There are two basic types of information a website can collect. The first type is aggregate information. This is the kind of information websites collect when the user isn’t registered or logged in, and his or her identity isn’t known. It is essentially anonymous information, and includes things like IP addresses and cookie information. IP addresses are numbered based on location, so by collecting IP addresses, a website operator can tell that a user may be from California, or Ohio, or New York. Cookies, which are small pieces of code left on a user’s computer, can tell the website operator where a visitor goes next. If the website operator collects enough aggregate information, it can use data mining to fine tune advertising and promotions that appear on its site. Even though aggregate information is anonymous, a website operator must disclose that it collects such information. In addition, the operator must give visitors an option to switch off cookies, although the website can still tell visitors that switching off cookies might cause an inferior user experience. The website operator also should disclose how aggregate information might be shared with third-parties — for example, Amazon.com for mobile apps and various analytics companies.
The second type of information a website can collect is personally identifiable information. This might include a visitor’s name, address, e-mail address, age, credit card number, social security number, and other information that a visitor provides when he registers or logs in. The website operator must disclose the nature of personally identifiable information collected, and the kinds of uses to which it is put. It is also advisable to discuss how such information is safeguarded (although not in such detail that might compromise the safeguards).
Privacy issues are particularly important when it comes to children. There is a federal law, the Children’s Online Privacy Protection Act (or COPPA), which applies directly to this area. COPPA prohibits the collection of information from children under the age of 13 without parental consent. If you operate a website targeted at children – for example, an educational website or a game website – you will want to ensure that your website complies with COPPA. Even if your website doesn’t target minors, you may want to include a provision in your terms of service that all users must be 18 years of age or older.
Once you start collecting information, whether it is aggregate information or personally identifiable information, you need to safeguard that information. If there is a data breach, you may need to report the data breach to various state agencies. Since each state has different requirements, this can be an expensive proposition. When companies do suffer a data breach, they frequently offer their customers an identity theft protection service, free of charge, for a period of time. This can be quite expensive for companies, too. As the Target data breach has shown, however, failing to deal with data breaches in a straightforward, diligent way can have serious consequences for the business in terms of loss of customers, management turnover, and possible exposure to lawsuits.
Follow me on Twitter @PaulHSpitz