The plain language of the law says that your interpretation is not correct. The criminal provisions apply to companies with over $1 billion in revenue or those those that have 1M or more users. That would expose a much larger range of independent developers to decades in prison.
A closer reading indicates seem to be correct that the criminal provisions only apply to those larger entities. However, ALL of the provisions in pages 26-33, which are significantly burdensome, still apply to All covered entities, which you can hit by just having 1 million user accounts.
