# The Compliance Training Checklist
An operator’s guide to the compliance training small businesses commonly need — what’s required, what’s optional, and how to run it without it consuming your team.
## Why this is on you, even if you’re tiny
Many small business owners assume compliance training is a problem for enterprises. It’s not. Federal regulations apply at very low employee counts (some at 1 employee, many at 15), state regulations stack on top, and industry-specific obligations apply regardless of size. The cost of getting this wrong — fines, lawsuits, reputational damage — vastly outweighs the cost of doing it right.
What follows is a starting checklist. It is not legal advice. Specifics depend on your state, industry, and employee count — verify with a licensed employment attorney for your situation.
## Near-universal: applies to most small businesses
- Anti-harassment / sexual harassment training. Required in California (5+ employees, biennial), New York (all employers, annual), Illinois (all employers, annual), Connecticut, Delaware, Maine, and a growing list of states. Even where not legally required, it’s a strong recommended practice for liability mitigation.
- Workplace safety / OSHA basics. Required for most industries; specifics depend on workplace hazards. Office environments have minimal requirements; manufacturing, construction, healthcare have substantial ones.
- Security awareness training. Not federally mandated for most small businesses, but increasingly required by cyber insurance policies and by clients (especially in SaaS, financial services, and healthcare-adjacent work).
- Discrimination / EEO training. Recommended for all businesses, required for federal contractors and many state-regulated industries.
## Industry-specific (verify your situation)
- HIPAA training — healthcare and any business handling protected health information.
- PCI-DSS training — businesses that handle credit card data directly (most outsource to processors and avoid most of the burden).
- FERPA training — education-adjacent businesses with student data.
- Anti-money-laundering / Know-Your-Customer — financial services, money transmission, real estate above certain thresholds.
- Food safety — restaurants, food production, certain retail.
- Driver / fleet training — businesses operating commercial vehicles.
## How often
Frequency varies by jurisdiction and topic. A common pattern:
| Training | Typical frequency |
|---|---|
| Anti-harassment | Annual or biennial (state-dependent) |
| OSHA / workplace safety | Annual + onboarding |
| Security awareness | Annual + onboarding + quarterly refresh |
| HIPAA | Annual + onboarding |
| EEO / discrimination | Annual recommended |
| Industry-specific certs | Per cert renewal cycle (1–3 years typical) |
## How to actually run it
- Build a single source of truth. One document or spreadsheet listing every required training, who’s required to take it, when it was last completed, when it expires.
- Default to self-paced online courses. Vendor platforms (KnowBe4, EVERFI, smaller niche providers) handle delivery and tracking. For tiny businesses, even free or low-cost options often beat building from scratch.
- Schedule renewals proactively. Don’t wait for expiration notices. 60-day advance reminders work better than 7-day fire drills.
- Get manager attestation. Completion is one thing; understanding is another. A brief manager check-in after compliance training catches gaps and signals importance.
- Document everything. Date completed, training provider, certificate of completion (if available). This is the documentation that matters if anything ever goes wrong.
## Common pitfalls
- Treating it as one-time onboarding. Most compliance training is recurring. Build the renewal cycle into your calendar from day one.
- Skipping documentation. If a complaint arises, the question is what you can prove was completed — not what you remember happened.
- Choosing the cheapest provider without checking quality. The cheap providers often have outdated content that doesn’t meet current state requirements. Verify the content is current.
- Not training contractors. Many requirements (especially harassment, safety) extend to contractors working at your locations. Don’t assume independent contractor status exempts them from all your training obligations.
- Lapsing certifications. Industry-specific certs that expire silently are common compliance failures. Calendar them with 90-day advance notice.
## Free resources worth knowing about
- OSHA.gov — free training materials and guidance, particularly useful for industry-specific safety.
- SHRM — sample policies and templates; some content free, much behind membership.
- EEOC.gov — guidance on anti-discrimination training content requirements.
- State Attorney General sites — state-specific harassment training resources, often free.
Compliance is the unglamorous backbone. Get the calendar built once, run the system, and it’ll stay out of your way for the rest of the year.