Three Laws for Web Sites
If you want some high level guidance on privacy, this might qualify.
With all due reference to Asimov's Three Laws of Robotics. This post was originally published on a prior version of this blog on 2015-08-13.
1. No web site may violate a human being's right to privacy, or through inaction, allow a human being's privacy to be violated.
Inaction includes not taking responsibility for what ad networks are doing with your users' information.
2. A web site must respect a human being's consent with respect to her personal information, unless it conflicts with the first law.
You can't use dark patterns or obfuscation to claim that you have consent, or claim consent where the information may not even be 'consentable'.
3. A web site must protect its own existence as long as such protection does not conflict with the first or second law.
One consequence of this is having to comply with lawful requests from law enforcement for access to your users' data.
Bonus Guidance: You know you have it right when you can confirm that your average user would not be surprised or upset upon finding out ANYTHING about how you process their data or whom you share it with.