Sequentur Blog
AI and data privacy laws: what small businesses need to understand
Most small businesses adopted AI tools faster than they thought about whether those tools created new legal obligations. Staff started using ChatGPT, Copilot, and a dozen other tools on real work, and somewhere in that work was personal data – customer names and emails, employee records, client information covered by a contract. Privacy laws do not have an exception for “we did it through an AI tool.” If a law applied to how you handle personal data before AI, it still applies when an AI tool is the thing doing the handling. This article explains what that means in practical terms for a small business.
This is a plain-language overview of how data privacy laws intersect with AI use, not legal advice. Privacy law is jurisdiction-specific, it changes quickly – especially the newer state-level AI rules – and the specifics of your obligations depend on where your customers are, what data you hold, and your industry. For anything that turns on your actual exposure, you need a lawyer who knows your situation. What this article does is give you enough of the landscape to know what questions to ask, what to document, and where the common gaps are, so that the conversation with counsel is efficient and you are not blindsided by an obligation you did not know existed.
It is written for SMB owners, operations managers, and the in-house IT generalist who has been asked “are we allowed to use AI on this data?” and needs a framework for thinking about it. If you have already built an AI governance framework or written an AI acceptable use policy, this is the legal-context layer that explains why those documents matter beyond good hygiene.
Short answer
Existing data privacy laws apply to AI use the same way they apply to any other way you process personal data – there is no AI carve-out. If you have customers in the EU or UK, GDPR-style rules apply to personal data you put through AI tools. If you have California customers above the applicable thresholds, the CCPA as amended by the CPRA applies. A growing number of US states have passed their own consumer privacy laws and, separately, AI-specific transparency and disclosure rules, and the details vary by state and change often. Putting personal data into an AI tool is “processing” under these laws, which means your existing obligations – lawful basis, transparency, data subject rights, vendor contracts, security – all follow the data into the tool. The practical work is the same regardless of which laws apply to you: know what personal data goes into which AI tools, make sure those tools are covered by appropriate contracts, be able to honor data subject requests even when AI is involved, document your AI data flows, and be careful about employee privacy when you monitor AI use. Because the specifics are jurisdictional and fast-moving, treat this as the map, not the territory, and confirm your actual obligations with legal counsel.
AI and privacy law at a glance
| Question | Short answer |
|---|---|
| Is there an AI exception in privacy law? | No. If a law governs how you handle personal data, it governs AI handling of that data too. |
| Does GDPR apply to my small business? | If you offer goods or services to, or monitor, people in the EU or UK and process their personal data, generally yes – regardless of where your business is. |
| Does CCPA/CPRA apply to me? | It applies to businesses meeting California thresholds (revenue or volume of California consumers’ data). Confirm with counsel whether you cross them. |
| What about state AI laws? | A growing patchwork of state privacy and AI-specific transparency laws exists and changes frequently. Which apply depends on where your customers are. Verify current law. |
| Is putting data into AI “processing”? | Yes. Inputting personal data into an AI tool is processing under privacy law, with all the obligations that carries. |
| Do data subject rights still apply? | Yes. Access, deletion, and correction rights apply to personal data even when it sits inside or was processed by an AI tool. |
| Do I need vendor contracts for AI tools? | Yes. A data processing agreement (DPA) with the AI vendor is typically required when they process personal data on your behalf. |
| Can I monitor employee AI use? | Often yes, but employee monitoring has its own privacy rules. Be transparent and proportionate, and check local employment law. |
| What is the most common gap? | No record of what personal data goes into which AI tool – which makes every other obligation impossible to meet. |
| Where do I get the specifics? | Legal counsel. This article is the framework; your actual obligations are jurisdiction-specific. |
The one principle that ties it all together
Before the individual laws, there is one principle that makes the rest make sense: privacy law follows the data, not the tool. The laws were written to govern how personal data is collected, used, shared, and protected. They are deliberately technology-neutral. That means a privacy law does not need to mention AI to apply to AI – it applies because personal data is being processed, and an AI tool is one more place that processing happens.
