nabnob parent
They're only subject to large fines if those laws are in place and actually being enforced, though. Companies keep getting away with these huge data breaches in the United States with almost no real consequences.
It's getting harder and harder to ignore these laws unless you're willing to stay out of some major markets (such as Europe and California).
I think we'll see a national privacy law in the United States at some point in the next five years. There's appetite for it in both major parties (Democrats to protect bodily autonomy, Republicans to stick it to Big Tech), and I think the targets of the regulations themselves will at some point lobby for a consistent national law rather than the patchwork of state laws that we have now.
The RESTRICT Act suggests that there's political will in the US to solve the same problems that the GDPR solves. If the RESTRICT Act fails, the US might get federal-level privacy protection (subject to the PATRIOT Act, of course).
The RESTRICT act isn’t GDPR and actually contains everything they couldn’t pass in the PATRIOT act, right?
At least at my employer, we've gone the route of global GDPR compliance.