HR Compliance at 40 Employees: The Regulations That Just Kicked In and What to Do About Them

You hit 40 employees and suddenly your inbox is full of reminders about reporting deadlines you’ve never heard of. Your payroll provider mentions EEO-1 filing. Your insurance broker asks about OSHA posting requirements. Your accountant flags something about state-level pay data reporting. None of this was on your radar at 35 employees.

Here’s what’s actually happening: 40 employees isn’t a major federal compliance threshold like 50 (FMLA) or 100 (EEO-1 for most companies). But it’s the preparation zone before those bigger triggers, and depending on your state, industry, and whether you have any federal contracts, specific requirements may have already activated without you realizing it.

This isn’t about creating panic. It’s about knowing exactly which regulations apply to your situation so you can handle them efficiently rather than scrambling when an audit notice arrives or a deadline passes. Let’s break down what actually changes at this headcount, what the real exposure looks like, and how to address it without overbuilding your HR function.

What Actually Triggers at 40 Employees (And What Doesn’t)

The confusion at 40 employees comes from the gap between what people think applies and what actually does. Most business owners know about the 50-employee FMLA threshold. Some have heard about ACA requirements. But the 40-employee mark operates differently—it’s less about a single federal law kicking in and more about entering the zone where multiple smaller requirements start accumulating.

First, let’s clear up a common misconception: standard EEO-1 reporting does not apply at 40 employees for most companies. The federal requirement kicks in at 100 employees. But if you’re a federal contractor with 50 or more employees and a contract worth at least $50,000, you’re already required to file. That’s where the confusion starts—business owners hear “EEO-1” mentioned in forums or by advisors and assume it applies universally at smaller headcounts.

The federal contractor angle matters more than most owners realize. If you provide any services or products to federal agencies—even indirectly through a prime contractor—and you’ve crossed 50 employees, you’re likely subject to additional reporting requirements that standard private employers your size aren’t. This includes EEO-1 filing and potentially affirmative action plan requirements under OFCCP regulations.

State-level requirements create the real variability at this size. Some states impose pay equity reporting, anti-discrimination posting requirements, or paid leave mandates that activate between 35 and 50 employees. California, Colorado, Illinois, and Washington have all implemented reporting or compliance requirements with thresholds below the major federal ones. If you operate in multiple states, you’re tracking different trigger points for each jurisdiction.

Then there’s the headcount definition problem. Not every regulation counts employees the same way. Some use full-time equivalents (FTEs). Others count all employees regardless of hours worked. Some look at peak headcount during a measurement period. Others use average headcount across the year. You might be at 40 employees by one measure and 35 by another, which affects which requirements actually apply.

OSHA recordkeeping is another area where the 40-employee mark creates confusion. Most employers aren’t required to electronically submit OSHA 300A data until they reach 250 employees. But if you’re in a high-hazard industry—construction, manufacturing, healthcare, certain transportation sectors—the threshold drops to 20 employees. At 40 employees in one of those industries, you’ve been required to submit data electronically for years.

The practical takeaway: 40 employees is significant not because a single major law activates, but because you’re now large enough that gaps in compliance tracking start creating real exposure. You’re past the size where informal HR practices work, but not yet at the size where most major federal requirements automatically apply—unless your specific circumstances (contractor status, industry, state operations) change that equation.

Federal Reporting Requirements Worth Understanding

Let’s focus on what actually applies at the federal level for a standard private employer at 40 employees, then address how federal contractor status changes everything.

For most private companies at this size, federal reporting obligations are limited. You’re handling standard payroll tax reporting, maintaining I-9 documentation, and keeping required employment posters current. EEO-1 reporting doesn’t apply yet. ACA reporting applies if you’ve been over 50 full-time equivalent employees, but that’s a different threshold. The federal compliance burden at 40 employees is relatively manageable if you’re not a federal contractor.

