Portmint Lighthouse
CoursesAI and the Law: Privacy, Disclosure & Customer Data for Small Business

What Actually Counts as Customer Data

Pip Lesson 4 · taught by Pip · free preview

Before we can talk about protecting customer data, we have to agree on what counts as customer data. Most owners picture credit card numbers and social security numbers and stop there. The real definition is wider — and knowing the full list is what lets you spot a risky moment before it happens.

The plain idea: personal data is any information that can identify a real person, on its own or combined with other clues. Not just the obvious sensitive stuff — the ordinary stuff too.

The list is longer than you'd guess

Yes, it includes the scary items: payment details, government ID numbers, medical information, passwords. But it also includes the everyday things customers hand your AI all day long:

  • A name. An email address. A phone number.
  • A home or delivery address.
  • Their order history, what they browsed, what they complained about.
  • Sometimes even a device ID or the IP address their browser arrives with.

If you could use a piece of information to figure out which actual human it belongs to — directly, or by piecing it together with something else — treat it as personal data. When a customer types "Hi, I'm Maria, my order #4471 never arrived to 12 Oak Street," that one sentence is dense with personal data.

The extra-sensitive tier

Some personal data is treated more strictly because misusing it does more harm. Health details, financial account information, anything about children, race, religion, or other protected characteristics — these sit in a higher-care tier almost everywhere. If your business touches any of these (a clinic, a financial advisor, anything serving kids), your bar for caution rises accordingly, and this is a moment to get specific professional advice.

A special word on children: if your customers might be under 13, there are particularly strict rules in the US about collecting their information at all. If that's even possibly you, don't improvise — get real guidance.

Why this matters for your AI

Every one of those data points can end up in an AI conversation, because customers volunteer information freely when they're chatting. That's not a problem by itself — it's the whole point of a helpful assistant. It becomes a problem only if that information is then stored carelessly, shared where it shouldn't go, or kept forever for no reason. Those are the next few lessons.

For now, the win is simply recognition. You can't protect what you can't see.

Your turn

Picture one real conversation a customer might have with your assistant. Underline, in your mind, every piece of personal data they'd reveal — name, contact, address, the problem itself. That mental highlight is the exact instinct that keeps you out of trouble. The more naturally you spot it, the safer your business is.

🔦 Now that you can recognize personal data, the next question is the big one: what are you actually allowed to do with it?

Stuck or curious?

Ask Pip about this lesson — tap the porthole bottom-right.