This is the mental shift that matters. A business owner often thinks of AI as a special new category that the rules have not caught up to yet. In reality, the opposite is true for most privacy obligations: the rules already cover it, because they cover the data wherever it goes. When a staff member pastes a spreadsheet of customer contact details into a chatbot to clean it up, that is a processing activity involving personal data, and every obligation that attaches to that data – having a lawful reason to process it, telling people you process it, keeping it secure, being able to delete it on request – travels with it into the tool.
The genuinely new part is narrower than people expect. It is the AI-specific transparency and disclosure rules that some jurisdictions have started adding – requirements to tell people when they are interacting with an AI system, or when an AI system is making or materially assisting a significant decision about them. Those are new obligations layered on top of the existing privacy framework. But the foundation – the data-protection obligations – is not new. It already applied. AI just created a lot of new ways to trigger it.
How GDPR applies to AI use
The EU General Data Protection Regulation and the UK’s equivalent are the most demanding privacy regimes most small businesses encounter, and they reach further than people expect. GDPR can apply to a US-based small business if that business offers goods or services to people in the EU or UK, or monitors their behavior, and processes their personal data in doing so. You do not have to have an office in Europe. If you have EU or UK customers and you put their personal data through AI tools, GDPR-style obligations are in play.
What that means in practice for AI use:
- You need a lawful basis to process the data. GDPR requires a legal reason for every processing activity. Running personal data through an AI tool is a processing activity. If your basis for holding the data did not contemplate this use, you may need to revisit it.
- Transparency obligations apply. People have a right to know how their personal data is used. If AI processing is a meaningful part of how you handle their data, your privacy notice should reflect it rather than hiding it.
- Data subject rights follow the data into the tool. EU and UK residents can request access to their data, ask for it to be deleted, or ask for it to be corrected. You have to be able to honor those requests even when the data passed through an AI tool, which is hard if you have no record of what went where.
- You need a contract with the vendor. When an AI vendor processes personal data on your behalf, they are a processor under GDPR, and you generally need a data processing agreement with them. The business tiers of major AI vendors typically offer one; the free tiers usually do not.
- International data transfers have rules. Sending EU personal data to a vendor that processes it outside the EU carries its own requirements. Where the AI vendor hosts and processes data matters, which is one reason the tool evaluation question of where your data goes is not just a security question.
- Automated decision-making has special protections. GDPR gives people specific rights where decisions with legal or similarly significant effects are made solely by automated processing. If you use AI to make consequential decisions about EU residents with no human involvement, that is a higher-risk area to discuss with counsel.
None of this means a small business with a handful of EU customers cannot use AI. It means the AI use has to fit inside the same GDPR framework that already governs how you treat those customers’ data, and the contracts and records have to exist.
How CCPA and CPRA apply to AI use
In the United States, California’s privacy law – the CCPA, as amended and expanded by the CPRA – is the most established state regime and the one most likely to reach a small business with national customers. Whether it applies to you depends on thresholds tied to revenue and the volume of California residents’ personal information you handle, plus a few other triggers. A small business should not assume it is exempt without checking, and should not assume it is covered without checking either. That threshold question is exactly the kind of thing to confirm with counsel rather than guess.
If California’s law applies to you, the AI-relevant points are:
- Inputting personal information into AI is a use of that information. California consumers have rights over their personal information including the right to know what you collect and how you use it, the right to delete it, and the right to opt out of certain sharing. AI use has to fit within the disclosures you make and the rights you honor.
- Your privacy policy has to be accurate. If you process Californians’ personal information through AI tools in a way your privacy policy does not describe, the policy is out of date. Privacy policies are one of the first things regulators and plaintiffs’ lawyers read.
- Deletion requests reach AI-processed data. If a consumer asks you to delete their personal information, you need to be able to do it – which again depends on knowing where the data went, including into which AI tools and what those tools retain.
- Service provider contracts matter. California law has its own contract requirements for the vendors that handle personal information on your behalf. An AI vendor processing your customers’ data should be under a contract that meets them.
The recurring theme across both GDPR and CCPA is that the obligations are not new because of AI – they are the same obligations you already had, now triggered by a new processing channel. The risk is that the AI use happened informally, outside the systems where you track data, so the obligations are being triggered without anyone recording it.
