23 Association of Research Libraries Research Library Issues 297 — 2019 From a consumer advocacy perspective, CCPA has been criticized as a weakened version of GDPR, heavily relying on notice provisions, rather than requiring consumers to opt-in to data collection and processing for providing only limited availability to data portability for including at least a limited right to deletion or right to be forgotten for applying only to a specific definition of “businesses” and, in some respects, for lacking appropriate enforcement mechanisms. On the other hand, some have criticized CCPA as overly expansive in its application by eliminating the distinction between sensitive and non-sensitive personal information or by requiring high costs for compliance, thereby disadvantaging smaller technology companies. While other states do not have comprehensive consumer privacy legislation in place, several are reportedly considering it.11 Washington State, for example, is currently considering the Washington Privacy Act.12 This bill would apply to personally identifiable data, but largely excludes de-identified data. It includes provisions on the right to access, the right to delete and the right to opt-out. It also specifically governs facial recognition technology. The Washington Privacy Act, as currently drafted, would empower the state Attorney General’s office to enforce its provisions, but would not create a private right of action for consumers. Regardless of the provisions that might be included if the Washington Privacy Act becomes law, it is clear that there would be stark differences between this bill and CCPA, as well as GDPR. Other state legislation is also likely to have small and large differences, resulting once again in a patchwork of state provisions governing different aspects of consumer data, with different standards of protection. International Privacy Developments Consumer data privacy has been a topic of active discussion internationally, as well. Most notably, in 2018, the EU’s General Data Protection Regulation (GDPR) went into effect and has resulted in a domino effect in terms of compliance by private businesses as well as new legislation in other countries.