From a Tim Wu privacy law reality check
"How would this work in practice? Once these fiduciary duties were established by state legislation or a court ruling, questions about the breach of such duties would be addressed case by case, by courts and judges, in the American common-law manner. Instead of asking what responsibilities all “data controllers” have, as the Europeans must now do, courts in the United States could ask more specific questions.An American Alternative to Europe’s Privacy Law
For example: Did Equifax, the credit reporting agency, fail to adequately protect user data? (Obviously.) Should a firm like Quora, the question-and-answer website, require that users “opt in” before allowing other people to find out what you are asking about? (Almost certainly.) Should Alexa, Amazon’s digital assistant, require users to “opt in” before it listens to their conversations? (It depends on how it would be carried out.)"