Data Privacy Laws and How They Impact Small Businesses

Data privacy laws like GDPR, CCPA, and sector-specific federal rules affect small businesses that collect customer data. Learn what applies to your business and what you need to do to stay compliant.

Bizee Editorial Staff

Introduction

Data privacy laws are rules that govern how businesses collect, store, and use personal information about their customers and website visitors. There's no single federal law that covers every U.S. business, so small businesses face a patchwork of federal sector rules and state laws — and the list keeps growing.

What data privacy laws are

Data privacy laws are legal requirements that control how organizations collect, store, share, and delete personal information. In the United States, there's no single comprehensive federal privacy law that applies to all businesses. Instead, compliance depends on what your business does, where your customers are located, and which sector-specific federal rules apply to you.

The result is a patchwork. At the federal level, the FTC enforces Section 5 of the FTC Act against unfair or deceptive data practices for businesses in interstate commerce. Sector-specific laws add more layers: HIPAA covers health information, COPPA covers data collected from children under 13, and the Gramm-Leach-Bliley Act (GLBA) covers customer financial data held by financial institutions. At the state level, at least 20 states had enacted comprehensive consumer data privacy laws as of 2026, with more pending.

  • FTC Act (Section 5) — prohibits unfair or deceptive data practices for businesses in interstate commerce
  • HIPAA — governs the privacy of health information held by covered entities and their business associates
  • COPPA — requires parental consent before collecting personal data from children under 13
  • GLBA — requires financial institutions to safeguard customer financial information
  • State laws — California, Virginia, Colorado, and at least 17 other states have enacted their own comprehensive privacy laws

Why data privacy laws matter for small businesses

Small businesses are not automatically exempt from data privacy requirements. Many business owners assume these laws only apply to large corporations, but the FTC can pursue civil penalties up to $51,744 per violation against any business engaged in deceptive data practices — regardless of size. State laws add their own penalties on top of that.

The geographic reach of these laws is broader than most people expect. If your website is accessible to California residents, the California Consumer Privacy Act (CCPA) may apply to your business depending on your revenue and data volume. If EU residents visit your site and you track their behavior through cookies, the GDPR can apply even if your business is based in the U.S. Running a business online means your exposure isn't limited to the state where you're registered.

Most small businesses that collect any customer data — email addresses, payment information, browsing behavior — have at least some privacy obligations. The practical starting point is knowing what data you collect and which laws apply to your situation.

How the major data privacy laws work

Each major privacy law has its own scope, requirements, and penalties. Understanding which ones apply to your business is the first step toward staying compliant.

General Data Protection Regulation (GDPR)

The GDPR is the European Union's data privacy law. It applies to any business that collects or processes personal data from EU residents — including U.S.-based businesses with EU website visitors. If you use cookies to track user behavior and EU residents visit your site, the GDPR likely applies to you.

The GDPR requires businesses to follow 7 core principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. EU residents have the right to know what data you collect, access it, correct inaccuracies, request deletion, restrict processing, transfer their data, and object to automated profiling. Penalties for violations can reach €20 million (roughly $20 million) or 4% of global annual revenue, whichever is higher.

California Consumer Privacy Act (CCPA)

California was the first U.S. state to pass a comprehensive consumer privacy law. The CCPA, enacted in 2018 and later expanded by the California Privacy Rights Act (CPRA), gives California residents rights over their personal data and places obligations on businesses that meet certain thresholds.

The CCPA applies to for-profit businesses that do business in California and meet at least 1 of these criteria: annual gross revenue above $25 million; personal data from 100,000 or more California residents or households processed per year; or at least 50% of annual revenue earned from selling California residents' personal data. The California Privacy Protection Agency (CPPA) enforces the law, with fines up to $2,500 per unintentional violation and $7,500 per intentional violation.

FTC Act and sector-specific federal laws

Even without a comprehensive federal privacy law, the FTC can take action against small businesses for unfair or deceptive data practices under Section 5 of the FTC Act. Civil penalties can reach $51,744 per violation. You don't need to have received prior notice for the FTC to act — if a practice is deceptive or unfair, that's enough.

If your business handles health data, children's data, or customer financial records, sector-specific laws add requirements on top of the FTC baseline. HIPAA applies to covered health entities and their business associates. COPPA applies if you collect data from children under 13. GLBA applies to financial institutions handling customer financial information. A data privacy attorney can help you figure out which of these apply to your specific business.

The growing patchwork of state privacy laws

California isn't alone. As of 2026, at least 20 states have enacted comprehensive consumer data privacy laws, and more are in progress. States like Virginia, Colorado, and others have passed their own frameworks, each with different thresholds, exemptions, and consumer rights. Many of these laws exempt small businesses based on revenue or data volume, but the criteria vary by state.

If your business operates across multiple states, you need to meet the requirements of the most stringent applicable law for each jurisdiction where your customers are located. The practical steps most small businesses need to take include: publishing a clear privacy policy, notifying users about cookie tracking, giving users a way to opt out of data collection, and building a process for handling data access or deletion requests.

FAQ

Yes. Small businesses that collect personal data — email addresses, payment details, or website tracking — can be subject to federal and state privacy requirements. The FTC can pursue civil penalties up to $51,744 per violation for deceptive data practices regardless of business size. Many state laws include small business exemptions based on revenue or data volume thresholds, but those thresholds differ by state, so you need to check the rules for each state where your customers are located.

It depends on your industry and where your customers are located. Key examples include: the GDPR (EU residents' data), the CCPA and CPRA (California residents), the FTC Act Section 5 (deceptive data practices in interstate commerce), HIPAA (health information), COPPA (children under 13), and GLBA (customer financial data). As of 2026, at least 20 U.S. states have also enacted their own comprehensive consumer privacy laws, each with different requirements and exemptions.

A privacy policy is a public document that tells your customers what personal data you collect, how you use it, how long you keep it, and how they can request access or deletion. Most data privacy laws — including the CCPA and GDPR — require businesses to publish a privacy policy that's easy to find on their website. Even if no specific law requires one for your business today, having a clear privacy policy builds customer trust and reduces your exposure if a dispute arises.

The 3 risks that come up most often are: collecting data without a clear privacy policy or user notice, which can trigger FTC enforcement; not honoring customer requests to access or delete their data, which can result in state-level fines; and failing to secure the data you hold, which can expose your business to both regulatory penalties and civil liability if a breach occurs. A data security incident at a small business can mean you're on the hook for breach notification costs, regulatory fines, and customer claims all at once.

Yes, if your website is accessible to EU residents and you track their behavior — through cookies, analytics tools, or similar means — the GDPR can apply to your business even if you're based in the United States. The GDPR's reach is based on where your users are located, not where your business is registered. If you're unsure whether the GDPR applies to your site, talk to a data privacy attorney who can review your specific situation.
