To get to the answer, let’s take a look at these two questions.
- What are my legal obligations to users?
- What data you collect. Be specific: list the information you take, such as names, addresses, phone numbers, email addresses, credit card numbers, and other financial information.
- How you use the data. Inform users if you plan to add them to an email list or share their information with marketers.
- What a user can opt out of. Explain the user's rights to manage their data, and tell them how to opt out of particular features, emails, or other services.
- What security measures you take. Describe your general security practices: which data is encrypted, how you limit access to it, what your plan is if data is lost or compromised, and how you will notify users of a data breach.
What Are Your Legal Obligations to Users?
If your business handles private data, you need to understand the various regulations that govern its use, storage, and management. Our article "Cyber Law Essentials" details some of the most important regulations that might apply to you. Here's a rundown of four cyber security laws you need to know:
- Children's Online Privacy Protection Act (COPPA). Collecting personal data online from children under 13 without verifiable parental consent is illegal. In 2013 the startup social networking company Path paid an $800,000 civil penalty to settle FTC charges that it had collected personal information from children without their parents' consent. For more on this law, visit the FTC's frequently asked questions about COPPA.
- State data security laws. There is no single federal law that standardizes how businesses must protect data and respond to security breaches (with the exception of HIPAA and HITECH, which are discussed below). Instead, state laws determine your legal duty to respond to a data breach, how quickly you must notify affected users, and which agencies you must report it to. If you have customers in several states, you may have to satisfy several different notification rules for a single incident.
- HIPAA and HITECH medical data regulations. If your business works with medical data (or financial data for medical payments), you'll need to follow these strict guidelines. Under HIPAA and HITECH, IT firms that handle protected health information on behalf of a covered entity (business associates) must take extra steps to encrypt, protect, and limit access to that data, and are directly liable for failing to do so. For a detailed explanation, see "HITECH: The Strictest Data Protection Law."
- EU Data Protection Directive (95/46/EC). This European Union law governs the processing of personal data about individuals in the EU. The E.U. and the U.S. Department of Commerce set up a framework of guidelines (the U.S.-EU Safe Harbor framework) for U.S. companies to follow when handling the data of people in the E.U. Note that the Safe Harbor framework was invalidated by the Court of Justice of the EU in 2015, and the Directive itself was replaced by the General Data Protection Regulation (GDPR) in 2018, so check the current transfer mechanism before relying on this section.