A plumber, florist, and gym owner walk into a web agency… Unfortunately, that’s about as amusing as this scenario gets.
That’s because all three of those potential customers already KNOW three things:
- They need a simple website;
- They need it for $55 since it’s so simple;
- It’ll be a simple way to get a great portfolio piece for your agency.
The problem is simple… Well, no. I meant to say it’s complicated because it’s simple. Wait, no. *deep breath* The problem starts with how small business owners still think of the word ‘simple’ when it comes to websites.
‘Simple’ isn’t simple anymore
‘Base’ cars in 2026 have heated seats.
Non-Pro smartphones in 2026 have well over 100,000 times the processing power of the computer that landed a man on the moon.
There used to be just 6 Power Ranger colors. In 2026, there are 20-ish colors and dinosaurs for some reason.
Good news:
You probably don’t have to explain to customers why there’s now a “champagne” Power Ranger.
Bad news:
You will have to start the privacy conversation with small business clients by explaining that it’s not as simple as they’d like it to be.
In 2026, the ‘simple’ website every small business owner asks for is actually:
- A contact form
- A quote request form
- A booking calendar
- An analytics tool
- A newsletter signup
- A Google Map embed
- A chat widget
- An advertising pixel
In other words, their “simple website” is collecting, storing, and sharing personal information before their extra-large logo has had time to load onto the homepage.
Most small business owners have no idea this is a thing. Unfortunately, much like getting a speeding ticket, simply not knowing about the speed limit doesn’t get you out of trouble… EVEN IF IT MAKES NO SENSE TO GO FROM 55 TO 35 AND BACK TO 55 JUST BECAUSE YOU PASSED THE WORLD’S SMALLEST TOWN, WHOSE ONLY THREE BUILDINGS ARE ALL STATIONS (police, fire, gas).
Sorry, where was I? Oh, yes. Size doesn’t matter.
Small business does not mean small obligations
Alright, so you’ve explained that “simple” websites aren’t so simple when it comes to data collection. Congratulations, you’ve now unlocked the next part of the conversation:
“Yeah, but they won’t come after me when Google and Meta exist.”
One of the biggest misconceptions local business owners have is that privacy laws are a “big company problem.”
You know, the kind of thing that applies to massive tech companies, eCommerce behemoths, or that weird app you downloaded that is currently asking for permission to access your microphone, contacts, photos, and childhood memories.
That’s because the multi-million-dollar fines associated with these large companies make for far better headlines than the local grocery store getting hit for $150,000. However, for that grocery store, $150,000 could do way more damage than Facebook having to pay $150 million.
Privacy laws do not care about the size or location of your business. They just care about the data you collect, who it belongs to, and what you do with it. To drive this point home, let’s take three imaginary small business owners in three different industries.
“But I’m just a plumber”
Meet Dave. Dave fixes pipes and doesn’t wear a belt. He’s “just a plumber” who needs a simple website.
Let’s learn more about Dave:
Location:
- Dave lives in Nevada near the California border;
- He is licensed for both states and takes on projects in both areas;
- The majority of his website traffic comes from these two states;
- Anyone from anywhere can visit his website (Dave hasn’t used any geolocation tools to block people from certain areas from accessing his website).
Website:
- Dave’s website has a contact form, a quote form, and a Google Maps embed to show people his work area;
- His website has Google Analytics installed by his web designer, though he has no idea how to even log in to his account;
- He has an old Facebook pixel on his website from back when he got started and had to run ads, but he doesn’t anymore;
- He doesn’t have any eCommerce options on his website. He still gets paid via cash or checks.
Pretty standard plumber stuff, right? Nothing sketchy about Dave, right? He’s not collecting social security numbers, financial information, medical history, or asking for your DNA.
He is just collecting simple information like:
- Names (contact form, quote form);
- Phone numbers (contact form, quote form);
- Email addresses (contact form, quote form);
- Physical address (quote form);
- IP address (Google Analytics, pixels);
- Information on how website visitors are interacting with his website and advertisements (Google Analytics, pixels).
What Dave and most small business owners don’t know is that this is exactly the kind of information that privacy laws are designed to protect. This personal information belongs to the users visiting a website, not the website. Therefore, those users have certain privacy rights that are protected by these laws.
Being on the Nevada and California border is also a big factor. Both of these states have privacy laws that require small businesses to have a Privacy Policy. Even though Dave is physically located in Nevada, he still collects information from residents of California, meaning California’s privacy laws (CalOPPA and CIPA) may apply to his website.
He may also have to comply with European and UK privacy laws (GDPR and UK DPA). While it’s not likely Benoit from France will be reaching out to Dave to fix his bidet, Dave’s website isn’t using geolocation to actively block people from these countries from stumbling upon his website. So, it’s possible Benoit could arrive by accident and have his personal information collected by Dave’s website and be tracked through analytics and advertising tools.
“But I’m just a florist”
Meet Linda. Linda runs a flower shop. She sells arrangements for birthdays, weddings, funerals, apologies, meeting the in-laws, and the occasional, “I forgot our anniversary and I need these delivered by EOD.”
Linda wants a simple website so people can order flowers online and maybe sign up for a newsletter about seasonal arrangements.
Let’s learn more about Linda:
Location:
- Linda’s shop is located in Texas;
- Linda ships flowers all across the U.S. and Canada.
Website:
- Linda has a simple eCommerce website that allows people to order/pay directly on her site;
- Her website lets people create accounts so that they can save their orders/payment information for quicker checkouts;
- She is actively advertising on LinkedIn, Facebook, Instagram, and Reddit. She uses their pixels to keep track of ad performance.
