Understanding GDPR, CCPA, and Data Privacy Laws for Business Owners

I had a conversation last month with a business owner who told me, “We’re a small company in Texas. European privacy law has nothing to do with us.”

Two weeks later, he found out that one of his SaaS tools had been collecting data from website visitors in Germany. He was technically in scope for the GDPR and had been for years. No privacy notice. No consent mechanism. No idea.

That’s the reality for a lot of business owners right now. Data privacy laws are everywhere, they’re getting more aggressive, and most people running companies have a vague sense that they should be paying attention without really understanding what applies to them or why.

So let’s fix that. I want to break down the two biggest privacy frameworks shaping how businesses operate today, GDPR and CCPA, and then talk about the broader landscape of state and international laws that every business owner should have on their radar heading into 2026.

GDPR: It’s Not Just a European Problem

The General Data Protection Regulation has been in force since May 2018, and it remains the gold standard for data privacy worldwide. If you process the personal data of anyone located in the European Union, the GDPR applies to you. It doesn’t matter where your company is headquartered. It doesn’t matter if you have zero offices in Europe. If your website, app, or service reaches EU residents, you’re in scope.

The core principles are straightforward: be transparent about what data you collect and why, get valid consent when it’s required, give people real control over their information, and protect it with appropriate security measures. But the devil is in the details.

Since enforcement began, regulators have issued cumulative fines exceeding €5.88 billion across more than 2,200 recorded penalties. Spain alone has issued over 900 fines. Ireland’s Data Protection Commission has handed out €3.5 billion in penalties by value, largely targeting major tech companies. But it’s not just Big Tech getting caught. Small and medium enterprises in sectors like healthcare, retail, and employment services have been on the receiving end of enforcement actions, with healthcare violations averaging around €203,000 per penalty.

In 2026, the GDPR landscape is evolving further. The European Commission has proposed a “Digital Omnibus” package aimed at simplifying certain requirements, especially for smaller companies. The proposal includes easing record-keeping obligations for businesses with fewer than 750 employees and clarifying some rules around cookies and consent. But don’t mistake simplification for relaxation. Enforcement is getting more coordinated, cross-border cases are moving faster, and regulators are increasingly scrutinizing AI systems, dark patterns in consent interfaces, and data retention practices.

What GDPR Actually Requires From Your Business

If you’re subject to the GDPR, here’s what you’re expected to have in place:

A lawful basis for processing. Every time you collect or use personal data, you need a legal justification. The most common are consent (the individual agreed), contractual necessity (you need the data to deliver a service), and legitimate interest (you have a valid reason that doesn’t override the person’s rights). Getting this wrong is the single most common reason regulators issue fines.

Clear, honest privacy notices. You have to tell people what data you’re collecting, why, how long you’re keeping it, who you’re sharing it with, and what rights they have. This needs to be written in plain language, not buried in legal jargon.

Consent that actually means something. Pre-checked boxes don’t count. Cookie walls that force people to accept tracking don’t count. Consent has to be freely given, specific, informed, and unambiguous. And you need to be able to prove it.

Consumer rights infrastructure. People have the right to access their data, correct inaccuracies, request deletion, restrict processing, and port their data to another service. You need systems and processes in place to handle these requests within the timelines the law mandates.

Data Protection Impact Assessments. For high-risk processing activities, like using AI systems, handling biometric data, or large-scale profiling, you’re required to assess and document the risks before you start.

72-hour breach notification. If you experience a data breach that poses a risk to individuals, you have to notify your supervisory authority within 72 hours. Not 72 business hours. 72 actual hours. That means your incident response plan needs to be ready before something goes wrong.

CCPA: California’s Privacy Law Just Got Tougher

The California Consumer Privacy Act, as expanded by the California Privacy Rights Act (CPRA), is the most comprehensive privacy law in the United States. And as of January 1, 2026, it entered a new phase of maturity with significant regulatory updates that affect businesses of every size.

The CCPA applies to for-profit businesses that do business in California and meet at least one of these criteria: annual gross revenue exceeding roughly $26.6 million, processing the personal information of 100,000 or more California consumers, or deriving 50% or more of annual revenue from selling or sharing consumers’ personal information.

Here’s what changed in 2026:

Mandatory risk assessments. If your data processing presents “significant risk” to consumer privacy, such as selling personal information, processing sensitive data, using AI for significant decisions, or deploying biometric identification, you must now conduct formal privacy risk assessments before engaging in those activities. For processing that began before 2026 and continues today, those assessments must be completed by December 31, 2027.

Cybersecurity audit requirements. Businesses whose processing poses significant security risks face mandatory cybersecurity audits. These aren’t self-assessments. They require an internal or external auditor who evaluates 18 specific components of your cybersecurity program, from network segmentation to incident response to multifactor authentication. The first audit certifications are due to the CPPA by April 2028 for companies with revenue above $100 million, with smaller businesses following in 2029 and 2030.

Automated decision-making technology (ADMT) rules. If your business uses AI or automated systems to make decisions that significantly affect consumers, like credit decisions, hiring, or insurance pricing, new rules require you to provide opt-out mechanisms, inform consumers about the technology, and ensure human oversight of those decisions. Compliance with ADMT requirements kicks in on January 1, 2027.

