The following measures will help protect you from unnecessary liability and attention from regulators.
1. Collect only the data you need. Dispose of the data you no longer need.
3. Consider when to get consent. Even if the law does not require getting consent for some sensitive information, it is still a good idea to get consent for location-based data and other information that may be used to identify an individual user.
4. Familiarize yourself with license terms of public libraries and all other third-party code you consider using. Do they allow commercial use? What copyright notices must be included if you use the code?
5. Protect the sensitive information you collect. Certain data should be encrypted at rest, and access to it should be limited to authorized personnel. Use encryption in transit (TLS, still commonly referred to as SSL) to protect login credentials, API keys and any other important data. Appoint a security officer within your company.
6. Protect children’s privacy. The Children’s Online Privacy Protection Act (COPPA) applies to the online collection of personal information from children under 13 years of age. COPPA requires a service operator to obtain verifiable consent from a parent or guardian. For many online services, it makes more sense to disallow collection of personal information from those under 13 altogether than to implement the verifiable consent procedures required by COPPA.