The call that changes a Tuesday
Imagine you run a 22-person specialty retailer in Sacramento. You take customer email addresses at checkout, store credit card info through your payments processor, and run an email list out of Mailchimp. On a Tuesday morning, your operations manager forwards you a letter. It is from the Federal Trade Commission. They are asking questions about how you collect, store, and protect customer data.
You do not have a legal team. You do not have a CISO. You have a bookkeeper, a part-time tech guy who comes in on Thursdays, and a website built by your nephew in 2019. Now what?
This scenario is not hypothetical anymore. The FTC’s enforcement pattern through 2024 and 2025 has shifted in a way that matters for businesses with 10 to 150 employees — the kind of operation that used to fly under the regulatory radar. The agency is not only chasing Equifax-scale breaches. They are going after specific behaviors: collecting data you did not disclose, holding data longer than you said you would, and failing to apply security practices you claimed to have.
What is actually happening in FTC enforcement
Let’s look at the pattern, not the headlines. Across the past two years, the FTC has settled or filed actions against businesses in several categories that should concern owners of smaller operations.
According to the FTC’s own enforcement announcements, the agency has pursued companies for what it calls “unfair or deceptive practices” around data — and the definition of those terms has been expanding. The agency’s 2024 case against Avast resulted in a $16.5 million settlement over claims the company sold browsing data after telling customers it would protect their privacy. The December 2023 Rite Aid action banned the company from using facial recognition technology for five years over allegations of biased deployment and inadequate safeguards. The X-Mode/Outlogic settlement in 2024 prohibited the sale of sensitive location data.
These are large companies. But the FTC’s reasoning in these cases — and the resulting consent decrees — establishes expectations that apply to any business collecting consumer data. The principle is simple: if you said you would do something with data, do that. If you said you would not, do not. If you collected it for one purpose, do not use it for another without consent.
The FTC has also signaled it is looking at smaller actors. Reuters reported in 2024 on the agency’s expanding focus on data brokers and the businesses that supply them. Many of those suppliers are SMBs that do not think of themselves as being in the data business at all.
Layer on California’s CCPA/CPRA, Nevada’s SB 220 amendments, and Washington’s My Health My Data Act — and the result is a compliance environment where a 20-person business in the western U.S. now operates under a stack of overlapping rules that did not exist five years ago.
Why this matters for a 20-person company
Here is the part that gets missed. Large enterprises have legal departments that translate regulatory text into operational requirements. They have GRC teams that build the policies, train the staff, and produce the audit trails. Small businesses do not have any of that — but the rules apply anyway.
The operational gap is real. A business owner reads “reasonable security measures” in a regulation and reasonably asks: reasonable compared to what? The FTC’s consent decrees over the past two years have started to answer that question, even if the agency has not published a checklist. The pattern across recent settlements suggests “reasonable” includes:
- A written data inventory — what you collect, where it lives, who can access it
- A documented retention schedule — how long you keep each category of data, and when you delete it
- Access controls — not everyone in the company should be able to pull customer lists
- Vendor accountability — your payments processor, your email platform, and your CRM are all touching customer data on your behalf
- A breach response plan that exists in writing before you need it
- Truthful privacy disclosures — your privacy policy should describe what you actually do
None of this requires a Fortune 500 budget. All of it requires someone to own it. That is where most SMBs stall.
What to actually do this quarter
If you are a business owner in California, Nevada, Arizona, Washington, or Oregon and you have been putting this off, here is a reasonable sequence. Not perfect — reasonable.
1. Inventory what you have. Sit down for two hours with whoever knows your systems. Make a list of every place customer data lives: your CRM, your email platform, your accounting software, your shared drives, your point-of-sale, your scheduling tool. You cannot protect what you cannot name.
2. Read your own privacy policy. Most SMBs have a privacy policy their website builder generated in 2018. Read it. Does it describe what you actually do? If it says you never share data with third parties, but you hand customer email addresses to a third-party email platform every day, you have a problem the FTC has explicitly targeted.
