Your landscaping company in Fresno probably doesn't feel like it has much in common with Meta or Google. You're not harvesting behavioral data or training AI models on user profiles. And honestly, most small businesses in California aren't directly covered by the CCPA — the law's thresholds ($25 million in annual gross revenue, data on 100,000+ consumers, or earning more than half your revenue from selling personal data) filter out a lot of Main Street operations.

But "probably not covered" isn't the same as "definitely not covered." And even businesses below those thresholds still face exposure through California's data breach liability rules, which apply much more broadly. If you run a business in California and collect any customer data, even just names and email addresses through a contact form, the way California is tightening its rules is worth paying attention to. A few small adjustments now will save you real money and hassle later.

What's Been Happening with California Privacy Law

The California Privacy Protection Agency (CPPA) has been busy since voters passed the California Privacy Rights Act back in 2020. That law expanded the original CCPA, took effect January 1, 2023, and created the CPPA as a dedicated enforcement body. Since then, the agency has been grinding through rulemaking, proposing and in some cases finalizing rules on opt-out signals, automated decision-making, and cybersecurity requirements.

Some of these rules are settled. Others are still working through the regulatory process. But the direction is clear, and the areas small businesses should be watching are these:

Global Privacy Control Is Already Required, and Enforcement Is Ramping Up

Since 2023, California businesses covered by the CCPA have been required to honor Global Privacy Control (GPC) browser signals automatically. No requiring customers to fill out a separate form or email you directly. If their browser sends a GPC signal, you have to treat it as a valid opt-out of data selling or sharing.

In practice, a lot of businesses just never implemented this. The CPPA has signaled it's prioritizing GPC enforcement, and several early actions suggest the agency is moving from warnings to penalties. If you're running a website with any third-party tracking (Google Analytics, a Facebook Pixel, even some embedded appointment booking tools), you need a mechanism that detects GPC signals and responds accordingly. A basic cookie consent banner that nobody ever configured properly won't cut it.

Several consent management platforms offer free or low-cost tiers that handle GPC detection. Somebody still has to set them up correctly on your site, though.

Automated Decision-Making Rules Are Coming

This one catches people off guard. The CPPA has been developing regulations around automated decision-making technology (ADMT) that would create specific disclosure and opt-out obligations for businesses using these tools. These rules have gone through multiple drafts and public comment periods. Whether they've reached final adoption or are still in review depends on when you're reading this, but the framework is worth understanding now because the direction is clear.

If your business uses any automated system that makes decisions affecting customers (think AI-powered scheduling tools, automated quote generators, lead scoring, or algorithmic pricing), you'd need to tell customers when ADMT is being used, explain what it does in plain language, and in many cases give them the right to opt out.

A roofing contractor in Sacramento using an AI tool to generate instant estimates based on satellite imagery? That would qualify. A salon in San Diego using software that automatically sends different promotions to different customer segments? Same deal.

The goal isn't to ban these tools. It's to make sure you're not using them in the dark. Even before final rules are fully in effect, building transparency into how you use automated tools is smart practice.

Cybersecurity Audit Requirements

The CPPA has also been developing cybersecurity audit regulations that would require qualifying businesses to conduct regular assessments of their security practices. These rules have been in the works since 2023 and have gone through revisions. The specifics (who exactly qualifies, how often, what gets submitted) may still be evolving through the rulemaking process.

What we do know: these requirements would target businesses processing data at significant scale or handling sensitive categories like precise geolocation, health information, or financial data. And they'd layer on top of the CCPA's existing applicability thresholds, so a business would need to meet both the base CCPA criteria and the additional sensitivity/volume triggers.

Worth remembering regardless of whether the audit rules apply to you: all businesses collecting personal information in California are expected to maintain "reasonable security." That's not a new CPPA invention. It comes from existing California law. And if you experience a breach and can't demonstrate you had reasonable protections in place, the enforcement math gets ugly fast.

The Cost of Doing Nothing

The CPPA can levy fines of $2,500 per unintentional violation and $7,500 per intentional one, with the higher amount also applying to violations involving minors' data. When regulators say "per violation," they mean per affected consumer, per incident. A single data breach affecting 500 customers with inadequate protections? You can do that multiplication yourself.

But fines from the CPPA aren't even the most likely problem for small businesses. The bigger risk is California's private right of action for data breaches. Under CCPA §1798.150, if customer data gets exposed because you failed to maintain reasonable security measures, individual consumers can sue for statutory damages of $100 to $750 per person per incident. Lapses like running an expired SSL certificate or leaving data unencrypted at rest are the kind of failure at issue. This applies specifically to breaches caused by inadequate security, not to every CCPA violation. But it doesn't require consumers to prove they suffered specific financial harm, which makes these cases easier to bring and harder to dismiss.

For most small businesses, the real threat isn't a CPPA audit. It's a data incident that could have been prevented with basic security hygiene, followed by a lawsuit that costs more to defend than to settle.

These are unforced errors.

What Compliance Actually Looks Like for a Small Business

You don't need a $40,000 privacy consultant or an in-house legal team. For most small California service businesses, compliance comes down to a short checklist:

  • An up-to-date privacy policy that references the CCPA as amended by the CPRA: what data you collect, why, and how customers exercise their rights.
  • A working opt-out mechanism that actually honors GPC signals, not just a "Do Not Sell My Info" link buried in your footer that goes to a dead page.
  • SSL/TLS encryption on every page of your website.
  • Disclosure language wherever you use automated tools that affect customer decisions or outcomes. If you're not sure whether something counts, err on the side of mentioning it.
  • A documented process for responding to consumer data requests within the 45-day window.
  • A patched CMS, plugin set, and hosting environment. Known vulnerabilities that go unpatched are the single most common breach story for small business websites, and they're the easiest to prevent.
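The GPC mechanism described earlier, and the opt-out item in the checklist above, come down to three steps: read the signal, treat it as an opt-out with no extra action from the customer, and stop loading the tags that sell or share visitor data. The following is an added JavaScript example of that logic; it is not Marshland's code and not a consent management platform's code. It assumes header names arrive lower-cased (as Node's http module delivers them), and the tag catalogue, script URLs and request values are constructed placeholders. The `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property come from the Global Privacy Control specification, as does the optional `/.well-known/gpc.json` document a site can serve to state that it honors the signal.

```javascript
// Added example (not Marshland's code, not from any consent platform):
// detect a Global Privacy Control opt-out and gate third-party tags on it.
// Assumptions: header names are lower-cased (Node-style); the tag catalogue
// and URLs below are constructed placeholders, not real vendor endpoints.

// Server side. The GPC signal is the request header "Sec-GPC: 1".
// Anything else (missing header, "0", garbage) is not an opt-out.
function gpcOptOutFromHeaders(headers) {
  const value = headers ? headers['sec-gpc'] : undefined;
  return typeof value === 'string' && value.trim() === '1';
}

// Browser side. navigator.globalPrivacyControl is true when the user has
// turned the signal on. A missing property (older browser) is not an opt-out.
function gpcOptOutFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Either channel expressing the signal is enough: it is honored
// automatically, with no form, e-mail or banner click required.
function gpcOptOut(headers, nav) {
  return gpcOptOutFromHeaders(headers) || gpcOptOutFromNavigator(nav);
}

// Constructed catalogue of tags a small-business site might load. Whether a
// given tag "sells or shares" data is the site operator's classification;
// the values here are illustrative. Tags needed to deliver the service the
// visitor asked for (the booking widget) keep loading on an opt-out.
const TAGS = [
  { name: 'facebook-pixel', src: 'https://pixel.example/fbevents.js', sellsOrShares: true },
  { name: 'google-analytics', src: 'https://analytics.example/gtag.js', sellsOrShares: true },
  { name: 'booking-widget', src: 'https://booking.example/embed.js', sellsOrShares: false },
];

// Suppress every selling/sharing tag when an opt-out is in effect.
function tagsToLoad(tags, optOut) {
  return tags.filter((tag) => !(optOut && tag.sellsOrShares));
}

// Render only the permitted <script> tags (in practice, from your template).
function scriptTags(tags, optOut) {
  return tagsToLoad(tags, optOut)
    .map((tag) => `<script src="${tag.src}"></script>`)
    .join('\n');
}

// Write down what was received and what was decided, so a later audit or
// regulator inquiry can show the signal was actually honored.
function consentLogEntry(headers, nav, now = new Date()) {
  const raw = headers && headers['sec-gpc'] !== undefined ? headers['sec-gpc'] : null;
  return {
    receivedAt: now.toISOString(),
    secGpcHeader: raw,
    navigatorSignal: gpcOptOutFromNavigator(nav),
    optOut: gpcOptOut(headers, nav),
  };
}

// Optional: the GPC spec lets a site advertise at /.well-known/gpc.json that
// it honors the signal. Serve this JSON from that path (lastUpdate is a date).
function gpcWellKnown(lastUpdate = '2024-01-01') {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Demo with a constructed request from a browser that sends GPC.
const demoHeaders = { 'sec-gpc': '1', 'user-agent': 'constructed-browser/1.0' };
const demoNav = { globalPrivacyControl: true };
console.log(consentLogEntry(demoHeaders, demoNav));
console.log(scriptTags(TAGS, gpcOptOut(demoHeaders, demoNav)));
```

The decision is made before any tag is emitted, which is the point: a banner that loads the pixel first and asks afterwards has already shared the data. Keeping the consent log lets you answer the "show me you honored it" question with evidence rather than assertion.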

None of this is exotic. But it does require someone to actually do it and keep doing it as rules evolve. That's where most small businesses get stuck. You set up a privacy policy in 2021 and forgot about it. Meanwhile, the law kept moving.

How We Think About This at Marshland

When we build websites for businesses that serve California customers, we try to bake in the basics from the start: enforced HTTPS, sensible defaults around third-party scripts, and guidance on what your privacy policy needs to cover. We're a web development shop, not a law firm, but we stay current on what the regulations expect from a technical standpoint so the sites we build aren't starting in a hole.

We're also happy to look at existing sites and flag the obvious gaps: missing SSL on subpages, cookie consent tools that aren't configured, privacy policies that haven't been touched since 2021. It's not glamorous work, but it's the kind of thing that keeps you out of trouble.

If you're a small business in California and you're not sure whether your current website is keeping up with the regulatory changes, that's a completely reasonable thing to not know. The regulations are genuinely confusing. We're happy to take a look and tell you where you stand.

One Thing You Can Do Today

Pull up your website's privacy policy right now. Search for the phrase "California Consumer Privacy Act." If it's not there, or if the policy still references the pre-2023 version of the law without mentioning the CPRA amendments or the California Privacy Protection Agency, it's out of date. Update it (or have whoever manages your site update it) to reflect current requirements, including your process for handling opt-out preference signals and any use of automated decision-making tools. A current privacy policy won't make you bulletproof, but an outdated one is the first thing regulators and plaintiff attorneys look for.