Most business owners hear “privacy laws” and immediately think: that’s for big companies. Facebook. Google. The kind of company that has a legal department and a PR team and enough data to fill a server farm.
Not a ten-person professional services firm with a contact form and a Google Analytics tag.
I get it. But that assumption is wrong — and it’s an expensive assumption to hold onto. If you have a website that collects any information about visitors, privacy laws almost certainly apply to you. The question isn’t whether you need to comply. It’s whether you know what compliance actually looks like.
This post is my attempt to change that.
Why this feels like someone else’s problem
The laws that get the most attention — GDPR in Europe, CCPA in California — were written in response to the behavior of large technology companies. The news coverage focused on Google and Facebook and data brokers. The fines that made headlines were in the millions and billions.
So the mental model most small business owners developed was: these laws exist to regulate big tech. I run a small business. I’m not doing anything sketchy with data. This doesn’t apply to me.
Here’s the problem with that logic. These laws aren’t written to regulate intent — they’re written to regulate behavior. And the behavior they regulate is collecting personal information from website visitors. Which is almost certainly something your website does, whether you realize it or not.
What “collecting data” actually means
You don’t have to run a data brokerage for your website to be collecting personal information. Here’s what counts:
- A contact form. When someone fills out your contact form, they’re submitting their name, email address, and often a phone number or message. That’s personal data.
- Google Analytics. The standard Google Analytics tag tracks IP addresses, browsing behavior, and device information. That counts as collecting personal data under most privacy laws — even if you never look at it at an individual level.
- Newsletter signups. If you have an email list, you’re storing names and email addresses. Personal data.
- Cookies. Many website plugins set cookies that track visitor behavior. If your site uses them — and most WordPress sites do — you’re collecting data.
- A booking or appointment system. Names, contact details, sometimes payment information. All of it falls under the scope of privacy regulations.
The realistic picture for most small business websites: you are collecting personal data. Probably in several ways simultaneously. And you may have no idea it’s happening, because a lot of it runs in the background through plugins and third-party tools that were installed without much thought about what they were actually doing.
Which laws actually apply to you
This is where it gets complicated — and where most small business owners give up and decide to ignore the whole thing.
Privacy law isn’t a single federal standard in the United States. It’s a patchwork of state laws, each with its own requirements, thresholds, and definitions. On top of that, international laws like GDPR (Europe) and PIPEDA (Canada) can apply to US-based businesses if their website is accessible to visitors from those regions. Which, if your website is on the public internet, it is.
Here’s what that means practically:
- GDPR (General Data Protection Regulation) applies to any business that processes personal data of people located in the European Union — regardless of where the business itself is based. It requires explicit consent for data collection, a clear privacy policy, and the ability to honor requests to access or delete personal data.
- CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act) applies to businesses that collect personal data from California residents and meet certain thresholds. California is the most populous state in the country — the odds that none of your website visitors are from California are essentially zero.
- State-level laws are multiplying fast. As of 2026, over 20 US states have passed comprehensive privacy legislation. Virginia, Colorado, Connecticut, Texas, Oregon — the list keeps growing. Each has slightly different requirements. The trajectory is clear: this is becoming a national standard built law by law.
The uncomfortable reality is that you don’t get to opt out of a law because you didn’t know about it. The laws don’t include an exemption for small businesses that had good intentions.
What compliance actually requires
At a minimum, a compliant website needs:
- A privacy policy that accurately describes what data you collect, why you collect it, who you share it with, how long you keep it, and what rights visitors have over their data. A generic template you found for free online almost certainly doesn’t meet the current requirements — because privacy laws are updated frequently, and generic templates don’t update with them.
- A terms of service that governs the relationship between your website and its users.
- Cookie consent that gives visitors the ability to opt out of non-essential tracking before it happens — not after.
- A process for responding to data requests. Under most privacy laws, individuals have the right to request access to their data, request that it be deleted, or opt out of certain types of data processing. You need a way to honor those requests.
None of this has to be complicated. But it does have to be accurate, up to date, and specific to what your website actually does.
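The cookie-consent requirement above (opt out of non-essential tracking before it happens, not after) is the one item on that list that is implemented in code rather than in a document. As an added example, not code from the original post and not part of Termageddon or any plugin, here is the shape of a consent-gated script loader: every non-essential tag stays off until the visitor explicitly opts in, a stored choice from an older policy version is treated as no consent, and malformed storage fails closed. The storage key, the script catalog, the `G-XXXXXXX` measurement ID and the button element ID are assumed placeholders.

```javascript
// Consent-gated tag loading (added example; assumptions are marked).
// Principle: the default state is "no consent", and only scripts in the
// "essential" category load before the visitor has made a choice.

const CONSENT_KEY = "site_consent_v1"; // assumed localStorage key
const CONSENT_VERSION = 1;             // bump when the privacy policy changes

// Default record: nothing non-essential may run.
function defaultConsent() {
  return { version: CONSENT_VERSION, analytics: false, marketing: false, decidedAt: null };
}

// Parse a stored consent record. Anything malformed, missing, or recorded
// under an older policy version is treated as "no consent", so tracking
// never runs on a stale or tampered choice.
function parseConsent(raw) {
  if (typeof raw !== "string") return defaultConsent();
  try {
    const obj = JSON.parse(raw);
    if (!obj || obj.version !== CONSENT_VERSION) return defaultConsent();
    return {
      version: CONSENT_VERSION,
      analytics: obj.analytics === true,
      marketing: obj.marketing === true,
      decidedAt: typeof obj.decidedAt === "string" ? obj.decidedAt : null,
    };
  } catch (e) {
    return defaultConsent();
  }
}

// Serialize a visitor's choice together with the policy version and a
// timestamp, so the record can be re-validated and shown on request.
function recordConsent(choices, now = new Date()) {
  return JSON.stringify({
    version: CONSENT_VERSION,
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
    decidedAt: now.toISOString(),
  });
}

// Decide which script URLs may load: essential ones always, every other
// category only when the consent record says true for that category.
function scriptsToLoad(consent, catalog) {
  return catalog
    .filter(s => s.category === "essential" || consent[s.category] === true)
    .map(s => s.src);
}

// Constructed catalog; the gtag measurement ID is a placeholder.
const SCRIPT_CATALOG = [
  { src: "/js/app.js", category: "essential" },
  { src: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX", category: "analytics" },
  { src: "https://example.invalid/ads.js", category: "marketing" },
];

// Browser glue: inject permitted scripts once, skipping any already present.
function applyConsent(consent) {
  if (typeof document === "undefined") return;
  for (const src of scriptsToLoad(consent, SCRIPT_CATALOG)) {
    if (document.querySelector(`script[src="${src}"]`)) continue;
    const el = document.createElement("script");
    el.src = src;
    el.async = true;
    document.head.appendChild(el);
  }
}

function init() {
  if (typeof window === "undefined") return; // not in a browser (e.g. under test)
  // With no stored choice this loads only the essential scripts.
  applyConsent(parseConsent(window.localStorage.getItem(CONSENT_KEY)));
  // Assumed banner button that opts the visitor in to analytics only.
  const btn = document.getElementById("consent-accept-analytics");
  if (btn) {
    btn.addEventListener("click", () => {
      const raw = recordConsent({ analytics: true, marketing: false });
      window.localStorage.setItem(CONSENT_KEY, raw);
      applyConsent(parseConsent(raw));
    });
  }
}

init();
```

The important property is the direction of the default: a missing, unreadable, or outdated record yields the same result as an explicit refusal, so a bug in the banner can only ever under-track, never track without consent. Pairing the stored record with a policy version also means a material change to your privacy policy automatically re-prompts returning visitors instead of silently reusing an old answer.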
What happens if you don’t comply
Enforcement against small businesses is less common than enforcement against large ones — but it happens, and the trend is moving in the wrong direction for people who are hoping to stay under the radar.
GDPR fines can reach €20 million or 4% of annual global revenue, whichever is higher. CCPA violations can be $2,500 per unintentional violation and $7,500 per intentional one. State attorneys general are increasingly active in enforcement.
But the more immediate risk for most small businesses isn’t a regulatory fine. It’s a private lawsuit. Privacy laws in many states include a private right of action — meaning individuals can sue businesses directly for violations without waiting for a regulatory body to act. Class action lawsuits targeting small businesses over cookie consent violations and inadequate privacy policies have become more common, and the legal costs of defending one — even if you win — are real.
The other risk is reputational. More people are paying attention to how businesses handle their data than they were five years ago. A privacy policy that’s clearly a generic placeholder, or a site that drops cookies before asking consent, signals to your visitors that you’re either not paying attention or don’t care.
Neither is a great look for a business trying to build trust.
What you can do about it
The reason most small business owners don’t comply isn’t that they don’t care — it’s that the path to compliance feels impossibly complicated. Hire a lawyer? Which lawyer? How much does that cost? How often do you have to update it?
The good news is that the compliance problem has been largely solved for small businesses, and it doesn’t require a lawyer on retainer.
I use and recommend Termageddon for every website I build. It’s a service that generates privacy policies, terms of service, and other legal documents that are specifically designed to update automatically as laws change. You answer questions about your website and how it operates, and Termageddon generates documents that reflect your actual data practices — not a generic one-size-fits-all template. When a new state passes a privacy law or an existing one gets updated, your policy updates too.
I’ve been using it long enough and recommend it often enough that I’ve gotten to know the team well — the co-founders are sharp people who genuinely care about making compliance accessible to small businesses. It’s one of those tools I’m glad exists because it solves a real problem that was previously either expensive or ignored.
It’s not a magic fix for every edge case — if you’re handling particularly sensitive data or operating in a highly regulated industry, a lawyer is still the right call. But for the vast majority of small business websites, Termageddon closes the gap between “I know I should deal with this” and actually dealing with it.
The bottom line
If you have a website, you’re almost certainly collecting personal data. If you’re collecting personal data, privacy laws almost certainly apply to you. And if you don’t have current, accurate legal documents in place, you’re carrying a risk you probably don’t realize you’re carrying.
The fix isn’t complicated. It just requires deciding to take it seriously.
If you want help making sure your website is set up correctly — from the technical side of cookie consent to the policies themselves — get in touch. It’s one of those things that’s much easier to do right from the start than to fix after something goes wrong.