AI Compliance

AI and Data Privacy for Small Business: What GLBA, CCPA, and State Laws Actually Require

By Alex Carlson

If you're not in healthcare, it's easy to assume AI compliance rules don't apply to you. They do — just under different names.

If you handle financial data: GLBA

The Gramm-Leach-Bliley Act applies to any business that handles consumer financial information — this includes not just banks, but tax preparers, financial advisors, and increasingly, e-commerce businesses processing payment data. GLBA's Safeguards Rule requires you to have a written information security program. If an AI tool touches customer financial data, that tool needs to be included in your safeguards documentation — not just your core software stack.

If you have California customers: CCPA/CPRA

California's privacy law applies to businesses meeting revenue or data-volume thresholds, regardless of where the business itself is located — if you have California customers, it likely applies. Key AI-relevant obligation: if an AI tool profiles customers or makes automated decisions about them (credit approval, pricing, eligibility), customers have a right to know and, in some cases, opt out.

The state patchwork problem

Beyond California, at least a dozen states (Virginia, Colorado, Connecticut, and a growing list) now have their own privacy statutes with overlapping but not identical requirements. There's no single "AI compliance certification" that covers all of them — the practical approach is a data minimization policy: don't feed AI tools more customer data than the specific task requires, and know which tools store or train on your inputs.

Three actions that cover most small businesses

  1. Read the data retention policy of every AI tool touching customer data — not just the marketing page, the actual DPA (data processing agreement).
  2. Keep a simple internal log of which AI tools touch which data types (financial, health, biometric, general contact info).
  3. If a tool makes automated decisions about a specific customer, be able to explain that decision in plain language if asked.

None of this requires a compliance department. It requires knowing what your tools actually do with data before you turn them on.