
Which state privacy laws apply to small businesses in 2026

State privacy laws no longer spare the small. If your firm handles client health records, financial data, or biometric identifiers, multiple laws already apply—and your headcount does not change that.

Elevate Solutions
June 26, 2026 · 5 min read

If you run a small law firm, a solo dental practice, or a ten-person financial advisory office, you may have assumed the wave of state privacy legislation was aimed at large corporations with dedicated compliance teams. That assumption now carries real risk.

Several state and federal privacy laws apply to small businesses regardless of headcount, particularly firms in healthcare, financial services, and law. HIPAA, the FTC's GLBA Safeguards Rule, Illinois' Biometric Information Privacy Act, Washington's My Health Data Act, and all fifty state breach notification statutes carry no meaningful size exemption. Knowing which law applies to your data type—not your employee count—is the starting point for compliance.

Which laws already apply to your firm?

Most of the well-publicized omnibus state privacy laws—California's CCPA, Virginia's VCDPA, Colorado's CPA—include consumer-count or revenue thresholds that effectively exempt the smallest firms. But those laws are not the full picture. Four categories of law have no meaningful size exemption.

Federal sector laws

HIPAA applies to any covered entity—including a solo physician, a two-person dental office, or a medical billing service—and to every business associate that handles protected health information. The FTC's GLBA Safeguards Rule applies to any financial institution regardless of size. That definition is broad: it includes small accounting firms, independent insurance agencies, tax preparers, and mortgage brokers. Neither law offers a small-business carve-out.

State biometric laws

Illinois' Biometric Information Privacy Act (BIPA) applies to any private entity that collects fingerprints, facial scans, or other biometric identifiers. There is no revenue threshold and no employee minimum. If your office uses a fingerprint time clock or a facial-recognition door system, BIPA applies to you if any employee or client is an Illinois resident. Texas has a comparable biometric identifier statute with similarly broad reach.

State consumer health data laws

Washington's My Health Data Act covers any organization that determines how consumer health data is collected or used and that conducts business in Washington or targets Washington residents. There is no headcount or revenue threshold in that definition. Entities already fully governed by HIPAA for the same data carry a partial exemption, but health data that falls outside HIPAA's scope—wellness surveys, appointment-scheduling details, health-related email correspondence—may still be covered.

State data breach notification laws

All fifty states require prompt notification to affected individuals, and in most cases to the state attorney general, when personal information is compromised. These laws apply to every business that handles residents' data, regardless of size. A two-person office that loses a laptop with unencrypted client files is subject to the same notification obligation as a hospital system.

What data actually triggers these obligations?

Consider what your firm handles on an ordinary day:

  • Client names combined with Social Security numbers, account numbers, or medical record numbers
  • Employee payroll records and direct deposit information
  • Any photograph or scan used for time-and-attendance or building access (potentially biometric under state law)
  • Appointment records that reveal a client's provider relationship
  • Emails containing a client's financial position or health condition

If any of these live in your Microsoft 365 environment—your email, SharePoint, or OneDrive—you have obligations. The question is not whether a law applies. The question is whether you can demonstrate compliance when a regulator or an opposing attorney asks.

What does the minimum compliance floor look like?

You do not need an enterprise security stack to meet baseline obligations. Microsoft 365 Business Premium, the plan most small professional-services firms already use, includes the tools to cover the fundamentals.

Six steps that satisfy most baseline requirements

  1. Turn on multi-factor authentication for every account. MFA is a documented compliance expectation under the GLBA Safeguards Rule and appears in most state cybersecurity guidance. M365 Business Premium includes it. If it is not enabled for every user in your tenant, that is the first thing to fix.
  2. Run a simple data inventory. List where personal information lives: email folders, SharePoint sites, local drives, cloud backups. You cannot protect data you cannot locate, and you cannot notify affected individuals after a breach if you do not know whose data was exposed.
  3. Apply sensitivity labels to files containing personal data. M365 Business Premium includes Microsoft Purview Information Protection. Labeling documents that contain health or financial data takes an afternoon to configure and produces audit evidence that you treat sensitive data differently from routine files.
  4. Verify that audit logging is enabled. Microsoft 365's unified audit log records who accessed what and when. In a breach investigation or a regulatory inquiry, this log is your primary evidence trail. It is disabled by default on some configurations—confirm it is on in your tenant.
  5. Write a one-page breach response plan. Most state notification laws require action within 30 to 72 hours of discovering a breach. A brief written plan—who contacts whom, who drafts the notification, which regulators receive notice—is the difference between a controlled response and a chaotic one.
  6. Review your vendor agreements. If a payroll processor, EHR vendor, or cloud backup provider handles your clients' personal data, your contract needs data protection terms. Under HIPAA, that is a Business Associate Agreement. Under the GLBA Safeguards Rule, it is a service provider oversight requirement. Both apply regardless of how small your firm is.
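Steps 1 and 4 can be verified rather than assumed. The script below is an added example, not part of the original post or an Elevate Solutions tool: it lists enabled users with no strong MFA method registered and reports whether unified audit log ingestion is on. It assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules are installed and that the signed-in admin can read authentication methods and Exchange configuration.

```powershell
# Added example (not from the original post). Read-only check of two of the
# six steps above in a Microsoft 365 tenant:
#   step 1 - which enabled users have no strong MFA method registered
#   step 4 - whether unified audit log ingestion is enabled
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed.

Connect-MgGraph -Scopes "User.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

# Method types that count as a real second factor. Password and email OTP
# (used for self-service reset) are deliberately not on this list.
$strongTypes = @(
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"
)

$noMfa = foreach ($u in Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled) {
    if (-not $u.AccountEnabled) { continue }          # disabled accounts cannot sign in
    $methods    = Get-MgUserAuthenticationMethod -UserId $u.Id
    $registered = $methods | ForEach-Object { $_.AdditionalProperties["@odata.type"] }
    if (-not ($registered | Where-Object { $strongTypes -contains $_ })) {
        $u.UserPrincipalName
    }
}

"Enabled users with no strong MFA method registered: $(@($noMfa).Count)"
$noMfa | Sort-Object | ForEach-Object { "  $_" }

# Step 4: the unified audit log is an Exchange Online tenant setting.
Connect-ExchangeOnline -ShowBanner:$false
$audit = Get-AdminAuditLogConfig
if ($audit.UnifiedAuditLogIngestionEnabled) {
    "Unified audit log ingestion: ENABLED"
} else {
    "Unified audit log ingestion: DISABLED - turn it on with:"
    "  Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true"
}
Disconnect-ExchangeOnline -Confirm:$false
```

A registered method only shows the user can complete MFA; enforcement still comes from Security Defaults or a Conditional Access policy, so check one of those is in place as well. Keep the script's output with the date it was run, since that is the kind of evidence a regulator or auditor will ask for.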

What is changing in 2026?

Indiana and Kentucky join the list of states with active consumer privacy laws in January 2026. Both include consumer-count thresholds that may not reach the smallest firms directly. What is more significant for a ten-person office is the continued enforcement activity by state attorneys general under existing laws—particularly breach notification statutes and BIPA—and the FTC's sustained focus on GLBA Safeguards compliance at smaller financial-services firms.

The practical risk for a small firm is not a CCPA class action. It is a breach notification failure that draws a state AG letter, a BIPA lawsuit triggered by a biometric time clock, or a GLBA enforcement action following a phishing incident. All three are within reach for firms of any size, and all three are preventable with the steps above.

A dedicated team that knows your environment can assess your current exposure, map your data to the laws that apply, and configure the tools already inside your Microsoft 365 subscription to close the gaps. The compliance floor is lower than most small-firm owners expect—but only if you start before something goes wrong.

Elevate Solutions' security and IT advisory team delivers managed cybersecurity (MDR/MXDR), managed IT, and compliance guidance (HIPAA, SOC 2, PCI DSS) for regulated mid-market firms across Los Angeles.

Reviewed by David Faramarzi · Founder, Elevate Solutions