What is the primary objective of **CCPA**?

**The primary objective of CCPA is to grant California residents rights over their personal information, including the right to know, delete, opt-out of sales/sharing, correct, and limit use of sensitive personal information.** Enacted in 2018 and amended by CPRA effective January 1, 2023, it rebalances power by requiring businesses to provide notices at collection, handle data subject access requests (DSARs) within 45 days (extendable to 90), and implement reasonable security measures.

Who is legally or professionally required to comply with **CCPA**?

**For-profit businesses doing business in California must comply if they meet any threshold: annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California consumers/households/devices annually, or derive 50%+ revenue from selling/sharing such data.** This applies extraterritorially to global entities processing California residents' data, including employee data post-2022 CPRA exemption expiry.

Does **CCPA** require an external audit or third-party certification?

**No, CCPA does not mandate external audits or third-party certification.** Businesses must maintain internal records of requests and actions for 24 months, conduct periodic privacy audits, and demonstrate reasonable security practices, with high-revenue firms facing phased cybersecurity audits from 2028 under CPRA.

How often should an assessment for **CCPA** be performed?

**CCPA assessments, including data inventories and threshold checks, should be performed annually.** CPRA requires risk assessments for high-risk processing by 2026 (annually thereafter for executives to certify) and ongoing monitoring of data flows, vendor contracts, and notices to address evolving enforcement by the California Privacy Protection Agency (CPPA).

What are the consequences of non-compliance with **CCPA**?

**Non-compliance with CCPA incurs fines of $2,500 per unintentional violation and $7,500 per intentional violation (adjusted to $2,663/$7,988 in 2025), enforced by the CPPA and California Attorney General.** A private right of action allows $100-$750 per consumer per incident for unencrypted breach data, plus examples like Zoom's $85M settlement and Sephora's $1.2M fine.

Can **CCPA** be mapped to other international frameworks?

**Yes, CCPA maps closely to GDPR through shared elements like data subject rights, data mapping, and vendor contracts.** Overlaps include DSAR timelines (45 days), purpose limitation, and security requirements, enabling unified programs despite CCPA's opt-out focus versus GDPR's consent model.

What is the first step to begin implementing **CCPA**?

**The first step is conducting a legal applicability assessment and comprehensive data inventory.** Evaluate thresholds, map personal information flows (including sensitive categories), identify collection points, and prioritize gaps in notices, DSAR processes, and vendor contracts.

What is the primary objective of **AS9120B**?

**AS9120B establishes a quality management system (QMS) for organizations that procure, store, split, and resell aerospace parts without altering product characteristics.** Built on ISO 9001:2015’s 10-clause structure, it adds over 100 aerospace-specific requirements addressing distribution risks like loss of traceability, counterfeit parts infiltration, documentation errors, and weak external provider controls. Core focus areas include chain-of-custody integrity via identification/traceability (Clause 8.5.2), counterfeit/suspected unapproved parts prevention (Clauses 8.1.4/8.1.5), configuration management (8.1.2), and preservation (8.5.4), ensuring product safety and conformity from receipt to delivery.

Who is legally or professionally required to comply with **AS9120B**?

**AS9120B applies to aviation, space, and defense distributors that purchase, store, split, or resell parts without changing characteristics.** It targets stockist distributors, pass-through distributors, and batch splitters, excluding value-added activities like machining or MRO. Certification is not legally mandatory but commercially essential, often required by OEMs and primes for supply chain approval. As of May 2023, 2,442 global certifications (836 in U.S.) underscore its role as a market entry criterion via IAQG’s OASIS database.

Does **AS9120B** require an external audit or third-party certification?

**Yes, AS9120B requires third-party certification through accredited bodies following a two-stage audit process.** Stage 1 reviews documentation and scope (Clause 4.3); Stage 2 verifies implementation and effectiveness via on-site audits using AS9101F criteria. Certification, valid for three years with annual surveillance, lists organizations in IAQG’s OASIS, enabling OEM visibility. Internal audits (Clause 9.2) support ongoing compliance.

How often should an assessment for **AS9120B** be performed?

**AS9120B requires internal audits at planned intervals to cover all processes annually (Clause 9.2).** Audits ensure QMS conformity and effectiveness, with competent, objective auditors reporting results for timely corrective actions. Management reviews (Clause 9.3) occur at planned intervals, typically quarterly or semi-annually, evaluating performance trends, risks, and supplier data. Surveillance audits follow certification annually.

