What It Is

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is a state regulation establishing consumer data privacy rights for California residents. It targets for-profit businesses meeting thresholds like $25M revenue or handling 100K+ residents' data. Primary purpose: empower consumers with control over personal information via rights-based approach including opt-out of sales/sharing.

Key Components

• Core rights: know/access, delete, opt-out sale/share, correct, limit sensitive data use
• Obligations: notices at collection, privacy policies, vendor contracts, reasonable security
• Enforcement by CPPA and Attorney General with $2,500-$7,500 fines per violation
• No certification; compliance via self-assessments, audits, DSAR handling

Why Organizations Use It

Mandatory for qualifying businesses to avoid fines, litigation from breaches ($100-$750 per consumer). Builds trust, reduces data risks, enables market differentiation, aligns with GDPR-like practices for efficiency and partnerships.

Implementation Overview

Phased: scoping/gap analysis (0-3 months), policies/contracts (1-4 months), technical controls (2-6 months), operationalization/training, ongoing audits. Applies globally to CA data handlers; cross-functional teams, automation tools essential for DSARs/opt-outs.

What It Is

C-TPAT (Customs-Trade Partnership Against Terrorism) is a voluntary public-private partnership led by U.S. CBP. It secures international supply chains against terrorism and crime using risk-based Minimum Security Criteria (MSC) tailored by partner type.

Key Components

• **12 MSC domainsCorporate Security, Risk Assessment, Business Partners, Cybersecurity, Conveyance Security, Seals, Procedural Security, Agricultural Security, Physical Security, Access Controls, Personnel Security, Training.
• Security Profile documenting implementation.
• Validation/revalidation by CBP specialists.
• Continuous improvement via internal audits.

Why Organizations Use It

• **Trade facilitationReduced inspections, FAST lanes, priority processing.
• **Risk mitigationTerrorism, cyber, forced labor threats.
• **Competitive edgeTrusted trader status, MRAs with 19+ countries.
• Builds stakeholder trust, resilience.

Implementation Overview

• **Phased approachGap analysis, policy development, partner vetting, training, evidence collection.
• Applies to importers, carriers, brokers globally.
• CBP validation required; no fee, 6-12 months typical.