The question is not "is there anything that would clearly be burdensome?", but "am I confident enough that I am complying with these items, as retroactively interpreted by regulators?"
You need to pay a lawyer to evaluate that for you; that's the cost, not whoever the bill's sponsor says this is intended to target.
Can you cite an example of one of these requirements that you wouldn't be confident in being able to comply with? Also: how much do you think a legal consult costs? For any one item, I think we're talking a couple hundred bucks.
Almost all of the language in the section we're referring to applies to just one requirement, which is to make data tech companies retain about consumers available upon request to those consumers. That's something responsible companies already do, many because they're already by regulation required to do so.
Just popping in to say that I've never had an invoice less than $800 from any firm I've ever hired, and those were very small things. Data privacy-related stuff tends to be way more complicated, and if my company didn't have me, basic data privacy stuff would cost them tens of thousands a year just in legal.
Most competent lawyers cost $400+/hr. For them to review your internal compliance policies and procedures (including your opt-in/out procedures, etc.), privacy policy, etc., you could easily be looking at a few hundred hours. That doesn't include the external auditors that the bill wants you to have.
As you said in one of your comments, fortunately this bill as written will never come into law, both due to its implications, and the fact that its author is a single member of a minority party. This is one instance in which I am happy with our system of government.
This proposal doesn't require companies to do formal internal compliance reviews. It's not SOX or GLBA. For most startups, the legal overhead here would probably amount to a few phone calls with a lawyer.
My read is that it's less onerous than the California privacy statute that already covers a huge fraction of tech startups.
We do both security and privacy engineering work for our clients, most of whom are encumbered in one way or another by regs, and it is not the norm for legal to do line-item review of policies and procedures. SOC2 Type 1 audits are much closer to a mainstream practice, would almost certainly satisfy the "data protection" requirements in any rule the FTC would come up with, and certainly do not involve "a few hundred hours" of legal.
That's just not accurate. You should read pages 26-33 in detail. It wants external auditors to come in, and while consultation with a lawyer isn't required, companies would offensively have to use them to review everything they do, lest they be found non-compliant. That could easily range into hundreds of hours of legal work.
I believe I'm one of the "auditors or independent technical experts" this bill refers to (trust me, we don't need Wyden's help getting work), and for the most part the only time we talk to client legal is when we're negotiating our contract. Note also the "if reasonably possible" attached to getting external assessment.