3. Tighten access. Does your part-time bookkeeper really need access to your full customer database? Does the marketing intern need admin rights to the CRM? Role-based access is not a fancy concept — it is just deciding who needs what.
4. Talk to your vendors. Your payments processor, your email platform, your CRM, your cloud storage provider — each one has a data processing agreement they will send you on request. Get them on file. If a regulator asks, you will need them.
5. Write down what you would do in a breach. Two pages. Who gets called first. Who notifies customers. Who talks to the lawyer (and who that lawyer is). Most SMBs improvise this in the moment, badly. Writing it down once saves a week of chaos later.
6. Decide who owns this going forward. This is the one that matters most. Compliance work that nobody owns is compliance work that does not happen. For most 20-person businesses, this is either the owner, the operations manager, or an outside partner. Pick someone.
Common Questions
Does the FTC really go after small businesses?
The FTC’s largest actions get the headlines, but the agency’s enforcement docket includes plenty of smaller operations. Beyond the FTC itself, state attorneys general — California’s in particular — have shown willingness to pursue SMBs for CCPA violations. Assuming you are too small to matter is the wrong assumption.
What’s the difference between FTC requirements and state privacy laws like CCPA?
The FTC’s authority comes from Section 5 of the FTC Act, which targets unfair or deceptive practices nationwide. State laws like CCPA, Nevada’s SB 220, and Washington’s My Health My Data Act impose specific obligations on businesses meeting certain thresholds — typically based on revenue, data volume, or whether you sell consumer data. A business in California may be subject to both federal FTC scrutiny and state-level CCPA requirements simultaneously.
We use third-party platforms for everything. Aren’t they responsible?
Partially. Your vendors are responsible for their own security practices, and a good vendor will sign a data processing agreement that allocates responsibility clearly. But the FTC has been clear: if you collected the data, you remain accountable for what happens to it, even when a vendor is doing the actual processing.
How fast do we have to notify customers of a breach?
That depends on which laws apply to you. California’s notification timeline is “in the most expedient time possible and without unreasonable delay.” Some state laws specify 30, 45, or 60 days. Some sector-specific rules (like HIPAA for healthcare-adjacent businesses) impose their own timelines. Having a written response plan in advance is how you hit whichever deadline applies.
Do we need a privacy officer if we only have 20 employees?
Under CCPA, no formal privacy officer is required for most SMBs. But someone needs to own the function. In practice, this is often the owner, the operations manager, or an outsourced compliance/IT partner. The title matters less than the accountability.
Sources
- FTC Avast settlement details and $16.5M penalty: Federal Trade Commission, “FTC Order Will Ban Avast from Selling Browsing Data for Advertising Purposes, Require It to Pay $16.5 Million Over Charges the Firm Sold Such Data” (2024), https://www.ftc.gov/news-events/news/press-releases/2024/02/ftc-order-will-ban-avast-selling-browsing-data-advertising-purposes-require-it-pay-165-million-over
- FTC Rite Aid facial recognition ban: Federal Trade Commission, “Rite Aid Banned from Using AI Facial Recognition After FTC Says Retailer Deployed Technology without Reasonable Safeguards” (2023), https://www.ftc.gov/news-events/news/press-releases/2023/12/rite-aid-banned-using-ai-facial-recognition-after-ftc-says-retailer-deployed-technology-without
- X-Mode/Outlogic settlement on location data: Federal Trade Commission, “FTC Order Prohibits Data Broker X-Mode Social and Outlogic from Selling Sensitive Location Data” (2024), https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-order-prohibits-data-broker-x-mode-social-outlogic-selling-sensitive-location-data
- FTC focus on data brokers expanding: Reuters, “US FTC bans data broker X-Mode Social from selling sensitive location data” (2024), https://www.reuters.com/technology/cybersecurity/us-ftc-bars-data-broker-x-mode-social-selling-sensitive-location-data-2024-01-09/
- Washington My Health My Data Act overview: Washington State Office of the Attorney General, “My Health My Data Act” (2024), https://www.atg.wa.gov/my-health-my-data-act
The centrexIT team brings decades of combined IT expertise, helping San Diego businesses thrive with secure, reliable technology solutions.