I always thought it was a nice coincidence that the acronym for the California Air Resources Board—CARB—also happens to be the nickname for the carburetors we all used to have on our cars. That agency is responsible for driving* up national vehicle emissions standards by setting very strict state standards (*intentional pun). The net result of California’s standards is that, since no automaker makes “California-only” cars, all new cars end up complying with the more stringent state standard even though the national standards are much lower. The national standards are referred to as the Corporate Average Fuel Economy or CAFE standards. (Café is not a car-related term and thus is not really as cool.)
At first glance this would appear to be a textbook dormant commerce clause issue, much like regulating the size of mud flaps on an interstate tractor trailer. Bibb v Navajo Freight Lines, Inc, 359 US 520 (1959). However, when the Clean Air Act was passed in 1963, California got a special waiver to make its own rules, since it was more or less already doing so anyway.
The current administration is working on rolling back the CAFE standards and getting rid of California’s special waiver while they are at it. California is expected to sue the Trump administration if it actually goes through with it. This would be in addition to the other 20+ lawsuits the Golden State already has going against the current administration, including one from September that concerns a different aspect of the Clean Air Act.
Now the European Union seems to be doing the same thing. The European Union General Data Protection Regulation (GDPR), which went into effect last week on May 25, 2018, may in fact create data privacy rules for the world in the same way California’s vehicle emissions standards were adopted nationally. The prime example of how the GDPR is likely to play out is where a non-EU company is operating a website that is visited by an EU citizen. If that site collects data on the citizen through cookies or other means, that data would presumably be governed by the GDPR. It’s worth noting that this isn’t a paper tiger regulation either, as fines can reach €20 million (about $24 million). The effective date comes after a full two-year transition period, so it should be interesting to see just how prepared the Internet is. For the sake of data privacy I hope it plays out to the benefit of the public much like the CARB standards did.