I worked for a number of American companies, not beholden to also serve EU markers. They still did not demonstrate any cavalier attitudes towards PII though. Nobody wants to be the subject of some data leak front-page story.
Of course not, but there is a huge difference between market-demanded standards and quality and government-mandated ones. In more ways than one: cost, difficulty of implementation, UX, etc.
A real, practical example is that US web startups do not have to annoy their US users with cookie banners for simply using Google Analytics on their website - like the EU ones must. Underneath, the implementation and PII data protections are exactly the same, but the UX is night and day.
