Just more politicians trying to fix a problem they know nothing about. But if it sounds good on paper, then great, right?
They still have the same fundamental problem as HIPAA, GDPR, etc., and that is a lack of oversight. They make all these laws and cripple companies, while increasing costs of doing business. But they have no one who is actually making sure companies follow the law. For example, HIPAA has never fined one company for not following the rules until after a breach occurred. All of those regulating bodies leave it up to the companies to make sure they are following the law, and companies typically don't do the right thing until something bad happens. But, by that time, the damage is already done.
This is my career. I make fat paychecks for costing companies money in the short-term but end up saving them a huge amount of money and reputation damage by preventing breaches. So, while the laws can be as well-natured as possible, they don't actually stop anything from happening. In my industry, compliance laws are called money-getters. It's a way for the government to profit off of a company's bad fortune. And the biggest kicker, one that CA just makes worse, is that in many cases breaches occur even when a company is doing everything right. Because privacy and security are a reactive game. It's very rare that attack vectors are blocked until a bad guy actually finds one and exploits it. Only then does the world know about the vulnerability and, by then, it's too late.
And lastly, these laws hurt the common person more than many of you realize. Since more than 70% (higher depending on the metric you look at) of breaches occur due to stupid people falling for stupid phishing scams, companies are slowly changing their culture where the person who fell for it is on the hook for the breach and is sued for damages. And it's not the companies themselves who are leading that charge, it's the fat cat cyber insurance companies who are doing this...and lobbying for laws that make it possible.