Compliance is no longer a Fortune 500 problem.

For a long time, regulators left small businesses alone. That era is over. State attorneys general are actively enforcing the new state privacy laws, the FTC has rebuilt its small-business enforcement program around advertising and data, and consumer-side plaintiffs' firms are running large-scale wiretap, BIPA, and dark-pattern cases. The "we are too small for them to notice" defense does not work anymore.

The right response is not a 200-page compliance binder. It is a focused, risk-prioritized program: a privacy policy that actually matches your data flows, a few core operational controls, training for the team members who touch sensitive data, and a breach response plan you can actually execute on day zero.

What we cover

U.S. state privacy laws

California (CCPA/CPRA), Colorado, Virginia, Connecticut, Utah, Texas Data Privacy and Security Act, Oregon, Montana, and the dozen more that have passed since. Applicability analysis, privacy policy, consumer-rights workflow, opt-out signals, and DPA templates.

GDPR & UK GDPR basics

For any business taking EU/UK customers - applicability, lawful basis, Article 28 processor agreements, international transfer mechanisms (SCCs, UK IDTA), and DSR workflow.

FTC advertising & consumer protection

Endorsement and testimonial rules, native and influencer marketing disclosures, dark patterns, free trial and subscription auto-renewal compliance under FTC and state law, made-in-USA claims, and Section 5 generally.

COPPA (kids under 13)

Applicability analysis, parental consent mechanisms, data minimization, and the operational design needed to keep mixed-audience services on the right side of the line.

HIPAA basics & healthcare-adjacent

Business Associate Agreements, HIPAA applicability for digital health and wellness products, and the increasingly important boundary between PHI and general health-related data under the FTC Health Breach Notification Rule.

Fintech basics

Money transmission analysis, Reg E and consumer protection for payments-adjacent products, GLBA Safeguards Rule, and the early-stage regulatory architecture for fintech and embedded finance startups.

Data security & breach response

Written information security program, vendor diligence, incident response playbook, and on-call breach counsel with privileged investigation, notifications, and regulator engagement.

[Image: Privacy and compliance program design session at Austin law firm]

Risk-Prioritized Compliance

Our process

  1. Compliance scoping call. We map your data flows, customer geography, sector exposure, and current state of compliance documentation.
  2. Applicability matrix. Within two weeks you receive a written matrix of which laws apply to you, what they require, and where the gaps are.
  3. Program build. We draft the privacy policy, terms updates, DPA, internal policies, consumer-rights workflow, and breach plan.
  4. Training & rollout. A live session with your team to walk through the new program and the operational steps each person owns.
  5. Ongoing watch. Compliance is not a one-time project - we keep clients on a light retainer to handle new state laws, FTC guidance, and incident response as they come.

Common compliance scenarios

The SaaS company taking its first EU customer

You just signed a customer in Germany. Now you need a GDPR-compliant DPA, an international transfer mechanism, a meaningful privacy policy update, and a story for how you handle data subject requests. We do it in two weeks without slowing the deal.

The Texas Data Privacy Act letter

You received a letter from the Texas Attorney General's office asking about your privacy practices. Texas does not allow a private right of action - the AG is the enforcement body - and a thoughtful, prompt response inside the cure period is the difference between a closed file and an investigation.

The breach at 9 PM on a Friday

An employee clicked a phishing link, credentials were used, customer data was accessed. Within hours we have outside forensic counsel engaged under privilege, the incident scoped, and the 48-hour notification calendar mapped against every state and contract obligation that bites.

Why Sterling & Hayes

Compliance counsel that knows the difference between what the statute says and what regulators actually enforce. We give you a program proportional to your size, your risk profile, and your operational reality - not a Fortune 500 binder that nobody reads and nobody follows.

Frequently Asked

Compliance, answered.

Which privacy laws actually apply to my small business?

It depends on where your customers live and what data you collect, not where you are headquartered. California's CCPA/CPRA, the Texas Data Privacy and Security Act, and an expanding list of other state laws each have their own thresholds and obligations. Most Austin small businesses serving U.S. consumers end up subject to at least two or three state regimes simultaneously, plus GDPR if any users come from the EU/UK. We run an applicability matrix as the very first step.

When is a privacy policy required?

In practice, always. Even before any state privacy law applied, the FTC has treated the absence of a privacy policy as a deceptive practice under Section 5 if you collect personal information. California's CalOPPA has required one since 2004 for any commercial website that collects personally identifiable information from California residents. We treat a current, accurate privacy policy as table stakes for any business with a website and any data collection.

When did the Texas Data Privacy and Security Act take effect?

The Texas Data Privacy and Security Act took effect on July 1, 2024, with the cure period and certain provisions phasing in. It applies to businesses that conduct business in Texas or produce products or services consumed by Texas residents, with a small-business carve-out keyed to the federal Small Business Administration definition. The Texas Attorney General has enforcement authority and a 30-day cure period applies - private rights of action are not allowed under the statute.

Does COPPA apply if my product is for adults but kids use it?

COPPA applies if your service is directed to children under 13 or if you have actual knowledge that you are collecting personal information from children under 13. Mixed-audience services - those directed at both children and adults - can be subject to COPPA for the under-13 portion of the audience and have to implement age screens and parental consent for those users. The consequences are significant, with per-violation penalties and lengthy FTC consent decrees, so this is a question to answer with counsel before launching.

What is the right immediate response to a suspected data breach?

Within the first 24 hours: contain the incident, preserve forensic evidence, and engage outside counsel under privilege to direct the investigation. Inside the first week: scope the affected data, identify legal notification triggers under state breach laws and any contractual obligations, and prepare notifications. Most state breach notification laws have specific timelines (often 30-60 days) and content requirements - missing them compounds the regulatory exposure on top of the breach itself.

Do I really need a Data Processing Agreement (DPA) with every vendor?

With every vendor that processes personal data on your behalf, yes. CCPA, the Texas DPSA, Colorado CPA, Virginia VCDPA, and GDPR all require specific contractual terms between controllers and processors. Most vendors have a standard DPA you can sign and that gets you most of the way there - but we still recommend a legal review for any vendor handling sensitive categories of data or significant data volume.

What is your privacy and compliance posture, really?

Schedule a 30-minute applicability call. We will tell you which laws apply, where the gaps are, and what to fix first.
