How Data Privacy Laws Are Changing Business Strategy

Data as a Valuable Asset 

In today’s business world, data has become one of the most valuable assets a company owns. But with that value comes a growing risk. Every customer interaction, online transaction, or marketing campaign involves collecting and processing personal information — and regulators are watching closely.

In this episode of the Measure Success Podcast, host Carl J. Cox, CEO of 40 Strategy and 40 Accounting, sits down with Jenny Sheridan, founder of JL Sheridan Law, a Silicon Valley boutique firm specializing in technology transactions, intellectual property, and data privacy. Jenny brings decades of experience advising tech companies on how to navigate complex privacy laws like the California Consumer Privacy Act (CCPA).

Their conversation sheds light on what every business leader — from startups to established enterprises — must know to stay compliant, reduce risk, and protect their reputation.

The Rise of Data Privacy Laws in the U.S.

When California passed the California Consumer Privacy Act (CCPA) in 2018, it marked a major turning point. For the first time, U.S. businesses were required to treat consumer data with the same level of care expected in Europe under the GDPR (General Data Protection Regulation).

Jenny explains that California didn’t stop there. In 2019, new amendments and regulations strengthened the law and created a dedicated agency to enforce it — the California Privacy Protection Agency (CPPA). Since then, privacy has become a nationwide trend.
“As of 2025, sixteen states now have consumer privacy laws,” Jenny shares. “And while most apply only to business-to-consumer companies, California is unique — it also covers B2B transactions and employee data.”

For business leaders, that means compliance is no longer just a checkbox. It’s a fundamental part of doing business in a digital world.

Understanding What the CCPA Covers

The CCPA gives California residents more control over how their data is collected, shared, and sold. It requires businesses to be transparent about how they use personal information and to provide consumers with the right to:

  • Access their data
  • Correct inaccurate information
  • Request deletion of their data
  • Opt out of having their data sold or shared

Jenny explains that while these rights sound simple, implementing them properly can be complex — especially when companies don’t fully understand where their data lives.

“Most businesses don’t even know all the data they collect or where it’s stored,” Jenny notes. “You can’t comply with privacy laws if you don’t understand your own data flow.”

The Real Cost of Non-Compliance

Many business owners think of compliance as a legal or technical issue, but the true cost of ignoring privacy laws goes far beyond fines.
Yes, the CCPA allows regulators to impose monetary penalties — typically in the thousands per violation — but the real damage often comes from the time, energy, and reputation lost during an investigation.

Jenny shares an example:
“The fine itself may not bankrupt a company, but responding to an investigation can take enormous time away from business operations. And once your name appears in an enforcement action, it can hurt your reputation with customers and partners.”
In other words, the opportunity cost and reputational risk often outweigh the financial penalties. Companies like Sephora have faced major public scrutiny after privacy violations — and rebuilding customer trust takes time.

Privacy Laws and the Ad Tech Industry

Much of the momentum behind privacy regulation began with concerns about ad tech — the tracking and profiling of consumers for targeted advertising.

Regulators want to ensure consumers can choose how their data is used. Businesses that engage in digital advertising or retargeting must provide clear disclosures and working opt-out mechanisms.

“If you’re doing targeted advertising, you better have the right disclosures on your privacy policy,” Jenny says. “And I can’t emphasize this enough — your opt-out mechanism must actually work.” Jenny now helps companies perform forensic audits to verify whether their websites and systems function as promised. Many businesses discover gaps that could lead to compliance issues if left unchecked.

Sensitive Data: The Next Frontier in Regulation

While many privacy laws began with marketing and tracking concerns, regulators are now focusing on sensitive personal information — including:

  • Precise geolocation data
  • Children’s information
  • Health and biometric data
  • Neural or behavioral tracking

Jenny highlights that some of these categories fall outside traditional healthcare laws like HIPAA. For example, many health and wellness apps collect personal data that isn’t covered by HIPAA protections.

“If you’re in the consumer health space, HIPAA doesn’t apply,” Jenny explains. “Now we have new standalone laws in states like Washington that are much more aggressive about protecting sensitive data.” This shift means that even companies outside the healthcare industry need to evaluate how they collect, store, and share personal information.

