Well the problem is, there is no consensus standard. The onus is on every individual vendor to figure out how to comply. And it's so poorly written that there is no clear path to compliance. Even attempting to comply is burdensome and subjects you to a lot of legal risk. Only the largest vendors can afford to take on this risk. For others, the only winning move is not to play. Classic regulatory capture.