
When does a small business lose its compliance carve-outs?

GDPR has no small-business exemption. EAA has one but only for service providers. CCPA kicks in at $25M revenue or 100k consumers. Each regulation draws the line differently — here is the map.

By Veracly Compliance Team · 7 min read

Every regulator that has thought about small business has answered “at what size do you apply?” differently. The result for an SMB owner: a patchwork of thresholds, each measured against a different metric, each triggering a different obligation. Here is the actual map.

GDPR — no threshold

Regulation (EU) 2016/679 applies to any organization that processes personal data of EU residents, regardless of size, regardless of whether the organization is established in the EU. A one-person consultancy with one EU customer has full GDPR obligations.

The single SME-friendly carve-out is Article 30(5): organizations under 250 employees are exempt from maintaining records of processing activities, except when processing is not occasional, includes special categories (health, race, religion, etc.), or is likely to result in risk to data subjects. Most SMBs process customer data continuously, which means “not occasional,” which means the carve-out does not actually apply. Treat Article 30 as applying in full.

ePrivacy Directive — no threshold

Directive 2002/58/EC and its national transpositions apply to any electronic communications service or website operating in the EU. No size carve-out. A solo developer’s blog has the same cookie-consent obligations as a 10,000-employee enterprise.

EU Accessibility Act — microenterprise exemption for services only

Directive (EU) 2019/882 Article 4(5) exempts microenterprises providing services (fewer than 10 employees AND under €2M turnover/balance sheet) from the EAA service obligations. The exemption does not extend to:

  • EAA-covered products (manufacturers, importers, distributors).
  • Member-state pre-existing accessibility law (Germany’s BFSG, France’s RGAA, etc.).
  • Antidiscrimination law (UK Equality Act, German AGG, French 2005 law).

See our detailed write-up on the EAA exemption.

UK Equality Act 2010 — no threshold for reasonable adjustments

The reasonable-adjustments duty under Section 20 applies to every service provider regardless of size. The duty is anticipatory — a 2-person service provider must consider accessibility before being asked. The Equality and Human Rights Commission (EHRC) has been consistent that resource constraints affect the “reasonable” qualifier but not the existence of the duty.

US ADA Title III — “public accommodations”

The ADA does not use a head-count threshold. Title III applies to any business qualifying as a “public accommodation” — a category covering retail, restaurants, professional services, lodging, transportation, education, and recreation. Most SMB websites qualify; corporate B2B websites with no consumer interface generally do not.

Title I (employment) has a 15-employee threshold but does not regulate websites. The DOJ’s April 2024 final rule under Title II applies to state and local government, not private SMBs.

California CCPA / CPRA — three thresholds, any one triggers

California Civil Code §1798.140(d) defines a covered business as a for-profit entity that:

  • Has annual gross revenues over $25 million; or
  • Buys, sells, shares, or receives personal information of 100,000 or more California consumers or households annually; or
  • Derives 50% or more of annual revenue from selling or sharing personal info.

The three thresholds are independent. An SMB with $5M revenue can still cross the 100,000-consumers bar if it runs a high-traffic California-facing site. Once covered, the full CCPA/CPRA suite applies.

Colorado, Connecticut, Texas, Virginia, Utah — converging

The post-CCPA wave of US state privacy laws settled on a similar pattern: revenue or volume-based thresholds, focused on consumer-data sales. The current population of state laws (2026):

  • Colorado, Connecticut: 100,000 consumers per year, or 25,000 consumers + revenue from sales.
  • Virginia: 100,000 consumers, or 25,000 + 50% sale revenue.
  • Utah: $25M revenue + 100,000 consumers OR 25,000 + 50% sale revenue.
  • Texas TDPSA: “Conducts business in Texas” with no size threshold, but the substantive duties only apply to businesses that are not small businesses as defined by the SBA size standard.
  • Other states (DE, MD, OR, MN, NJ, NH, KY, etc.): similar 100k consumer / 25k+sale-revenue pattern, with some variation.

Australian Privacy Act — AUD 3M threshold

The Privacy Act 1988 applies to organizations with annual turnover above AUD 3 million. Below that, organizations are exempt from the Australian Privacy Principles (APPs) entirely. Exceptions:

  • Health service providers (no threshold — covered regardless).
  • Organizations that trade in personal information.
  • Contractors to the federal government.
  • Credit reporting bodies, residential tenancy databases.

The AUD 3M threshold is under reform; the Australian government has signaled intent to lower it substantially. The 2024 reform package proposes phased extension to all organizations regardless of turnover, with smaller-business obligations tiered. Plan as if the threshold may be lowered in 2026–2027.

Canada — PIPEDA + provincial

PIPEDA applies federally to commercial activities; no size threshold. Provincial laws (Quebec Law 25, BC PIPA, Alberta PIPA) apply additionally; Quebec’s Law 25 is the strictest and applies to any organization processing Quebec residents’ data, no size carve-out.

AODA (Ontario) applies to private-sector organizations with 50 or more employees; under 50 employees, public-sector duties only.

Brazil LGPD — no threshold

Lei Geral de Proteção de Dados (LGPD) applies to any organization processing data of Brazilian residents, no size carve-out. Penalty caps are smaller for small-and-startup organizations under ANPD regulation (RDA 4 of 2023), but the substantive obligations apply equally.

The compounding effect

An SMB selling to EU, UK, US and Canadian customers is simultaneously under: GDPR (no threshold), ePrivacy (no threshold), UK Equality Act (no threshold), ADA (public accommodation), and possibly CCPA + Colorado + Texas + Quebec Law 25. Each has its own consent regime, breach notification timeline, data subject rights, and enforcement body.

This compounding is why “we are small, we are exempt” is rarely accurate for an SMB with cross-border traffic. The exemptions stack — qualifying for one is not the same as qualifying for all — and the substantive obligations of the regulations without size thresholds (GDPR, ePrivacy, UK Equality Act, ADA, Quebec Law 25, LGPD) cover most of the surface anyway.

The Veracly tracking

Each Veracly account declares a size band and a primary market mix. The scan engine applies jurisdiction-appropriate severity based on declared size — a declared microenterprise sees EAA findings marked informational rather than failing, while still receiving the underlying rule output so they can plan for crossing the threshold. The threshold and exemption analysis sits in the “Methodology” section of every report.
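The stacking logic described in the two sections above can be written down as policy-as-code. The following is an added, constructed example (not Veracly's scan engine, and not any regulator's tooling) that encodes only the bars stated in this article; the `Profile` fields, the `aus_flags` category names and the sample shop are assumptions made for illustration.

```python
"""Policy-as-code sketch of the size thresholds described above (constructed
example, not Veracly's engine); it encodes only the bars the article states."""
from dataclasses import dataclass, field

@dataclass
class Profile:
    employees: int
    turnover_eur: float           # annual turnover, EUR (EAA microenterprise test)
    revenue_usd: float            # annual gross revenue, USD (CCPA test)
    ca_consumers: int             # CA consumers/households whose PI is handled per year
    pi_sale_share: float          # share of revenue from selling/sharing PI, 0.0-1.0
    turnover_aud: float           # annual turnover, AUD (Australian Privacy Act test)
    serves_eu: bool = True
    eaa_product_role: bool = False    # manufacturer/importer/distributor of EAA products
    processing_occasional: bool = False
    aus_flags: set = field(default_factory=set)   # assumed labels, e.g. {"health"}

def gdpr_art30_records_exempt(p: Profile) -> bool:
    """Art. 30(5) relief only: fewer than 250 staff AND merely occasional processing."""
    return p.employees < 250 and p.processing_occasional

def eaa_service_exempt(p: Profile) -> bool:
    """Art. 4(5): microenterprise (<10 staff AND <EUR 2M) providing services only."""
    return p.employees < 10 and p.turnover_eur < 2_000_000 and not p.eaa_product_role

def ccpa_applies(p: Profile) -> bool:
    """Civ. Code 1798.140(d): three independent bars, crossing any one is enough."""
    return (p.revenue_usd > 25_000_000 or p.ca_consumers >= 100_000
            or p.pi_sale_share >= 0.5)

AUS_ALWAYS_COVERED = {"health", "trades_pi", "federal_contractor", "credit_reporting"}

def aus_privacy_act_applies(p: Profile) -> bool:
    """AUD 3M turnover bar, overridden by the exception categories listed above."""
    return p.turnover_aud > 3_000_000 or bool(p.aus_flags & AUS_ALWAYS_COVERED)

def applicable(p: Profile) -> list:
    """Every regime whose bar the profile crosses; an exemption never carries over."""
    hits = ["GDPR", "ePrivacy"] if p.serves_eu else []   # neither has a size threshold
    if not eaa_service_exempt(p):
        hits.append("EAA")
    if ccpa_applies(p):
        hits.append("CCPA/CPRA")
    if aus_privacy_act_applies(p):
        hits.append("AU Privacy Act")
    return hits

# Constructed profile: 6-person EU service shop, USD 5M revenue, high-traffic CA site.
SMALL_SHOP = Profile(employees=6, turnover_eur=1_500_000, revenue_usd=5_000_000,
                     ca_consumers=120_000, pi_sale_share=0.0, turnover_aud=1_000_000)
```

`applicable(SMALL_SHOP)` shows the compounding point from the text: the shop is an EAA microenterprise yet still lands under GDPR, ePrivacy and CCPA, because the 100,000-consumer bar is independent of its revenue.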

See also: EAA microenterprise exemption · Multi-jurisdiction website compliance

Common questions

Does GDPR have a small-business exemption?

No. GDPR Article 30 has a partial exemption from the "records of processing activities" obligation for organizations under 250 employees, but that is a paperwork carve-out, not a substantive one. All other GDPR obligations — lawful basis, consent, data subject rights, breach notification, transfers — apply regardless of size.

What is the most common threshold across all regulations?

There is no single one. The closest to a common threshold is the EU SME definition (<50 employees, <€10M turnover) and the EU microenterprise definition (<10 employees, <€2M turnover), but the substantive regulations (GDPR, ePrivacy, EAA, ADA, CCPA) each pick their own bar.

When does my US site come under CCPA?

When you cross any of: $25M annual revenue, buying/selling/sharing personal info of 100,000 California consumers or households, or deriving 50%+ of revenue from selling/sharing personal info. The thresholds are independent — meeting one is enough.