What are the consequences of non-compliance with **AS9120B**?

**Non-compliance with AS9120B risks commercial exclusion, supply chain rejection, and safety liabilities.** Lacking certification prevents OEM contracts and OASIS listing, causing revenue loss. Audit failures yield nonconformities, requiring costly corrections; persistent issues delay recertification. Operationally, weak controls enable counterfeit parts or traceability loss, risking recalls, liabilities, and reputational damage in ASD sectors.

Can **AS9120B** be mapped to other international frameworks?

**AS9120B aligns directly with ISO 9001:2015’s high-level structure, enabling seamless mapping of its 10 clauses.** It augments ISO requirements with distributor-specific additions (e.g., counterfeit prevention, traceability), allowing integrated QMS for dual certification. Clause-by-clause comparisons facilitate transitions from prior versions like AS9120A.

What is the first step to begin implementing **AS9120B**?

**The first step is conducting a gap analysis against AS9120B clauses using a certified checklist (Clauses 4-10).** Form a cross-functional team to assess current processes, justify scope/not-applicable determinations (Clause 4.3), and prioritize risks like supplier controls and traceability. Document findings in a risk register tied to context (Clause 4.1/4.2) for a phased rollout.

CCPA vs AS9120B

Standards Comparison

CCPA

Mandatory

2020

California regulation granting consumers data privacy rights

AS9120B

Mandatory

2016

Aerospace QMS standard for parts distributors.

Quick Verdict

CCPA mandates privacy rights for California consumers, requiring data notices, opt-outs, and breach security. AS9120B certifies aerospace distributors for traceability and counterfeit prevention. Companies adopt CCPA to avoid fines; AS9120B for market access and supply chain trust.

Data Privacy

CCPA

California Consumer Privacy Act (CCPA/CPRA)

Cost

€€€€

Complexity

Medium

Implementation Time

6-12 months

Key Features

Consumer rights to know, delete, correct, opt-out of sales/sharing
Applies via thresholds: $25M revenue or 100K+ CA residents/devices
Requires 'Do Not Sell or Share' links and GPC signals
Right to limit sensitive personal information usage
Private right of action for security breaches

Quality Management

AS9120B

AS9120B Quality Management Systems - Requirements

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Counterfeit and suspected unapproved parts prevention
Traceability and chain-of-custody controls for split lots
Risk-based external provider evaluation and monitoring
Configuration management via sales order records
Enhanced preservation and product identification requirements

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

CCPA Details

What It Is

California Consumer Privacy Act (CCPA), amended by California Privacy Rights Act (CPRA), is a state regulation granting California residents rights over personal information. It targets for-profit businesses meeting thresholds, using a rights-based, risk-proportionate approach for data governance and compliance.

Key Components

Consumer rights: know/access, delete, correct, opt-out sales/sharing, limit sensitive PI
Thresholds: $25M revenue, 100K+ consumers/devices, 50% data revenue
Obligations: notices/policies, DSAR handling (45-90 days), GPC honoring, vendor controls, security
Enforcement model: CPPA/AG fines ($2,500-$7,500/violation), private breach actions; no certification

Why Organizations Use It

Avoids regulatory fines, litigation from breaches
Enhances data governance, reduces breach risks
Builds consumer trust, enables market differentiation
Aligns with GDPR, supports multi-state compliance

Implementation Overview

Phased: scoping (0-3 months), policies/contracts (1-4m), technical systems (2-6m), training/audits (ongoing). Applies globally to CA data handlers; cross-functional, tool-intensive for enterprises.

AS9120B Details

What It Is

AS9120B is the IAQG quality management system standard for aerospace distributors, based on ISO 9001:2015's 10-clause structure. It establishes requirements for organizations procuring, storing, and reselling parts without alteration, emphasizing risk-based thinking to address distribution risks like traceability loss and counterfeits.

Key Components

Over 100 aerospace-specific requirements beyond ISO 9001.
Core areas: context analysis, leadership, planning, support, operations (traceability, counterfeit prevention, supplier controls), performance evaluation, improvement.
Built on PDCA cycle; requires documented information, not full procedures.
Certification via accredited bodies, leading to OASIS listing.

