Does the US have a law like GDPR?
If we had such a law that has teeth in it, how long will it take before companies become less interested in operating within it?
And, when one looks at the cost involved in actually enforcing these laws versus the costs of non-compliance, it may not be worthwhile? For example: a company could be liable for penalties if they continue to operate without a valid SSL certificate (if the US can even legally create a law like GDPR). Would the burden of enforcement, penalties & legal fees vs the amount saved by removing the SSL from the end user's PC in fact render it uneconomical in cases where there isn't the risk of significant fines levied on them?
For example, many people do not use HTTPS and only do it if/when their business involves doing so, but don't have serious fears of penalties levied against them if they are in breach of a data protection law. Would they still remain interested in ensuring their customers/employees are protected? Would anyone care and therefore spend more in order to have it enforced, or is the idea simply an empty threat given how much smaller the chance of being affected is?
I believe GDPR is a relatively strong one, but there are many other international agreements like it (COPPA / COP18 / C-30, etc.) that also give an organization (or "data controller") responsibilities even if they comply. And you'd be surprised how many "data controllers" (people with personal information) have been caught for breach. And as @Glorca said, it does not make that much sense to make it enforceable, because of that - unless you really like paperwork/hassle. But there are definitely organizations (or "data processors") that can and should be fined if they breach. There are also organizations in the US, not just companies, who can be fined, and it does appear that there are some organizations that are interested.
So basically, I think your statement is spot-on.