No, he couldn't. I think you need to read the draft more carefully. Flappy Bird, in the scenario you describe, is explicitly exempt from imprisonment under this proposal.
That seems to be an entirely incorrect interpretation. Any app with more than 1 million users would fall under this law. You're simply reading it wrong, as the OP of this thread initially did. Any entity with personal information - as that term is (very broadly) defined in this document - on more than 1 million or more users is fully exposed to its civil and criminal penalties. This includes developers that just get lucky and get 1 million or more installs, and who have no way to pay for compliance.
No, I think you're confused. Having 1MM users makes you a "Covered Entity" in this draft. But "Covered Entities" aren't required to file data protection reports to the FTC until they make $1B in revenue or have 50MM users.† And, again: the "decades of imprisonment" 'downandout is talking about refers only to the crime of deliberately misreporting those data protection reports. It is not the case that any failure to comply with this law has prison time attached.
Happy to be wrong about this; if I am, please offer a cite.
You are both right and wrong. Flappy Bird indeed had over 50MM users (in fact it had over 100MM users), and therefore its owner would have criminal liability under this law regardless of revenue. However you are right that the lower limit excludes people from criminal penalties. Having just 1MM user accounts still exposes them to the full brunt of the civil penalties available under this law that could easily bankrupt them. So if you have between 1MM and 50MM users, you won't go to prison, you'll just be broke.