Once again, Linda isn’t doing anything sketchy. She isn’t selling the information she collects to “Big Floral” so they can track how likely you are to die, so they can advertise funeral arrangements to your loved ones.
Linda is just running her business as any florist would. Yet, like Dave, that means she is collecting a bunch of protected personal information, such as:
- Names (eCommerce, newsletter, account creation, order form);
- Email addresses (eCommerce, newsletter, account creation, order form);
- Physical addresses (order form);
- IP addresses (account login and pixels for digital ads).
While Texas has a privacy law, it does exempt small businesses. Unless Linda’s website has some serious traffic making her some serious profits, she’s probably ok in her home state.
However, remember how she ships flowers across the U.S. and Canada? This means she is collecting personal data from all over and will need to comply with several state laws as well as Canadian privacy laws. For example, Canada’s PIPEDA applies to anyone collecting personal information of residents of Canada, like Linda, who collects personal information through flower orders, newsletter signups, and advertising.
And before you ask, “why would someone come after a little ol’ florist like me?” Laws like CIPA are specifically targeting small business websites across the U.S. that track California residents without first getting consent via a proper Cookie Consent Banner. Laws like these have a private right of action, meaning anyone can sue a business directly for violating their privacy rights. Small, innocent businesses like a florist are an easy target to scare with a demand letter from an attorney’s office.
“But I’m just a gym owner”
Meet Carlos. Carlos owns a gym, and like all gym owners, he spends half his life motivating people and the other half making it really, really, ridiculously hard to end your membership.
Carlos wants a simple website for memberships, class signups, personal training inquiries, and to promote his online workout course.
Let’s learn more about Carlos:
Location:
- Carlos lives and owns a gym in Miami, Florida;
- Carlos gets website traffic from all over due to his online courses and TikTok tips.
Website:
- Carlos has a membership form;
- He has a class signup form;
- He has an email newsletter subscription form;
- He sends automated SMS reminders via his website to class participants;
- He uses Google Analytics;
- He uses pixels to keep track of digital ads across social platforms.
Like our plumber and florist friends before, Carlos is tracking a bunch of personal information across the U.S. and maybe other countries. So similar privacy-law rules may apply even though his home state of Florida doesn’t currently have a privacy law that would apply to a small business.
In addition to that kind of data collection, Carlos is also offering health and fitness advice via classes on his website. So, not only will he likely need policies and a cookie consent banner in place, but he may also need a strong Terms of Service and Disclaimer as well.
What do Dave, Linda, and Carlos all have in common?
None of them are bad actors. None of them sat down one day and thought, “you know what would be fun? Collecting and mishandling personal data.” They just wanted websites. Functional, professional, simple websites.
But simple websites in 2026 often come with data collection built in — and data collection comes with legal obligations that don’t disappear just because you don’t know they exist.
Here’s the part that’s relevant to you, the web agency reading this:
You built those websites (or you’re about to)
That doesn’t make you responsible for their compliance, because you’re not (unless your contract with the client states otherwise). That’s 100% on the client. You should also make this clear to each of your clients by having them sign a Website Policies Waiver.
But it does mean that you’re the most qualified person in the room to start the conversation. You know what’s installed on the site. You know what tools are firing. You know that Dave has a zombie Facebook Pixel from 2021 that’s still sending data to Meta like it never got the memo.
Your clients don’t know what they don’t know. That’s exactly why they hired someone who does.
What Do They Actually Need?
Here’s the practical part. When you’re onboarding a small business client like our friends above (or in any other industry), there are a few things worth walking them through:
- A Privacy Policy that actually reflects their website – Not a template from 2019. Not something they copied from a competitor. A Privacy Policy that is based on the privacy laws that actually apply to them. One that describes what data they collect, why they collect it, who they share it with, and what rights their visitors have. This document must also be updated as laws change, as new privacy laws are regularly going into effect.
- A cookie consent solution (where applicable) – Some of their tools are dropping cookies before visitors have a chance to say anything about it. Depending on where their visitors are located, that may require a consent mechanism upfront.
- An audit of what’s actually on their site – Dave’s unused analytics and pixels. Linda’s newsletter unsubscribers. Carlos’s online course attendees from 7 years ago. A quick website audit can help small business owners get rid of personal data that they might not be using or needing. This will help limit their liability as much as possible.
- A tool that works – Tools like Termageddon are designed to help small businesses get through the complexities of privacy laws, find out what they specifically need for their own website, help them generate those policies (and consent banner), and then automatically update those documents as laws change or new laws apply to the small business.
The Bottom Line
The plumber, the florist, and the gym owner walked into your agency. They all asked for something simple. There it is! The punchline.
Websites in general aren’t simple to make. Privacy is certainly not a simple topic to get one’s head around. You’ll notice in this blog (which isn’t legal advice, btw), there’s a bunch of “may” apply, or “might need” to comply with, or “could possibly one day” consider needing a cookie consent banner. That’s because so much of privacy law depends on the specific business.
Fortunately, the solution (*cough* Termageddon) can be simple.
What’s difficult is taking a complex topic and convincing a busy small business owner that it’s worth their time. Waving fines and lawsuits in their face only goes so far. Telling them that privacy is a competitive advantage only goes so far.
Luckily, you don’t have to be an attorney to get this point across; you just have to be a person who knows that protecting people’s privacy is important and that it pays off in the end.


