7 CRITICAL Privacy Policy Principles

By Philip A. Nicolosi, J.D.

With the changing technology landscape, advertisers and businesses have even more avenues to capture user data. For example, some businesses are creating single, universal identifiers to track consumers across multiple devices and connect their offline, email, and digital interactions. The proliferation of IoT-related devices has caused this type of invisible tracking to evolve. Some companies now use techniques such as "device fingerprinting" to uniquely identify a broad range of internet-connected devices and build profiles about their users. These single user profiles are sometimes even linked with data obtained from various third-party offline sources.

These technological advances have also caused the FTC guidelines concerning online user data privacy and security compliance to evolve. In this rapidly changing environment, Internet marketers, ad agencies and businesses operating online MUST UNDERSTAND what is required to be disclosed in a privacy policy pursuant to the FTC Act and relevant state laws such as California's OPPA. Understanding all the items that a properly drafted privacy policy should contain can be complicated. However, the following basic, easy-to-understand set of rules can help website operators ensure their site's privacy policy disclosures are compliant in 2019.

1. Personally Identifiable Information (PII) Disclosure

Of course, cardinal rule #1 remains the need for website operators to disclose their collection and use of PII. The list of what counts as PII has grown in recent years. It includes basic information such as name, email address, phone number, and social security number, but it has recently been updated to also include other online contact information, such as an IM user identifier, a VOIP identifier, a video chat user identifier, or other substantially similar unique identifier, as well as any photographs, videos, or audio files containing a user's image or voice.

2. Don't Make False Statements

Don't misrepresent your data collection, use, and sharing practices. For example, don't proclaim that website users can disable a Flash cookie by using their browsers, or can opt out of an information sharing practice, when they actually cannot. Don't state that the website operators use collected information for analytical purposes only when PII is in fact sold to third parties.

3. Data Security

Website operators must secure user data with reasonable measures. The touchstone of the FTC’s approach to data security is a standard of "reasonableness": that a company’s data security measures must be reasonable in light of the "sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities." (FTC: Beyond Cookies: "Privacy Lessons for Online Advertising". January 21st, 2015). The FTC's Fair Information Practices also require that a mechanism for notification of data breaches is in place.

4. Provide Sensitive Data Opt-Out

Website users must be provided with an "opt-out" when uber-sensitive data they have provided, such as information based upon a medical condition (e.g. "cancer", "AIDS", etc.), is used to market to them across the Internet.

5. Provide Unexpected Use Opt-Out

Privacy policies should give consumers easy-to-exercise opt-out choices for those practices that would come as a surprise. This is judged given the context and the consumers’ overall relationship with the website operator(s). As an example directly from the FTC, when a consumer purchases a car from an auto dealer, the consumer would expect the dealer to collect and use his information to send a coupon for an oil change. A consumer might be surprised, however, if the dealer sold his data to a data broker that appended it to a larger profile sold to marketers (I know I would be). Ideally, these choices should be apparent at the time the user/consumer provides any subject information.

6. Privacy policies must be complete

Website operators should disclose all subsets of tracking information, not just a single use, and should be precise and complete with information/data use disclosure. For example, website operators should disclose the practice of "history sniffing" to collect information on user visits all across the Internet, and not just for targeted ad purposes. If the site operators track users across multiple devices (cross-device tracking) and compile aggregate use information which is then linked to a single user profile, this should also be disclosed.

7. Always follow COPPA

Provide parental notice of sensitive data collection from child users under the age of 13, and obtain consent before collecting any data! Websites that are targeted towards or that contain content that attracts children under the age of 13, or that knowingly collect information from such children, must be sure to comply with the Children's Online Privacy Protection Act (COPPA). This includes publishing a list of all the website operators along with contact information and obtaining parental consent for child information collection and use, among other requirements.

EASY Solution

Internet Legal Armor is a cloud-based, easy-to-use tool that allows website developers, marketing agencies, Internet marketers, social media marketers, and attorneys to draft law firm quality website legal documents for their clients that meet the above 7 principles and more!

Internet Legal Armor. Copyright © 2025. All Rights Reserved. Design by IMExperience