Second—and this is related to my previous point—identify all types of third parties with whom you might possibly have a reason to share the personally identifiable information. If the list is expansive, it might help to specify the purpose for which consumers’ information might be shared. Consumers are unlikely to be upset that you share their information with your parent company if they are informed that sharing their information will be limited to legitimate and helpful purposes—not simply to flood their email with third-party advertisements.
Third, list everything you collect. This can include a first and last name, physical addresses, email addresses, social security number (make sure you have a good reason to collect this though), telephone numbers, pictures, videos, messages, or any other information that could identify a consumer, even if in combination with other information on the website. Resolve all doubts in favor of disclosure here.
Fourth, provide a process for an individual consumer to review and request changes to their personally identifiable information.
Finally, if you have actual knowledge that children under 13 years old are using your website (a demographic to which I highly advise against directly marketing), an additional set of regulations promulgated by the Federal Trade Commission pursuant to the Children’s Online Privacy Protection Act applies to you. Because they are expansive, they are beyond the scope of this article. I mention them here simply to put you on notice.