OSHA Form 300A posting is required if you’re in an industry that mandates recordkeeping. Every year from February 1 through April 30, you must post your annual summary of work-related injuries and illnesses. If you’re in a high-hazard industry with 20+ employees, you’re also submitting this data electronically to OSHA. Many business owners miss this because they assume OSHA requirements only matter in manufacturing or construction, but healthcare, warehousing, and certain retail operations also fall under these rules.

Federal contractor status completely changes the compliance landscape. If you have a federal contract worth $50,000 or more and you’ve reached 50 employees, you’re now required to file EEO-1 reports annually. These reports break down your workforce by job category, race, ethnicity, and gender. The deadline is typically in late spring, and missing it can trigger inquiries from the EEOC.

Beyond EEO-1, federal contractors face affirmative action plan requirements under OFCCP regulations. If you have a contract of $50,000 and 50+ employees, you’re required to develop and maintain written affirmative action programs. This isn’t about quotas—it’s about documenting your recruitment, hiring, and promotion practices and analyzing whether any disparities exist. Many growing companies don’t realize they’re federal contractors until they receive an OFCCP audit notice.

The “federal contractor” designation is broader than most owners think. It includes subcontractors working on federally funded projects, companies providing services to government agencies, and businesses selling products through federal supply schedules. Understanding who handles compliance responsibilities becomes critical when you’re navigating these overlapping obligations.

For non-contractors at 40 employees, the federal compliance burden is manageable. For contractors, it’s substantially higher and requires proactive attention to avoid enforcement issues.

Where State Requirements Create Real Complexity

State-level compliance at 40 employees varies so dramatically that generalizing is nearly impossible. What applies in Texas looks nothing like what applies in California, and multi-state operations face compounding obligations.

California is the most aggressive state for sub-50 employee requirements. Pay data reporting under SB 973 applies to employers with 100+ employees, but other California-specific requirements kick in earlier. The state’s anti-discrimination protections, meal and rest break rules, and paid sick leave mandates apply regardless of size, but enforcement scrutiny increases as you grow. At 40 employees, you’re large enough to be on the radar for state labor agency audits.

State WARN Acts create another layer of complexity. The federal WARN Act requires 60 days’ notice for mass layoffs or plant closures, but it only applies to employers with 100+ employees. Several states have mini-WARN Acts with lower thresholds. New York’s WARN Act applies to employers with 50+ employees in certain industries. California’s applies at 75 employees. If you’re planning any significant workforce reductions at 40 employees, you need to know whether your state has advance notice requirements that apply before you hit federal thresholds.

Paid leave mandates have been proliferating at the state and local level, and many apply well below 50 employees. Colorado, Connecticut, Massachusetts, Oregon, and Washington all have paid family and medical leave programs with varying employer size thresholds. Some apply to all employers. Others kick in at 15, 25, or 50 employees. If you operate in multiple states, you’re tracking different accrual rates, eligibility requirements, and contribution structures for each location.

State-level pay equity and salary history ban laws also matter at this size. Several states prohibit asking job applicants about salary history. Others require pay range disclosure in job postings. These requirements typically apply regardless of employer size, but at 40 employees, you’re large enough that a violation is more likely to result in enforcement action rather than a warning.

The practical challenge is that state requirements don’t align with federal thresholds. You can’t simply wait until you hit 50 or 100 employees to think about compliance. You need to know which states you operate in, which requirements apply at your current size, and what’s coming as you continue growing.

Multi-state operations amplify this complexity. If you have employees in five states, you’re tracking five different sets of requirements. Companies with multi-state payroll operations often discover that remote work has made this worse—hiring a single remote employee in a new state can trigger obligations you didn’t have before.

What Non-Compliance Actually Costs at This Size

Compliance violations at 40 employees carry real financial and operational consequences, but the exposure is different than at larger companies. You’re big enough to face meaningful penalties but small enough that a single issue can create disproportionate disruption.

