GDPR, HIPAA, CCPA & PCI: which penalties apply to an SMB
Which data-protection penalties a small business faces depends on the data it holds and whose data it is, not on its headcount. GDPR covers personal data of people in the EU and UK, with administrative fines up to €10M/2% of turnover at the lower tier and €20M/4% at the higher. HIPAA covers US protected health information, with civil money penalties tiered by culpability and capped annually per provision. The CCPA/CPRA covers California consumers and allows statutory damages of $100–$750 per consumer per incident through a private right of action. PCI DSS covers payment-card data and is enforced contractually by the card brands rather than by statute. The crucial distinction running through all of them is that published maximum exposure is not the likely outcome: caps describe a worst case, while real enforcement against small organizations typically lands far lower. This guide maps each regime to the data it protects and the figures it publishes. It is informational, not legal advice — for your obligations, consult qualified counsel.
Match the regulation to the data, not to your size
The first thing to get right is that these regimes are triggered by data and jurisdiction, not by company size. A 15-person clinic is fully subject to HIPAA. A small online store that sells to Californians can be subject to the CCPA and, if it takes cards, to PCI DSS. A small SaaS vendor with EU users is subject to GDPR. Because the triggers overlap, one breach at one small business can implicate several regimes at once, each with its own exposure to estimate. The tools in the compliance-cost pillar are organized this way: one per regime, each driven by the inputs that regime actually uses.
GDPR: a percentage-of-turnover model
The EU and UK General Data Protection Regulation set fines under Article 83, and the defining feature is that the maximum is the higher of a fixed cap or a percentage of the undertaking's total worldwide annual turnover for the preceding financial year. There are two tiers:
- Lower tier: up to €10 million, or 2% of total worldwide annual turnover — whichever is higher. This applies to controller and processor obligations such as records of processing, security of processing and breach notification.
- Higher tier: up to €20 million, or 4% of turnover — whichever is higher. This applies to violations of the basic principles, lawful basis (including the conditions for consent), data-subject rights and the rules on international transfers.
The UK GDPR keeps the same two-tier structure but states the fixed caps in sterling: £8.7 million for the lower tier and £17.5 million for the higher, each still against the same 2% and 4% turnover limbs.
For a small business the percentage limb rarely bites, because 2% or 4% of a small turnover is well below the fixed cap — so the €10M/€20M figures function as the practical ceiling. But the ceiling is just that. Article 83 requires regulators to set fines that are "effective, proportionate and dissuasive," weighing the nature and gravity of the infringement, whether it was negligent or intentional, the categories of data, and mitigating steps taken. Enforcement against smaller organizations typically results in fines far below the maximum. The GDPR fine estimator computes the statutory ceiling from your turnover and tier; treat it as maximum exposure, not a prediction.
HIPAA: culpability tiers with annual caps
For US protected health information, the Department of Health and Human Services Office for Civil Rights enforces civil money penalties under 45 CFR §160.404. The amounts are inflation-adjusted and structured into four tiers by culpability, with a per-violation minimum and maximum and an annual cap per identical provision:
- Tier 1 — no knowledge: the lowest per-violation minimum, for violations the entity did not know about and could not reasonably have known about.
- Tier 2 — reasonable cause: a higher minimum, where the entity knew, or by exercising reasonable diligence would have known, that its conduct violated a provision, but did not act with willful neglect.
- Tier 3 — willful neglect, corrected: higher still, where the entity acted with willful neglect but corrected the violation within 30 days of the date it knew, or should have known, that the violation occurred.
- Tier 4 — willful neglect, not corrected: the highest tier, where willful neglect was not corrected within that 30-day window. Here the per-violation minimum equals the per-violation maximum, so every counted violation is penalized at the top figure.
The key mechanic is the annual cap per identical provision: penalties for repeated violations of the same requirement or prohibition are capped within a calendar year. In the regulation that cap is the same for all four tiers, but since its 2019 Notice of Enforcement Discretion HHS has applied progressively lower annual caps to the first three tiers, reserving the full cap for uncorrected willful neglect. Because a single breach can be counted as many violations (OCR may count one per affected individual, or one per day a violation continued), the per-violation figures and the cap interact in ways that depend heavily on how OCR characterizes the conduct, which is exactly why maximum exposure and likely outcome diverge so sharply. The HIPAA penalty estimator applies the published amounts by tier and violation count, subject to the cap.