The state-level AI law patchwork
Beyond the established consumer privacy laws, US states have begun passing rules aimed specifically at AI – transparency requirements, disclosure obligations when AI is used in certain contexts, and rules around automated decision-making in areas like employment and consumer-facing decisions. This is the fastest-moving part of the landscape, and it is genuinely a patchwork: different states, different scopes, different effective dates, and frequent change.
Because this area is changing so quickly, the responsible thing in an article like this is to describe the shape of it rather than assert specific statutes, thresholds, or dates that may be out of date by the time you read this. The shape is this:
- More states are passing comprehensive consumer privacy laws modeled loosely on California’s, each with its own thresholds and details. Which ones reach your business depends on where your customers live.
- Separately, AI-specific transparency rules are emerging. The common themes are disclosure (telling people when they are interacting with AI or when AI was used in a decision about them) and accountability for automated decisions in sensitive areas like hiring, lending, and housing.
- Sector-specific and employment-specific AI rules are appearing, particularly around using AI in hiring and personnel decisions, which carries its own notice and sometimes audit obligations.
For a small business, the practical takeaway is not to memorize fifty states’ laws. It is to know that this layer exists, that it is expanding, and that if you operate across state lines or use AI in sensitive decision contexts like hiring, you should have counsel check current obligations in the states where your customers and employees are. The cost of being wrong here is rising as enforcement matures. Do not rely on this article, or any article, for the current state of a specific statute – verify it.
What “processing personal data with AI” actually obligates you to do
Strip away the individual laws and the common obligations across all of them look similar. If personal data goes into an AI tool, you should be able to answer yes to these:
- Do you have a lawful reason to use the data this way? The reason you collected the data has to cover using it in an AI tool, or you need a separate basis.
- Have you told people, where required? Your privacy notice should reflect how you actually use personal data, including AI processing, where the law requires disclosure.
- Is there a contract with the vendor? A data processing agreement or equivalent should be in place with any AI vendor processing personal data on your behalf. Free consumer tiers generally do not provide one, which is one more reason they are unsuitable for personal data.
- Can you honor data subject rights? Access, deletion, and correction requests have to be answerable even when AI was involved, which requires knowing what data went where.
- Is the data secure in the tool? Security obligations apply inside the AI tool the same as anywhere else – which connects directly to the security risks of AI tools and to retention and deletion behavior.
- Have you assessed higher-risk uses? Some laws require a formal assessment before high-risk processing, which can include certain AI uses. Whether yours qualifies is a counsel question.
This list is also, not coincidentally, most of what a good AI governance framework produces. The governance work and the privacy-law compliance work are largely the same work seen from two angles.
Employee privacy when you monitor AI use
There is a second privacy dimension that catches businesses off guard: when you start monitoring how employees use AI tools, you are processing employees’ personal data, and that has its own rules. The instinct after reading about shadow AI is to monitor everything – log every prompt, watch every tool. That instinct runs straight into employee privacy law, which varies significantly by jurisdiction and is often stricter than people expect, particularly in the EU and UK and in some US states.
The principles that keep monitoring defensible:
- Be transparent about it. Covert monitoring of employees is the fastest way to a legal problem. Tell staff what is monitored and why, ideally in the AI acceptable use policy they sign.
- Be proportionate. Monitor what you need to manage real risk, not everything because you can. Blanket surveillance is harder to justify than targeted, risk-based logging.
- Mind the data you collect by monitoring. Monitoring logs are themselves personal data about employees, with their own retention, security, and access obligations.
- Check local employment law. Employee monitoring rules are jurisdiction-specific and sometimes require consultation or notice beyond what consumer privacy law demands.
The goal is to govern AI use without creating a new privacy problem in the process. Transparent, proportionate, documented monitoring tied to a policy staff have seen is defensible. Silent, total surveillance is not.
How to document AI data flows for compliance
Almost every obligation above depends on one underlying capability: knowing what personal data goes into which AI tools. Without that, you cannot answer a data subject request, cannot keep your privacy notice accurate, cannot prove you have the right contracts, and cannot demonstrate compliance to a regulator. The good news is that the documentation is not complex – it is just work that has to actually get done.
