
The AI Compliance Squeeze Is Coming for Small Business — Here's What FTC and CPPA Enforcement Actually Means for You

FTC and California CPPA enforcement guidance on AI and automated decision-making now reaches SMBs. Here's what hiring tools, chatbots, and marketing automation expose you to.

centrexIT Team

A 40-person staffing firm in Sacramento just got a letter from the California Privacy Protection Agency. They use an AI tool to screen resumes — one of those off-the-shelf platforms that ranks candidates and flags top matches. The owner didn’t build it. He didn’t train it. He pays $89 a month for it. The CPPA wants to know how the model was trained, what data it processes, whether candidates were told an automated system was evaluating them, and what the appeal process looks like.

He doesn’t have answers to any of those questions. Neither does the vendor’s support team.

This is the part of AI governance most small business owners haven’t caught up to yet. The assumption — reasonable, until recently — was that regulators would go after the big platforms first. OpenAI, Google, Meta, the hiring tech unicorns. The companies with billions in revenue and lawyers on staff. SMBs would have years to figure things out.

That’s not what’s happening.

What the FTC and CPPA Have Actually Said

The Federal Trade Commission has been telegraphing this shift for over a year. In a series of business guidance posts and enforcement statements, the FTC has made clear that using AI doesn’t change the underlying obligations a business has under existing consumer protection law. If your hiring tool discriminates, you’re liable — not the vendor. If your chatbot makes claims your business can’t back up, that’s a deceptive practice. If your marketing automation collects data you said you wouldn’t, that’s still a violation.

The agency’s “Operation AI Comply” sweep in late 2024 targeted five companies for AI-related deception, and the messaging accompanying it was unambiguous: enforcement is moving downstream. The FTC’s guidance specifically notes that small businesses using third-party AI tools remain responsible for outcomes, regardless of whether they understand the underlying technology.

California is moving faster. The CPPA finalized its Automated Decision-Making Technology (ADMT) regulations in 2025, with enforcement provisions kicking in on a rolling basis through 2027. The rules require businesses that use ADMT for “significant decisions” — hiring, lending, housing, insurance, education access — to provide pre-use notices, allow consumers to opt out, and conduct risk assessments. The threshold for who’s covered is the same as CCPA generally: businesses with $25 million in annual revenue, or those processing personal information of 100,000+ California consumers or households.

That second threshold is where SMBs get caught. A regional e-commerce business with strong traffic can hit 100,000 unique California visitors in a quarter without realizing it. A B2B SaaS company with a few hundred customers can blow past it through cookie tracking and analytics alone. Once you’re in scope, you’re in scope for everything — including the AI rules.

Why SMBs Specifically Are Exposed

The pattern we’re seeing across California, Nevada, Arizona, Washington, and Oregon: small and mid-sized businesses have quietly adopted AI tools faster than enterprise. They had to. The hiring market is tight, marketing budgets are thin, customer service expectations are high, and AI tools promised to close the gap.

Four exposure points come up over and over:

Hiring and HR tools. Resume screeners, video interview scorers, skills assessment platforms. Most SMBs using these tools cannot answer basic questions about how the model scores candidates, what data it was trained on, or whether it’s been audited for adverse impact. Under California’s ADMT rules, hiring is explicitly listed as a “significant decision” requiring notice, opt-out, and assessment. Federal employment law adds another layer — the EEOC has made clear that algorithmic discrimination is still discrimination.

Customer-facing chatbots. The cheap deployment story — drop a widget on your site, train it on your FAQ, save on support headcount — created a generation of chatbots that confidently make claims about pricing, refunds, product capabilities, and policies that the business can’t actually honor. The FTC treats chatbot statements as company statements. If the bot promises a 30-day refund and your policy is 14 days, you have a deceptive practice problem.

Marketing automation and lead scoring. Many marketing platforms now include AI-driven audience segmentation, lookalike modeling, and predictive lead scoring. These tools ingest customer data, infer characteristics, and make decisions about who sees what offers at what price. The CPPA rules treat this as profiling — and profiling for behavioral advertising triggers opt-out rights and, in some cases, risk assessments.

Document and contract automation. SMBs in professional services especially are running AI over client documents — contracts, financial records, medical files, legal filings. The compliance question isn’t just “is the AI accurate.” It’s “what’s the vendor doing with that data,” “does my client consent cover this use,” and “if a model was trained on my client’s information, can I prove it was anonymized.”

Why This Matters Now, Not Later

Three forces are converging.

First, enforcement timelines have shortened. The CPPA’s ADMT rules don’t have a multi-year ramp the way GDPR did. Pre-use notice requirements kick in for the highest-risk uses in 2026. Risk assessments are due not long after. Businesses that wait until the deadline to start figuring out their AI footprint will be inventorying tools, vendors, and data flows under regulatory pressure rather than ahead of it.

Second, the cost structure of compliance has flipped. For large enterprises, an AI governance program is a line item. For a 50-person business, the cost of a single regulatory inquiry — legal review, data mapping, vendor outreach, response drafting — can easily run $40,000 to $80,000. That’s before any fines. The CPPA can issue administrative penalties of up to $7,500 per intentional violation, and “per violation” can mean per affected consumer.

Third, vendor accountability is weak. The owner of that Sacramento staffing firm called his AI screening vendor and asked for the documentation the CPPA wanted. The vendor’s answer was a security questionnaire and a SOC 2 report — neither of which addressed the substantive questions about training data, bias testing, or consumer notice. This is the norm, not the exception. Small business owners are discovering that the AI tools they bought to save time are now generating compliance obligations they have to meet on their own.

What to Do This Month

Three concrete actions, in order:

  1. Inventory every AI tool in use across your business. Not just the obvious ones. Marketing automation platforms with AI features turned on. CRMs with predictive scoring. Hiring platforms. Customer support tools. Document review software. Many businesses are surprised to find 15 to 25 tools in their stack that have an AI component. You can’t govern what you can’t see.

  2. For each tool, document four things: what consumer data it processes, what decisions it influences, what notices (if any) consumers receive, and what the opt-out process looks like. If any of those four fields is blank, that’s your priority list.

  3. Read your vendor contracts. Specifically, look for the data processing addendum, the indemnification clause, and any language about training data use. Most off-the-shelf AI tools have terms that leave the customer holding the bag for regulatory exposure. Knowing this now is better than learning it during an inquiry.

For businesses in scope of CCPA already, the AI inventory work folds into existing privacy program activity. For businesses that haven’t done a privacy assessment recently — or ever — this is the trigger.


Since 2002, centrexIT has been the IT and cybersecurity partner for businesses across the western U.S. AI governance is one of the fastest-moving compliance areas we help clients work through — from tool inventory to vendor review to consumer notice. Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/


The centrexIT team brings decades of combined IT expertise, helping San Diego businesses thrive with secure, reliable technology solutions.
