Though this is seemingly a commercial based standard, it illuminates areas of data seen as to be protected on average.  This may have been superseded as it is '95 vintage.

The UK and Europe are all party to what is called the EU Data Protection Directive 1995. This Directive set out seven principles of data collection:

• Notice: users should be given notice when their data is being collected
• Purpose: data should only be used for what you say you will use it for
• Consent: user data should not be shared without your users’ consent
• Security: collected data should be kept secure
• Disclosure: users should be informed about who is collecting their data
• Access: users should be allowed to access their data and make corrections to any inaccurate data
• Accountability: users should have a method available to them to hold data collectors accountable for not following the above principles

If you are based in Europe, the UK, Canada, or the US, or collect data from customers internationally, you need to comply with these laws and reflect these principles in your Privacy Policy.

The second aspect of complying with the law is making sure that your users are bound by your legal agreement.