AI and Data Privacy for Small Business: What GLBA, CCPA, and State Laws Actually Require
By Alex Carlson
If you're not in healthcare, it's easy to assume AI compliance rules don't apply to you. They do — just under different names.
If you handle financial data: GLBA
The Gramm-Leach-Bliley Act applies to any business that handles consumer financial information — this includes not just banks, but tax preparers, financial advisors, and increasingly, e-commerce businesses processing payment data. GLBA's Safeguards Rule requires you to have a written information security program. If an AI tool touches customer financial data, that tool needs to be included in your safeguards documentation — not just your core software stack.
If you have California customers: CCPA/CPRA
California's privacy law applies to businesses meeting revenue or data-volume thresholds, regardless of where the business itself is located — if you have California customers, it likely applies. Key AI-relevant obligation: if an AI tool profiles customers or makes automated decisions about them (credit approval, pricing, eligibility), customers have a right to know and, in some cases, opt out.
The state patchwork problem
Beyond California, at least a dozen states (Virginia, Colorado, Connecticut, and a growing list) now have their own privacy statutes with overlapping but not identical requirements. There's no single "AI compliance certification" that covers all of them — the practical approach is a data minimization policy: don't feed AI tools more customer data than the specific task requires, and know which tools store or train on your inputs.
Three actions that cover most small businesses
- Read the data retention policy of every AI tool touching customer data — not just the marketing page, the actual DPA (data processing agreement).
- Keep a simple internal log of which AI tools touch which data types (financial, health, biometric, general contact info).
- If a tool makes automated decisions about a specific customer, be able to explain that decision in plain language if asked.
None of this requires a compliance department. It requires knowing what your tools actually do with data before you turn them on.