Fortunately, this is just a "discussion draft" and I don't believe it would ever be passed as it is written. This clause would expose mom-and-pop app developers who have apps that happen to go viral and get more than 1 million installs to the same expensive, onerous requirements as an entity with $1 billion or more in revenue:
Each covered entity that has not less than $1,000,000,000 per year in revenue and stores, shares, or uses personal information on more than 1,000,000 consumers or consumer devices or any covered entity that stores, shares, or uses personal information.."
Putting those two vastly different classes of entities under the same umbrella and exposing them to decades in prison seems like it would have a chilling effect on the startup community. You would just have to hope that your app/website doesn't get to 1 million users, otherwise you're exposed to requirements where the implementation will bankrupt a small team or independent developer.
I guess you could simply stop allowing new registrations at 999,999 people, but it seems like a bad idea to discourage businesses from growing beyond that.
Each covered entity that has not less than $1,000,000,000 per year in revenue and stores, shares, or uses personal information on more than 1,000,000 consumers or consumer devices or any covered entity that stores, shares, or uses personal information.."
Putting those two vastly different classes of entities under the same umbrella and exposing them to decades in prison seems like it would have a chilling effect on the startup community. You would just have to hope that your app/website doesn't get to 1 million users, otherwise you're exposed to requirements where the implementation will bankrupt a small team or independent developer.
I guess you could simply stop allowing new registrations at 999,999 people, but it seems like a bad idea to discourage businesses from growing beyond that.