Although California’s Online Privacy Protection Act establishes in practical effect a national baseline for privacy policies, numerous other state laws, federal laws, compilations of industry best practices impose still other obligations on businesses and their privacy policies.
And many federal laws could apply if your business model has changed. For example, if your website now collects data about persons and discloses personal information to others, have you considered whether that information may constitute a “credit report” under the Fair Credit Reporting Act? The Federal Trade Commission has brought several cases in the past year against “personal data” websites that crossed the line into “credit reporting agencies.”
Finally, a number of “best practices” codes have been developed for particular industries. If your company subscribes to such a code, it is expected to live up to the code’s requirements. Failure to do so could trigger liability under federal or state consumer protection laws. Some codes often expect companies to mention their participation in a code in their privacy policies.