I get the sentiment about personal power, though on an initiative like GDPR and CCPA compliance, "Institutional Power" is going to be required. It doesn't matter how much passion you have; compliance with these regulations requires people (you can't do this alone) and money (you can't do this for free). People will have to do things that make their day-to-day harder (or at the very least different from before, and that may as well fall in the category of impossible for many) and organizations will have to spend money.
We can do our parts and raise awareness, and we can be the ones to beat a drum about the impending implications once these laws reach our regions (and they will; California, for better or for worse, sets a lot of the tone and agenda for technology in the U.S.). We do have a duty to raise awareness, make meaningful changes in our areas and to evangelize, but it is ultimately the responsibility of leadership to steer the ship. I like the way Bruce from Mr. Maclean's anecdote put it about the informed fool.
If you're raising awareness, coming up with reasonable strategies and plans (not just complaining) and you still feel like you're rocking the boat, but only the lifeboat on a cruise ship, you may want to put that lifeboat in the water and get in, because that ship is headed for an iceberg, and if your lonely voice is the only one raising the alarm and no one is listening, well, we know how that ends.