While individual laws differ from country to country, as good practice you should:
If you share data with third parties (and that includes Google ;) ), it's important you know how the data is being treated and that it is at least in part in line with your own.
By using the above you can then work through the issues such as how you are storing data, who has access, etc., and who is enforcing this.
In the UK, for example, a company should appoint a person who is responsible for enforcement of privacy, though the law was changed so that the person can be the company as a whole (in terms of liability). This is similar in Europe; in the US I believe it varies state to state.
As a company, going through and asking why we are collecting x, who is using it, how long we are storing it, and whether we have to store it can be a painful exercise, especially as even companies which thought they were doing the right things often find a large amount of highly personal data sitting in a spreadsheet on a laptop, normally belonging to someone who has no need for the data.
One final tip: CEOs and other executives, even in a small startup, have no more need to access data than anyone else. Try to avoid having master key holders, especially ones with no one looking at or auditing them, and especially for very sensitive data. The same goes (and even more so) for their PAs.
I'm not sure if you meant privacy or security (your examples are really more examples of the latter), but as for privacy I would say one of the main things is to protect your users' data. Don't display their email publicly or in a manner that's easily scraped. If you ask for a lot of personal information, make sure they know what is going to be available to others and what is more for internal use only.