Why Organizations Use It

Commercial necessity for OEM/Tier-1 supply chains.
Mitigates risks of nonconformities, enhances chain-of-custody trust.
Drives efficiency, market access (2,442 global certifications), competitive edge.

Implementation Overview

Phased: gap analysis, process design, training, audits (6-12 months).
Applies to aviation/space/defense distributors globally.
Involves internal audits, management reviews, Stage 1/2 certification.

Key Differences

Aspect	CCPA	AS9120B
Scope	Consumer privacy rights and data handling	Aerospace distributor quality management
Industry	All businesses handling CA resident data	Aerospace parts distributors globally
Nature	Mandatory state regulation with enforcement	Voluntary certification standard
Testing	Internal audits and consumer request handling	Third-party certification audits
Penalties	$2,500-$7,500 per violation, private actions	Loss of certification, market exclusion

Scope

CCPA

Consumer privacy rights and data handling

AS9120B

Aerospace distributor quality management

Industry

CCPA

All businesses handling CA resident data

AS9120B

Aerospace parts distributors globally

Nature

CCPA

Mandatory state regulation with enforcement

AS9120B

Voluntary certification standard

Testing

CCPA

Internal audits and consumer request handling

AS9120B

Third-party certification audits

Penalties

CCPA

$2,500-$7,500 per violation, private actions

AS9120B

Loss of certification, market exclusion

Frequently Asked Questions

Common questions about CCPA and AS9120B

CCPA FAQ

AS9120B FAQ

You Might also be Interested in These Articles...

From Data Fragments to Strategic Insight: Powering Intelligent Risk Management with Integrated Compliance Monitoring

Transform data fragments into strategic insights with integrated compliance monitoring. Automate real-time risk management, ensure GDPR & SOC 2 compliance, and

SOC 2 Trust Services Criteria in Plain English: Side-by-Side Decoder for Security, Availability, and Beyond

Decode AICPA Trust Services Criteria from auditor jargon to plain English with side-by-side tables, analogies & TL;DRs. CISOs & founders: implement SOC 2 contro

Top 10 SOC 2 Mistakes Startups Make (and Fixes with Automation)

Avoid top 10 SOC 2 mistakes like scope creep & evidence gaps. See fail/pass visuals, client quotes, Vanta/Drata automation fixes for bootstrapped startups. Quic

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

C-TPAT vs ISO 21001

Compare C-TPAT vs ISO 21001: Secure supply chains with CBP benefits via C-TPAT; optimize education for learner success with ISO 21001. Uncover differences, implementation tips now! (152 characters)

AS9110C vs ISO 30301

Discover AS9110C vs ISO 30301: Aerospace QMS for aviation maintenance meets records management mastery. Compare HLS structures, risks, ops controls & certification paths. Boost compliance now!

ISO 37001 vs EN 1090

ISO 37001 vs EN 1090: Compare anti-bribery ABMS with steel/aluminium structural standards. Key differences, compliance benefits & implementation guide. Boost ethics & safety now!

CCPA

AS9120B

Quick Verdict

CCPA

Key Features

AS9120B

Key Features

Detailed Analysis

CCPA Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

AS9120B Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

CCPA FAQ

What is the primary objective of CCPA?

Who is legally or professionally required to comply with CCPA?

Does CCPA require an external audit or third-party certification?

How often should an assessment for CCPA be performed?

What are the consequences of non-compliance with CCPA?

Can CCPA be mapped to other international frameworks?

What is the first step to begin implementing CCPA?

AS9120B FAQ

What is the primary objective of AS9120B?

Who is legally or professionally required to comply with AS9120B?

Does AS9120B require an external audit or third-party certification?

How often should an assessment for AS9120B be performed?

What are the consequences of non-compliance with AS9120B?

Can AS9120B be mapped to other international frameworks?

What is the first step to begin implementing AS9120B?

You Might also be Interested in These Articles...

From Data Fragments to Strategic Insight: Powering Intelligent Risk Management with Integrated Compliance Monitoring

SOC 2 Trust Services Criteria in Plain English: Side-by-Side Decoder for Security, Availability, and Beyond

Top 10 SOC 2 Mistakes Startups Make (and Fixes with Automation)

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

C-TPAT vs ISO 21001

AS9110C vs ISO 30301

ISO 37001 vs EN 1090