EEO-1 reporting violations for federal contractors result in formal inquiries from the EEOC. While the agency doesn’t typically assess direct fines for late filing, non-compliance can trigger broader compliance reviews. If you’re flagged for missing an EEO-1 deadline, the EEOC may expand its inquiry into your hiring practices, pay equity, and discrimination complaint history. The cost isn’t the penalty—it’s the time and legal expense of responding to the investigation.

OSHA penalties scale based on violation severity. Failure to post the required Form 300A summary can result in citations. Failure to maintain required injury and illness records or submit electronic data when required can trigger larger penalties. For a 40-employee company, a single OSHA inspection that uncovers recordkeeping violations can result in penalties that meaningfully impact cash flow.

State-level enforcement has been increasing. California’s Labor Commissioner actively audits wage and hour compliance, and violations can result in per-employee penalties plus waiting time penalties for final paycheck delays. At 40 employees, a meal and rest break violation affecting your entire workforce can quickly escalate into six-figure exposure when you factor in penalties, back pay, and legal costs.

The hidden cost is litigation exposure from documentation gaps. At 40 employees, you’re large enough that disgruntled former employees have an easier time finding employment attorneys willing to take their cases. If you terminate someone and can’t produce clear documentation of performance issues or policy violations, you’re defending a wrongful termination claim with weak evidence. Even if you ultimately prevail, the legal costs can exceed $50,000 for a case that goes to summary judgment.

Pay equity claims are another growing risk. If you don’t have documented compensation structures and you’re challenged on pay disparities between employees in similar roles, you’re defending your decisions after the fact. Without clear criteria for how you set pay, you’re exposed to claims of discrimination even if your actual decisions were legitimate.

Audit likelihood increases as you grow. State agencies and federal regulators prioritize larger employers, but 40 employees is the size where you’re no longer flying under the radar. If you receive a complaint—from a current or former employee, a job applicant, or a competitor—agencies are more likely to investigate than they would for a 10-person company.

The practical reality: non-compliance at 40 employees rarely results in catastrophic penalties, but it creates expensive distractions. You’re spending time and money responding to issues that could have been avoided with basic documentation and policy adherence.

Handling This Without Overbuilding Your HR Function

The instinct at 40 employees is often to either ignore compliance until something breaks or immediately hire an HR manager and implement enterprise-level systems. Neither approach makes sense for most businesses at this size.

Start with a compliance inventory specific to your circumstances. List every state where you have employees. Identify whether you’re a federal contractor. Note your industry and whether it’s considered high-hazard for OSHA purposes. This gives you the actual scope of what applies rather than a generic checklist that includes requirements you don’t face.

A one-time compliance audit from an employment attorney or HR consultant can be worth the investment. You’re not hiring someone full-time—you’re paying for a few hours of work to identify gaps in your current practices. The deliverable should be a prioritized list of what needs immediate attention, what can wait, and what doesn’t apply to you at all. This costs a few thousand dollars and prevents you from either over-investing in compliance infrastructure or missing something critical.

Building a compliance calendar is more valuable than most policy manuals. You need to know when EEO-1 is due (if applicable), when OSHA 300A posting is required, when state-specific reports are due, and when required notices need to be distributed. A simple spreadsheet with deadlines and responsible parties prevents missed filings without requiring ongoing HR overhead.

The PEO question comes up frequently at this size. Does co-employment actually transfer compliance risk? The answer is nuanced. A PEO handles payroll tax compliance, workers’ compensation administration, and benefits compliance. They typically assist with policy development and provide access to HR support. Understanding how co-employment works helps clarify what shifts and what doesn’t.

If you’re a federal contractor, the PEO doesn’t file EEO-1 reports on your behalf—you’re still the employer of record for those purposes. If you face a discrimination claim, the PEO provides support, but you’re still a named party in any litigation. The value of a PEO at 40 employees is reducing administrative burden and providing access to expertise, not transferring legal responsibility.

For many companies at this size, a hybrid approach works better than all-or-nothing. Use a PEO or payroll provider for tax and benefits administration. Retain an employment attorney on a fixed-fee arrangement for policy reviews and quick questions. Build internal processes for documentation and recordkeeping. Comparing PEO cost versus hiring an HR manager can help you determine which approach fits your budget and needs.

