites with registered users often have individual account pages where users can log in to review and revise their PII. Other websites have a specific email address for users to request revisions to their PII, such as “email@example.com”.
- Disclose How the Website or Online Service Responds to “Do Not Track” Signals Regarding a User’s Online Activities Over Time and Across Different Websites
  - Tools like Google Analytics track users’ online activity, including which websites they visit. Website and online service operators can use this information to learn more about the people visiting their site.
  - A hyperlink to a description of the website or online service’s “Do Not Track” policy can satisfy this requirement.
- Disclose Whether Other Parties May Collect a User’s PII from the User’s Activity on the Website or Online Service
- Special Rules for Certain Websites and Online Services
  - Financial Institutions
  - Healthcare or anything with Health Information
  - Startups that collect PII from children under the age of 13 must obtain verifiable parental consent before collecting, using or disclosing such PII.