California keeps raising the bar on data privacy and security. The CPRA gave the state's privacy rules real teeth. The California Privacy Protection Agency is staffed up and actively enforcing. And if you've been watching the legislative calendar, you know there are proposals circulating that would extend formal audit obligations beyond big tech and into the broader business community.
Small businesses aren't the primary target. Yet. But the direction is clear, and the businesses that scramble to catch up after a mandate lands are the ones that spend the most money doing it badly.
Here's how to get ahead of it without hiring a Big Four consulting firm.
What Regulators Are Actually Watching
California already requires businesses that collect personal data to implement "reasonable security measures." What's shifting is how "reasonable" gets defined, and who's checking.
The CPRA already requires annual cybersecurity audits for businesses with high-risk data processing — we covered what the 2026 CCPA changes mean for small business websites in a separate post. The CPPA is still finalizing the implementing regulations, so how you demonstrate compliance isn't fully settled, but the obligation itself is on the books. And the FTC's updated Safeguards Rule, which applies nationwide, has already forced audit-style documentation on companies in financial services.
HIPAA started with healthcare providers. The FTC Safeguards Rule started with financial services companies: lenders, mortgage brokers, tax preparers, anyone touching financial data. Both eventually reached small businesses that process a handful of transactions a month.
You don't need a compliance attorney right now. You need a clear picture of where you actually stand.
The 10-Point Checklist
Run through this yourself. It takes a few hours and costs nothing except your time.
- Password policies. Are you using a password manager (1Password, Bitwarden) across all accounts? Is multi-factor authentication enabled on email, banking, and any platform that holds customer data? If the answer to either is no, stop here and fix it before anything else.
- Patching. Check every device used for business for pending updates: Windows Update, macOS Software Update, browser extensions, plugins on your website. Unpatched software is how most breaches start. Not sophisticated attacks. Just known vulnerabilities nobody bothered to close.
- Backup restore test. When did you last restore from backup? Pick a non-critical file, delete it, and confirm you can get it back. If you haven't done that recently, you don't actually know whether your backups work. A backup you've never tested is a guess.
- Access audit. Make a list of everyone with admin access to your website, your CRM, your email platform. Remove anyone who doesn't still need it: former employees, old contractors, that agency you stopped working with in 2023. All common sources of exposure.
- SSL/TLS configuration. Run your domain through Qualys SSL Labs right now. An A or A+ rating means your certificate and TLS configuration are in good shape. Anything lower needs attention, especially if you're collecting form submissions or processing any payments.
- Email authentication. SPF, DKIM, and DMARC are three DNS records that let receiving mail servers reject mail that spoofs your domain. Your registrar can verify them in five minutes, or check them free at MXToolbox. If you're still sending from a free Gmail address, switching to a branded business domain email is the prerequisite step.
- Vendor review. List every third-party tool that touches your customer data: your CRM, email platform, booking software, payment processor. Check that each has a current privacy policy and, ideally, a SOC 2 report or equivalent. You're responsible for what your vendors do with data you share with them.
- Incident response. If someone called you right now and said your customer database leaked, what would you do in the first 60 minutes? California law (Civil Code 1798.82) requires breach notification "in the most expedient time possible and without unreasonable delay." That's deliberately vague. Know the answer before you need it.
- Security awareness training. Phishing is still the top way attackers get in. If your team can't spot a convincing phishing email, none of the other controls matter much. KnowBe4 has solid SMB-tier pricing and is worth the investment. Even a 30-minute annual session beats nothing.
- Data inventory. What personal information do you actually collect and store? Where does it live? Most small businesses don't know the full answer. A spreadsheet listing data type, storage location, and retention period is enough to start. It's exactly what a regulator would ask for first.
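The backup item above says to delete a non-critical file and confirm you can get it back. The script below is an added example (not Marshland's tooling) of that drill done properly: it records a SHA-256 hash of each file at backup time, deletes the live copy, restores from the backup and compares hashes, so a backup that exists but is silently corrupted fails the drill instead of passing it. The directory layout and file contents are constructed in a temporary folder; point `take_backup` and `restore_drill` at your real live and backup paths to use it for real.

```python
"""Restore drill: back up files with a hash manifest, delete a live copy,
restore it from backup and verify the bytes match.
Added example for the backup checklist item; the files and directories
below are constructed in a temp folder, not taken from any real system."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(live_dir, backup_dir):
    """Copy every file under live_dir into backup_dir and return a manifest
    {relative_path: sha256}. Without the manifest a later restore only proves
    a file exists, not that it is intact."""
    live_dir, backup_dir = Path(live_dir), Path(backup_dir)
    manifest = {}
    for src in live_dir.rglob("*"):
        if src.is_file():
            rel = src.relative_to(live_dir)
            dst = backup_dir / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            manifest[str(rel)] = sha256_of(dst)
    return manifest


def restore_drill(live_dir, backup_dir, manifest, rel):
    """Delete the live copy of one non-critical file, restore it from backup
    and check the restored bytes against the hash recorded at backup time.
    Returns (ok, reason)."""
    live_path = Path(live_dir) / rel
    backup_path = Path(backup_dir) / rel
    if not backup_path.is_file():
        return False, "backup copy missing: %s" % rel
    live_path.unlink(missing_ok=True)  # simulate the loss
    shutil.copy2(backup_path, live_path)
    if sha256_of(live_path) != manifest.get(rel):
        return False, "restored %s does not match the hash recorded at backup time" % rel
    return True, "restored %s intact" % rel


def run_demo():
    """Build a constructed live/backup pair, run a good drill, then corrupt the
    backup copy and a missing file to show that both are caught.
    Returns (good_ok, corrupted_ok, missing_ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        (live / "notes").mkdir(parents=True)
        (live / "notes" / "scratch.txt").write_text("non-critical test file\n")
        (live / "customers.csv").write_text("id,email\n1,a@example.com\n")  # constructed
        manifest = take_backup(live, backup)
        good = restore_drill(live, backup, manifest, "notes/scratch.txt")
        # Silent corruption: the backup file still exists but its bytes changed.
        (backup / "notes" / "scratch.txt").write_text("non-critical test fil")
        corrupted = restore_drill(live, backup, manifest, "notes/scratch.txt")
        missing = restore_drill(live, backup, manifest, "never-backed-up.txt")
    return good[0], corrupted[0], missing[0]


if __name__ == "__main__":
    print(run_demo())  # (True, False, False)
```

Keep the manifest somewhere other than the backup itself; if the same storage holds both, a corrupted or ransomed backup can take the manifest with it.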
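Tools like MXToolbox will show you the SPF and DMARC records for a domain, but they are more useful if you know which settings are actually weak. The checker below is an added example (not Marshland's code or any tool's output) that grades SPF and DMARC TXT records against the common mistakes: an SPF record ending in `?all` or `+all`, more than 10 DNS-lookup terms (the RFC 7208 limit), a DMARC policy of `p=none`, no `rua=` reporting address, and a partial `pct=`. The domains and records are constructed samples embedded in the script rather than live DNS lookups; DKIM is left out because checking it needs the selector name your mail provider uses.

```python
"""Grade SPF and DMARC TXT records against common weak settings.
Added example for the email-authentication checklist item; the domains and
records below are constructed samples, not live DNS answers."""
import re

# Constructed sample records: a weak setup beside a hardened one.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ?all",
        "dmarc": "v=DMARC1; p=none",
    },
    "hardened.example": {
        "spf": "v=spf1 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; pct=100",
    },
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_MECHANISMS = ("include", "a", "mx", "exists", "redirect")


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(spf):
    """Return a list of problems with an SPF record (empty list means fine)."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record, so receivers cannot check your sending hosts"]
    findings = []
    terms = spf.split()[1:]
    # The 'all' term decides what happens to senders you did not list.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF: missing 'all' term; unlisted senders are neither passed nor failed")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append("SPF: '%s' lets unlisted hosts pass; use -all" % all_terms[-1])
        elif qualifier == "~":
            findings.append("SPF: '~all' is softfail only; move to -all once every sender is listed")
    lookups = sum(1 for t in terms
                  if re.split(r"[:=/]", t.lstrip("+-~?").lower())[0] in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append("SPF: %d DNS-lookup terms exceeds the limit of 10 (permerror)" % lookups)
    return findings


def dmarc_findings(dmarc):
    """Return a list of problems with a DMARC record (empty list means fine)."""
    tags = parse_dmarc(dmarc or "")
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no v=DMARC1 record, so SPF/DKIM failures are not acted on"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofs to spam; p=reject blocks them")
    elif policy != "reject":
        findings.append("DMARC: missing or unknown p= policy")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you get no reports of spoofing attempts")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append("DMARC: pct=%s applies the policy to only part of your mail" % pct)
    return findings


def assess_domain(domain, records=SAMPLE_RECORDS):
    """Combine SPF and DMARC findings for one domain in the record table."""
    recs = records.get(domain, {})
    return spf_findings(recs.get("spf")) + dmarc_findings(recs.get("dmarc"))


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        problems = assess_domain(name)
        print(name, "->", "OK" if not problems else "%d issue(s)" % len(problems))
        for p in problems:
            print("  -", p)
```

To run it against your own domain, paste the TXT records from your registrar or MXToolbox into `SAMPLE_RECORDS` under your domain name (the DMARC record lives at `_dmarc.yourdomain`). Moving from `p=none` to `p=reject` is best done after a few weeks of reading the `rua=` reports, so you find legitimate senders you forgot to list before they start getting rejected.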
What It Actually Costs
The DIY version of this checklist costs you an afternoon. Most of the tools involved are free or already part of software you're paying for.
Where people overspend is on formal third-party audits before they've done the basics. A penetration test from a reputable firm runs $5,000-$15,000 for a small business scope. That's worth it once you've worked through this checklist and closed the obvious gaps. Not before.
Mid-range options worth knowing: Drata and Vanta are compliance automation platforms that can pull together SOC 2 or ISO 27001 documentation. Pricing typically runs into five figures annually for small business scope; verify current pricing before budgeting, as both vendors update their tiers frequently. They're overkill for most small businesses right now, but if you're selling to enterprise clients in California who are asking about your security posture, they pay for themselves fast.
The honest answer for most small businesses: the checklist above, a solid password manager ($3-5 per user per month), and a security-conscious hosting setup is a strong foundation for demonstrating reasonable security measures under current California law, though what qualifies is fact-specific and determined case by case. (This isn't legal advice.) The goal isn't to build a security operations center. It's to not be the easy target.
How Marshland Helps
When we build and host sites for clients, security defaults are part of the setup, not an add-on. SSL is provisioned and auto-renewed, backups run on a defined schedule with verified restore points, and servers are hardened at the infrastructure level rather than depending on someone remembering to run updates.
It doesn't cover everything on this list. Employee training and your vendor relationships are yours to manage. But it handles the infrastructure layer: the stuff most small business owners aren't thinking about until something breaks. If you're a California-based business and you're not sure what your current hosting setup actually includes, that's a good conversation to have before the regulatory environment tightens further.
Reach out to Marshland and we can walk through what you have now and what gaps are worth addressing.
Do This Today
Go to Sucuri SiteCheck and scan your website. It's free, takes under a minute, and will flag malware and blacklist status across major security databases. You might find everything is clean. Good to know. Or you'll find something that's been sitting there unnoticed. Either way, you'll have an actual answer instead of an assumption.