Best Practices when Collecting Customer Data


Overview of Samantha Peaslee’s Webinar, Dealing with Data  

Chances are that as a business owner, you are collecting some kind of information about your customers. Maybe it is their payment information when they make purchases on your website, maybe it is their address to deliver your product to, or maybe it is just their email address to add to your newsletter. Whatever it may be, as a business owner you need to be aware of the laws surrounding data collection and how they impact your business. What are the best practices to keep your business safe? Keep reading for information from Samantha Peaslee’s recent webinar session, Dealing with Data.

Who does the law apply to?

First, let’s start with who the laws apply to. Each state has a different set of rules governing commerce in their state. This post is primarily concerned with Colorado’s laws, but the California Consumer Privacy Act is the strictest set of rules in the country, so if you conduct business outside of Colorado and want to be safe, you can use California’s standards. Currently in effect are the Colorado Consumer Data Security Laws which impacts any business that maintains, collects, or owns Personally Identifiable Information of Colorado residents in the course of its business.

Personally Identifiable Information (PII) has many definitions depending on the particular law, but according to Samantha, PII is is generally information that if someone else had, they could steal your identity, take money from your bank account, conduct fraud, get into your email, etc.

Another category of customer data that is important to be cognizant of, but is not as strictly protected, is Personal Information. Most small businesses are collecting Personal Information more often than PII and it is important to know what you are responsible for depending on the type of information you are collecting. Some examples of PII and Personal Information are in the table below.

 PII Personal Information
Social Security Numbers/ Personal Identification Numbers First Name + Last Name with a piece of PII
Passwords/Passcodes Username or email address with password security question and answer
Driver’s License Numbers/Passport Numbers Account number or credit/debit card number with a security code/password
Financial Account Numbers  

Note: Information that is lawfully available to the general public is not protected under PII or Personal Information. 

What are Consumer Rights?

  • Opt-Out Right: Consumers have the right to say how their personal data will be used and your business must offer a clear way for customers to opt-out of giving their personal data for certain uses. This must be written in your privacy notice as well as in a readily accessible location outside of your privacy notice.
  • Unsubscribe: Consumers must be able to easily unsubscribe from your communications.
  • Access: Consumers have the right to confirm whether your business is processing any of their personal data and can ask to be told what data your business has on file for them.
  • Correction: Consumers have the right to correct inaccuracies in their personal data.
  • Deletion: Consumers have the right to ask your business to delete the personal data you have on file for them.
  • Data Portability: Consumers can ask you for a copy of the data your business has on file for them up to two times per calendar year, according to the Colorado Privacy Act effective July 2023.

What are your Obligations? 

  • Internal Privacy Policy: Your business is required to have a written policy ensuring PII is properly disposed of when it is no longer needed and you must have security measures in place to protect PII based on the nature and size of your business as well as the type of PII collected.
  • External Privacy Policy: Your privacy policy cannot be within your terms and conditions if customers only interact with the policy through your website. The policy must be written so that it is clear, meaningful, and reasonably accessible. It must include categories of personal data collected or processed, the purposes for processing personal data, how and where consumers can exercise their rights, how to appeal company’s actions, the personal data shared with third parties (and who those third parties are), and must include a disclosure of sale or processing of personal data.

What are your Duties and Best Practices? 

  • Be transparent: Specify why you are collecting the data and how you will use it.
  • Minimize collection: Only collect data that your business needs and has a purpose for.
  • Avoid secondary use of information: Don’t bait and switch your customers (e.g. using an email for a newsletter if you haven’t disclosed using their information in that way).
  • Obtain consent: Process sensitive data only with consumer consent.
  • Maintain your policies: Follow your internal and external privacy policies.
  • Third party vendors: Know what third party vendors you are using. 
  • Give customers options: Provide the ability for customers to easily opt-out, unsubscribe, change, or limit their information..

Where To Go From Here

Have more questions about your privacy policies, how you handle customer data, or what you need to do to be ready to comply with the new Colorado Privacy Act? Reach out to schedule an appointment with an SBDC Legal Consultant here! You can also check out Samantha’s full presentation for more details on our YouTube channel here. 


Recent Posts

Sign up to stay in touch!

Get relevant news and updates regarding small business delivered to your inbox.

For security verification, please enter any random two digit number. For example: 42

Front Range Community College
3645 W. 112th Ave.
Westminster, CO 80031
Room C2061

720-893-1589 (hotline) 

303-460-1032 (office voicemail)

The Colorado Small Business Development Center Network (SBDC) is funded through a cooperative agreement with the U.S. Small Business Administration (SBA). The SBDC Network is a partnership between the State of Colorado, Colorado Office of Economic Development and International Trade, the Small Business Administration (SBA), Colorado’s institutions of higher education, local economic development organizations and local chambers of commerce. 

We are strongly committed to protecting your privacy and providing a safe online experience for all of our users while offering the highest quality user experience. View the North Metro SBDC Privacy Policy here. 

Skip to content