CCPA and GDPR in 2026: What Small Businesses Actually Need to Know
Team Sonomos
Data privacy law used to be a big-company problem. That era is definitively over.
Twenty US states now have comprehensive privacy laws in effect — up from nine just two years ago. On January 1, 2026, Indiana, Kentucky, and Rhode Island joined the patchwork, while California's sweeping new CCPA regulations covering cybersecurity audits, risk assessments, and automated decision-making went live the same day. Across the Atlantic, cumulative GDPR fines have reached €5.88 billion, and European regulators have launched a 2026 coordinated enforcement action focused on transparency — meaning they're actively auditing whether businesses adequately explain how they collect and use personal data.
If you handle personal data — and you do — 2026 is the year the regulatory floor shifted under your feet.
Who Actually Has to Comply?
CCPA/CPRA applies to for-profit businesses that meet any one of these thresholds:
- Annual gross revenue exceeding $26,625,000 (worldwide revenue, not California-specific)
- Processing personal information of 100,000 or more California residents or households annually
- Deriving 50 percent or more of annual revenue from selling or sharing personal information
Critical detail: no physical California presence is required. CCPA jurisdiction extends extraterritorially — a New York SaaS company processing 120,000 California users' data must comply even with revenue under $26M.
GDPR applies to any organization that processes personal data of EU residents, regardless of where the company is based. If EU citizens visit your website, use your service, or appear in your client files, GDPR likely applies to you.
The trap for small businesses: Even if you fall below CCPA's direct thresholds, you may still be caught as a service provider to a covered business. If you work with larger companies as a vendor or contractor, they'll need CCPA-compliant data protection clauses in your contract. Rhode Island's new law makes this especially relevant — its applicability threshold is just 35,000 consumers, one of the lowest in the country.
What Changed in 2026
The CPPA's major regulatory package — approved September 22, 2025 — took effect January 1, 2026. This is the most significant expansion of California privacy requirements since the CCPA's original enactment, and several obligations are now live:
Mandatory cybersecurity audits. Businesses meeting certain thresholds must conduct annual, independent cybersecurity audits and submit certifications to the CPPA. The deadlines are staggered by revenue: April 1, 2028 for businesses over $100M, April 1, 2029 for $50M–$100M, and April 1, 2030 for under $50M. A senior executive must sign the certification under penalty of perjury.
Risk assessments are now required. As of January 1, 2026, businesses must conduct privacy risk assessments before initiating any processing activity that presents "significant risk" to consumer privacy — including selling personal information, using automated decision-making, processing sensitive data, or training AI models. Pre-2026 activities must be assessed by December 31, 2027. The first annual summary report is due April 1, 2028, signed by a member of executive management under penalty of perjury.
Automated Decision-Making Technology (ADMT) requirements. New rules take effect January 1, 2027, governing how businesses use automated systems for decisions affecting financial services, housing, education, employment, or healthcare. Consumers will gain the right to opt out and to access information about how ADMT decisions are made.
Enhanced opt-out confirmation. Businesses must now provide visible confirmation that opt-out requests have been processed — toggles, badges, or messages. Silent processing no longer suffices.
Insurance companies explicitly covered. Entities subject to the California Insurance Code must now comply with the CCPA for any personal information not already regulated under insurance-specific law.
On the GDPR side, the EDPB's 2026 coordinated enforcement action is targeting transparency and information obligations under Articles 12–14. National data protection authorities across Europe will jointly investigate whether businesses are clearly explaining how they collect and use personal data. The EU AI Act also reaches full enforcement on August 2, 2026, adding AI governance obligations that intersect with data protection requirements.
Real Enforcement Is Happening — And Getting Bigger
This isn't theoretical. In July 2025, the California Attorney General's office entered into the largest CCPA settlement to date — $1.55 million — with an online health information publisher for failing to honor opt-out requests and improperly sharing personal data. The Tractor Supply enforcement action in September 2025 resulted in a $1.35 million fine for failures including inadequate vendor contract amendments. Even mid-sized retailers aren't safe — the CPPA fined Todd Snyder nearly $350,000 for a 40-day technical error that prevented users from exercising opt-out choices.
Connecticut fined ticket reseller TicketNetwork $85,000 for a "largely unreadable" privacy notice with misconfigured opt-out mechanisms. Texas secured over $1 billion in settlements from a major tech company under its privacy law. And state attorneys general are increasingly coordinating enforcement across jurisdictions.
On the GDPR side, recent enforcement includes TikTok's €530 million fine for illegal data transfers to China, Meta's €479 million for consent manipulation, and Vodafone's €45 million for vendor security failures.
The pattern is clear: regulators are no longer issuing warnings. They're issuing invoices — and the amounts are climbing.
Penalty ranges for reference: CCPA violations carry fines of $2,663 per negligent violation and $7,988 per intentional violation. GDPR fines can reach €20 million or 4 percent of global annual revenue, whichever is higher. These accumulate per-record, per-violation.
A Practical 2026 Compliance Checklist
Skip the 200-page compliance manuals. Here's what actually matters now:
1. Map your data — including AI workflows. Know what personal information you collect, where it lives, how it flows through your systems, and who has access. In 2026, this explicitly includes any data used to train AI models or processed by automated decision-making systems. You can't assess risk for processing activities you haven't inventoried.
2. Update your privacy policy for 2026 requirements. It must disclose categories of personal information collected, sources, business purposes, and third-party sharing practices. Under CCPA, it must be reviewed and updated at least annually. Under the 2026 GDPR transparency enforcement push, vague or jargon-heavy privacy notices are a specific target — make yours readable.
3. Implement visible consumer rights mechanisms. Both CCPA and GDPR grant individuals rights to access, correct, delete, and opt out of sale/sharing of their data. New for 2026: opt-out confirmations must be visibly displayed to the consumer. Eight states now require recognition of Global Privacy Control signals.
4. Audit your vendor contracts. Service provider agreements must include prohibitions on using personal information outside contract scope, commitments to honor consumer opt-outs, subcontractor flow-down requirements, and annual compliance certifications. The Tractor Supply case specifically flagged vendor contract failures.
5. Begin your risk assessment process. If your business conducts any processing activity that presents significant risk — selling data, using ADMT, processing sensitive information, profiling consumers — you must now conduct and document risk assessments. Unlike other states, California's requirement extends to employment and B2B data, not just consumer data.
6. Implement data protection at the technical level. Use encryption, access controls, and data loss prevention tools. Under GDPR Article 25, privacy must be embedded at the architectural level. Under the new CCPA cybersecurity audit rules, you'll eventually need to demonstrate that your security posture has been independently verified.
The Cost of Getting It Wrong vs. Getting It Right
Small businesses typically invest $1,000 to $10,000 annually in compliance tools. Mid-size businesses spend $10,000 to $50,000. These numbers look very different next to a $7,988-per-violation fine accumulating across hundreds or thousands of affected records — or a $350,000 penalty for a 40-day technical glitch, as Todd Snyder learned.
The counterargument is often that compliance feels expensive for a small operation. But enforcement trends in 2026 are moving in one direction: more states, more coordination, bigger fines, and lower thresholds for triggering coverage. Rhode Island's 35,000-consumer threshold and Connecticut's removal of the financial institution exemption mean more businesses are in scope than ever.
How Sonomos Simplifies Compliance
One of the hardest parts of CCPA and GDPR compliance is knowing where your sensitive data actually is — and catching it before it leaves your controlled environment. The new risk assessment requirements make this even more urgent: you can't assess risk for data you haven't identified.
Sonomos's Dagger feature provides real-time sensitive data detection that identifies PII, financial records, health data, and other regulated information across your workflows. It runs locally on your device, which means it satisfies GDPR's Privacy by Design mandate by default — no data is transmitted to a third-party processor for analysis. When the EDPB audits your transparency practices, you can demonstrate that sensitive data detection happens without creating new processing activities.
Sonomos's Cloak feature handles the data minimization piece — masking sensitive information before it's shared externally, reducing your regulatory surface area with every interaction. In a landscape where risk assessments must now account for every processing activity that touches sensitive data, fewer exposed data points means fewer assessments required.
For small businesses navigating 20 state privacy laws, expanding GDPR enforcement, and new cybersecurity audit timelines, Sonomos turns what used to require a dedicated privacy team into something that runs quietly in the background — catching problems before they become fines.
Last updated: February 2026