Compliance is no longer a Fortune 500 problem.
For a long time, regulators left small businesses alone. That era is over. State attorneys general are actively enforcing the new state privacy laws, the FTC has rebuilt its small-business enforcement program around advertising and data, and consumer-side plaintiffs' firms are running large-scale wiretap, BIPA, and dark-pattern cases. The "we are too small for them to notice" defense does not work anymore.
The right response is not a 200-page compliance binder. It is a focused, risk-prioritized program: a privacy policy that actually matches the data flows, a few core operational controls, training for the team members who touch sensitive data, and a breach response plan you can actually execute on day zero.
What we cover
U.S. state privacy laws
California (CCPA/CPRA), Colorado, Virginia, Connecticut, Utah, Texas Data Privacy and Security Act, Oregon, Montana, and the dozen more that have passed since. Applicability analysis, privacy policy, consumer-rights workflow, opt-out signals, and DPA templates.
GDPR & UK GDPR basics
For any business taking EU/UK customers - applicability, lawful basis, Article 28 processor agreements, international transfer mechanisms (SCCs, UK IDTA), and DSR workflow.
FTC advertising & consumer protection
Endorsement and testimonial rules, native and influencer marketing disclosures, dark patterns, free trial and subscription auto-renewal compliance under FTC and state law, made-in-USA claims, and Section 5 generally.
COPPA (kids under 13)
Applicability analysis, parental consent mechanisms, data minimization, and the operational design needed to keep mixed-audience services on the right side of the line.
HIPAA basics & healthcare-adjacent
Business Associate Agreements, HIPAA applicability for digital health and wellness products, and the increasingly important boundary between PHI and general health-related data under the FTC Health Breach Notification Rule.
Fintech basics
Money transmission analysis, Reg E and consumer protection for payments-adjacent products, GLBA Safeguards Rule, and the early-stage regulatory architecture for fintech and embedded finance startups.
Data security & breach response
Written information security program, vendor diligence, incident response playbook, and on-call breach counsel with privileged investigation, notifications, and regulator engagement.
Our process
- Compliance scoping call. We map your data flows, customer geography, sector exposure, and current state of compliance documentation.
- Applicability matrix. Within two weeks you receive a written matrix of which laws apply to you, what they require, and where the gaps are.
- Program build. We draft the privacy policy, terms updates, DPA, internal policies, consumer-rights workflow, and breach plan.
- Training & rollout. A live session with your team to walk through the new program and the operational steps each person owns.
- Ongoing watch. Compliance is not a one-time project - we keep clients on a light retainer to handle new state laws, FTC guidance, and incident response as they come.
Common compliance scenarios
The SaaS company taking its first EU customer
You just signed a customer in Germany. Now you need a GDPR-compliant DPA, an international transfer mechanism, a meaningful privacy policy update, and a story for how you handle data subject requests. We do it in two weeks without slowing the deal.
The Texas Data Privacy Act letter
You received a letter from the Texas Attorney General's office asking about your privacy practices. Texas does not allow a private right of action - the AG is the enforcement body - and a thoughtful, prompt response inside the cure period is the difference between a closed file and an investigation.
The breach at 9 PM on a Friday
An employee clicked a phishing link, credentials were used, customer data was accessed. Within hours we have outside forensic counsel engaged under privilege, the incident scoped, and the 48-hour notification calendar mapped against every state and contract obligation that bites.
Why Sterling & Hayes
Compliance counsel that knows the difference between what the statute says and what regulators actually enforce. We give you a program proportional to your size, your risk profile, and your operational reality - not a Fortune 500 binder that nobody reads and nobody follows.