localwebadvisor
WIKI← Wiki home

Website Privacy Laws Explained: GDPR, CCPA and More

By FayUpdated Jul 9, 2026EVERGREEN
⚡ THE ANSWER

There is no single US privacy law for websites; instead, a growing patchwork of state laws applies based on whose data you collect. California's CCPA/CPRA leads, joined by comprehensive laws in Virginia, Colorado, Texas, and more than a dozen other states, most with revenue or volume thresholds that exempt very small businesses. Europe's GDPR applies only if you offer goods or services to people in the EU. Nearly every business site still needs an accurate privacy policy, because collecting form data and analytics triggers disclosure duties.

CCPA thresholds
Applies to for-profit businesses meeting tests such as over $25 million annual revenue or data on 100,000+ California consumers or households (California Privacy Protection Agency)
State law count
Roughly 20 US states have enacted comprehensive consumer privacy laws (IAPP state privacy legislation tracker)
GDPR maximum fines
Up to 20 million euros or 4% of global annual revenue, whichever is higher (GDPR, Article 83)
Breach notification
All 50 US states have data breach notification laws requiring notice to affected residents (National Conference of State Legislatures)

The Short Answer: Which Laws Apply to a Small US Business #

Privacy law applies based on whose data you collect, not where your office sits. A plumber in Ohio with a contact form collects data from whoever visits, and the applicable rules follow those visitors. The good news for genuinely small businesses: the comprehensive state laws carry thresholds. California's CCPA/CPRA applies to for-profit businesses that exceed $25 million in annual revenue, or handle personal information of 100,000 or more California consumers or households, or earn half their revenue selling or sharing personal data. Most other state laws use similar volume tests, commonly 100,000 residents processed, so a typical small site falls under none of them. What still applies broadly: California's older CalOPPA effectively requires a privacy policy on any site collecting personal information from Californians, all fifty states have breach notification laws, and the FTC can act against companies whose privacy promises are deceptive.

What Personal Data Does a Typical Small-Business Site Collect? #

More than most owners realize, and an honest inventory is the foundation of every other privacy task. Walk through your site as a visitor. Contact and quote forms collect names, emails, phone numbers, and often addresses. E-commerce checkout collects billing and shipping details, and your payment provider handles card numbers. Newsletter signups collect emails and feed them to a marketing platform. Google Analytics or similar tools collect device information, approximate location, and browsing behavior via cookies or scripts. Advertising pixels from Meta or Google share visitor behavior with those companies, which several state laws treat as selling or sharing data. Chat widgets, booking tools, and review plugins each collect their slice. Server logs quietly record IP addresses. Write this inventory down, what you collect, why, where it goes, and how long you keep it, because your privacy policy is essentially this list translated into plain English.

CCPA and CPRA: California Sets the Pace #

California passed the first comprehensive US consumer privacy law, the CCPA, effective 2020, and strengthened it with the CPRA amendments effective 2023, which also created a dedicated regulator, the California Privacy Protection Agency. Covered businesses must tell consumers what personal information they collect and why, honor rights to access, delete, and correct that information, allow opt-outs from the sale or sharing of personal data, including sharing for targeted advertising, and respect opt-out signals like Global Privacy Control in the browser. Sites that sell or share data must post a link commonly titled Do Not Sell or Share My Personal Information. Even if your business sits under the thresholds today, California matters for two reasons: other states copy its structure, and vendors and partners increasingly expect CCPA-style practices contractually. Building your privacy practices to a California-shaped template is the safest long-term posture for a growing US business.

The Other State Laws: Virginia, Colorado, Texas, and Beyond #

Since 2023, comprehensive privacy laws have taken effect in a steady march of states: Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and more, with roughly twenty states enacted at this writing. They share a common skeleton: consumers get rights to access, correct, delete, and port their data, plus opt-outs from targeted advertising, data sales, and significant profiling; businesses must post clear privacy notices, limit collection to what is reasonably necessary, and obtain consent for sensitive data like health information or precise geolocation. Differences hide in the details. Texas applies to nearly any business that is not a small business under SBA definitions, a much lower bar than volume thresholds elsewhere. Colorado and others require honoring universal opt-out signals. Enforcement sits with state attorneys general, usually with a cure period to fix violations first. The practical takeaway: one well-built privacy program can satisfy essentially all of them.

Does GDPR Apply to a US Small Business? #

Usually not, and it is worth being precise, because GDPR anxiety drives many US owners to adopt burdens they do not have. The GDPR applies to organizations outside the EU only when they offer goods or services to people in the EU or monitor their behavior there. The test is targeting, not accessibility: the mere fact that Europeans can load your website does not trigger it. Signals that you are targeting the EU include pricing in euros, shipping to EU countries, EU-language versions of your site, or marketing aimed at European customers. A local service business or a store that ships only within the US is almost certainly outside GDPR's reach. If you do serve EU customers, obligations include a lawful basis for processing, consent before non-essential cookies, data subject rights handling, and potentially an EU representative. Fines can reach 20 million euros or 4% of global revenue, but enforcement against small US businesses with no EU presence is, practically, not where regulators spend effort.

