Navigating the ‘Small Business’ Exemption in the Proposed American Privacy Rights Act 2024 (APRA)

The recently released draft of the American Privacy Rights Act 2024 (APRA) seeks to reshape data privacy standards across the United States. One notable component is the ‘Small Business’ Exemption, which may appear straightforward at first glance but carries nuances worth closer examination.

Who Qualifies for the Exemption?

Under the current draft, businesses must satisfy all of the following criteria to qualify for the ‘Small Business’ Exemption:

1. Annual Revenue Under USD 40 Million
While intended to set an upper limit for small entities, this threshold is relatively high when compared to other jurisdictions. For instance, Australia’s comparable threshold is approximately USD 2 million.

2. Data Volume Under 200,000 Individuals
Businesses must process personal data for fewer than 200,000 individuals, excluding data necessary to complete payments or transactions for requested products or services.

3. No Data ‘Sales’
The exemption is only available to entities that do not transfer personal data in exchange for revenue or “anything of value.” This criterion is more expansive than a traditional “sale,” because the phrase “transfer in exchange for revenue or anything of value” could include joint ventures, collaborations, or other business practices that are not typically viewed as outright data sales.

Is APRA’s Definition of “Small” Too Generous?

At first glance, an exemption for businesses under USD 40 million in annual revenue may seem broad. By comparison, Australia’s Privacy Act sets its exemption threshold at AUD 3 million (around USD 2 million). Australia’s Office of the Australian Information Commissioner (OAIC) has recently indicated that such exemptions may no longer be appropriate, given the privacy risks posed by entities of all sizes and the regulatory uncertainty exemptions can create.

As a result, there is an ongoing debate about whether APRA’s ‘Small Business’ Exemption truly targets the intended range of businesses or whether it offers a carve-out so large that it risks undermining the statute’s broader consumer protections.

“Transfer” Versus “Sale”

APRA’s emphasis on “transfers” rather than outright “sales” signals an effort to close loopholes where personal data might change hands without a direct exchange of money. However, this approach could capture everyday business activities—such as data-sharing partnerships or the use of proprietary data for targeted advertising tools (e.g., Meta Custom Audiences)—that are not typically classified as data sales. While this may strengthen consumer protection, it also raises questions about unintended consequences and administrative burdens for smaller organizations.

What This Means for Your Business

  • Assess Your Thresholds: If your company is near or above USD 40 million in annual revenue or processes personal data for more than 200,000 individuals, you are likely to be fully subject to APRA’s requirements.

  • Review Data-Sharing Practices: Even if you do not “sell” data in the conventional sense, any transfer of personal data in return for value could disqualify you from the exemption.

  • Watch for Further Developments: APRA remains a draft, and legislative amendments could alter these criteria. Comparisons to international standards—such as Australia’s evolving stance on small business exemptions—suggest continued pressure to refine these provisions.

Given the complexity of the APRA draft and its potentially broad definition of “small business,” organizations should begin preparing for compliance. Conduct a thorough review of data processing activities, revenue projections, and data-sharing arrangements to determine whether you meet the current draft exemption criteria. Consultation with privacy law professionals is strongly recommended to navigate potential pitfalls and ensure readiness as APRA moves closer to enactment.
