While this is generally true for any regulation ... for small businesses we do have one approach to address the problem of regulatory compliance: outsourcing to specialized firms. For example small sites can just use an identity provider (maybe something like AuthO presuming they add an age-verification module) which can be easily integrated.
Do you think everything in this world should be doable as a mom and pop business? I don't. For example, I wouldn't want a moon-lighter handling my medical records, or my money accounts and credit cards. We have many examples where limiting who can work in certain spaces has become reasonable.
