The whole issue of privacy policies, not only on the web but in general, is one of the key problems for any business. The only difference is, it is much easier for a small business to address this issue than it is for a large corporation.
– you ask for only the minimum data that will fulfill the purpose for which that data is being collected;
– you keep the data secure and ensure that it is only used for the purpose for which it was collected;
– you don’t keep the data after you’ve used it;
– you destroy the data in a secure fashion;
– you inform your customers of the steps you are taking to accomplish all of the above.
Once you’ve taken care of your customers’ concerns, you should probably try and make sure your practices are not illegal in the jurisdictions where you have customers. This may eventually become your number one concern but, for the moment, there are no jurisdictions that are actively enforcing very strict privacy laws for out-of-jurisdiction companies although there are several where the practices of many American companies would be illegal and many more where strict privacy legislation is being considered. It is actually not that difficult to keep your privacy policies practices mostly legal. The legislation focuses on four areas:
– you must advise the customer of the purpose for which data is being collected and he must agree to have you collect it for that purpose;
– the data must not be used for any other purpose without getting a renewed agreement from each customer whose data is being used;
– the data must be held securely and access must be restricted to persons who need access to carry out work in accordance with the data’s agreed purpose;
– the data must be securely destroyed when the agreed purpose has been accomplished.