LEGAL & COMPLIANCE

What Small Businesses Need to Know About GDPR and CCPA

June 19, 2026

Two Laws Most Small Business Owners Have Never Read

If you’ve heard of GDPR and CCPA, you probably associate them with headlines about Google or Meta being fined hundreds of millions of dollars. It’s easy to assume these laws were written for tech giants and don’t apply to your small business in Chelan or anywhere else. That assumption is worth revisiting carefully, because the reach of both regulations is broader than most people realize.

GDPR stands for the General Data Protection Regulation — a European Union law that went into effect in 2018. CCPA stands for the California Consumer Privacy Act, which took effect in 2020 and was strengthened in 2023 under the California Privacy Rights Act. These two laws have become the de facto baseline for privacy expectations across the web, and understanding the basics can save you from real business problems.

Does GDPR Apply to Your Small Business?

GDPR applies when you collect personal data from individuals in the European Union, regardless of where your business is located. If your website is accessible to EU visitors — which any website on the open internet is — and you process their data, GDPR technically applies to you.

In practice, EU regulators focus enforcement on large-scale data processors and companies with significant EU customer bases. A small local service business in Washington State that occasionally gets a website visit from Germany is unlikely to face GDPR enforcement action. But GDPR compliance is still worth pursuing for two reasons. First, the practices it requires — clear disclosures, honest data collection, user rights — are simply good business hygiene that builds trust. Second, GDPR-aligned practices are often baked into the terms of service of tools you probably already rely on, like Google Analytics or any email marketing platform, as a condition of using them.

The most relevant GDPR requirement for most small business websites is the obligation to have a clear, accurate privacy policy — and if you use cookies for analytics or advertising, to obtain meaningful consent before dropping those cookies on EU visitors’ browsers. A cookie consent banner that lets visitors accept or decline cookies before they’re set is the practical implementation of this requirement.
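As an added example (not code from the original post or from Manson Bay Digital), the gating logic behind such a banner in JavaScript: the analytics tag is loaded only after an explicit accept, a decline or an unreadable stored record loads nothing, and consent can be withdrawn. The storage object and the loader are passed in, and the storage key and record layout are assumptions, so the logic can be checked outside a browser.

```javascript
// Added example: consent gate that defers the analytics tag until the visitor
// explicitly accepts. `storage` (e.g. window.localStorage) and `loadAnalytics`
// (the function that injects the GA4 gtag script) are injected; the storage
// key and record layout below are assumptions, not any vendor's format.
const CONSENT_KEY = "cookie_consent";

function createConsentGate({ storage, loadAnalytics }) {
  let loaded = false;

  // Returns the stored record only if it is well-formed and explicit;
  // a missing, corrupted or unknown record counts as "no consent yet".
  function readConsent() {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec && ["accept", "decline"].includes(rec.choice) ? rec : null;
    } catch {
      return null;
    }
  }

  // The only place the tag is loaded; runs at most once per page view,
  // and never on a decline or when no valid record exists.
  function applyConsent() {
    const rec = readConsent();
    if (rec && rec.choice === "accept" && !loaded) {
      loaded = true;
      loadAnalytics();
    }
    return loaded;
  }

  function record(choice) {
    storage.setItem(CONSENT_KEY, JSON.stringify({ choice, at: Date.now() }));
    return applyConsent();
  }

  return {
    init: applyConsent,                         // call on page load
    needsBanner: () => readConsent() === null,  // show banner only without a valid record
    accept: () => record("accept"),
    decline: () => record("decline"),
    withdraw: () => { storage.removeItem(CONSENT_KEY); }, // consent must be revocable
    isLoaded: () => loaded,
  };
}

// Browser wiring (not executed here):
//   const gate = createConsentGate({ storage: window.localStorage, loadAnalytics: injectGtag });
//   gate.init(); if (gate.needsBanner()) showBanner(gate);
```

Withdrawing consent clears the record for the next page view; cookies the tag already set in the current view still need to be expired separately.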

Does CCPA Apply to Your Small Business?

CCPA applies to businesses that collect personal information from California residents. However, it includes specific thresholds that exempt most small businesses. As of the current rules, you need to meet at least one of these criteria before CCPA’s full requirements kick in: annual gross revenues over $25 million, buying or selling the personal data of 100,000 or more consumers or households per year, or deriving more than 50 percent of annual revenue from selling consumers’ personal information.

If your business doesn’t meet those thresholds — and most local small businesses don’t — CCPA’s full compliance requirements don’t technically apply to you. That said, CCPA has influenced consumer expectations and inspired similar legislation in more than a dozen other states. Virginia, Colorado, Connecticut, and Texas have all passed comprehensive privacy laws with varying thresholds. The landscape is changing quickly.

The practical implication for small businesses: even if you’re not legally required to comply with CCPA today, building privacy-respecting practices now puts you ahead of regulatory changes rather than scrambling to catch up.

What These Laws Actually Require in Plain Terms

Both GDPR and CCPA are fundamentally about giving individuals control over their own data. The core requirements boil down to a few principles that are not difficult to follow. Be transparent: tell visitors what data you collect, how you collect it, and what you do with it. Collect only what you need: don’t gather information you have no use for. Honor opt-out requests: if someone asks to be removed from your email list or asks you to delete their data, you should be able to do that. Don’t sell data without disclosure: if you share customer data with third parties in exchange for anything of value, that’s considered “selling” under CCPA and requires specific disclosures.

For a typical small business website with a contact form, Google Analytics, and an email list, compliance looks like this: a clear privacy policy linked from every page, a cookie consent mechanism for analytics, a working unsubscribe link on all marketing emails, and a way for people to contact you to request their data be deleted. That’s manageable.

The Tools That Make Compliance Achievable

You don’t need to build a compliance infrastructure from scratch. Several tools handle much of the heavy lifting at reasonable cost. Cookiebot and CookieYes are cookie consent management platforms that scan your site, identify the cookies being set, and generate a consent banner that meets GDPR requirements — they integrate directly with WordPress and most major platforms. Termly and Iubenda generate privacy policies and cookie policies tailored to your specific setup, and they update automatically as laws change.

For your email list, any reputable email marketing platform — Mailchimp, ConvertKit, ActiveCampaign — already handles unsubscribes automatically and maintains suppression lists. Make sure you’re not circumventing those systems by manually re-adding people who have unsubscribed.

Google Analytics itself has options for data retention settings and IP anonymization that reduce your GDPR exposure. If you’re using GA4 (which you should be by now, as Universal Analytics has been discontinued), these settings are available in the admin panel. Setting data retention to 14 months and enabling IP anonymization are quick wins worth doing.

The Bigger Picture: Privacy as a Business Value

Beyond compliance, there’s a business case for treating privacy seriously. Consumer awareness of data practices has increased substantially over the past few years. People are increasingly choosing service providers who handle their information with care. A website that’s clearly thought about privacy — with a plain-language policy, a cookie consent mechanism, and an easy way to opt out — signals professionalism and trustworthiness.

This is especially true if your customers are other businesses, or if you work in any field where trust is a core selling point: financial services, health and wellness, legal, real estate. In those industries, demonstrating that you handle customer information responsibly isn’t just compliance theater — it’s differentiation.

The regulatory environment around data privacy is almost certainly going to become more stringent over time, not less. Getting your practices right now — a solid privacy policy, clean data handling, proper consent mechanisms — is significantly easier than retrofitting compliance onto a site and business that was built without thinking about it.

Navigating privacy compliance can feel overwhelming, but it doesn’t have to be. Manson Bay Digital helps small businesses get their websites properly set up with privacy policies, cookie consent, and the technical foundations that protect you and your customers. Let’s talk at mansonbaydigital.com/contact/ or call (509) 800-7735.


© 2026 Manson Bay Digital. All rights reserved.