Inside the digital compliance gap: Why most small businesses don't understand their multi-factor obligations

Inside the digital compliance gap: Why most small businesses don't understand their multi-factor obligations

Every day, thousands of American small businesses operate under false assumptions about their compliance obligations. Many believe that being a U.S. business means following only federal law or that serving primarily domestic customers exempts them from international regulations such as, for example, the GDPR.

In truth, digital compliance isn’t just about crossing borders; it’s also about crossing state lines. States such as California, Colorado, and Virginia have enacted their own privacy laws, each with distinct requirements and enforcement mechanisms.

Add to this the enforcement of federal accessibility standards, international data laws, and industry-specific rules, and it becomes clear that compliance obligations are determined by a complex intersection of factors, business location, visitor location, data practices, business size, industry type, and more.

Clym examines how businesses understand, or rather misunderstand, their compliance obligations, revealing a troubling gap between complex regulatory reality and simplified business assumptions.

How businesses oversimplify compliance

The scope of the misunderstanding becomes clear when examining how business owners think about compliance versus how regulations actually work.

What small businesses get wrong about compliance

Many small businesses start from the wrong assumption when it comes to their compliance obligations:

• "I'm a U.S. business, so I only have to follow U.S. law."
• "I don't target European customers, so the GDPR doesn't apply to my business."
• "I'm too small to worry about data privacy regulations."
• "I don't collect sensitive data, so I don't need to implement compliance measures."
• "Accessibility is about physical locations, not websites."

The complex reality

Compliance obligations are determined by multiple intersecting factors:

• Geographic factors: Both where your business operates and where your users are located matter, but in different ways and under different regulations. The GDPR has extraterritorial reach for businesses "offering goods or services" to EU residents, regardless of where the business is located. The CCPA applies based on California residents' data AND business size thresholds. Website accessibility under the ADA applies primarily to U.S. businesses, regardless of where website visitors are located.
• Business size thresholds: Many regulations include exemptions or reduced requirements for smaller businesses. The CCPA/CPRA has specific thresholds: annual gross revenues over $25 million, OR buying/selling personal information of 100,000+ California residents, OR deriving 50%+ of revenue from selling personal information. The GDPR has no size exemption, meaning even small businesses processing EU data must comply.
• Data type sensitivity: The kind of data collected by your business triggers different regulations. HIPAA applies specifically to protected health information processed by covered entities and business associates. The Video Privacy Protection Act (VPPA) applies to personally identifiable information about video viewing. Biometric data triggers specific provisions in several state privacy laws.
• Industry-specific rules: Healthcare, financial services, education, and other industries face additional sector-specific regulations beyond general privacy and accessibility laws. Being in a regulated industry adds layers of compliance regardless of business size or location.
• Business activities: What you do with the collected data matters as much as what you collect. Selling personal information triggers different obligations than using it solely for providing services. Using data for advertising involves additional requirements under frameworks such as the IAB's Transparency & Consent Framework.
• Target vs. passive markets: Some regulations distinguish between actively targeting a market versus passively accepting visitors. But this distinction isn't always clear-cut, and passive accessibility can still create obligations.

Why small businesses struggle to understand compliance

Research into compliance awareness reveals systematic misunderstandings about these multi-factor triggers:

When presented with scenarios involving multiple factors, many small business owners:

• Focus on a single factor, usually their business’s location, while ignoring other factors
• Assume size exempts them from regulations that don't have size thresholds
• Believe that not "targeting" a market exempts them from obligations triggered by serving users in that market
• Don't understand which type of collected data triggers which specific regulation(s)
• Are unaware that industry classification creates additional obligations

This isn't simple ignorance of specific regulations; it's rather a fundamental misunderstanding of how modern compliance obligations are determined.

