“Political, social, and economic changes entail the recognition of new rights, and the common law, in its eternal youth, grows to meet the demands of society”.[1]

While an interest in defining and protecting privacy and personal data may seem de rigueur in the 21st century, the citation above actually dates back to the 1890s – when the rapid growth of newspaper readership in the U.S. and the invention of inexpensive, portable cameras led to fears of a “sensationalistic press” and the potential for intrusion on individual privacy.

Fast forward to the present day, and concerns about privacy and the effects of advances in technology, economics, conventional and social media, and surveillance are just as relevant, if not more so. Following a string of corporate data breaches, including 2017’s Equifax violation, as well as numerous instances of credit card theft from the likes of Target, Home Depot, TJMaxx and others, consumers are understandably concerned about the degree to which companies are willing and able protect their personal data. Terms such as “identity theft” and “phishing” are now part of the everyday vernacular.

Ensuring the safety and integrity of personal data is the impetus behind a string of recent legislation that places the responsibility of safeguarding personal information on the entities that own the data. While the European Union’s General Data Protection Regulation (GDPR) has captured the most attention, lawmakers in the U.S. have also made moves to hold organizations accountable for how they safeguard the privacy of consumers, employees, shareholders, and the general public.

The newly enacted California Consumer Privacy Act (CCPA) is intended to strengthen personal privacy rights for California residents. Signed into law in June of 2018, and amended the following September, the law takes effect starting in 2020. First and foremost, the law is intended to allow citizens to know what personal data is collected about them. This includes names and aliases, physical and email addresses and telephone numbers, account or policy numbers, social security numbers, driver’s license numbers, passport number and a host of other financial and medical data identified with a customer or member of their household.

Not only does the law allow residents to know what data has been collected about them, it also allows them to know if their personal information has been sold or shared, and with whom. In addition to being able to access their information, the law allows consumers to deny the sale of their personal data and it stipulates that all customers be treated fairly and equally when exercising their right to privacy. Companies can’t charge more, deny access to service, or reduce the quality of service for customers choosing to exercise their rights under CCPA.

The Act applies to any entity doing business in California that meets at least one of the following criteria:

  • $25 million in gross annual revenue
  • Maintains personal information for at least 50,000 consumers, households, or their devices
  • Earns half or more of its annual revenue through the sale of personal data  [2]

CCPA requires businesses to implement reasonable security measures to protect consumer data and imposes damages for both intentional and unintentional violations, including data theft or other security breaches. The penalties can be quite substantial, as they can be applied per resident, per incident.

In practice, the Act has implications that reach beyond the borders of California. Companies doing business in the state will no doubt incur significant costs in order to update business practices and methodologies (including websites and internet presence) in order to achieve accordance with the new law. Moreover, companies will have to anticipate an overwhelming swarm of costly consumer-driven litigation, both legitimate and frivolous.

States other than California are currently discussing their own implementation the Consumer Privacy Act. The U.S. Congress has held hearings on whether a comprehensive data privacy law should be enacted at the federal level. Whether you view this form of legislation as a welcome safeguard and a much-needed effort at consumer protection or as burdensome government overreach, the overall trend in North America and Europe is clear. Personal data about customers, employees, students, patients, or the overall public at large is an asset that needs to be protected. Failure to do so can only place your organization in peril.

If you’d like to learn more about how to locate sensitive information in your organization or other strategies for effective data governance, contact Sherpa Software today. We offer a range of solutions to identify personal data across your enterprise – in email, file shares and beyond – with the capability to move, copy, quarantine or delete it.


[1] Samuel Warren and Louis D. Brandeis (1890), “The Right To Privacy”Harvard Law Review (Vol. 4, No. 193).

[2] “CCPA Guide: Are You Covered by the CCPA”. JD Supra