I understood (by information from my country), any website need be very expicit with privacy policy. How the website intend to do with that data information of users, and that need be very, but very explicit, and very, very simple (short as possible with good visibility), to users understand. Indeed, the admin of website, need to inform all users if something happened with that data information, and if admin not did that in some period of time will be punished with heavy fines. And the priority is really inform the entities regulators of the same problem as soon as possible, or can be a much more huge problem.
Why exists other rules beyond these? On my country I don't see any other revelant new rules.
If admin need export user information data to other companies, or other situation, before any registrations of users, need contain that information to users agree. Of course, you as admin cannot use that information data, if before your users are already registered without that previous information on register form. On my opinion, old users need edit your user profile and agree with new rules, or they cannot post ads. A simple function can do that, to redirect to profile settings page and display a flash message, Just a example. User will decide, and he have a button to remove own account too, it make part of the rules.
For non register users, to publish new ads he need agree with a checkbox, and just that.
A simple plugin can do that using hooks, is not need change any theme.
Edit:
Another priority things:
On user profile need existing options to user choose, if will be public or not on public profile, like: real names, real location, fiscal number, and others to reveal a entity of a real person.
The rules want protect user information data, and what admin and companies intent to do with that content, the need be explicit in public. The responsability is totally of companies to keep safe the content data of users.
Regards
