Best Practices when Collecting Online Consumer Data

The do's and don'ts of handling online consumer information.

Customer information can be a valuable online marketing tool, provided that you follow state and federal privacy laws and recognize best practices when collecting online consumer data. The Federal Trade Commission (FTC) offers helpful information on proper data gathering standards. Non-profit organizations, such as TRUSTe and the Better Business Bureau (BBB), also administer seal or certification programs for businesses that follow best practices in protecting online privacy. This area of law is undergoing a great deal of change, so it is important to stay current on your privacy compliance obligations. The FTC has spelled out several key principles to consider when establishing a data collection program.

  • Keep Your Focus on Transparency. Your website or social media home page should clearly and conspicuously disclose your data collection practices. In plain English, your privacy policy should state who is amassing this personal information, what data you are collecting, how that data is being used, and with whom you are sharing this data. Some states, like California, require online businesses to post a privacy policy, even if there are no plans to gather or share data. If your business does not undertake any data collection, then simply post that policy in a prominent place. Also recognize that under the CAN-SPAM Act of 2003, it is illegal to harvest email addresses from Internet chat rooms, blogs, and other online sources without the permission of site owners and users. So do not poach consumer emails from other online sources.
  • Offer Consumers a Simplified Choice. Consumers need to have a voice about whether or not their personal data is collected and how it is used. Some consumers may be happy to permit your business to use their data to alert them to special deals or events while others may balk at their information being circulated to third parties. As part of your privacy policy, you may decide to offer consumers a simple “opt-in” procedure in which they can clearly indicate their willingness to allow data collection and uses. Alternatively, your business may offer an “opt-out” choice for your customers, allowing data harvesting and sharing unless the consumer states otherwise. An online “Do Not Track” list, similar to the “Do Not Call” list for telemarketing, is under FTC consideration, so stay tuned for future efforts to improve consumer choice.
  • Provide Consumers Access to Their Data. It is important to consider a process for allowing customers to review their personal information that your business has collected. This review process should offer consumers a chance to check data for its accuracy and to make any relevant corrections. A good model is the credit reporting agencies that must provide consumers with an opportunity to review their credit histories for accuracy and to indicate any necessary updates or revisions. This review process will help serve as a form of quality assurance of your data collection efforts while promoting greater overall transparency in your data harvesting program.
  • Undertake Reasonable Data Security Efforts. Before you start to gather and store consumer data, be sure to have up-to-date security measures in place. Hackers are constantly seeking opportunities to strike at databases of personal information and our newspapers are filled with stories about data breaches. Think about only accumulating sensitive information that you actually need and disposing properly and securely of any personal data not in use. Consider the idea of consulting with data security professionals to determine reasonable measures your business can take to preserve its customers’ personal information. The FTC also provides a variety of free resources to aid data security for a broad range of businesses.
  • Recognize Special Protections for Children’s Data. If your business targets a youthful audience, then you will have to comply with the Children’s Online Privacy Protection Act (COPPA). This federal law mandates a posted privacy policy for child-oriented sites and restricts the collection of personal information on children under age 13. Under COPPA, verifiable parental consent must be secured in advance and parents must be allowed to review any personal information collected about their children. In addition, a parent may withdraw their consent at any time and prevent further sharing of their child’s data. The FTC is considering expanding COPPA to “mixed” audience websites that attract both adults and children and further restricting the types of data that can be retrieved. So be vigilant about upcoming legal developments on safeguarding children’s privacy.
  • Follow Your Stated Policy. Disclosing your policies and procedures is only a first step. Be certain that your business consistently follows its privacy promises to avoid potential liability. You should train any employees on your company’s data collection policies and supervise them to help prevent any misuses of accumulated personal information. Some online companies have been required to pay millions of dollars in fines for violating their stated privacy policies. By not complying with your policy, you could be faced with a costly, embarrassing mistake that damages your business revenues and reputation.

To learn more about best practices in data collection and online privacy, check out the FTC’s website or visit TRUSTe or BBB to see what industry peers are doing to defend online privacy.
