How to Protect your Customers' Personal Information

How many times have you been asked for your email, phone number, address or even your date of birth when shopping or browsing on the web? As an entrepreneur, you may already be collecting this information from your customers.

The explosion of products and services available online has caused a dramatic increase in the demand for users’ personal information (Consumer guide – Consumer Privacy). This information may be used for many purposes such as statistics, account creation, delivery address, advertising, etc. However, the tremendous ability to collect customers’ data brings with it many risks that too many businesses fail to account for.

As we’ve previously discussed (see our article on the essentials of your business), it is important to draw up certain documents that frame the relationship between the users of your site – including their personal information – and your business, to prevent any potential disputes.

In this article, we will provide tips on how to protect the personal information of your customers.



Nowadays, it is essential that entrepreneurs be aware of the legal issues involved in data collection (Link in French only). Gathering personal information is not a task to be taken lightly, even if at first glance it seems relatively benign. Indeed, if the user consents to provide you with information, what’s the crime in that?

In fact, the answer to that question is complex. In Quebec, the Act Respecting the Protection of Personal Information in the Private Sector (hereafter the “Act”) imposes a number of limits and conditions on the collection of personal information. Failure to comply with the Act can result in complaints to the Access to Information Committee (link in French only), with fines ranging from $1,000 to $50,000, and from $10,000 to $100,000 for repeat offences. This may be very difficult to swallow for start-up entrepreneurs. It is therefore very important to pay close attention to the law, in order to understand what can and cannot be done with your clients’ data.



Before asking yourself how you can go about collecting something, you need to know what it is, right? To put it simply, personal information (link in French only) refers to any information that identifies a person. That is a wide range of information. Even relatively trivial information, such as a user’s television preferences, is considered personal information according to the Act.

The two most important factors to keep in mind from the Act are (1) the necessity of the personal information collected, and (2) the consent of the concerned party. (Collection of personal information (French only))

Concretely, what does that mean?

Firstly, consent implies that you request the information from the user and they agree to provide it willingly. For instance, filling out the empty boxes on an online form is sufficient to constitute consent on the part of the user. However, even if the user consents to provide you with information, the Act requires that the information be absolutely necessary for the precise goals for which it is being collected, and that the user is aware of its intended use. For example, asking for a user’s profession, social security number or the colour of their cat as part of your registration process would not be legitimate if your business involves the sale and delivery of clothing. On the other hand, their name, address, telephone number, and payment information are.

Despite these restrictions, it is possible to request information for other purposes than direct profits. It is perfectly legitimate to collect information for surveys, statistics, or marketing, for instance, provided these motives are clearly indicated to the user, and that they have consented.

It is therefore important to be prudent in the requests for information (link in French only) you address to your users!



Congratulations, you have legally collected your users’ personal information! However, you are not out of the woods yet. Once personal information is in your hands, the Act provides for how such information is to be handled and stored. As with the collection of fruit from a plant, storing the fruit requires even more precaution than picking it.

The law is clear: you must protect the information you collect from users through both physical and virtual means. The personal information of your users must not be visible to all, and even employees should not have access unless they are authorized. If not, you risk breaking the law.

If the confidential information in your possession is in paper form, you need to ensure its security by filing it in a secure folder specifically created for that purpose. Conversely, if the personal information is in digital form, you need to ensure that you have the appropriate security measures in place to prevent a breach: firewall, anti-virus, etc. In addition, your hard drives must be safe from theft.

It is also important to keep in mind that it is forbidden to pass this personal information on to third parties, unless you clearly indicated this possibility when you collected the information.

Moreover, even if you are processing the information according to the law, the user will always have a right to their data. Therefore, they are within their rights to request all the data you have on them. If you do not provide the user with the information they requested, you will be breaking the law.

What happens if a user deletes their account? Keep in mind that the information you possess must be “necessary” for the purpose for which you collected it. Thus, if a user deletes their account, the necessity of holding on to their information may disappear. In that case you must ensure the destruction of their information within a set time limit (often 30 days).

For that purpose you must always provide the contact details (for example an email address) of a person in your company to whom users can direct any requests or questions they may have concerning their personal information. This person must be clearly identified – not just a company email – and available to fulfill these duties.



As we’ve seen, there is an important legal framework surrounding the collection and conservation of personal information. It is therefore crucial to arm oneself with the proper legal tools!

At a minimum, it is necessary to establish a policy concerning the protection of personal information in order to properly regulate the relationship between yourself and your user. This policy will allow you to establish the rules governing your website, and proceed with the collection of data with complete peace of mind. Lex Start offers you a Terms and Conditions Kit that will ensure the security of your users and your business.

If your business sells goods or services online, our Online Sales Kit is an essential legal document, which will help you guard against the dangers of data collection.

If you have other questions, fill out our free submission form and a lawyer will determine your needs to help ensure your future success!

Ulric Caron