Why Every Business Needs a Data Map

The foundation of any privacy program is understanding where your data lives and how it moves — a process called data mapping.
Jenny often begins client engagements by mapping data flow: “I ask my clients, ‘Do you know where your data is?’ Because until you know that, you can’t manage compliance.” Through her firm, JL Sheridan Law, Jenny offers what she calls “Level One” and “Level Two” services:

  • Level One: Data inventory, privacy notices, and identifying compliance gaps.
  • Level Two: Deep assessments for high-risk or sensitive data environments, including information security policies and employee training.

This staged approach helps small and mid-sized businesses reduce their exposure and implement systems they can manage long-term.

How Much Does Compliance Cost?

One of the most common questions Jenny gets from clients is, “What will this cost?”

While compliance does require an investment, the cost of doing nothing is often higher. Privacy technology tools like OneTrust or TrustArc can assist in implementation, but they aren’t plug-and-play. Businesses still need human oversight and customized policies.
“You can do this on a lower budget, but you need the right attention to detail,” Jenny advises. “Compliance is not just a technical fix — it’s an operational discipline.”

The most cost-effective way to start is with a privacy assessment to understand your current risk level. From there, companies can prioritize updates that offer the biggest protection for their budget.

AI and the Future of Privacy Enforcement

Regulators aren’t just relying on manual investigations anymore. Jenny predicts that artificial intelligence will soon be used to scan websites and identify non-compliance automatically. “Regulators will use AI — why wouldn’t they?” she says. “It’s already happening in Europe under GDPR, where authorities are scanning sites for privacy issues.” For business owners, this means there will be fewer places to hide. Transparency, accuracy, and proactive compliance will become the new standard.

B2B vs. B2C: Different Rules, Same Responsibility

One of the most misunderstood aspects of privacy law is the difference between B2B and B2C obligations.

While many states exempt B2B companies, California’s law does not. Jenny notes that B2B organizations — especially those offering SaaS products — are increasingly driven to improve privacy because of customer expectations. “In Silicon Valley, B2B companies can’t even compete for contracts unless they meet certain security standards,” Jenny says. “Customers are demanding it.” For B2C companies, the stakes are even higher. Marketing teams must ensure their websites, cookie consent tools, and ad networks align with privacy laws. Mistakes can quickly snowball into public violations.

Building a Culture of Privacy

Jenny emphasizes that compliance isn’t just a legal requirement — it’s part of a healthy company culture. Companies that treat privacy as a core value, not an afterthought, build stronger customer trust and reduce long-term risk. This starts with training employees, assigning accountability, and regularly reviewing systems for weaknesses. “Data is an asset,” Jenny reminds listeners. “Using it responsibly creates value for your business. It’s not just about avoiding fines — it’s about earning trust.”

Key Takeaways for Business Leaders

  • Understand Your Data Flow: You can’t protect or manage what you don’t know exists.
  • Update Privacy Policies: Ensure they reflect current law and your actual practices.
  • Test Your Opt-Out Mechanisms: Regulators are actively checking them.
  • Protect Sensitive Data: Health, location, and biometric data require extra care.
  • Train Your Team: Make privacy part of your culture, not just a checklist.
  • Plan for AI Oversight: Automated compliance scanning is on the horizon.

Next Steps: How to Protect Your Business

If you’re unsure where your business stands, Jenny recommends starting with a privacy readiness assessment. “The first step is a conversation,” she says. “Whether you’re B2B or B2C, understanding your risk level helps you take smart, manageable action.” For companies that handle consumer data, advertising, or customer relationships in California or other states with active privacy laws, that conversation is no longer optional. It’s essential for business longevity.

About the Guest: Jenny Sheridan

Jenny Sheridan is the founder of JL Sheridan Law, a Silicon Valley boutique firm focusing on technology transactions, IP, and data privacy. She holds a JD from Columbia Law School and a master’s degree from Tufts University. She has also served as an adjunct professor and frequently advises startups and growth-stage companies on privacy compliance and technology law.

About the Measure Success Podcast

The Measure Success Podcast, hosted by Carl J. Cox, explores how leaders, entrepreneurs, and business owners define success beyond profits. Each episode features actionable insights on strategy, leadership, and sustainable growth — helping businesses reach their full potential.
