Portmint Lighthouse
CoursesAI and the Law: Privacy, Disclosure & Customer Data for Small Business

The Simple Rules for Handling Customer Data

Pip Lesson 5 · taught by Pip · free preview

There's a whole industry of privacy lawyers, and the laws fill thick books. But underneath all of it sit four plain ideas that, if you simply follow them, keep a small business out of nearly all the trouble. Learn these four and you've learned the spirit of every privacy law worth knowing.

1. Collect less than you think you need

The safest data is the data you never collected. Before your AI or your forms ask for something, ask yourself: do I actually need this to help the customer? If a question only requires their order number, don't also vacuum up their birthday "just in case." Every extra field is something you now have to protect, store, and eventually delete. Less collected means less to lose.

2. Use it only for what you said

When a customer gives you their email to get a receipt, that's what it's for. Quietly adding them to a daily marketing blast is using their data for something they didn't agree to — and that's exactly the kind of move that turns into complaints and fines. The rule is honest and simple: use customer data only for the purpose you collected it for. Want to do more, like marketing? Ask. A clear "can we email you our weekly specials?" with a real yes/no is all it takes.

3. Don't keep it forever

Data you no longer need isn't an asset sitting in a drawer — it's a liability waiting for a leak. If a chat was just answering store hours, there's no reason to keep that transcript for three years. Decide roughly how long you actually need things (a refund inquiry, say, until the refund is settled and a reasonable window after) and let the rest go. "We keep it only as long as we need it" is a sentence regulators love to hear.

4. Guard what you keep

Whatever you do keep, protect it. For a small business that mostly means common-sense digital hygiene: strong, unique passwords; two-factor login on anything holding customer data; not emailing spreadsheets of customer info around; limiting who on your team can see what. You don't need a security department. You need to not leave the keys in the door.

How this lands on your AI specifically

A well-built AI assistant should respect all four of these by design, not by your remembering to. It should ask only for what a task needs, use answers only for the conversation at hand, not silently hoard transcripts forever, and keep everything behind proper protection. When you evaluate any AI tool, these four habits are your checklist — does the tool make following them easy, or does it quietly work against them?

Your turn

Look at one place you collect customer info today — a form, a booking, a chat. Find one field you ask for but don't truly need, and cut it. That single deletion is the entire spirit of rule #1, and it makes you safer this afternoon.

🔦 You know how to handle data well. Next: the rights customers have over their data — and the requests you must be ready to answer.

Stuck or curious?

Ask Pip about this lesson — tap the porthole bottom-right.