This essay, built on keynote remarks, makes two claims. First, privacy, as a fundamental right, should be considered a principal component of data governance. In today’s world, the concerns about computer processing that arose in the 1960s and 1970s have accelerated even as policy remains behind. And where those concerns, and protections, in the United States have focused most closely on governmental collection and use of data, we now know that the porosity between commercial and government collection and use necessitates attention to both. Data governance thus must take into account, take seriously—and indeed, center—individual privacy. Second, in the U.S., states have a key role to play in these efforts. Where federal efforts have fallen short, California and other states have picked up the privacy baton. Using as an illustrative example recent implementations of California’s Consumer Privacy Act by the California Privacy Protection Agency, the essay show how fundamental rights concepts like autonomy are embedded within California’s updates to the “notice and choice” model. States have always had an important role in privacy and data governance; today this role is crucial. The 2025 inauguration was quickly followed by actions that threaten to upend entirely the foundation of privacy and data protection that, at the federal level, has been in place since the 1970s, and in some cases approaching a century. Indeed, federal activities today precisely echo the federal surveillance and harassment of Americans uncovered by the Church Committee in the 1970s. State-level protections are vital to privacy, and to the democratic participation it enables.