The key is matching your compliance infrastructure to your actual obligations. If you’re a single-state, non-contractor employer in a low-regulation state, your needs are minimal. If you’re a multi-state federal contractor in a high-hazard industry, you need more robust support. Don’t build for a hypothetical 100-employee future when you’re managing 40-employee present-day requirements.

What Changes Between Here and 50 Employees

Understanding what’s coming helps you prepare without over-investing too early. The jump from 40 to 50 employees brings meaningful new requirements, but you don’t need to implement everything at 41 employees.

FMLA is the major federal trigger at 50 employees. Once you’ve had 50 or more employees for 20 or more workweeks in the current or preceding calendar year, you’re covered. This means eligible employees can take up to 12 weeks of unpaid, job-protected leave for qualifying reasons. You need FMLA policies, notice procedures, and tracking systems in place. Many business owners underestimate the administrative complexity of managing intermittent FMLA leave.

ACA reporting requirements apply once you average 50 or more full-time equivalent employees. You’re filing Forms 1094-C and 1095-C annually and providing coverage statements to employees. If you don’t offer affordable minimum essential coverage to full-time employees, you’re potentially facing employer shared responsibility payments. This is complicated enough that most companies at this size rely on their benefits broker or payroll provider to handle the reporting mechanics.

EEO-1 reporting becomes required at 100 employees for private employers (or 50 if you’re a federal contractor, as discussed earlier). At 40 employees, you’re still 10 away from the next major threshold, but it’s worth understanding what’s involved so you’re not surprised when it applies.

State requirements continue to layer on. Some states have additional leave mandates or anti-discrimination protections that kick in at 50 employees. The pattern you’re seeing at 40—where state obligations don’t align neatly with federal thresholds—continues as you grow.

Documentation practices that scale are more important than specific policies. At 40 employees, you can still manage performance issues informally if you’re documenting conversations and decisions. By 50, you need more structured performance management. The key is building habits now—documenting coaching conversations, keeping notes on policy violations, maintaining clear records of compensation decisions—that don’t require wholesale process changes later.

When to reassess your HR infrastructure depends on how much complexity you’re managing. If you’re growing quickly, operating in multiple states, or facing high turnover, you’ll need dedicated HR support before 50 employees. Exploring small business HR outsourcing options can help bridge the gap. If you’re stable, single-state, and have low employee relations issues, you can often wait until 60-75 employees before bringing someone on full-time.

The mistake is assuming you need the same infrastructure as a 200-person company just because you’ve crossed 40 employees. You don’t. You need infrastructure that matches your actual compliance obligations and operational complexity, with an eye toward what’s coming in the next 12-24 months.

Making Compliance Decisions That Actually Fit Your Business

Reaching 40 employees is a compliance checkpoint, not a crisis. The key is knowing exactly which regulations apply to your specific situation—your industry, your states of operation, your federal contractor status—rather than implementing generic best practices that may not match your actual obligations.

Start with a compliance inventory. List what applies now, what’s coming at 50 employees, and what doesn’t apply at all. This prevents both over-preparation and dangerous gaps. Most business owners at this size are either doing too much or too little, rarely landing on the right level of attention.

The infrastructure question—whether to hire internal HR, work with consultants, or use a PEO—depends on your specific circumstances. A single-state employer with straightforward operations has different needs than a multi-state federal contractor. Learning how to choose a PEO that fits your situation is essential if you’re considering that route. Before you make infrastructure decisions, understand what you’re actually managing. Before you renew your PEO agreement, compare your options. Most businesses overpay due to bundled fees and unclear administrative markups. We break down pricing, services, and contract structures so you can make a smarter decision.

Compliance at 40 employees is manageable if you’re intentional about it. Focus on what applies, document what matters, and build practices that scale without creating unnecessary overhead. You’re not trying to be perfect—you’re trying to be prepared for what actually applies to your business.