What Belongs in Your Privacy Policy? #

A privacy policy is a plain-language disclosure of your actual practices, and accuracy matters more than length: the FTC treats false privacy promises as deceptive practices. Cover these elements: what personal information you collect, including via forms, cookies, analytics, and pixels; why you collect it; who you share it with, naming categories like payment processors, shipping carriers, and advertising platforms; how long you keep it; what rights users have and how to exercise them; how you handle children's data if relevant, since COPPA applies under age 13; your contact information; and an effective date with a change process. Our free Privacy Policy Generator builds a policy from these exact inputs, tailored to what your site actually runs.

Privacy policy skeleton
1. What we collect (forms, cookies, analytics)
2. Why we collect it (orders, support, marketing)
3. Who we share it with (processors, carriers, ads)
4. How long we keep it
5. Your rights and how to exercise them
6. Children's privacy (COPPA)
7. Contact + effective date

Here is a fact that surprises many owners: no US law requires the accept-all cookie banner you see everywhere. Those banners are a GDPR and European import, where prior consent for non-essential cookies is mandatory. US state laws take an opt-out approach instead: you must disclose tracking in your privacy policy and give consumers a way to opt out of targeted advertising and data sales, including honoring browser-level signals like Global Privacy Control in states such as California and Colorado. So a US-only small business generally needs disclosure plus an opt-out mechanism, not a consent wall. When does a consent banner make sense anyway? If you meaningfully serve EU customers, if your ad platforms contractually require consent signals, or if you simply prefer the transparency. If you do deploy one, configure it honestly: banners that say they block trackers while scripts fire anyway create exactly the deceptive-practice exposure they were meant to prevent.

Data Breaches: The Basics Every Owner Should Know #

All fifty states have breach notification laws. The common core: if personal information you hold, typically names combined with Social Security numbers, driver's license numbers, financial account details, or medical information, is accessed or acquired without authorization, you must notify affected residents, and in many states the attorney general, within a defined window, often around 30 to 60 days. Definitions and deadlines vary by state, and you owe notice under the law of each affected resident's state, not yours. Prevention is cheaper than notification: collect only data you need, delete what you no longer use, keep your platform and plugins patched, require multi-factor authentication on admin accounts, encrypt data in transit with HTTPS, and vet the vendors who hold your customer data, because their breach becomes your notification duty. Have a simple written plan naming who you will call, technical help, legal counsel, and your insurer, before you ever need it.

When to Get Help, and a Necessary Caveat #

The sensible sequence for a small business: inventory what you collect, publish an accurate policy, and add an opt-out path if you run advertising pixels. Our free Privacy Policy Generator handles the disclosure step, and our free Website Grader will flag missing HTTPS and other technical basics that privacy laws and common sense both expect. Bring in professionals when stakes rise: you approach state-law thresholds, sell to EU customers, handle health or children's data, or suffer a suspected breach, where notification deadlines make speed essential. Our website security services cover the preventive layer, hardening, monitoring, patching, and access controls, that keeps customer data out of the wrong hands in the first place. The essential caveat: this article is general information, not legal advice, and privacy regulations change frequently, with new state laws taking effect nearly every year, so consult a qualified privacy attorney for decisions specific to your business.

FAQ

My business is tiny. Do I really need a privacy policy?

Almost certainly yes. Even if the comprehensive state laws' thresholds exempt you, California's CalOPPA effectively requires a policy on any site collecting personal information from California residents, and third parties you rely on, Google Analytics, Meta pixels, email platforms, contractually require you to post one. Our free Privacy Policy Generator makes this the easiest compliance task you will complete this year.

Does using Google Analytics mean I am selling data?

It can, under some state definitions. California treats sharing personal information for cross-context behavioral advertising as regulated sharing, and advertising features in analytics tools can cross that line. Standard measurement configured with IP anonymization and without advertising signals is lower risk. Disclose analytics in your privacy policy either way, and if you run ad pixels, provide an opt-out mechanism.

Do I need one of those cookie consent banners?

For a US-only audience, generally no law forces the European-style accept-all banner. US state laws require disclosure and opt-out rights rather than prior consent. You likely want a banner if you serve EU visitors deliberately, if your advertising platforms require consent signals, or as a transparency choice. If you use one, ensure it actually controls the scripts it claims to.

What counts as personal information under these laws?

More than names and emails. State laws define personal information broadly: identifiers like IP addresses and device IDs, geolocation, browsing activity linked to a person or household, purchase history, and inferences drawn from any of it. Sensitive categories, health data, precise location, biometrics, and data about children, carry extra obligations, often requiring consent before collection.

What should I do first if I suspect a data breach?

Move quickly and in order: contain the incident by changing credentials and isolating affected systems, preserve logs rather than deleting anything, and contact legal counsel and your cyber insurer early, because notification clocks in many states start at discovery and can be as short as 30 days. Then determine whose data was involved, since each affected resident's state law governs their notice.

Is the information in this article legal advice?

No. This is general educational information about a fast-moving area, not legal advice, and privacy laws change frequently, with new state statutes and regulations taking effect nearly every year. Thresholds, definitions, and deadlines summarized here can shift. For decisions about your specific obligations, especially near thresholds or after an incident, consult a qualified privacy attorney.

Was this helpful?