I like the general idea and I like that it specifically applies only to organizations with more than $25 million in revenue. Give small startups a break.
Does the GDPR also have a lower limit like this? It should.
Seems like the second one is the real problem. "50K users or devices" is less than 0.02% market share, even if you have only US customers, and for businesses with margins in the $1/user/year range it doesn't even cover one full time employee.
You can end up with that many users on a side project all of a sudden if it gets posted to the front page of a site like this one.
And it doesn't even have to be users in the signed-up sense if you simply have access logging turned on for your web server; 50k unique IPs would be enough.
Assuming you have any way to reliably identify which state your users are in -- which means we're back to "privacy regulations" encouraging companies to collect more data on their users.
So if you make more than $25 million, OR you have more than 50k users or devices, OR you make more than 50% of your money selling data