There also needs to be a licensing system for any company or person that is going to have access to PII data for more than 25k people. People in this position need extra training, especially developers. Many developers learn about information security on the job but it should be a formalized training system. We keep seeing the same dumb mistakes being made at companies like leaving databases unsecured or S3 buckets public.
I'm guessing a better solution is this combination:
(a) legislation similar to the EU's GDPR, and
(b) legislation that prohibits consumer-oriented products and services from requiring EULAs or other licensing terms that give up the rights granted under (a), and
(c) legislation that grants private individuals the right to bring lawsuits for violations of (a) and (b)