The U.S., on the other hand, has no single governing data protection law. Instead, it relies on a patchwork of related data privacy laws at the federal and state levels.
For instance, the Federal Trade Commission Act (FTCA) empowers the Federal Trade Commission to act against unfair or deceptive privacy and data-security practices at the federal level. At the state level, the California Online Privacy Protection Act (CalOPPA) is one such data privacy law; it protects users who reside in California.
The personal information covered ranges from email, postal and IP addresses to credit card details, phone numbers and location-tracking data. CalOPPA goes a step further and requires that commercial websites and online services collecting information on California residents list, by category, the types of personal information they collect.
Will you use the data for transactional purposes alone, or will you also send newsletters to your visitors? Will your company share information with third parties such as merchants? If so, the law requires you to identify, alongside your own business, the categories of third parties that will also have access to user information.
The industry-standard safeguard for private information in transit is Transport Layer Security (TLS), the successor to the now-deprecated Secure Sockets Layer (SSL); the two are still loosely referred to as "SSL". When a site is served over HTTPS, everything a user submits is encrypted between the browser and the server, so it cannot be read or altered by anyone intercepting the connection. Note that TLS protects data only while it is in transit: once the data reaches your server, it has to be protected by other controls, such as access restrictions and encryption at rest.
You are free to layer on as many security measures as you like; the requirement is that neither outside attackers nor unauthorized personnel can intercept or access user information.
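As an added illustration (not configuration from the original article or from any of the sites it mentions), here is an nginx server block that enforces TLS for a hypothetical site, shop.example.com. The weak configuration is shown commented out beside the corrected one; the hostname, document root and certificate paths are assumptions and would need to be changed for a real deployment.

```nginx
# Added example, not from the original article. The site name
# "shop.example.com", the document root and the certificate paths are
# assumptions chosen for illustration.

# Weak configuration (shown for contrast, do NOT use): plain HTTP only, so
# every form submission crosses the network unencrypted and can be read or
# altered by anyone on the path between browser and server.
#
# server {
#     listen 80;
#     server_name shop.example.com;
#     root /var/www/shop;
# }

# Corrected configuration: send all HTTP requests to HTTPS, accept only
# TLS 1.2 and 1.3, and instruct browsers (via HSTS) to use HTTPS for this
# host on future visits.
server {
    listen 80;
    server_name shop.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name shop.example.com;
    root /var/www/shop;

    # Assumed certificate location (for example, one issued by Let's Encrypt).
    ssl_certificate     /etc/letsencrypt/live/shop.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/shop.example.com/privkey.pem;

    # SSLv3, TLS 1.0 and TLS 1.1 are deprecated; do not list them here.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # HSTS with a one-year max-age; add "preload" only once you are committed
    # to serving the whole domain over HTTPS permanently.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
```

Check the syntax with `nginx -t` before reloading. To confirm that old protocol versions are really refused, run `openssl s_client -connect shop.example.com:443 -tls1_1` against the server: the handshake should fail, while the same command with `-tls1_2` should succeed.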
Here is how Bath and Body Works describes the security measures it has in place. It doesn't get very technical about what it does, but the description manages to reassure customers that their details are protected:
Under the EU's GDPR, you must also inform your users of the rights they have over their data. These include the right to access, update, transfer, view or erase their data (where applicable) on request.
The GDPR outlines explicitly that the user has a right to:
As a business owner, you should also let your users know how long you intend to retain their information; under the GDPR you must state the retention period or the criteria used to determine it.
Many website owners also share data with marketing teams, whether in-house or third-party. This is not in itself illegal, but at a minimum users must have a simple way to opt out of a marketer's mailing list, such as sending an email or a text message to a toll-free number.
Place your Privacy Policy where users can find it easily.
Gwyneth Paltrow's goop is just one among many websites that prefer this style: