-What information is collected?
-Do you make sales?
-Do you collect payment information? Is it stored?
-Do you save inquiries?
-Do you have a web site? Are Internet cookies used? How long are the web log files maintained?
-Is information combined to create a profile? Does this include combining third party information?
-Do you report information to third parties?
-Do you distribute information to third parties?
-Do you have third parties use information for marketing campaigns?
-Do you conduct telemarketing or fax marketing to current or prospective customers?
-Do you conduct e-mail marketing?
-Do you have third party e-mail marketers? Do you know what they are doing?
-Do you have affiliates/partners conducting marketing?
-Are there long term plans to sell/merge the company and transfer the data to the new owners?
-Is your service used by children? Have you considered children who use your web site?
Do users have control over the information:
-Is there reasonable contact information?
-Is a user’s information reviewable?
-Can a user correct information?
-Can a user review the third party information and correct that?
-Can a user review any information distributed to third parties?
-Can a user opt-out of marketing? How are third party marketers notified? Will a user’s information continue to reappear on marketing lists after removal requests? Do you have control/knowledge about what third party marketers are doing?
-Are deceased prior customers easily removed?
-Are do-not-call lists maintained for telemarketing?
-Is the National Do-Not-Call registry used?
-Are the Direct Marketing Association’s do-not mail/e-mail/call lists honored?
What laws affect your operation?
-Data retention laws?
-Do-not-call laws (state/federal)?
-Do-not-spam laws?
-Could your activities put your web site or e-mail on Internet “blacklists”?
-Credit laws? Are credit reports accessed? Are collection actions taken?
-Could law enforcement request information you have in an emergency?
-Are you a government entity or doing work on behalf of one?
-Do you transfer information to other countries that have legal requirements?
-Is the Federal Privacy Act or other similar laws relevant?