just do it right and once every 20 years
A federal GDPR type would be good. It's going to get more difficult to do business in the US. Not because of CCPA, but rather because we already have three states with slightly different regulations (California, Maine and Nevada) and around 12 more with legislation in state senates.
Add to that states like Massachusetts, which has data protection but no real privacy laws, and things get more complicated still.
Further, most states create laws specific to a technology, so today it's the browser, but not necessarily other methods of trawling data, for example IoT or paper.
The one thing that's clear about the GDPR is the underlying principles: it doesn't go into much detail on the implementation, on purpose. It's system agnostic.