Just a thought, from RESULTS ORIENTED
Personal Information Protection and Electronic Documents Act
PIPEDA is a Canadian federal initiative coming into force on 2004 January 1st. Federally regulated organizations were required to implement privacy rules in 2001. Now, all provincially regulated organizations have to follow suit.

Clear processes will need to be in place to ensure consistency in collection and storage of personal data. Organizations will need to obtain consent before information gathering, and be able to provide all of the stored information within 30days of a request. This includes information transferred to a 3rd party for processing. Even information sent across the border.
If you are one of the 80% of small businesses that the 2003Nov28 edition of 'Computing Canada' labels as unprepared, you will need to conduct a Privacy Impact Assesment (PIA).
A guide to the PIA principles can be found at this government site.

NOTE: There may be provincial legislation to consider. Quebec has a privacy act in place, while Alberta and BC are close to implementing their's.