The following measures will help protect you from unnecessary liability and attention from regulators.
1. Collect only the data you need. Dispose of the data you no longer need.

2. Adopt a Privacy Policy. Some states regulate privacy policies. The California Online Privacy Protection Act of 2003 requires "any commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site" (Business and Professions Code sections 22575-22579).

3. Consider when to get consent. Even if the law does not require getting consent for some sensitive information, it is still a good idea to get consent for location-based data and other information that may be used to identify an individual user.

4. Familiarize yourself with the license terms of public libraries and all other third-party code you consider using. Do they allow commercial use? What copyright notices must be included if you use the code?

5. Protect the sensitive information you collect. Certain data should be encrypted, and access to it should be limited to authorized personnel. Use transit encryption (SSL/TLS) to protect login credentials, API keys and any other important data. Appoint a security officer within your company.

6. Children's privacy. The Children's Online Privacy Protection Act (COPPA) applies to the online collection of personal information from children under 13 years of age. COPPA requires a service operator to seek verifiable consent from a parent or guardian. For many online services, it makes more sense to disallow collection of personal information from those under 13 altogether than to implement the verifiable consent procedures required by COPPA.