Compliance

What data privacy regulations apply to my business?

A practical guide to CCPA, CPRA, GDPR, state privacy laws, and industry-specific regulations — what they require and how to comply.

centrexIT Team 8 min read

Key Takeaways

  • CCPA/CPRA applies if you do business in California with $25M+ revenue, 100K+ consumer records, or 50%+ revenue from data sales
  • 20+ US states now have comprehensive privacy laws — and a federal law is likely coming
  • GDPR applies to any business handling EU resident data, regardless of where your company is located
  • Core rights across all privacy laws: access, deletion, correction, opt-out of data sales
  • Start with data mapping — you can't protect or manage data you don't know you have

Data privacy law used to be a big-company problem. That’s no longer the case. If you collect customer names, email addresses, purchase history, or really any personal information, there’s a growing web of regulations you need to understand. Let’s cut through the complexity and focus on what actually matters for your business.

Why Should Small Businesses Care About Data Privacy?

Three reasons this isn’t something you can ignore:

  1. The fines are real. CCPA violations can cost $7,500 per intentional violation. GDPR fines can reach 4% of global annual revenue. These aren’t theoretical — regulators are actively enforcing.

  2. Customers care. Consumer surveys consistently show that a large majority of people are concerned about how companies use their data. Privacy practices are becoming a competitive differentiator.

  3. The trend is only going one direction. More states are passing privacy laws every year. If you build good practices now, you’ll be ready no matter what comes next.

CCPA / CPRA: California’s Privacy Framework

Full name: California Consumer Privacy Act (as amended by the California Privacy Rights Act)

Effective: January 1, 2020 (CCPA); January 1, 2023 (CPRA amendments)

Enforcement: California Privacy Protection Agency (CPPA)

Does CCPA Apply to You?

CCPA applies if you do business in California AND meet any one of these thresholds:

  • Annual gross revenue over $25 million
  • Buy, sell, or share personal information of 100,000+ California residents, households, or devices
  • Derive 50% or more of revenue from selling or sharing personal information

Key point

“Doing business in California” is interpreted broadly. If you have California customers and meet a threshold, you’re likely covered — even if your office is in another state.

What CCPA/CPRA Requires

  • Right to know — consumers can request what personal data you collect and how you use it
  • Right to delete — consumers can request deletion of their personal data
  • Right to opt-out — consumers can opt out of the sale or sharing of their personal data
  • Right to non-discrimination — you can’t treat consumers differently for exercising privacy rights
  • Right to correct — consumers can request correction of inaccurate personal information
  • Right to limit — consumers can limit the use of sensitive personal information
  • Privacy policy — publicly available policy explaining your data practices
  • Data minimization — only collect data that’s reasonably necessary for the stated purpose
  • “Do Not Sell or Share” link — prominent link on your website if you sell or share personal information

CCPA Penalties

| Violation Type | Penalty |
| --- | --- |
| Unintentional violation | $2,500 per violation |
| Intentional violation | $7,500 per violation |
| Data breach (private right of action) | $100 - $750 per consumer per incident |

Those “per violation” numbers add up fast. If a single data practice violates the law and affects 10,000 consumers, the math gets very uncomfortable very quickly.

The State Privacy Law Landscape

The US doesn’t have a single federal privacy law (yet), but states are filling the gap rapidly. Comprehensive privacy laws are active or enacted in more than 20 states:

| State | Law | Effective Date | Key Threshold |
| --- | --- | --- | --- |
| California | CCPA/CPRA | 2020/2023 | $25M revenue or 100K consumers |
| Virginia | VCDPA | Jan 2023 | 100K consumers or 25K+ with 50% revenue from data sales |
| Colorado | CPA | Jul 2023 | 100K consumers or 25K+ with revenue from data sales |
| Connecticut | CTDPA | Jul 2023 | 100K consumers or 25K+ with 25% revenue from data sales |
| Utah | UCPA | Dec 2023 | $25M revenue and 100K consumers |
| Texas | TDPSA | Jul 2024 | Doing business in Texas (no revenue threshold) |
| Oregon | OCPA | Jul 2024 | 100K consumers or 25K+ with 25% revenue from data sales |
| Montana | MCDPA | Oct 2024 | 50K consumers (lower threshold) |
| Florida | FDBR | Jul 2024 | $1B revenue and specific data activities |
| Delaware | DPDPA | Jan 2025 | 35K consumers (lower threshold) |
| New Jersey | NJDPA | Jan 2025 | 100K consumers or 25K+ with revenue from data sales |
| Iowa | ICDPA | Jan 2025 | 100K consumers or 25K+ with 50% revenue from data sales |
| Tennessee | TIPA | Jul 2025 | $25M revenue and 175K consumers |
| Indiana | IDPA | Jan 2026 | 100K consumers or 25K+ with 50% revenue from data sales |

And more states are adding laws every legislative session. If your business serves customers across multiple states, you may be subject to several of these simultaneously.

The Common Thread

Despite differences in thresholds and details, these laws share common ground:

  • Transparency — tell consumers what you collect and why
  • Consumer rights — access, delete, correct, and opt out
  • Data protection — implement reasonable security measures
  • Vendor management — contracts with processors who handle data on your behalf
  • Breach notification — timely notification when data is compromised

Why it matters

If you build your privacy program around these shared principles, you’ll be compliant — or very close to compliant — across most state laws without needing a completely different program for each one.

GDPR: When European Rules Apply to You

Full name: General Data Protection Regulation

Effective: May 25, 2018

Enforcement: Data Protection Authorities in each EU member state

Does GDPR Apply to You?

GDPR applies if:

  • You have an establishment in the EU, OR
  • You offer goods or services to people in the EU (even for free), OR
  • You monitor the behavior of people in the EU

The reach is broader than most businesses realize. If you have an e-commerce site that ships to Europe, use analytics that track EU visitors, or store data for even one EU customer, GDPR likely applies.

What GDPR Requires

  • Lawful basis for processing — you need a legal reason to collect and use personal data (consent, contract, legitimate interest, etc.)
  • Transparency — clearly tell people what data you collect and why
  • Right to access — individuals can request a copy of their data
  • Right to erasure (“right to be forgotten”) — individuals can request deletion
  • Right to portability — individuals can request their data in a portable format
  • Right to object — individuals can object to certain types of processing
  • Data Protection Impact Assessments — assess risks for high-risk processing activities
  • Breach notification — report breaches to authorities within 72 hours
  • Data Protection Officer — required for organizations that process personal data on a large scale
  • Privacy by design — build privacy into your systems and processes from the start

GDPR Penalties

  • Lower tier: Up to 10 million euros or 2% of global annual revenue
  • Upper tier: Up to 20 million euros or 4% of global annual revenue (whichever is higher)

EU regulators have fined companies of all sizes, not just tech giants. Small and mid-sized businesses have been penalized for violations like inadequate consent mechanisms, failure to respond to access requests, and insufficient security measures.

Industry-Specific Privacy Requirements

Beyond state and international laws, certain industries have their own privacy requirements that layer on top of general privacy regulations:

| Industry | Regulation | What It Covers | Key Privacy Requirement |
| --- | --- | --- | --- |
| Healthcare | HIPAA | Patient health information | Authorization for use and disclosure, minimum necessary standard |
| Financial services | GLBA | Customer financial information | Privacy notices, opt-out rights, safeguards rule |
| Education | FERPA | Student education records | Consent for disclosure, access rights for parents/students |
| Children’s data | COPPA | Online data from children under 13 | Verifiable parental consent, data minimization |
| Payment cards | PCI DSS | Cardholder data | Data protection standards, access controls |
| Life sciences | FDA 21 CFR Part 11 | Electronic records and signatures | Data integrity, audit trails, access controls |

Key point

If you’re in one of these industries, the industry-specific regulation typically adds requirements on top of general privacy laws. You need to comply with both.

What Personal Data Are We Talking About?

“Personal data” and “personal information” are defined broadly in most privacy laws. It’s wider than you might think.

Obviously Personal

  • Names, email addresses, phone numbers
  • Mailing addresses
  • Social Security numbers
  • Driver’s license numbers
  • Financial account numbers

Less Obviously Personal

  • IP addresses
  • Device identifiers and advertising IDs
  • Cookie data and browsing history
  • Purchase history
  • Location data (even approximate)
  • Employment and education history

Sensitive Personal Information (Higher Protection)

Most privacy laws create a special category for sensitive data requiring additional safeguards:

  • Social Security numbers and government IDs
  • Financial account numbers with access credentials
  • Precise geolocation data
  • Racial or ethnic origin
  • Religious beliefs
  • Health information (outside of HIPAA)
  • Sexual orientation
  • Biometric data used for identification
  • Children’s data

Sensitive data generally requires explicit consent or a stronger legal basis for collection, and consumers have the right to limit how it’s used.

Practical Compliance Steps

Here’s a roadmap for getting your business into compliance. You don’t need to hire a law firm to get started — though you should consult one for specifics.

Step 1: Map Your Data

You cannot protect data you don’t know you have. Document the following:

  • What personal data do you collect? (names, emails, payment info, browsing data, etc.)
  • Where does it come from? (website forms, purchases, third parties, employee records)
  • Where is it stored? (CRM, email, databases, spreadsheets, cloud apps, filing cabinets)
  • Who has access to it? (employees, vendors, partners)
  • How long do you keep it? (forever? a defined retention period?)
  • Who do you share it with? (marketing platforms, analytics tools, payment processors, partners)

This data inventory is the foundation of your entire privacy program. A spreadsheet works fine. But it needs to be thorough and kept up to date.

Step 2: Write (or Rewrite) Your Privacy Policy

Your privacy policy needs to clearly explain:

  • What personal information you collect and the categories of sources
  • Why you collect it (the specific business purposes)
  • How you use it
  • Who you share it with and why
  • How consumers can exercise their rights (access, delete, correct, opt out)
  • How you protect the data
  • How long you retain each category of data
  • How to contact you with privacy questions or complaints

Example of what to avoid

Generic, copy-pasted privacy policies that don’t reflect your actual practices. An inaccurate privacy policy can itself be a violation. If your policy says “we don’t share data with third parties” but you use Google Analytics and a third-party email marketing platform, that’s a problem.

Step 3: Build Consumer Rights Request Processes

You need a documented, repeatable process for handling consumer requests:

  • Access requests — provide a copy of personal data within the required timeframe (typically 30-45 days)
  • Deletion requests — verify the requester’s identity, then delete data across all systems (including backups where feasible)
  • Opt-out requests — stop selling or sharing personal data for that consumer, including cookie-based tracking
  • Correction requests — update inaccurate records when consumers identify errors

For most small businesses, this doesn’t require expensive software. A dedicated email address (privacy@yourcompany.com), a web form, and a documented internal workflow can suffice. What matters is that you have a process, you follow it consistently, and you meet the response deadlines.

Step 4: Implement Reasonable Security Measures

Every privacy law requires “reasonable” security for personal data. While the exact definition varies, the core expectations are consistent:

  • Access controls — limit who can access personal data to those who need it for their job
  • Encryption — encrypt sensitive data at rest and in transit
  • Multi-factor authentication — especially for systems containing personal data
  • Monitoring and logging — log and review access to systems containing personal data
  • Patch management — keep systems and software up to date
  • Employee training — educate staff on data handling and security practices
  • Incident response — have a tested plan for responding to data breaches
  • Endpoint protection — deploy EDR or advanced antivirus on all devices

Step 5: Manage Your Vendors

If third parties process personal data on your behalf — and they almost certainly do (email marketing, CRM, cloud storage, analytics, payment processing) — you need:

  • Data processing agreements — contracts specifying how vendors can use and must protect the data
  • Security assessments — verify that vendors maintain adequate security
  • Vendor inventory — maintain a current list of all vendors who access personal data
  • Regular reviews — periodically reassess vendor security and compliance

Why it matters

You are responsible for how your vendors handle data you share with them. “We didn’t know our vendor was misusing the data” is not a defense under any privacy law.

Step 6: Set Up Breach Notification Procedures

Almost every privacy law requires notification when personal data is compromised. Before a breach happens, prepare:

  • An incident response plan — who does what, in what order, and who makes the call
  • Notification templates — pre-drafted notices for consumers and regulators that can be customized quickly
  • Regulatory deadlines — know the notification timeframes (72 hours for GDPR, varies by state for US laws — some are as short as 30 days)
  • Contact lists — legal counsel, forensics firm, cyber insurance carrier, applicable regulators
  • Documentation procedures — record everything about the incident and your response

Step 7: Establish Data Retention and Deletion Policies

Most privacy laws require that you only keep personal data as long as you have a legitimate business need. Define:

  • How long each category of data is retained
  • What triggers deletion (end of retention period, customer request, contract termination)
  • How deletion is verified across all systems (including backups)
  • Who is responsible for executing and confirming deletion
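One way to turn the Step 7 triggers and the cross-system deletion check (fed by the Step 3 deletion requests) into a repeatable sweep, as an added example that is not from the original article. The data categories, retention periods, consumer IDs and system names are constructed assumptions for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Retention schedule per data category: constructed example values for this
# illustration, not a recommendation for any particular business.
RETENTION_DAYS = {
    "marketing_contact": 365,      # one year after last engagement
    "order_history": 7 * 365,      # kept longer for tax/accounting needs
    "support_ticket": 2 * 365,
}


@dataclass
class Record:
    record_id: str
    category: str
    subject_id: str                 # the consumer the record belongs to
    last_activity: date             # date the retention clock starts from
    systems: set = field(default_factory=set)   # every place a copy lives


def deletion_reasons(record, today, deletion_requests, terminated_contracts):
    """Return the Step 7 triggers that apply to one record (empty list = keep)."""
    reasons = []
    if (today - record.last_activity).days > RETENTION_DAYS[record.category]:
        reasons.append("retention_expired")
    if record.subject_id in deletion_requests:
        reasons.append("consumer_request")       # Step 3 deletion request
    if record.subject_id in terminated_contracts:
        reasons.append("contract_terminated")
    return reasons


def retention_sweep(records, today, deletion_requests=(), terminated_contracts=()):
    """Classify records as due for deletion (with reasons) or needing review."""
    due, needs_review = {}, []
    for rec in records:
        # A category with no retention rule is never silently kept: report it
        # so the data map from Step 1 can be corrected.
        if rec.category not in RETENTION_DAYS:
            needs_review.append(rec.record_id)
            continue
        reasons = deletion_reasons(rec, today, set(deletion_requests), set(terminated_contracts))
        if reasons:
            due[rec.record_id] = reasons
    return due, needs_review


def verify_deletion(record, confirmed_systems):
    """Systems that held a copy but have not confirmed deletion (empty set = verified)."""
    return record.systems - set(confirmed_systems)


# Constructed sample inventory; system names are hypothetical.
TODAY = date(2025, 3, 1)
SAMPLE_RECORDS = [
    Record("r1", "marketing_contact", "c-100", date(2023, 12, 1), {"crm", "mail_platform", "backup"}),
    Record("r2", "order_history", "c-200", date(2024, 6, 15), {"orders_db", "backup"}),
    Record("r3", "support_ticket", "c-300", date(2024, 9, 1), {"helpdesk"}),
    Record("r4", "legacy_export", "c-400", date(2019, 1, 1), {"shared_drive"}),
]

if __name__ == "__main__":
    due, review = retention_sweep(SAMPLE_RECORDS, TODAY, deletion_requests=["c-200"])
    print("due for deletion:", due)          # r1 expired, r2 requested by consumer
    print("needs review:", review)           # r4 has no retention rule
    print("outstanding for r1:", verify_deletion(SAMPLE_RECORDS[0], ["crm", "mail_platform"]))
```

The sweep only reports; actually deleting from each system and recording who confirmed it is the part the policy assigns to a named owner.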

Step 8: Train Your People

Your employees handle personal data every day. They need to understand:

  • What personal data is and why protecting it matters
  • Your company’s data handling and privacy policies
  • How to recognize and respond to consumer rights requests
  • What to do if they suspect a data breach
  • Secure practices (not emailing spreadsheets of customer data, not storing personal data on personal devices, etc.)

Annual training at minimum, with refreshers when policies change or new regulations take effect.

Common Privacy Mistakes Small Businesses Make

1. Collecting Data You Don’t Need

Every piece of data you collect is data you need to protect, manage, and potentially delete on request. Practice data minimization — only collect what you actually need for a specific, stated business purpose. That “nice to have” field on your signup form? Remove it if you don’t have a real use for it.

2. Keeping Data Forever

If you don’t have a retention policy, you’re keeping data indefinitely. That increases your risk surface and your compliance burden. Define how long you keep each type of data and delete it when the retention period expires.

3. Ignoring Website Tracking

Cookies, analytics tools, advertising pixels, and chat widgets all collect personal data. If you use Google Analytics, Meta Pixel, or similar tools, you’re collecting data that privacy laws regulate. Implement a cookie consent banner and honor opt-out requests.

4. Using Personal Devices and Accounts for Business Data

When employees use personal email, messaging apps, or cloud storage for business data, you lose control and visibility. You can’t respond to a deletion request if the data is in someone’s personal Gmail.

5. No Vendor Oversight

You’re responsible for how your vendors handle data you share with them. Conduct due diligence and put data processing agreements in place.

6. Assuming “We’re Too Small”

Enforcement agencies have pursued businesses of all sizes. Consumer complaints don’t filter by revenue. And data breaches don’t discriminate by company size. The Texas privacy law, notably, has no revenue threshold at all.

The Federal Privacy Outlook

As of early 2025, there is no comprehensive federal privacy law in the US. Several have been proposed — the American Data Privacy and Protection Act (ADPPA) came close to passage — but disagreements over state preemption and private right of action have stalled progress.

A federal law would likely:

  • Establish uniform national standards
  • Preempt some (but possibly not all) state laws
  • Provide consumers with consistent rights across all states
  • Simplify compliance for businesses operating in multiple states

Planning advice

Don’t wait for a federal law. If you build your privacy program around the core principles that all current laws share — transparency, consumer rights, reasonable security, data minimization, and vendor management — you’ll be well-positioned for whatever comes next.

Privacy Compliance and Your IT Provider

Your IT provider is central to privacy compliance because they manage the systems where personal data lives. Here’s what they should bring to the table:

What Your IT Provider Should Help With

  • Data security — implementing technical controls required by privacy laws
  • Access management — ensuring only authorized people access personal data
  • Encryption — protecting data at rest and in transit
  • Monitoring and logging — detecting unauthorized access to personal data
  • Data retention automation — implementing scheduled deletion policies
  • Breach detection and response — identifying incidents and supporting notification timelines
  • Vendor security assessment — evaluating the security posture of cloud and SaaS vendors

Questions to Ask Your IT Provider

  1. Can you help us identify where personal data is stored across our systems?
  2. How do you ensure data is encrypted at rest and in transit?
  3. Can you implement role-based access controls to limit who sees personal data?
  4. Do you provide logging and monitoring for data access?
  5. What’s your process for detecting and notifying us of potential breaches?
  6. Can you support data deletion requests across all our systems?
  7. Do you assess the security of our cloud and SaaS vendors?

Red Flags

  • They can’t tell you where your data is stored
  • They have no encryption strategy
  • They don’t offer access controls or audit logging
  • They have no breach notification process
  • They’ve never heard of CCPA or GDPR

The Bottom Line

Data privacy regulation is here to stay, and it’s expanding. The patchwork of state laws, international regulations, and industry-specific requirements can feel overwhelming. But the fundamentals are consistent and straightforward:

  1. Know what data you have and where it lives
  2. Tell people what you collect and why
  3. Give people control over their data
  4. Protect the data with reasonable security
  5. Manage your vendors
  6. Be ready for breaches
  7. Retain data only as long as you need it
  8. Train your people

Start with data mapping. Everything else builds from there. And if you’re not sure which laws apply to your specific situation, a consultation with a privacy attorney is money well spent — especially if you serve customers in multiple states or internationally.


Need help implementing the technical side of data privacy compliance? centrexIT helps businesses secure personal data, manage access controls, and build the IT infrastructure that privacy regulations require. Contact us for a consultation.
