The rules are the same as they are for paper. What information you collect and how is largely your choice.
Now that content has been addressed you need to look at security. How will you get and transfer this information to your site? https - s being secured, is a good first step. Protect the data.
Next you need to look at how and when you receive it and process it. And look at backup systems too. What disclosures are triggered, how much information will you gather, will you open new relationships this way, how will you CIP them, etc.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell