Privacy Policy & AI Data Law

Thirteen states now have comprehensive consumer privacy laws. The FTC is actively enforcing against deceptive data practices. And AI has introduced entirely new obligations — around automated profiling, chatbot data collection, and AI-generated content disclosures. If your privacy policy was written before 2022, it is almost certainly out of compliance.

The U.S. privacy law landscape

Unlike the EU's unified GDPR, the U.S. has a patchwork of state-level privacy laws, each with different thresholds and requirements:

  • California (CCPA/CPRA): Applies to businesses that collect data from California residents and meet at least one of: $25M+ annual revenue, data on 100,000+ consumers/households, or 50%+ revenue from selling data. Enforcement by California AG + California Privacy Protection Agency. Fines up to $7,500 per intentional violation.
  • Texas (TDPSA): Applies to businesses that conduct business in Texas or target Texas residents, with exemptions for small businesses. Effective July 2024.
  • Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA): All effective and actively enforced. Similar rights (access, deletion, correction, portability, opt-out of sale/profiling).
  • Florida, Montana, Oregon, New Hampshire, New Jersey, Nebraska, Minnesota, Maryland: Additional state laws effective or taking effect in 2024–2025.

Common thread: All state laws require a clear, comprehensive privacy policy, a mechanism for users to exercise rights (access, deletion, opt-out), and restrictions on selling or sharing personal data without consent.

Even if your business is small and doesn't meet CCPA thresholds, the FTC Section 5 prohibition on unfair or deceptive trade practices applies to any privacy policy that misrepresents what data you collect and how you use it.

What every privacy policy must include in 2026

  • What data you collect — name, email, phone, IP address, cookies, device identifiers, location, call recordings, payment data
  • How you collect it — forms, analytics, cookies, call tracking, AI chatbots, third-party integrations
  • Why you collect it — purpose limitation is a core principle: data collected for service delivery shouldn't be repurposed for advertising without disclosure
  • Who you share it with — analytics providers (Google Analytics 4), CRMs, email platforms, call tracking vendors, AI service providers, payment processors
  • How long you retain it — a retention schedule is required under most state laws
  • How consumers can exercise their rights — a dedicated email address or webform for data requests (access, deletion, correction, portability)
  • Whether you "sell" or "share" data — under CCPA, sharing data with advertising platforms (Google, Meta) for targeted ads may constitute a "sale" requiring opt-out
  • Cookie/tracking disclosure — cookie consent banners are now required if you have European visitors; disclosure is required everywhere

AI-specific data obligations

AI has created new privacy obligations that most privacy policies don't address:

  • AI chatbots collect data. If you use an AI chat widget (built on ChatGPT, Claude, or similar), every conversation is data. That data may be used to train the underlying model. Your privacy policy must disclose this — and your terms of service should address what users can and can't share in chats.
  • Automated profiling. Several state laws (Colorado, Connecticut, Virginia) give consumers the right to opt out of profiling for significant decisions. If your CRM or marketing automation scores leads, segments customers, or makes automated recommendations, you may need to disclose this and provide opt-outs.
  • AI content disclosure. The FTC has issued guidance that AI-generated content — particularly AI-generated testimonials, reviews, or endorsements — must be disclosed. Undisclosed AI-generated endorsements violate FTC rules.
  • AI call recording and transcription. Tools that record and transcribe calls (used for coaching, lead scoring, and CRM population) create consent obligations. In two-party consent states (California, Florida, Illinois, and others), both parties must consent to recording before it begins.

See the full picture in AI & the New Compliance Landscape.

GDPR — does it apply to your business?

The EU's General Data Protection Regulation (GDPR) applies to any organization that processes the personal data of EU residents, regardless of where the business is located. If your website is accessible globally (it is) and you have EU visitors, you technically fall under GDPR.

For most small U.S. trades businesses, municipalities, and schools that don't actively market to EU residents and don't process EU customer data, the practical enforcement risk is low — but not zero. At minimum:

  • Google Analytics should be configured to respect consent preferences
  • Cookie consent banners should offer a genuine opt-out for non-essential cookies
  • A data processing mechanism should be in place if you have EU customers or employees

Industry-specific privacy requirements

Trades businesses

Trades businesses collect customer home addresses, service history, payment data, and call recordings — all sensitive data that must be disclosed in your privacy policy. If you use AI for lead scoring, call transcription, or appointment optimization, those tools must be disclosed.

K–12 schools

Schools are subject to FERPA (Family Educational Rights and Privacy Act) for student records, COPPA (Children's Online Privacy Protection Act) for data collected from children under 13, and applicable state privacy laws. AI tools used in classrooms must be vetted for FERPA/COPPA compliance — many popular AI tools are not FERPA-compliant by default.

Municipalities

Government entities collecting personal data through digital services (permit applications, utility payments, public meeting registration) must comply with state open government and privacy laws, as well as federal privacy frameworks. Public-facing AI systems may be subject to additional state AI transparency requirements.

Get a privacy policy review

We review your privacy policy against current state laws, FTC guidance, and AI-specific requirements — and deliver an updated policy that actually covers what your site does.
