The first jolt came with Europe’s General Data Protection Regulation (GDPR), which introduced sweeping new privacy protections in 2018 for consumers and defined some early guardrails around the use of artificial intelligence. In the UK alone, GDPR’s enforcement arm, the Independent Commissioner’s Office, has already handed out more than $440 million in fines for major breaches and violations.

Now comes an even more stringent set of data-governance controls from the U.S. The California Consumer Privacy Act (CCPA), which takes effect January 1, 2020, will require companies doing business in the state to obtain customer consent before collecting, using, or selling their data.