A workable AI data flow record for a small business captures, per approved AI tool:
- The tool and tier in use (and confirmation it is a business tier with a DPA, not a consumer one).
- What categories of personal data are put into it – customer contact data, employee data, client data under contract, and so on.
- Whose data it is in jurisdictional terms – do EU, UK, or California residents’ data flow through it, which determines which laws apply.
- The lawful basis or purpose for the processing.
- The vendor contract on file (DPA, service provider terms) and where it is kept.
- Retention and deletion behavior – how long the vendor keeps inputs and whether you can delete on request, which ties back to honoring data subject rights.
- Whether the tool is involved in any significant automated decisions, which is the higher-risk category for several laws.
Keep this somewhere central and current, reviewed on the same cadence as your governance framework. It is the single most useful compliance artifact you can produce, because it turns “we use AI somewhere on some data” into a record you can actually act on when a request or an audit arrives. For regulated data specifically, this record sits alongside the HIPAA documentation for healthcare AI use if that applies to you.
Common mistakes small businesses make with AI and privacy law
- Assuming AI is a legal gray area with no rules yet. The foundational data-protection rules already apply. The gray area is narrower than the comfort of “nobody knows” suggests.
- Thinking GDPR does not apply because you are not in Europe. GDPR can reach a US business with EU or UK customers. Location of the business is not the test; location of the people whose data you process is closer to it.
- Using free consumer AI tiers on personal data. Free tiers generally provide no data processing agreement, which makes them hard to square with privacy obligations the moment real personal data is involved.
- Letting AI use happen outside your data records. Informal, untracked AI use triggers obligations without anyone recording it, which makes every downstream requirement impossible to meet.
- A privacy policy that no longer matches reality. If you process personal data through AI in ways your privacy notice does not describe, the notice is inaccurate – and it is one of the first documents anyone reviews.
- Forgetting data subject rights reach AI-processed data. A deletion request covers data that went through an AI tool, including what the tool retained. You need to be able to act on that.
- Monitoring employees without transparency. Covert or disproportionate monitoring of AI use creates a separate employee-privacy problem on top of the one you were trying to solve.
- Ignoring where the vendor processes data. International transfer rules and state-specific requirements can turn on where the AI vendor hosts and processes data, not just what it does with it.
- Treating one consultation as permanent. This area changes fast. A legal answer that was right last year may not be right now, especially on state AI laws.
- Mistaking this article (or any article) for legal advice. Use it to frame the questions. Get the answers, for your specific situation, from counsel.
How long this takes to get a handle on
You will not resolve your privacy-law position in an afternoon, but you can get to a defensible baseline in a few weeks of part-time work. The table below is a realistic sequence for a typical small business.
| Phase | What it involves | Time |
|---|---|---|
| Inventory AI use | Find which AI tools are in use and what data goes into them | 1 week |
| Map the data and jurisdictions | Identify whose personal data flows through AI and which laws are likely in play | 2-3 days |
| Confirm vendor contracts | Check that approved tools have DPAs or equivalent on file, request where missing | 1 week plus vendor turnaround |
| Counsel review | Have a lawyer confirm which laws apply and where your gaps are | Depends on counsel availability |
| Document and update | Build the AI data flow record, update the privacy notice and policy | 2-3 days |
| Schedule review | Set the recurring review so the position stays current as laws change | Ongoing |
The counsel review is the phase you cannot skip or substitute. Everything else you can largely do in-house, and doing it first makes the legal conversation shorter and cheaper because you arrive with a clear picture of what you actually do rather than asking the lawyer to discover it for you.
What is next in this content series
Privacy law is the legal backdrop; the operational work that satisfies it lives in the other articles in this series. The AI acceptable use policy is where many of these obligations get written down for staff, the AI governance framework is the system that keeps them current, and the tool evaluation checklist is where you confirm a tool can meet them before you approve it. For healthcare specifically, the AI and HIPAA guide covers the strictest version of these rules. Upcoming articles cover how to roll AI out to your team without creating security gaps, and what to do if an employee leaks data through an AI tool.
How Sequentur can help
If you want help mapping your AI data flows, confirming the right tool tiers and contracts, or building the documentation that supports a privacy-law conversation with your counsel, schedule a call.