<a href="https://softwareengineering.stackexchange.com/questions/2905" rel="nofollow">https://softwareengineering.stackexchange.com/questions/2905</a>...
<a href="http://web.archive.org/web/20130326235146/http://www.theeuco" rel="nofollow">http://web.archive.org/web/20130326235146/http://www.theeuco</a>...
Basically from what I can tell, anything you are using to track the user from your server you need to disclose. If you are storing identity info to allow the user to login that needs to be disclosed as essential.
Reminds me of the spam I got in Spanish the other day from the electric company because I applied for a job there 3 years ago and they had a privacy problem and the parent company had a data breach.<p>(I learned my Spanish from Home Depot and Don Quioxite and I still map ll -> y compulsively.)