I am arguing for GDPR. Corporations and local entities will exploit workarounds if privacy policy is a patchwork across jurisdictions (imagining all servers in the country moving to Arkansas because their privacy laws are non-existent or absent). National standards and federal enforcement are the only way to guarantee consistency.