There are dozens of federal statutes and regulations that govern consumer privacy. They regulate what data a company can collect and how you must protect it once you have it. One of the best ways to mess up in e-commerce is not to follow your own guidelines. (As a side note, one of the best ways to mess up as an employer is not to follow your own employee handbook!)
The Federal Trade Commission, which enforces unfair trade practices, can bring federal action against companies that do not comply with their stated privacy policies or violate other consumer protection laws. As of 2015, the FTC has brought approximately 130 spam and spyware cases, 50 general privacy lawsuits, 60 cases alleging data security breaches, 30 cases for violating the Gramm-Leach-Bliley Act which protects financial data, 20 cases for violation of children’s privacy under COPPA (see below), and 122 do-not-call cases.
Violation of your own stated policy can be a violation of Section 5 of the Federal Trade Commission Act and, in North Carolina, an unfair trade practice allows a plaintiff to ask for triple damages and punitive damages.
Privacy law, as it relates to consumer protection, comes from multiple sources and varies based on the industry. Highly regulated industries, such as medical or financial firms, have significantly higher regulation and oversight of their information policies and practices. So do companies that might attract children to their website.
• What information is collected;
• Whether personal information is stored separately by individual account or aggregated for statistical/analytical purposes;
• Whether it is kept confidential;
• What security measures are employed; and
• Whether it is shared with partners, or sold to other companies.
Before your website goes live, make sure your privacy policies adequately represent what your company does with the data, and that you are prepared to actually follow you policy. Your terms and conditions should be appropriate to your business, e-commerce activities and data collection.