Jeff Sovern is a professor of law at St. John's University School of Law and a coordinator of the Consumer Law & Policy Blog sponsored by the Public Citizen Litigation Group. The views expressed here are his.

(CNN) Many aspects of privacy protection in our country are broken and Congress is not doing its part to fix them. For example, when hackers obtained the private information of 148 million Americans in the 2017 Equifax breach, Congress did virtually nothing -- not even coming close to voting on bills, like the proposed Data Breach Prevention and Compensation Act, which would have done more to protect consumer information in the hands of credit bureaus.

Meanwhile, breaches such as the ones at Marriott -- which affected about 500 million consumers -- Quora, and Dunkin' Donuts continue to afflict Americans. Those three all happened in less than one week at the end of 2018. And data breaches often lead to identity theft, which hit record highs in 2017, with 16.7 million victims.

If it were up to Congress, we might never have learned of any of these breaches. No law required companies suffering data breaches to notify the public until California required breach disclosures in 2003. Other states followed, and that is why we know of the Equifax and other breaches. California has once more stepped into the privacy gap. It has enacted a new law that in 2020 will give Californians the ability to learn what companies know about them and direct that the information not be sold to others. Just as with its 2003 data breach law, the new California statute will change what we know about what businesses know about us, perhaps in ways we cannot now predict.

California passed its new law because, at present, consumers cannot ascertain what businesses know or have figured out about them. Sometimes it's not obvious: for example, Target can tell from a woman's purchases whether she is pregnant and tailor its marketing accordingly, according to a 2012 report by the New York Times. (In a statement to the Times, Target declined to say what demographic information it buys or collects.)

But the California law may never take effect. Businesses are urging the Congress that did little after the Equifax breach to pass a federal privacy law to protect companies from state privacy laws. Businesses argue that complying with the laws of different states is expensive. It may indeed add to the expense of operating in multiple states, just as complying with many other different state laws does, but it is a cost worth incurring. If we hadn't allowed states freedom to choose their own course on privacy, California might never have passed its 2003 data breach notification law, with the result that we might never have learned how prevalent data breaches are and businesses would have less of an incentive to protect data.