California may echo EU on data privacy


A proposition expected to be on California’s ballot in November, while potentially less onerous for businesses, reflects many of the targets, if not the explicit provisions, of the European Union’s wide-ranging General Data Protection Regulation.

If approved by voters, many experts say the California Right to Privacy Act of 2018 would be highly influential in other states, although its implementation would present challenges, particularly to smaller and medium-sized businesses.

The California proposition “brings GDPR to the U.S.,” said Gamelah Palagonia, senior vice president and cyber risk specialist with Willis Towers Watson P.L.C. in New York.

The GDPR took effect May 25.

Supporters of the California measure say they have submitted 625,000 signatures, enough to qualify for its appearance on the November ballot.

Although it differs, “it’s pretty much mirroring the major elements of GDPR, which basically gives individuals the right to know what businesses are doing with the information they collect, how it’s secured, and gives them the right to object to the sale of that information,” said Ms. Palagonia.

“It does sound a lot like the GDPR,” said Max Perkins, London-based senior vice president for global cyber and technology, global professional and financial risks with Lockton Cos L.L.P.

“We’re going to be talking about some really serious damages going forward, and also some really serious litigation costs,” which has not been the case to date, he said.

“That’s actually the biggest area of concern” about the proposition, said Annmarie Giblin, New York-based senior counselor for cyber liability with Chubb Ltd.

One key difference between the proposed California regulation and the GDPR is that under the latter, companies can be fined up to 4% of annual revenue, or $23.9 million, for the more serious breaches. A provision in the California proposition states violators may be liable for a civil penalty of up to $7,500 for each violation. A spokesman for the group behind the proposition could not be reached for comment.

Annie O’Leary, Chicago-based senior broker with Aon P.L.C.’s professional risk solutions group, said the California proposition “is not as far-reaching as the GDPR, but there are some elements of it in terms of consumers having better control of and access to their data” that are common to both.

Matthew McCabe, New York-based senior vice president with Marsh L.L.C.’s cyber practice, said that “at the end of the day, the most relevant point is we’re getting to more comprehensive data privacy regimes that are being mandated globally.”

California led the nation with the first data breach legislation in 2002, and many experts expect that the proposition would be similarly influential should it pass. “One way or the other, the other states will follow suit,” said Scott L. Vernick, a partner working on privacy and data security with Fox Rothschild L.L.P. in Philadelphia.

However, Joshua Gold, a shareholder and cyber insurance recovery attorney with policyholder law firm Anderson Kill P.C. in New York, said: “Other states will follow California’s lead, but not a majority of states, and I think given our own (U.S.) systems here, you would have a real push by business to lobby against too much regulation in this space, given just how valuable big data has gotten.”

“I would expect things to change gradually over time, but I don’t think we’ll see anything in terms of the scope of the GDPR in the near future,” he said. “I think gradually we’ll get to greater protection,” but there will not be an immediate “sea change.”

“I do think there is a greater sense of privacy rights that exists in Europe that simply does not exist in the United States,” Mr. Gold said.

“We also have another big driver of keeping regulation limited” in California, Massachusetts and some other regions of the country, “where data-driven businesses are major heavyweights in the economic world and certainly in this country,” he added.

There is an “uneasy co-existence between those business models and individual privacy rights” with regard to regulation, Mr. Gold said.

Firms would “be subject to the proposition” to the extent they do business in California, said Scott N. Godes, a partner at Barnes & Thornburg L.L.P. in Washington and co-chair of the firm’s cyber risk and data privacy group. The California standard will set a new baseline, he said.

While large companies that do business in Europe are already complying with the GDPR, passage of the California proposition would mean additional costs for smaller firms that do not operate internationally, said Mr. McCabe.

“You are undoubtedly putting in a scheme of compliance that is going to drain resources” for these businesses, he said, and there is still the unanswered question as to whether these provisions will protect data “any better than what we had before.”

“For smaller and midsized businesses, dealing with this rapidly evolving issue could be more difficult” than for larger firms, Ms. Giblin said.

 
