Website Legal Requirements for Small Business Sites
Published June 12, 2026 · 10 min read
By AKSIS / reviewed by AKSIS founder
This article is general information about common website compliance topics, not legal advice. Laws change and apply differently to every business — for decisions about your situation, talk to an attorney.
Short answer: a large share of small business websites are exposed on at least one of three fronts: a missing or copied privacy policy despite collecting personal information through contact forms and analytics, an inaccessible site that invites ADA demand letters, or industry rules like HIPAA that quietly cover things as ordinary as a contact form or an analytics pixel. None of this requires a legal department to get right at small-business scale — most of it is a privacy policy that tells the truth, terms that set expectations, an accessible build, and knowing which extra rules apply to your industry and the states your customers live in. Here is the plain-English tour of what applies, when, and what to do about it.
Does my website need a privacy policy?
In practice, almost certainly yes. If your site has a contact form, uses any analytics, or sets any cookies, it collects personal information — and a growing patchwork of laws requires you to disclose what you collect and what you do with it. California’s CalOPPA has required a posted privacy policy from any website collecting personal information about California residents since 2004, and it has no minimum business size — a one-person shop in North Carolina with a contact form that a Californian fills out is within its reach. The policy has to describe what you actually collect, who you share it with, and how people can reach you about it.
The trap is the copied policy. Pasting another site’s privacy policy is worse than having none if it describes practices that are not yours — a policy that says you do not share data while your ad pixels do exactly that is a false statement to regulators, not a formality. The policy must match the site.
Do I need terms of service?
Usually not legally required for an informational site — but going without them is donating protection you could have for free. Terms are where you state that using the website does not create a client relationship, that content is general information rather than professional advice, who owns the site’s text and images, and what you are not liable for. For service businesses, terms are also where expectation-setting lives: no guaranteed outcomes, written quotes control, that sort of thing. One page, plain language, reviewed once by an attorney — cheap insurance.
When do I actually need a cookie banner?
Less often than the internet makes it look — and more often than ignoring it entirely. There is no federal US law requiring cookie banners. What exists is a patchwork: if your site targets visitors in the EU or UK, their rules require consent before non-essential cookies, which is where the classic banner comes from. In the US, California’s CCPA/CPRA — which applies above certain business-size thresholds — requires notice and an opt-out when personal information is sold or shared for targeted advertising, and a growing list of states (Virginia, Colorado, Connecticut, Texas, and more) have similar laws with their own thresholds.
The practical version for a small business: if you run ad pixels or targeted advertising, you likely need consent or opt-out machinery and should get specific advice. If you run a simple site with cookieless analytics — the way this site is built — there may be nothing to banner about, which is both the cleanest legal position and the best user experience. The worst position is the decorative banner: a consent pop-up that does not actually control anything is itself a misrepresentation.
Can my website really get an ADA lawsuit?
Yes — web accessibility demand letters and lawsuits against small businesses number in the thousands every year, and courts have repeatedly treated business websites as subject to the Americans with Disabilities Act. There is no official federal technical standard for private business sites, but WCAG 2.1/2.2 level AA is what courts, settlements, and the Department of Justice consistently reference. The common failures are mundane: text too low-contrast to read, images without alt text, forms without labels, sites that cannot be used with a keyboard. Accessibility is cheapest at build time — retrofitting a finished site costs multiples of building it right, and overlay widgets that claim to fix accessibility with one script have themselves been named in lawsuits.
HIPAA and industry rules: when ordinary features become regulated
If you are a healthcare provider, your website is not just marketing — it can touch protected health information in ways that surprise people. A contact form that invites visitors to describe their condition, online intake, even analytics and advertising pixels on patient-facing pages have drawn federal attention: regulators have warned that tracking technologies sending visitor data to third parties from health-related pages can violate HIPAA. Healthcare sites need forms that explicitly warn against sending medical details (or properly secured intake tools), restraint with third-party scripts, and business associate agreements where vendors handle anything sensitive.
Other industries have their own versions: attorneys have advertising and solicitation rules, financial services have their own privacy regime, and any site directed at children under 13 triggers COPPA’s parental-consent requirements. The pattern is the same — the rules attach to what your business does, not to how big it is.
The FTC rules everyone forgets
- Truthful claims. Marketing statements need a reasonable basis — “results guaranteed” and invented statistics are enforcement bait.
- Testimonials and endorsements. Real customers, honest experiences, and disclosure of any material connection (free product, payment, family).
- Fake reviews. The FTC’s 2024 rule bans buying, selling, or faking reviews — with civil penalties — and that includes review gating designed to filter out unhappy customers.
Why state lines matter to a one-state business
Privacy law in the US attaches to where your visitors live, not where your business sits. As of 2026, roughly twenty states have comprehensive consumer privacy laws, each with its own thresholds — most exempt genuinely small businesses through revenue or data-volume floors, but not all obligations have floors. CalOPPA’s privacy-policy requirement and the ADA’s accessibility exposure apply regardless of size. The workable small-business strategy is not tracking fifty statutes; it is building to the strictest common denominator: an honest privacy policy, minimal data collection, no third-party ad tracking you cannot justify, and an accessible site. Do that and most of the patchwork becomes moot.
The five-minute compliance check
- Privacy policy exists, is linked in the footer, and describes what your site actually does
- Terms page sets expectations and disclaimers for your industry
- HTTPS everywhere — the whole site served over TLS, plain HTTP redirected to HTTPS, and no mixed content (scripts, stylesheets or images still loaded from http:// URLs), so visitors never see padlock or “not secure” warnings
- Cookie reality check: do you even set tracking cookies? If yes, is there real notice/consent; if no, no theater needed
- Accessibility basics: contrast, alt text, keyboard navigation, labeled forms
- Industry extras: health data warnings on forms, required disclosures for your profession
- Claims audit: no guarantees you cannot keep, no testimonials you cannot back
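The technical half of that checklist (alt text, labeled fields, mixed content, third-party scripts, a privacy link in the footer) can be scripted against a page’s HTML. The following is an added example, not AKSIS’s tooling or anything from the original article: the sample page is constructed for the example, the site origin is an assumed placeholder, and the regex-based parsing is a deliberate simplification that a real audit would replace with a DOM parser and an accessibility engine such as axe. It goes beyond the checklist wording in one respect: it also lists every third-party host the page pulls scripts from, which is the starting point for the cookie and HIPAA questions above.

```javascript
// Added example (not from the article): a scripted version of the checklist's technical items.
// Assumed placeholder origin used to resolve relative URLs and to decide what counts as third party.
const SITE_ORIGIN = 'https://www.example-shop.test';

// Constructed sample page with one of each failure the checklist names.
const SAMPLE_HTML = `
<html><head>
<script src="https://analytics.example/tag.js"></script>
<link rel="stylesheet" href="http://cdn.example/style.css">
</head><body>
<img src="/logo.png" alt="AKSIS logo">
<img src="/hero.jpg">
<form action="/contact" method="post">
  <label for="email">Email</label><input id="email" name="email" type="email">
  <input id="phone" name="phone" type="tel">
  <textarea id="msg" name="msg" aria-label="Message"></textarea>
</form>
<footer><a href="/privacy">Privacy Policy</a></footer>
</body></html>`;

// Return every opening tag of the given name (simplified: no parser, opening tags only).
function tags(html, name) {
  return html.match(new RegExp('<' + name + '\\b[^>]*>', 'gi')) || [];
}

// Read one attribute from an opening tag; null when the attribute is absent.
function attr(tag, name) {
  const m = tag.match(new RegExp('\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i'));
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Images with no alt attribute at all (alt="" is a valid marker for decorative images).
function imagesMissingAlt(html) {
  return tags(html, 'img').filter(t => attr(t, 'alt') === null);
}

// Visible form fields with no <label for=id>, aria-label or aria-labelledby.
function unlabeledFields(html) {
  const labelFor = new Set(tags(html, 'label').map(t => attr(t, 'for')).filter(Boolean));
  const fields = [...tags(html, 'input'), ...tags(html, 'textarea'), ...tags(html, 'select')];
  return fields.filter(t => {
    const type = (attr(t, 'type') || 'text').toLowerCase();
    if (['hidden', 'submit', 'button', 'reset', 'image'].includes(type)) return false;
    if (attr(t, 'aria-label') || attr(t, 'aria-labelledby')) return false;
    const id = attr(t, 'id');
    return !(id && labelFor.has(id));
  });
}

// Assets loaded over plain http:// from an HTTPS page (the classic mixed-content warning).
function mixedContentAssets(html) {
  const out = [];
  for (const name of ['script', 'link', 'img', 'iframe']) {
    for (const t of tags(html, name)) {
      const url = attr(t, 'src') || attr(t, 'href');
      if (url && /^http:\/\//i.test(url)) out.push(url);
    }
  }
  return out;
}

// Hosts other than the site's own that the page executes script from.
function thirdPartyScriptHosts(html, origin = SITE_ORIGIN) {
  const siteHost = new URL(origin).hostname;
  const hosts = new Set();
  for (const t of tags(html, 'script')) {
    const src = attr(t, 'src');
    if (!src) continue;
    const host = new URL(src, origin).hostname; // relative src resolves to the site itself
    if (host !== siteHost) hosts.add(host);
  }
  return [...hosts];
}

// Is there a link whose text mentions "privacy" inside the <footer>?
function footerHasPrivacyLink(html) {
  const m = html.match(/<footer\b[^>]*>([\s\S]*?)<\/footer>/i);
  return !!m && /<a\b[^>]*>[^<]*privacy[^<]*<\/a>/i.test(m[1]);
}

function runChecks(html, origin = SITE_ORIGIN) {
  return {
    imagesMissingAlt: imagesMissingAlt(html).length,
    unlabeledFields: unlabeledFields(html).length,
    mixedContent: mixedContentAssets(html),
    thirdPartyScripts: thirdPartyScriptHosts(html, origin),
    privacyLinkInFooter: footerHasPrivacyLink(html),
  };
}

console.log(JSON.stringify(runChecks(SAMPLE_HTML), null, 2));
```

Run it with `node` and swap `SAMPLE_HTML` for a fetched page to get a first-pass report; the numbers are leads for a human audit, not a verdict. Contrast and keyboard operability are not visible in static HTML and need a browser-based tool.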
How AKSIS builds for compliance
We are a web studio, not a law firm — so the honest description is that we build the technical side of compliance in from day one and flag where a lawyer should look. Every AKSIS build ships with a privacy notice and terms written to match what the site actually does, cookieless analytics by default so there is usually nothing to banner about, accessibility checks against WCAG basics, HTTPS, and forms designed for the industry — including health-information warnings for medical clients. For regulated industries we build to the published guidance and recommend attorney review before launch. That combination covers the failures on this page’s list — the ones that come from nobody ever thinking about it.
Common questions
Can I copy a privacy policy from another website?
No — and it is one of the most common mistakes online. A privacy policy is a set of factual statements about what your site collects and what you do with that information, so a copied policy describes someone else’s practices, not yours. If it claims you do not share data while your advertising pixels send visitor data to ad platforms, you have published a false statement — which is exactly what privacy regulators and the FTC act on, and a worse position than having said nothing. There is also a copyright problem: policy text belongs to whoever wrote it. The right approaches are a reputable generator answered honestly question by question, an attorney-drafted policy, or a developer who writes the policy to match the site as built and updates it when the site changes. The policy must track reality — that is the entire point of it.
Do I need a cookie banner in the United States?
Only if you are doing something that requires notice or consent — there is no blanket US cookie-banner law. The banners you see everywhere descend from European rules, which apply when a site targets EU or UK visitors. In the US, state privacy laws like California’s CCPA/CPRA require notice and opt-out mechanisms when businesses above certain size thresholds sell or share personal information for targeted advertising; a growing list of states follows the same pattern with different numbers. A small business running a simple site with cookieless analytics and no ad pixels typically has nothing that needs consent in the first place — which is the cleanest position available. If you do run targeted advertising, take the question to someone qualified, because half-implemented consent — a banner that does not actually block anything — is itself a misrepresentation.
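Both the cookie-banner section above and this answer turn on one technical point: a banner only means something if the visitor’s choice actually decides which third-party scripts run. Below is an added example of that gate, written for this page and not code from AKSIS or the original article; the script registry, the `site-consent` storage key and the vendor URLs are illustrative assumptions. The decision logic is kept separate from the browser so it can be exercised on its own, and it denies by default: a missing, malformed or out-of-date consent record loads only the scripts the site needs to function.

```javascript
// Added example (not from the article): a consent gate that actually controls script loading.
// Registry of scripts the site might load, keyed by the consent category each one needs.
// Entries tagged "necessary" never wait for consent. URLs are illustrative placeholders.
const SCRIPT_REGISTRY = [
  { id: 'site-js',   category: 'necessary',   src: '/assets/site.js' },
  { id: 'analytics', category: 'analytics',   src: 'https://analytics.example/tag.js' },
  { id: 'ads-pixel', category: 'advertising', src: 'https://ads.example/pixel.js' },
];
const CONSENT_KEY = 'site-consent'; // assumed storage key
const CATEGORIES = ['analytics', 'advertising'];

// A record with nothing granted: what the visitor has before choosing anything.
function defaultConsent() {
  return { version: 1, categories: { analytics: false, advertising: false } };
}

// Pure decision: which registry entries may load under this consent record.
// A category that is absent or anything other than literal true is treated as not granted.
function scriptsAllowed(consent, registry = SCRIPT_REGISTRY) {
  const granted = (consent && consent.categories) || {};
  return registry.filter(s => s.category === 'necessary' || granted[s.category] === true);
}

// Parse a stored consent string. Unparseable input or a different record version
// falls back to no consent, never to "everything allowed".
function parseStoredConsent(raw) {
  if (typeof raw !== 'string') return defaultConsent();
  try {
    const parsed = JSON.parse(raw);
    if (!parsed || parsed.version !== 1 || typeof parsed.categories !== 'object') {
      return defaultConsent();
    }
    const categories = {};
    for (const key of CATEGORIES) categories[key] = parsed.categories[key] === true;
    return { version: 1, categories };
  } catch (_) {
    return defaultConsent();
  }
}

// Apply the decision in a browser by injecting only the permitted scripts, once each.
// The decorative-banner failure mode is the reverse: vendor tags hard-coded in <head>
// that run before, and regardless of, whatever the visitor clicks.
function applyConsent(consent, doc = (typeof document !== 'undefined' ? document : null)) {
  const allowed = scriptsAllowed(consent);
  if (doc) {
    for (const s of allowed) {
      if (doc.getElementById('consent-' + s.id)) continue; // already injected
      const el = doc.createElement('script');
      el.id = 'consent-' + s.id;
      el.src = s.src;
      el.async = true;
      doc.head.appendChild(el);
    }
  }
  return allowed.map(s => s.id);
}

// Called from the banner's buttons: persist the choice, then load exactly what it allows.
function recordChoice(categories, storage = (typeof localStorage !== 'undefined' ? localStorage : null)) {
  const consent = { version: 1, categories: {} };
  for (const key of CATEGORIES) consent.categories[key] = categories[key] === true;
  if (storage) storage.setItem(CONSENT_KEY, JSON.stringify(consent));
  return applyConsent(consent);
}

// On page load in a browser: read the stored choice and load only what it permits.
if (typeof window !== 'undefined' && typeof localStorage !== 'undefined') {
  applyConsent(parseStoredConsent(localStorage.getItem(CONSENT_KEY)));
}
```

Wire the banner’s “accept” and “reject” buttons to `recordChoice` with the matching categories and remove every vendor tag from the static HTML; if a tag is still in the markup, the banner is theater whatever it says. Withdrawing consent also needs a path (a “privacy settings” link that calls `recordChoice` with everything false), and already-loaded scripts keep running until the next page load, so a reload after withdrawal is the honest behaviour.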
Can a small business really be sued over website accessibility?
Yes — it is one of the most active areas of website litigation, and small businesses receive demand letters regularly, not just national brands. Plaintiffs’ firms run automated scans for detectable failures like missing alt text, low contrast, and unlabeled forms, then send settlement demands that commonly run into the thousands of dollars — often more than fixing the site would have cost. Courts have repeatedly treated business websites as covered by the ADA, and WCAG 2.1 or 2.2 level AA is the standard settlements and the Department of Justice point to. The defensible position is straightforward: an accessible build, verified with real audits rather than a one-script overlay widget — overlays have been named in complaints themselves. Accessibility also overlaps almost entirely with good SEO and usability, so the work pays for itself twice.
Does HIPAA apply to my website’s contact form?
If you are a covered healthcare provider, it can — and this catches clinics constantly. HIPAA attaches to protected health information, and a contact form that invites visitors to describe symptoms or treatment history can collect exactly that. Sending those submissions through ordinary unencrypted email, or letting analytics and advertising pixels watch patient-facing pages, is where the trouble starts: federal regulators have specifically warned that tracking technologies transmitting visitor data from health-related pages to third parties can violate HIPAA. The practical pattern for a small practice is a form that explicitly tells visitors not to include medical details, secured intake tools with a business associate agreement when real patient information must flow, and real restraint with third-party scripts on patient-facing pages. If that describes your website today, this is a conversation for a healthcare attorney, not a checkbox.
General information, not legal advice — consult an attorney for your situation. AKSIS builds modern websites and runs practical SEO for small businesses, with the compliance basics built in from day one. Get in touch for a plain-language site checkup.