Consumer Protection and Privacy
The U.S. is more lax about consumer privacy and data collection than the EU. Under the EU Data Privacy Directive of 1995, EU member states were required to implement laws and regulations that comply with the Directive. The Directive contains strict guidelines for consumer data collection and also requires that consumer databases be registered with government agencies. If your business operates in the EU, it is very likely that you are required to handle user data in accordance with the Directive. You can find the full text here.
1. Introduction—this includes the company name, the business you're engaged in, and special instructions (e.g. parental verification)
2. Description of what information is being collected—the information a user enters on a form is obvious, but this also includes personal information that is collected passively, such as information logged by your server or collected by a third-party program integrated into your site or game.
3. Method of Collection—explain how you're getting the information from the user, whether automated, passive, or through a form.
4. Description of the use of the information—how do you plan on using the information? Who has access to the information? Do you need to share this information with third parties, and if so, who? Are you going to sell this information to marketing or advertising firms? Honesty is the only policy here. If you need or want to share user information with third parties for any reason, you need to say so.
5. Storage/Protection—this is another area where honesty is the only policy. If you decide to describe the technology by which you plan to store user data and protect user privacy, make sure you a) accurately describe that technology and b) update your policy whenever you change that method.
6. Contact information—give several options and make sure users are able to contact you to discuss their privacy. This includes an e-mail address, a phone number, etc.
7. Compliance with regulations—you may be required to comply with federal or international regulations. If that's the case, you have to include everything those regulations require.
Regulations and Regulation Compliance
The Children's Online Privacy Protection Act
COPPA pertains to websites and businesses directed to children that collect data from children under the age of 13. If your audience includes minors 13 or younger and you're collecting their e-mail address, postal address, or other personal information, here's what you need to know:
2. You need a way to obtain verifiable parental consent. You have some options here:
a) Provide a form that the parent can fill out and send;
b) Require the parent to use a credit card in connection with a transaction;
c) Provide a phone number where parents can call in their consent;
d) Get consent via e-mail from the parent, provided the e-mail contains a digital signature.
3. You need to provide a method by which parents can make requests concerning their child's personal information—this includes requests to destroy that information or to refrain from selling or sharing it.
You should carefully review the COPPA FAQ. Not only does it provide specific guidelines for compliance, but it also describes certain exceptions for which you may be eligible.
State Laws That Require Privacy Policies