Expanded data access rights. Consumers can now request data going back further than the previous 12-month window. If your business retains personal information for 36 months, a consumer’s request in 2026 must include data going back to January 2022. This has real operational implications for how you store, index, and retrieve historical data.

Penalties that add up fast. Fines under the CCPA run approximately $2,663 per negligent violation and $7,988 per intentional violation as of the latest adjustment. There is no automatic cure period for intentional violations. And the California Privacy Protection Agency has made it clear that enforcement is a priority, with recent settlements exceeding $1.3 million against individual companies.

GDPR and CCPA: Where They Overlap and Where They Don’t

If you’re subject to both the GDPR and the CCPA, the good news is that they share a lot of common ground. Both require transparent privacy notices. Both give consumers rights to access, correct, and delete their data. Both demand security safeguards and accountability measures.

But there are meaningful differences. The GDPR is built around the concept of “lawful basis” for processing. You need a legal justification before you can do anything with personal data. The CCPA is more of an opt-out model: you can process data, but consumers have the right to tell you to stop selling or sharing it.

The GDPR applies to any organization that processes EU residents’ data, regardless of size. The CCPA has revenue and data volume thresholds that can exempt very small businesses. The GDPR mandates Data Protection Officers for certain organizations and requires 72-hour breach notification. The CCPA focuses more on risk assessments, cybersecurity audits, and automated decision-making oversight.

The smartest approach I’ve seen businesses take is to build their compliance program around the strictest standard, usually GDPR, and then layer in the specific requirements of CCPA and other state laws. That way, you’re not building separate silos for each regulation. You’re building one solid foundation that covers most of what every law demands.

The Bigger Picture: 20 States and Counting

GDPR and CCPA get most of the headlines, but they’re part of a much larger wave. As of 2026, twenty U.S. states have comprehensive data privacy laws in effect. Indiana, Kentucky, and Rhode Island all activated theirs on January 1, 2026. Connecticut, Oregon, and Utah are rolling out significant amendments throughout the year.

Each state has its own thresholds, definitions, and enforcement mechanisms. Penalties range from $2,500 to $20,000 per violation depending on the state. Colorado stands out with fines up to $20,000 per offense. Several states have eliminated or shortened cure periods, meaning there’s no grace window to fix a problem once regulators come calling.

And it’s not just the U.S. Globally, Brazil’s LGPD continues to expand enforcement. India’s Digital Personal Data Protection Act is phasing in through 2027 with penalties reaching up to ₹250 crore per violation. The EU AI Act reaches full enforcement for high-risk systems in August 2026, creating new obligations that sit right alongside GDPR compliance.

The common thread across all of these? Regulators are no longer just looking at whether you have a policy. They’re looking at whether you can prove your practices match your promises.

What You Should Be Doing Right Now

I know this can feel overwhelming. Twenty state laws, the GDPR, the CCPA, new rules about AI, and the pace keeps accelerating. But compliance doesn’t have to mean paralysis. Here’s where I’d focus:

Figure out which laws apply to you. This sounds basic, but most businesses haven’t done it rigorously. Map out every jurisdiction where you have customers, employees, or web traffic. Cross-reference against the applicable privacy laws. Don’t assume you’re too small to matter.

Get your data house in order. You can’t comply with any of these laws if you don’t know what data you have, where it lives, how it flows, and who has access to it. A comprehensive data inventory is the starting point for everything else.

Fix your privacy notices and consent mechanisms. These are the most visible and most frequently enforced elements of any privacy program. Make sure they’re current, clear, and functional. If your cookie banner still uses pre-checked boxes or makes it harder to reject than to accept, you’re creating liability every single day.

Build real processes for handling rights requests. Access, deletion, correction, opt-out. These aren’t one-off tasks. You need documented workflows, clear timelines, and trained staff. Manual processes might work at small scale, but they fall apart fast when enforcement comes knocking.

Invest in your cybersecurity posture. Privacy and security are two sides of the same coin. Every major privacy law requires you to implement appropriate technical safeguards. Encryption, access controls, monitoring, incident response planning, vendor security reviews. These aren’t nice-to-haves. They’re the foundation that everything else sits on.

Don’t forget your vendors. Your compliance obligations extend to the service providers, contractors, and SaaS platforms that process data on your behalf. Review your contracts. Make sure they include data governance clauses, security commitments, and flow-down requirements. California’s recent enforcement actions have specifically targeted failures in vendor agreements.

Why This Matters Beyond Compliance

I’ll say something that might sound strange coming from someone in cybersecurity: compliance isn’t the goal. It’s the floor.

The real value of getting your data privacy and security posture right isn’t just about avoiding fines. It’s about earning the trust of the people you serve. In a world where data breaches make headlines every week and consumers are paying more attention to how their information is handled, the businesses that take this seriously are the ones that build lasting relationships.

At Alchanis Technical Services, we’ve spent over 160 combined years working across public, private, and government sectors to help organizations strengthen their cybersecurity posture and meet their compliance obligations. We treat our clients like family, because we know that protecting data means protecting people’s livelihoods, reputations, and futures.

Whether you’re trying to figure out if the GDPR applies to your business, preparing for CCPA’s new risk assessment requirements, or building a compliance program that covers the growing patchwork of state laws, we’re here to help you get it right.


Need help navigating data privacy compliance?

Visit alchanistech.com or reach out to schedu

Alchanis Technical
