Answer: C - An organization is bound by the privacy promises and notices it publishes, the contractual commitments it makes, and the industry standards it has agreed to follow, such as PCI DSS. Breaking a published privacy promise or a contractual obligation carries legal consequences even where no privacy statute applies.
An organization that operates in the US, serves only US citizens, and handles data only in the US does not necessarily have an obligation to comply with global privacy standards. In practice, however, many organizations adopt stricter privacy standards and regulations as they begin to serve customers or contacts who are foreign citizens or residents. In addition, data is often transferred to processors in other countries, which can bring those countries' rules into scope.
As privacy standards and regulations evolve, US organizations are working to understand and be transparent about how they use data, and to adopt privacy practices in line with stricter regimes such as GDPR.