The reality is that most websites are collecting information about visitors at all times. If you visit a website, you should expect that certain information is collected about your computer, browser, internet/mobile service, and referring source. Further, the vast majority of online privacy policies and terms-of-use also allow the collector of information, including personally identifiable information, to use that information for almost all purposes and to transfer it to third parties.However, businesses collecting such data through their websites in the U.S. are generally governed by disclosure. It is important to note that this is not true in all parts of the world. For U.S. companies that currently do business only in the U.S., the critical business practice is to publish a clear and prominent disclosure of what is being collected, how it is being used and how (and if) a consumer can opt-out of the collection, sharing, or use of the information. There are a variety of federal and state laws that implement this general requirement and that contain specific disclosure requirements. There are also some specific limitations or prohibitions on transfers of data that are related to the type of data (for example: personal health information).There doesn’t seem to be a current appetite for U.S. Federal legislation on consumer privacy, evidenced by the fact that legislation introduced almost five years ago has gone nowhere. The Federal Trade Commission has, periodically, been very aggressive regarding enforcement under its existing authority – generally saying that companies were deceptive or dishonest in their disclosures. This is one reason why clear, prominent, truthful disclosures are so important.One of the largest non-government advances in the U.S. is the recent surge in ad-blocking software. This is a business driven model, but as it becomes more common, I fully expect we will see a change in privacy practices because of it. Areas outside of the U.S. are also forcing change of U.S. company actions through legislation. The Canadian Anti-Spam Law forced many U.S. companies to change their disclosures at the time of collection of email addresses and the new EU General Data Protection Regulation will likely change U.S. company behavior to some extent once it is implemented.The first questions businesses should ask themselves are: What information are we collecting? What are we doing with it? What do we tell our consumers? Every company needs to understand that the answers are not always obvious. Further, if the company does business, has locations or has customers outside the U.S., it is substantially more complicated because they will need to comply with multiple, conflicting laws.Attorney Jack Gross regularly counsels businesses on internet, advertising, and privacy law.