It’s also a legal requirement in some countries, and it is required to register with Google AdSense and other affiliate networks.
- Describe the information you collect from consumers and how you collect it.
- Disclose whether you share consumers’ personal information with other businesses or third parties. If so, who are they and what do they do with it?
- Tell consumers what kind of security measures you use to protect their data.
- Explain how consumers can opt out of receiving marketing messages from you or stop you from sharing their information with third parties.
- Explain how a user can request changes to or deletion of their data.
What are the legal responsibilities of websites regarding their users’ data?
Every website has different legal responsibilities regarding the management and use of its users’ data. Those responsibilities generally fall into the following three categories:
- Data ownership – who owns the data generated by a user, which can include everything from their IP address to the comments they leave on articles to their purchase history. Truly anything a user does on a website constitutes “data.”
- Data privacy – how that information is used and how it is kept confidential. For example, a website may not be able to sell or give away its users’ information without explicit consent.
- Data security – how that information is safeguarded from theft or corruption. For example, a website may be required to encrypt its users’ data so that it can’t easily be stolen by hackers.
When users provide data, websites must ensure that they only use that data for the purposes listed at the time of collection. They also need to be transparent about what they are doing with the data—using clear language that is easily understandable by someone who is not a legal expert.
Websites must make it easy for people to access and retrieve their data, and they need to be able to delete all of it upon request. (Since this request can come in through many channels, websites should consider synchronizing all of their databases containing user information.) Websites also need to disclose any breaches of their systems within 72 hours of discovering them.