Frequently Asked Questions – Privacy & Security Compliance

Quick answers to the most common questions about website privacy laws, security requirements, and what small businesses need to know about the 2025 compliance deadlines.

Privacy Compliance Questions

Do small businesses really need to comply with privacy laws?

✅ Yes. Privacy laws like GDPR and CCPA apply to any website that collects personal data, including:

  • Email addresses from contact forms
  • Cookies and tracking pixels
  • Payment information
  • User preferences and settings

Even small online shops can face fines if they sell to customers in regulated states or countries.

What happens if my site has no privacy policy?

Missing a privacy policy is one of the most common compliance violations. Regulators and law firms actively look for it. In some states, you can be fined $7,500–$20,000 per violation.

Common consequences:

  • Demand letters from law firms
  • Regulatory investigations
  • Lost customer trust
  • Google search penalty

Do I need a cookie banner on my website?

If your site uses tracking tools (Google Analytics, Facebook Pixel, Hotjar, etc.), you need a cookie consent banner for visitors in the EU (GDPR) and California (CCPA).

The banner must:

  • Appear before setting cookies
  • Allow users to "accept" or "reject"
  • Link to your privacy policy
  • Be clearly visible and understandable

What's the deadline for new U.S. privacy laws?

On January 1, 2025, eight new state privacy laws go live:

  • Montana, Oregon, Texas, Delaware
  • Iowa, Nebraska, New Hampshire, New Jersey

Fines begin immediately after enforcement. Maximum penalties range from $7,500 to $20,000 per violation.

Can I ignore these laws if I don't sell outside my state?

If your website gets any visitors from states or countries with privacy laws, you're potentially subject to them.

Example scenarios:

  • California resident buying from your online store → CCPA applies
  • EU visitor reading your blog → GDPR applies
  • Texas resident filling out your contact form → TDPSA applies (2025)

Reality: Most websites have visitors from regulated jurisdictions.

Website Security Questions

What is SSL and why is it important?

SSL (Secure Sockets Layer; modern sites actually use its successor, TLS, but the name SSL has stuck) encrypts traffic between your website and visitors. Without it:

  • Browsers mark your site as "Not Secure"
  • Customer data can be stolen
  • Google ranks your site lower
  • 85% of visitors leave immediately

Good news: Free SSL certificates are available from Let's Encrypt and Cloudflare.

How do I know if my website is secure?

Key security checks include:

  • SSL Certificate: Do you have https:// (not just http://)?
  • Security Headers: Are HSTS, CSP, X-Frame-Options, etc. enabled?
  • CMS Updates: Are your CMS (WordPress, Drupal) and its plugins/themes up to date?
  • Admin Protection: Are admin pages hidden or protected?
  • Backups: Do you have automated daily backups?

You can run a free ScanComply Security Scan to check instantly.
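As an added illustration of the "SSL Certificate" and "Security Headers" checks above (example code written for this FAQ, not ScanComply's scanner), the script below audits a set of HTTP response headers: it flags a non-https:// URL, missing HSTS/CSP/X-Content-Type-Options/Referrer-Policy headers, a short HSTS max-age, missing clickjacking protection, and headers that leak a software version. The one-year HSTS minimum and the sample header sets are assumptions constructed for the example; fetch_headers() can pull real headers from a live site when network access is available.

```python
"""Audit a site's HTTPS use and security headers.

Added example, not ScanComply's scanner. It applies the "SSL Certificate" and
"Security Headers" checks from the FAQ to a set of HTTP response headers.
The header set can be fetched from a live site with fetch_headers() or, as
below, constructed inline so the script runs offline.
"""
from __future__ import annotations

import re
import urllib.request
from urllib.parse import urlsplit

# Headers a hardened site should send, with the reason each one matters.
# Header names are matched case-insensitively.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS: makes browsers stick to https:// on return visits",
    "content-security-policy": "CSP: restricts where scripts, styles and frames may load from",
    "x-content-type-options": "stops browsers from guessing (sniffing) content types",
    "referrer-policy": "limits how much of your URLs leak to third-party sites",
}

# Minimum HSTS max-age this audit accepts: one year (an assumption of this
# example matching the common recommendation; the FAQ gives no value).
MIN_HSTS_MAX_AGE = 365 * 24 * 3600


def fetch_headers(url: str, timeout: float = 10.0) -> dict[str, str]:
    """Fetch the response headers of a live URL (needs network access)."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit-example/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


def hsts_max_age(value: str) -> int | None:
    """Extract the max-age directive from an HSTS header, or None if absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit(url: str, headers: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    h = {name.lower(): value for name, value in headers.items()}
    findings: list[str] = []

    # 1. Transport: anything not https:// gets the browser's "Not Secure" label.
    if urlsplit(url).scheme.lower() != "https":
        findings.append("Served over http:// (browsers show 'Not Secure')")

    # 2. Are the required headers present at all?
    for name, purpose in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append(f"Missing {name} ({purpose})")

    # 3. HSTS that is present but short-lived is a common misconfiguration.
    if "strict-transport-security" in h:
        age = hsts_max_age(h["strict-transport-security"])
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append(
                f"Weak strict-transport-security (max-age={age}); use at least {MIN_HSTS_MAX_AGE}"
            )

    # 4. Clickjacking protection: X-Frame-Options, or its modern replacement,
    #    the CSP frame-ancestors directive. Either one satisfies the check.
    csp = h.get("content-security-policy", "").lower()
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("No framing protection (set X-Frame-Options or CSP frame-ancestors)")

    # 5. A version number in these headers lets attackers match the site
    #    against known CMS/runtime exploits; hide it.
    for name in ("x-powered-by", "server"):
        if name in h and re.search(r"\d", h[name]):
            findings.append(f"{name} header reveals a software version: {h[name]!r}")

    return findings


# Constructed sample header sets (not captured from any real site).
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Server": "nginx",
}
NEGLECTED = {
    "Strict-Transport-Security": "max-age=300",
    "X-Powered-By": "PHP/7.4.3",
}

if __name__ == "__main__":
    for label, url, hdrs in (("hardened", "https://shop.example", HARDENED),
                             ("neglected", "http://shop.example", NEGLECTED)):
        print(f"{label}: {audit(url, hdrs) or ['all checks passed']}")
```

Run it as-is to see the two constructed cases side by side, or replace the sample dictionaries with `fetch_headers("https://your-site.example")` to audit a live site. The expired-certificate and backup checks from the list above are not covered here: certificate validity is reported by the TLS handshake itself (urlopen raises on an invalid certificate), and backups cannot be verified from HTTP headers.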

What are the most common small business website risks?

The top 5 risks we see:

  1. Missing or expired SSL certificate - Immediate "Not Secure" warning
  2. No cookie banner despite trackers - GDPR/CCPA violation
  3. Outdated WordPress plugins/themes - Known exploits exist
  4. Exposed /wp-admin login pages - 90,000 brute-force attacks/minute
  5. No backup system for recovery - 60% of hacked SMBs close permanently

What happens if my website gets hacked?

The average cost of a small business breach is $200,000, and 60% of SMBs close within 6 months.

Typical costs include:

  • Investigation and cleanup: $50,000-$100,000
  • Lost revenue during downtime: $25,000+
  • Legal fees and fines: $25,000-$100,000
  • Customer notifications: $5,000-$20,000
  • Reputation damage: 2-5 years to recover

Implementation Questions

How can I stay compliant without a legal team?

Use simple tools that automate most of the work:

Need                 Tools
Privacy Policies     Termly, PrivacyPolicies.com, Iubenda
Cookie Banners       CookieYes, Osano, OneTrust
Website Security     Cloudflare, Sucuri, Wordfence
SSL Certificates     Let's Encrypt (free), Cloudflare (free)

These tools automate most of the heavy lifting for SMBs at reasonable costs.

What's the absolute minimum I need to do right now?

The Emergency Action List (can be done in one weekend):

  1. Get free SSL certificate from Cloudflare (30 minutes)
  2. Add a privacy policy using Termly or similar (30 minutes)
  3. Install cookie banner if using Google Analytics (30 minutes)
  4. Update WordPress and all plugins (15 minutes)
  5. Run a compliance scan to see what else needs fixing

This covers 80% of common violations and reduces your risk significantly. Total cost: $0-50. Total time: 2-3 hours.

How much will this cost my business?

Basic compliance is surprisingly affordable:

Solution                          Monthly Cost
SSL Certificate (Let's Encrypt)   FREE
Privacy Policy Generator          $9-29/month
Cookie Banner Tool                $9-49/month
Website Security (Cloudflare)     FREE-$20/month
Total Basic Compliance            $18-98/month

Compare to: Average privacy fine ($15,000), security breach ($200,000), or lawsuit settlement ($50,000+).

Still Have Questions?

The easiest way to know if you're at risk is to scan your website now. Get specific answers about your compliance status in 30 seconds.