The systematic education failure

Several systemic factors have created this widespread misunderstanding:

Oversimplified business education: Standard business education still teaches compliance as location-based: "Your business operates in Texas, so you follow Texas and federal law." This framework made sense in a pre-Internet economy but fails nowadays to capture digital compliance reality. MBA programs, business courses, and startup guides rarely address the multi-factor nature of modern compliance.

Misleading marketing: Some compliance tool providers market solutions with oversimplified messaging: "GDPR compliance for your website" or "Get CCPA compliant" without explaining the complex factors that determine whether these regulations actually apply to a specific business. This reinforces simplified mental models.

Platform provider silence: Website platforms, e-commerce systems, and SaaS providers rarely educate users about compliance factors. A business can launch a website that collects personal data, uses tracking technologies, and is accessible globally without any guidance about the multi-factor triggers that might create compliance obligations.

Regulatory communication gaps: Regulators publish detailed guidance about their regulations, but rarely explain clearly how to determine whether those regulations apply to a specific business with a specific combination of characteristics. The GDPR guidance from the EU’s authorities is comprehensive but complex. Small business owners struggle to determine if GDPR applies to them specifically.

Professional service limitations: Most small businesses rely on generalist business attorneys and accountants who may not specialize in digital compliance. These professionals often apply traditional location-based thinking to digital contexts, missing the multi-factor complexity.

Case example: the misunderstood obligations

Consider a real-world pattern: A small U.S. e-commerce business (30 employees, $3 million annual revenue) that sells consumer products online.

The owner's assumption: "We're a U.S. business selling to U.S. customers primarily, so we need to follow U.S. e-commerce law and maybe basic website accessibility."

The reality: Traffic analysis of the business reveals the following:

• 82% U.S. traffic (with 18% from California)
• 9% U.K. traffic
• 5% Canadian traffic
• 4% Various EU countries

What the law really requires: a layered compliance map:

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA): Likely doesn't apply yet; the business is below the $25 million revenue threshold and probably doesn't meet other thresholds, but if traffic in California grows or if the business starts selling personal data, the status could change.

General Data Protection Regulation (GDPR): Likely applies; the business is "offering goods or services" to EU residents, i.e. they accept orders from the EU, and process the personal data of EU customers. No size exemption exists. Lack of active EU targeting doesn't exempt them.

U.K. GDPR: Applies based on a similar logic to that of the GDPR; accepting U.K. orders means the business is offering services to U.K. residents.

Personal Information Protection and Electronic Documents Act (PIPEDA): May apply for Canadian customer transactions; Canada's federal privacy law applies to commercial activities involving personal information.

Americans with Disabilities Act (ADA) – Website Accessibility: Most likely applies; a U.S. business operating a commercial website is increasingly interpreted by courts as a "place of public accommodation" that is required to be accessible.

Accessibility for Ontarians with Disabilities Act (AODA): May apply if the business has an organizational presence in Ontario or falls under the AODA's scope for organizations serving Ontario residents.

Payment Card Industry Data Security Standard (PCI DSS): Definitely applies; collecting payment card information triggers Payment Card Industry Data Security Standards regardless of location or size.

The business owner's simplified location-based assumption missed most of these obligations, each triggered by different factor combinations.

The enforcement multi-factor approach

Regulators and courts consider multiple factors when determining jurisdiction and applicability:

GDPR enforcement: European Data Protection Authorities enforce based on:

• Whether personal data of EU residents is being processed
• Whether the processing is in the context of offering goods/services to EU residents
• Whether the business is established in the EU OR is targeting EU residents.

The size and location of the business’s headquarters are not limiting factors; small US businesses have received GDPR fines.

CCPA/CPRA enforcement: California's Attorney General enforces based on:

• Whether the business meets size/revenue/data thresholds
• Whether the business collects California resident personal information
• Whether the business does business in California; this is broadly interpreted

A business doesn't need California offices to be subject to CCPA if it meets thresholds and collects California resident data.

