As we approach the 6 month anniversary of "GDPR day" there is evidence that one of the greatest aims of the legislation may slowly be being realised. 

GDPR was not just a stone landing in a pond, causing a big splash, a few ripples and then disappearing.  Its effects are here to stay.  

We have yet to see any mega fines, but there is evidence of a significant increase in complaints and data breach reporting across a number of EU member states.  And a welcome drop (temporarily, at least) in marketing emails.

But more importantly, we are seeing significantly greater awareness of rights and obligations - and, as a consequence, increasing evidence of behavioural change. 

Transparency leads to awareness, awareness leads to choice.  Choice drives competition. Competition drives businesses' desire to differentiate themselves.   

Behavioural change.  Not just undertaking a compliance programme and devising compliant business models because it's the right thing to do (and you may face enforcement action if you don't).  But doing it because it makes business sense.  Because it can be a strong selling point. Because discerning consumers are begining to grasp that their data has value - and in the wrong hands it can be used to cause them harm.  Because we want more control over our data.  And our children's. 

Big tech is taking notice - even if it has yet to change many of its ways.   But as Tim Cook notes, that change needs to come.  Businesses are not changing their behaviours quickly enough. Consumers are becoming increasingly more exposed.   

But is it realistic to expect Washington to enact legislation that protects citizens (and data subjects who are not US citizens) in a way that may, at least in the short term, adversely impact corporate profitability? 

California's new Consumer Privacy Act is a step in the right direction.  It may take the US and other legislatures some time to catch up with European data protection legislation, but perhaps the tide is finally turning.