But, realistically, what recourse do users have if there's a breach?
A few years ago I got a letter from Washington State University saying that they'd obtained my personal health data (which I never directly consented to, nor had I interacted with WSU in any way prior to receiving this letter) and subsequently allowed it to be stolen by unknown malicious actors. In case you're curious, they kept the data on an unencrypted hard drive in a physical safe that was then physically stolen.
There was some class action pittance that meant nothing to me, and WSU does not seem to have been subject to any meaningful consequences. It seems to be viewed as a cost of doing business sort of thing. For all of us who had their data stolen, the horse has left the barn, and I see no real deterrent effect. This seems to be the norm when data breaches happen.
So while "pinky promise" might be a bit hyperbolic, there is a lot of truth to it in general and I don't know how this case is supposed to be any different. If there is some paradigm-breaking accountability mechanism built in, I'd love to hear more about it.
> There was some class action pittance that meant nothing to me, and WSU does not seem to have been subject to any meaningful consequences.
Class action suits, from my understanding, are about 1) compensating the initial plaintiffs, 2) setting an appropriate punitive damage to redress the harm to society, and 3) distributing that punitive damage in an equitable fashion.
You are benefiting from 2) and 3) as a claimant in a class-action. 2) is where the meaningful consequence happens, in my estimation.
Nope.
> *research partners are contractually obligated to abide by these procedures and protect your data.*
https://rally.mozilla.org/how-rally-works/faqs/