Calculator · 5 minutes
Privacy Risk Estimator.
Input how your business handles user data. Output your exposure range across HIPAA, GDPR, FTC, and state-level penalties, plus the specific gaps that drive each one.
Privacy enforcement in 2026 is not theoretical. The FTC has fined BetterHelp, GoodRx, and Cerebral over $7M each for data-handling that looked routine. The penalty structures are public; nobody runs the math until they get the letter.
This worksheet does not give legal advice. It maps your inputs to the published penalty ranges of each regulator and tells you which actions reduce which exposure.
What each gap actually costs you
Privacy fines are not the whole bill. The settlement is.
01 · The fine is the floor
Published penalty ranges show the regulator's lever. Real settlements bundle disgorgement, customer notification cost, ongoing compliance audits, and legal fees. The fine is the smallest line on the bill.
02 · Pixel disclosure has changed
Meta and Google ad pixels send user behavior to the platform. The FTC has decided this counts as third-party data sharing and, for sensitive categories, must be disclosed and consented to. The BetterHelp and GoodRx settlements set the precedent.
03 · No BAA is the killer
A vendor that handles PHI without a BAA puts you in HIPAA's "willful neglect" tier. That is the $1.9M annual cap. With a BAA, you are in the $100 to $50,000 reasonable-cause tier instead.
04 · State enforcement is here
CA, CO, CT, UT, VA, and a growing list have active privacy regimes. CA alone is $7,500 per intentional violation per consumer. Multiply by your customer count for the worst-case envelope.
05 · GDPR is the largest stick
Up to 4% of global annual revenue or €20M, whichever is higher. Even if you serve EU customers casually, a non-compliant cookie banner is enforceable. Do not assume "we are a US business" exempts you.
06 · No policy doubles the multiplier
A privacy policy is a good-faith defense in nearly every regime. Without one, regulators apply the highest-tier multiplier when calculating penalties. Adding one is a 2-hour task that halves your worst-case exposure.
What this estimator actually counts
Published ranges, not invented multipliers.
Each regulator's exposure range comes from its actual penalty schedule, scaled by the variables it cares about (volume, intent, recurrence). Where a range is broad, this calculator shows the broad range.
HIPAA
$100 to $1.9M annual cap
Tiered by intent. The reasonable-cause tier runs $100 to $50k. Willful neglect with no BAA hits the $1.9M annual cap. Only fires for healthcare businesses that collect PHI.
GDPR
Up to 4% of revenue or €20M
Higher of the two. Smaller violations capped at 2% / €10M. Fires whenever you serve EU/UK residents, regardless of where your business is registered.
FTC
$50k+ per violation
Settlements with BetterHelp ($7.8M), GoodRx ($1.5M), and Cerebral ($7M) set the floor for sensitive-data and pixel-sharing cases. Per-violation math gets multiplied by user count fast.
State (CA leads)
$2,500 to $7,500 per consumer
CCPA penalties are assessed per consumer, per violation. CO, CT, UT, and VA are active in 2026 with similar structures. State exposure scales linearly with your user count.
What raises the range
Pixels, no policy, no BAA
Marketing pixels on sensitive pages, missing privacy policy, missing BAAs with vendors. Each one moves you up a tier in the relevant regulator's penalty schedule.
What lowers it
Consent banners, scrubbing, BAAs
A real consent banner (not a footer link), pixel scrubbing on sensitive paths, and BAAs in place show good-faith effort and drop you into the lowest penalty tier.
What businesses caught off-guard say after
We had been running Meta pixel on our intake form for three years. The FTC opened an inquiry about a competitor and we got swept up because our setup looked identical. Six-figure legal fees just to respond.
r/smallbusiness · 2026-03
Got a CCPA letter from a customer demanding to know everything we held on them. We had no process. Spent two weeks rebuilding from scratch and ended up paying a settlement to make it go away.
r/legaladvice · 2026-04
Our analytics vendor never offered a BAA. We did not know to ask. After the breach, the OCR investigator said our entire setup was willful neglect. The vendor was 80 dollars a month. The settlement was not.
r/healthcare · 2026-04