CCPA/CPRA: per-consumer statutory damages
California's privacy law adds a route that the others largely do not: a private right of action. Under Cal. Civ. Code §1798.150, a consumer whose nonencrypted and nonredacted personal information is subject to unauthorized access, theft or disclosure because a business failed to implement and maintain reasonable security can recover statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. A consumer seeking statutory damages must first give the business 30 days' written notice and an opportunity to cure, and since the CPRA amendments, putting reasonable security in place only after the breach does not count as a cure. Separately, the California Privacy Protection Agency and the Attorney General can pursue administrative penalties of $2,500 per violation, rising to $7,500 for intentional violations or those involving minors' personal information (base figures, subject to inflation adjustment under the CPRA).
The per-consumer structure is what makes this regime distinctive for cost modeling: exposure scales linearly with the number of affected California consumers, so a breach of even a modest customer base can generate a large theoretical figure. As always, the statutory range is a maximum that courts apply with discretion, and many matters settle well below the per-consumer ceiling. The CCPA/CPRA exposure calculator multiplies affected consumers by the statutory range to bound the exposure.
PCI DSS: contractual, not statutory
Payment-card data sits outside the statutory model entirely. PCI DSS is a security standard, and non-compliance penalties are contractual: levied by the card brands through your acquiring bank under the terms of your merchant agreement, not by a government regulator. After a card-data breach, the costs typically come in three forms: monthly non-compliance fines (reported in tiered ranges), the cost of forced reissuance of the compromised cards, and a mandatory forensic investigation by a PCI Forensic Investigator (PFI) drawn from the PCI Security Standards Council's approved list. Because these are private agreements, the published figures are widely reported ranges rather than fixed legal amounts, and the actual bill depends on your acquirer, your merchant level and the breach's scope; the acquirer can also raise processing fees or terminate the merchant agreement outright, which for a card-dependent business can cost more than the fines. The PCI non-compliance cost calculator estimates the monthly fines plus reissuance and forensics.
Maximum exposure versus likely outcome
The most important idea in this guide is the gap between the two. The statutory caps — €20 million, the HIPAA annual cap, $750 per consumer — describe the worst case the law permits. The likely outcome for a small business that responds in good faith is far lower, because every one of these regimes builds in discretion: GDPR's proportionality factors, HIPAA's culpability tiers and cure provisions, the courts' application of CCPA statutory damages, and the card brands' negotiation of PCI penalties. Regulators consistently weigh the size of the organization, the sensitivity of the data, the harm caused and the remediation undertaken.
That is why every compliance-cost tool on this site reports exposure as a ceiling shown separately from the operational breach cost, never folded into a single headline. Folding a worst-case fine into an expected cost would produce a number that is both alarming and misleading. The right way to use these figures is to understand the maximum the law allows, recognize it is not a forecast, reduce the underlying risk through reasonable security, and — for any real situation — get advice from qualified counsel. Published thresholds inform planning; they do not predict any specific penalty.
Frequently asked questions
Which regulation applies to my business?
It depends on the data you hold and the people it belongs to, not on your size. GDPR applies if you process personal data of people in the EU or UK; HIPAA if you handle US protected health information as a covered entity or business associate; the CCPA/CPRA if you handle the personal data of California consumers above its thresholds; and PCI DSS, by contract, if you store or process payment-card data. A single small business can be subject to several at once.
What is the maximum GDPR fine?
Under Article 83, the higher tier is up to €20 million or 4% of worldwide annual turnover, whichever is greater; the lower tier is up to €10 million or 2%. These are statutory maximums, not typical outcomes — most enforcement, especially against smaller organizations, lands far below the cap.
Can individuals sue my business under the CCPA?
Yes, in a defined situation. The CCPA private right of action allows California consumers to recover statutory damages of $100–$750 per consumer per incident (or actual damages, if greater) for certain breaches of unencrypted, unredacted personal information caused by a failure to maintain reasonable security.
Are PCI fines set by law?
No. PCI DSS penalties are contractual, levied by the card brands through your acquiring bank, not by a statute. They typically take the form of monthly non-compliance fines plus the cost of forced card reissuance and forensic investigation, and the published figures are widely reported ranges rather than fixed legal amounts.
Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.