Privacy Basics for Business Owners
Privacy laws aren't just for big tech. Here's what actually applies to your business.
Last updated: March 20, 2026
You run an HVAC company in Beaumont. You have 12 employees. You collect customer names, phone numbers, addresses, and payment information. You send marketing emails. You keep records for years.
You're not "big tech." You don't have a data scientist. You definitely don't have a Chief Privacy Officer.
You still have privacy obligations.
What this solves (in real business terms)
Privacy law compliance answers:
- What data you can collect
- How you must protect it
- What you must tell customers about it
- When you must delete it
- Who you can share it with
Ignoring this doesn't make it go away. It just means you'll figure it out the hard way—when you're writing a check to the state AG's office.
What can go wrong
The Texas dentist. A solo practitioner in Houston sent appointment reminders via unencrypted email. A patient's ex-spouse intercepted emails and used health information in a custody dispute. The dentist faced HIPAA violations, a state board inquiry, and a civil suit. Settlement: $80,000.
The auto dealer fine. A Louisiana car dealership collected driver's license numbers for test drives and kept them indefinitely. When they were breached, the AG found the data was retained longer than necessary and lacked basic security controls. Fine: $150,000.
The marketing email gone wrong. A Florida business sent promotional emails without an unsubscribe link. A customer complained. The FTC fined them $10,000. The unsubscribe link would have cost $0.
CCPA exposure. California's privacy law applies to any business that collects data from California residents, regardless of where your business is located. If you have customers, website visitors, or email subscribers in California—and you do—you may be covered.
What privacy laws actually apply to you
Federal laws (if applicable):
- HIPAA: if you offer health services, wellness programs, or collect health information
- GLBA: if you're a financial institution (including many tax preparers and insurance agents)
- COPPA: if you collect data from children under 13 (website terms, apps)
- FACTA: if you accept credit cards and don't dispose of receipts properly
State laws you might be subject to:
- CCPA/CPRA (California): if you have California customers or website visitors
- VCDPA (Virginia), CPA (Colorado), CPA (Connecticut): similar to CCPA
- Texas Data Privacy and Security Act (effective July 2024): covers Texas residents
- Louisiana Data Privacy Act (effective July 2024): covers Louisiana residents
Even if these don't technically apply: bad actors know that small businesses often don't know their obligations. Some lawsuits are about deterrence, not actual harm.
What it costs (honest ranges)
| What | What you'll pay |
|------|-----------------|
| Privacy policy (website) | $300–$2,000 (one-time) |
| Basic compliance program | $2,000–$10,000 |
| Full CCPA/GDPR compliance (enterprise) | $20,000–$100,000+ |
| Legal review of existing practices | $1,500–$5,000 |
| Privacy training for employees | $500–$2,000/year |
Minimum viable implementation
- Write a privacy policy. Put it on your website. It doesn't need to be 20 pages. It needs to answer: what data do you collect, why, how long do you keep it, who do you share it with, and how can customers contact you about their data.
- Add an unsubscribe link to every marketing email. If you're using MailChimp, ActiveCampaign, or any serious ESP, this is built in. Use it. Don't make people reply "unsubscribe."
- Delete data you don't need. Customer addresses from 5 years ago? Delete them. Keep what's necessary for your business operations and legal requirements.
- Get consent before adding people to email lists. "Optional opt-in checkbox for marketing emails" isn't optional. Pre-checked boxes don't count.
- Secure your data. Lock your filing cabinets. Password-protect spreadsheets with customer data. Don't send sensitive information via unencrypted email.
- Create a data request process. When a customer asks "what data do you have on me?" or "delete my information," have a way to respond within 30 days.
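The "delete what you don't need" and "data request process" steps above are the two that benefit from being written down as rules rather than handled ad hoc. The script below is an added example, not code from this article or from any vendor: it applies per-category retention periods to a constructed list of customer records, exempts anything on legal hold, flags unknown record types for review instead of silently deleting them, and answers an access or deletion request while keeping the records the business must retain (invoices, in this example). The record types, retention periods, and customer names are all assumptions chosen for illustration; the periods that apply to your business come from your accountant or attorney, not from this script.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention periods in days, by record type. Constructed example values
# (an assumption for this illustration, not periods the article prescribes).
RETENTION_DAYS = {
    "marketing_contact": 2 * 365,  # no interaction for two years -> remove from lists
    "service_record": 5 * 365,     # job history for a completed service
    "invoice": 7 * 365,            # financial records commonly kept longest for tax
}

# Record types that a deletion request may not remove, because the
# business still has to keep them for legal/tax reasons (assumption).
REQUIRED_FOR_LAW = {"invoice"}


@dataclass
class Record:
    record_id: str
    kind: str
    customer: str
    last_activity: date
    legal_hold: bool = False  # e.g. subject of a pending dispute: never purge


def expired(record: Record, today: date) -> bool:
    """True when the record is past its retention period and not on legal hold."""
    if record.legal_hold or record.kind not in RETENTION_DAYS:
        return False
    return today - record.last_activity > timedelta(days=RETENTION_DAYS[record.kind])


def purge_plan(records, today: date):
    """Split records into (delete, keep, review).

    'review' holds records whose type has no retention rule: the safe default
    is to keep them and have a person decide, not to delete or keep forever."""
    delete, keep, review = [], [], []
    for r in records:
        if r.kind not in RETENTION_DAYS:
            review.append(r)
        elif expired(r, today):
            delete.append(r)
        else:
            keep.append(r)
    return delete, keep, review


def request_deadline(received: date, days: int = 30) -> date:
    """Date by which a customer's data request must be answered (30 days per the article)."""
    return received + timedelta(days=days)


def records_for_customer(records, customer: str):
    """Access request: everything held about one customer."""
    return [r for r in records if r.customer == customer]


def delete_for_customer(records, customer: str):
    """Deletion request: remove the customer's records except those on legal hold
    or of a type the business is required to keep. Returns (kept, removed)."""
    kept, removed = [], []
    for r in records:
        if r.customer == customer and not r.legal_hold and r.kind not in REQUIRED_FOR_LAW:
            removed.append(r)
        else:
            kept.append(r)
    return kept, removed


# Constructed sample data (names and dates are made up for the example).
SAMPLE = [
    Record("R1", "marketing_contact", "Pat Lee", date(2023, 1, 15)),
    Record("R2", "marketing_contact", "Dana Ortiz", date(2025, 6, 1)),
    Record("R3", "service_record", "Dana Ortiz", date(2020, 11, 3)),
    Record("R4", "invoice", "Dana Ortiz", date(2020, 11, 3)),
    Record("R5", "service_record", "Sam Reyes", date(2019, 5, 20), legal_hold=True),
    Record("R6", "crm_export", "Pat Lee", date(2018, 2, 2)),  # no retention rule
]

if __name__ == "__main__":
    today = date(2026, 3, 20)
    delete, keep, review = purge_plan(SAMPLE, today)
    print("delete:", [r.record_id for r in delete])
    print("keep:  ", [r.record_id for r in keep])
    print("review:", [r.record_id for r in review])
    print("respond to a request received today by", request_deadline(today))
    kept, removed = delete_for_customer(SAMPLE, "Dana Ortiz")
    print("deletion request removes", [r.record_id for r in removed])
```

Run it as-is to see the plan for the sample data; in practice the records would come from your CRM or accounting export, and the purge step would delete (or anonymize) the `delete` list and hand the `review` list to a person. Keeping legal hold and required-record exemptions in the code is what prevents a deletion request, or an over-eager cleanup, from destroying the invoices you are obliged to keep.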
Vendor questions (copy/paste)
When working with vendors on privacy compliance:
- "Do you have a written privacy policy we can review?"
- "Do you support data subject requests (access, deletion, portability)?"
- "How do you handle data breaches? What's your notification timeline?"
- "Do you have SOC 2 or ISO 27001 certification?"
- "What's your data retention policy? Can we request deletion of our data?"
- "Do you use sub-processors? Can we see the list?"
When to hire help
Hire help if:
- You collect health information (HIPAA risk assessment required)
- You're processing data for more than 100,000 consumers (CCPA threshold)
- You share data with third parties for cross-context behavioral advertising
- You're in financial services (GLBA Safeguards Rule requires formal program)
- You've received a data request from a customer you can't fulfill
- You've been notified of a potential violation