Yes, they have to comply with NSLs. Difference though is the level of data they harvest on you. Google's business model requires they harvest as much as possible and in a way they ensure they can read it. Further, the bigger risk to most users is not NSL's, it's having some dodgy ad-corp buy your data and sell it to even dodgier companies.
And banks and insurances for credit ratings. And for screening companies, that are contracted to evaluate your job application on basis of your purchases, locations and so on
