Personal data consists of names, addresses (physical or e-mail), IP addresses, telephone numbers, dates of birth, and financial information, such as debit or credit card details.
In addition to outlining how the company will use the information, it also includes how it will meet its legal obligations, and how those sharing their data can seek recourse should the company fail to meet those responsibilities.
In Europe, those countries which form part of the European Economic Area (EEA) are required to meet seven principles.
These principles require that the data collected be limited to only that which is entirely necessary for the purpose of the site. They also cover how individuals may access their data, how the information is protected, and the accountability of the data collector.
As of May 2016, the General Data Protection Regulation (GDPR) became law across the EEA, standardizing the regulations across the entire region. Any organization whose website is available in Europe will be required to meet the GDPR, regardless of where in the world it is registered, including Canada and the USA.
In the United States, there is no overriding data protection law, but there are a number of other laws that cover specific demographics and circumstances. One of the best known is the Children's Online Privacy Protection Act (COPPA).
This regulates websites that are deliberately targeted at children under the age of 13, whether or not they collect data. It also applies to websites that, while they may not be targeted at children, knowingly collect information from users who are under the age of 13.
Another recent regulation, which takes effect in January 2020, is the California Consumer Privacy Act (CCPA). Any website that meets these criteria and is accessible within the United States must adhere to these regulations. Usually, where a site does gather information from children, a parent or guardian must provide their consent for this to happen.
THIRD PARTY ADVERTISING
Many non-e-commerce websites, especially blogs, generate income through advertising placed on their site by third parties. The best-known schemes are Google's AdSense and Amazon Affiliates, although there are many other similar ones. As these schemes involve the sharing of data, websites are required to publish a privacy policy before being allowed to take part in either program.
The exact information that will be collected from website users, which may include names, physical or e-mail addresses, IP addresses, telephone numbers, and location tracking.
If cookies are being used on the site, how to opt out of them, and what effect this might have on the user's experience.
How the information will be collected, and by whom, for example, if it is being collected by an advertising program.
How the information will be used, including if it will be shared with third parties.
How the information is protected from misuse or unauthorized access.
How to opt out of data sharing, along with the potential consequences of doing so.
In addition, certain types of websites must include other information. For example, anyone using Google AdSense must include information about the cookies, links, and any third-party sellers or advertisers featured on the site.
E-commerce websites must also detail how payment information will be accessed, processed and stored. They must make it clear who is handling the information, as the complexity surrounding the storage of payment details means that many sites use third parties to manage the payment process and storage of financial information.
We collect the content and other information you provide when you use our services, including when you sign up for an account, create or share, and message or communicate with others. This can include information in or about the content you provide, such as the location of a photo or the date a file was created. We also collect information about how you use our services, such as the types of content you view or engage with or the frequency and duration of your activities.
Facebook clearly outlines which of the information the user provides, whether deliberately or not, will be accessed and used. There is no ambiguity about what data will be collected, or from where.