I corrected my AND to an OR, so yes, good point, but overall it still doesn't impact the "entire startup community". There are plenty of tech businesses that don't hit 50 million in revenue AND don't have a million users. I am talking about those.
True, but the issue is that getting 1M+ installs isn't under the control of the developer. Sometimes things go viral - look at Flappy Bird. Under this law, that guy (if he were in the US) could be looking at decades in prison unless he took enough investment money to comply.
This law also uses a very broad definition of "personal information" that could possibly include IP addresses. So it does have an effect on the entire community, in the sense that every startup hopes to surpass 1M users, and this law will punish them for it.
I don't think it will pass as is, but if it does, this is truly a "sky is falling" moment for US startups. Because it effectively limits non-VC backed startups to less than 1M users, it also makes sure that there will never be a competitor to Facebook or Google. Like GDPR, it locks in entrenched competitors.
Flappy Bird might have a million customers, but he could opt to not collect information on those users. If Apple/Google had the information, that is their issue, not that of the app developer.
No, he couldn't. I think you need to read the draft more carefully. Flappy Bird, in the scenario you describe, is explicitly exempt from imprisonment under this proposal.
That seems to be an entirely incorrect interpretation. Any app with more than 1 million users would fall under this law. You're simply reading it wrong, as the OP of this thread initially did. Any entity with personal information - as that term is (very broadly) defined in this document - on more than 1 million or more users is fully exposed to its civil and criminal penalties. This includes developers that just get lucky and get 1 million or more installs, and who have no way to pay for compliance.
No, I think you're confused. Having 1MM users makes you a "Covered Entity" in this draft. But "Covered Entities" aren't required to file data protection reports to the FTC until they make $1B in revenue or have 50MM users.† And, again: the "decades of imprisonment" 'downandout is talking about refers only to the crime of deliberately misreporting those data protection reports. It is not the case that any failure to comply with this law has prison time attached.
Happy to be wrong about this; if I am, please offer a cite.
You are both right and wrong. Flappy Bird indeed had over 50MM users (in fact it had over 100MM users), and therefore its owner would have criminal liability under this law regardless of revenue. However, you are right that the lower limit excludes people from criminal penalties. Having just 1MM user accounts still exposes them to the full brunt of the civil penalties available under this law that could easily bankrupt them. So if you have between 1MM and 50MM users, you won't go to prison, you'll just be broke.
I hope it passes. If there are significant problems, updates and changes can always be made. As for your comparison with the GDPR, I think it's way too early to start drawing conclusions.