Principle III: Information Practices and Security.
Online advertisers should adopt information practices that treat customers’ personal information with care. They should post and adhere to a privacy policy based on fair information principles, take appropriate measures to provide adequate security, and respect customers’ preferences regarding unsolicited email.
- Post and Adhere to a Privacy Policy:
Online advertisers should post and adhere to a privacy policy that is open, transparent, and meets generally accepted fair information principles, including providing notice as to what personal information the online advertiser collects, uses, and discloses; what choices customers have with regard to the business’ collection, use, and disclosure of that information; what access customers have to the information; what security measures are taken to protect the information; and what enforcement and redress mechanisms are in place to remedy any violations of the policy. The privacy policy should be easy to find and understand and be available prior to or at the time the customer provides any personally identifiable information.
- Provide Adequate Security:
Online advertisers should use appropriate levels of security for the type of information collected, maintained, or transferred to third parties and should:
- Use industry standard levels of encryption and authentication for the transfer or receipt of health care information, social security numbers, financial transaction information (for example, a credit card number), or other sensitive information,
- Provide industry standard levels of security and integrity to protect data being maintained by computers, and
- Take reasonable steps to require third parties involved in fulfilling a customer transaction to also maintain appropriate levels of security.
- Respect Customer’s Preferences Regarding Unsolicited E-mail:
Online advertisers should accurately describe their business practices with regard to their use of unsolicited e-mail to customers.
- Online advertisers that engage in unsolicited email marketing should post and adhere to a "Do Not Contact" policy -- a policy that, at a minimum, enables those customers who do not wish to be contacted online to "opt out" online from future solicitations. This policy should be available both on the website and in any emails, other than those relating to a particular order.
- Online advertisers that engage in unsolicited email marketing should also subscribe to a bona fide e-mail suppression list such as the one offered by the Direct Marketing Association at www.e-mps.org/en/. Additional resources on opt-outs in general, with less focus on email, are offered by the Center for Democracy and Technology at http://opt-out.cdt.org/.
Principles: Summary List of Principles.
Principle I: Truthful and Accurate Communications.
Principle II: Disclosure.
Principle III: Information Practices and Security.
Principle IV: Customer Satisfaction.
Principle V: Protecting Children.
Upon request to bbbcode@cbbb.bbb.org, the Council may grant copyright permission if the Council determines such permission would be in the public interest and appropriate attribution is made.