In the Zappos case, 24 million consumer email addresses where stolen by hackers. Zappos went to arbitration and settled the case. The judge in the case threw out the arbitrated settlement for two reasons.
Go look at your website, and register. Is there a clickwrap? How about if the consumer fills out a form?
In truth, you should speak to your lawyer about what is best in your State to comply with State and Federal Laws. I know that Larson Sobodka LLC and Privacy Solutions both have deep experience in these areas of law and they get real estate. If you contact the firm, start with Brian Larson at Larson Sobodka or Darity Wesley at Privacy Solutions. They may pass you along to one of their Associates in the firm – but do not worry about that. They have done this sort of work before and are saving you money by having a lower paid lawyer get you fixed up.
It should look like this (Image courtesy of RE Technology – Privacy Audit performed by Privacy Solutions)