One thing to keep in mind with this kind of information is that protecting personal information is simply good business. You tell your clients how you will treat their information and then you do what you have said. This creates trust and in turn encourages them to do business with you. Simple.
Canadian privacy law is strict but it does provide a mechanism for you to set the terms of how you will do business with your clients. If you intend to market to them - why wouldn't you want them to know in advance and then agree to it? In this way they welcome your message and buy your stuff. Otherwise, you run the risk of having them delete your message unread - since no one complains to the spam sender: it is a guarantee of more spam (it is proof of a working email address!).
What is personal information?
This is a key question. In essence personal information is anything that identifies you and is not available somewhere else. Your name as your name but not your name as your name on your business card. Your health history, your banking information, these are private. It gets more interesting as companies you buy stuff from begin to build your profile. Data mining for these kinds of preferences is worth millions of dollars: but who owns the data? The company because they provide the system to make the purchase or the customer because it is about them?
You want their consent. If you change your purpose for the information - you want their consent again and again. To me this is a powerful opportunity to reconnect with your clients and potential clients. It shows your respect for them as individuals and your desire to have them as clients or customers. We all cherish those stores where the owner knows us, knows our preferences, and is ready to solve our problems. You may not get everyone to agree - but those who do agree are more likely to remain or become your clients.
Canadian privacy law has a problem: it is too strict. Canadian courts are reluctant to find against businesses because the punishment is rather tough. In a way Canadian law is all teeth and no bite.
In the United States there is no comprehensive privacy legislation. The Federal Trade Commission (FTC) has stepped into this gap with an interesting approach. Recognizing that companies freely post their privacy policies the FTC will respond to complaints where it can be shown that the company has not followed its own published policies. Excellent. It is a kind of truth in advertising scenario - even better - it is irrefutable since they can simply point to the published (on their Web site) policies. The fines are, generous, and the loss of reputation a problem.
"Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's Bureau of Consumer Protection. "It's not just good business, it's the law," he said. In fact the FTC is showing itself to be surprising nimble in it's approach to the changing nature of the Internet and privacy.
At the moment privacy laws in Canada and elsewhere are a form of soft regulation of the Internet. Since the corporate Web site is such an ideal means of providing the information we can see the association. But other than that - it just makes sense to know what you are going to do with the information people give you.