ADA website accessibility: Federal courts increasingly find jurisdiction based on:

• Whether the defendant is a U.S. business or has U.S. operations
• Whether the website serves as a gateway to goods/services
• Whether the website qualifies as a "public accommodation" or service of one

Where website visitors are located is less relevant than whether the business itself has a U.S. presence.

The risk of multi-factor misunderstanding

Operating under false assumptions about what triggers compliance obligations creates several risks:

False security: Businesses believe they're exempt when they're actually covered. "We're too small for the GDPR," although no size exemption exists, or "We don't target Europe," despite the fact that accepting European orders can be sufficient.

Misprioritized resources: Businesses may invest in compliance for regulations that don't apply while ignoring ones that do. A U.S. business might implement CCPA compliance, despite being below thresholds, while ignoring the GDPR, which has no threshold.

Incomplete implementation: Businesses might implement a single-factor solution, i.e. a cookie banner for visitor location, while missing obligations triggered by other factors, such as industry-specific consent requirements, or accessibility for the business’s location.

Growth surprises: As businesses grow, they may suddenly meet thresholds or triggers they weren't monitoring. Crossing $25 million in revenue suddenly triggers the need for CCPA compliance. Expanding product lines into health-related services triggers the obligation to comply with HIPAA.

Emerging solutions for multi-factor assessment

Addressing the multi-factor complexity gap requires tools and approaches such as:

Comprehensive factor analysis: Rather than asking just "where are my visitors from?", effective assessment requires analyzing:

• Business location and presence
• Business size (employees, revenue)
• Industry and business type
• Types of data collected
• Data processing activities
• Visitor/user locations
• Target markets
• Specific technologies used

Threshold tracking: Monitoring when your business approaches regulatory thresholds, such as revenue limits, data volume limits, employee counts, so compliance can be planned before obligations trigger.

Factor combination logic: It is important to understand that different regulations use different combinations of factors. For example, the GDPR primarily cares about EU data subjects’ data + offering services, the CCPA cares about the data of California residents + business size thresholds, and the ADA cares about the U.S. business presence + public accommodation status.

Closing the compliance knowledge gap

Closing the compliance understanding gap requires systemic changes:

1. Education reform: Business education must evolve from location-based compliance models to multi-factor frameworks that reflect digital reality.

2. Regulatory clarity: Regulators should provide clear, accessible guidance, specifically on applicability and not just on compliance requirements, in order to help businesses determine whether the regulation applies to a specific business profile.

3. Platform responsibility: Website and e-commerce platforms should help users understand which factors might trigger compliance obligations based on their business setup.

4. Professional development: Business attorneys, accountants, and advisors need specialized training in digital compliance's multi-factor nature.

5. Assessment tools: Businesses need accessible tools that analyze multiple factors simultaneously to determine applicable obligations.

The takeaway: Compliance isn’t one-size-fits-all

The digital compliance gap exists not just because businesses don't know about specific regulations, but because they don't understand the multi-factor framework that determines which regulations apply to them.

A U.S. business might assume its obligations are limited to U.S. law, missing GDPR obligations triggered by EU visitor data. A small business might assume size exempts it from regulations that have no size threshold. A business not targeting a market might assume it has no obligations to users from that market who nonetheless use its services.

Closing this gap requires moving beyond simplified location-based thinking to understand that compliance obligations emerge from the intersection of multiple factors: where you operate, where your users are, what you do, what data you collect, how large you are, and what industry you serve.

The first step is recognizing that compliance isn't simple.

The second step is conducting a comprehensive, multi-factor assessment to analyze all relevant factors, not just one or two.

The third step is implementing compliance based on your actual obligations, not assumptions about what should apply.

Until business education, regulatory guidance, and assessment tools all reflect the multi-factor reality of digital compliance, the gap will persist, leaving thousands of businesses unknowingly exposed to regulations they don't even know apply to them.

This story was produced by Clym and reviewed and distributed by Stacker.