What is the primary objective of **CCPA**?

**The primary objective of the CCPA is to grant California residents rights to control their personal information, including access, deletion, opt-out of sales/sharing, correction, and limitation of sensitive personal information use.** Enacted in 2018 and amended by CPRA effective 2023, it targets data monetization practices by requiring transparency, notices at collection, and non-discrimination.

Who is legally or professionally required to comply with **CCPA**?

**For-profit businesses doing business in California must comply if they exceed any threshold: annual gross revenue over $25 million, process personal information of 100,000+ California consumers/households/devices annually, or derive 50%+ revenue from selling/sharing such data.** This applies extraterritorially; employee/B2B exemptions expired December 2022.

Does **CCPA** require an external audit or third-party certification?

**No, CCPA does not mandate external audits or third-party certification.** Businesses must implement reasonable security, maintain data maps, and conduct internal audits, with high-revenue firms ($26M+) facing phased cybersecurity audits from 2028 per CPRA; CPPA may subpoena for enforcement reviews.

How often should an assessment for **CCPA** be performed?

**CCPA assessments, including threshold checks and data inventories, should be performed annually.** CPRA requires risk assessments by 2026 for high-risk processing (e.g., biometrics), with ongoing monitoring of data flows, vendor contracts, and consumer requests to ensure continuous compliance.

What are the consequences of non-compliance with **CCPA**?

**Non-compliance with CCPA incurs fines of $2,500 per unintentional violation and $7,500 per intentional violation, enforced by the California Attorney General or CPPA.** Private right of action for certain breaches allows $100-$750 per consumer per incident; examples include Sephora's $1.2M fine and Zoom's $85M settlement.

Can **CCPA** be mapped to other international frameworks?

**Yes, CCPA can be mapped to other international frameworks through shared elements like data subject rights and vendor contracts.** Its access/deletion/opt-out provisions align with GDPR's DSARs (45-day timelines), enabling unified programs despite CCPA's opt-out focus versus GDPR consent.

What is the first step to begin implementing **CCPA**?

**The first step to implement CCPA is conducting a legal applicability assessment against the three thresholds and creating a comprehensive data inventory.** Map personal information flows, collection points, vendors, and retention to identify gaps, followed by privacy notices and DSAR workflows.

What is the primary objective of **EN 1090**?

**EN 1090 ensures controlled execution and conformity assessment of steel and aluminium structural components for CE marking under the Construction Products Regulation (CPR).** It comprises **EN 1090-1** for conformity assessment via certified **Factory Production Control (FPC)** and **Declaration of Performance (DoP)**, **EN 1090-2** for steel technical requirements (welding, tolerances, inspection), and **EN 1090-3** for aluminium. Risk-based **Execution Classes (EXC1–EXC4)** scale controls by consequence class (CC1–CC3), service category (SC1–SC2), and production category (PC1–PC2).

Who is legally or professionally required to comply with **EN 1090**?

**Manufacturers of load-bearing steel and aluminium components and kits for permanent construction works in the EEA must comply with EN 1090 for CE marking.** This includes fabricators, steelwork contractors, and welding shops supplying to EU/UK markets. Scope covers structures like buildings, bridges, and roofs; non-structural items are excluded.

Does **EN 1090** require an external audit or third-party certification?

**Yes, EN 1090-1 mandates certification of the FPC system by a Notified Body via AVCP systems, including initial inspection and ongoing surveillance audits.** Certification enables CE marking and DoP issuance after initial type testing/calculation (ITT/ITC) and factory review.

How often should an assessment for **EN 1090** be performed?

**FPC surveillance audits by Notified Bodies occur annually initially, then per EN 1090-1 Table B.3 based on EXC and performance.** Internal audits are continuous; changes to processes, products, or personnel trigger re-assessments.

What are the consequences of non-compliance with **EN 1090**?

**Non-compliance prevents CE marking, blocking EEA market access and risking product withdrawal, fines, or liability under CPR.** Notified Bodies may suspend certificates for major non-conformities, with public notification.

Can **EN 1090** be mapped to other international frameworks?

**EN 1090 integrates with standards like ISO 3834 for welding quality, but no formal mappings to unrelated frameworks are specified.** It aligns with Eurocodes for design and focuses solely on execution and conformity.

What is the first step to begin implementing **EN 1090**?

**Conduct a gap analysis of current processes against EN 1090-1 FPC requirements and determine Execution Class (EXC) for product families.** Default to **EXC2** if unspecified, then engage a Notified Body.

CCPA vs EN 1090

Standards Comparison

CCPA

Mandatory

2020

California regulation granting consumers data privacy rights

EN 1090

Mandatory

2009

EU standard for steel and aluminium structural execution

Quick Verdict

CCPA mandates data privacy rights for California residents, enforced by fines, while EN 1090 requires certified execution of structural metal components for EU market access via CE marking. Companies adopt CCPA to avoid penalties and build trust; EN 1090 for legal sales compliance.

Data Privacy

CCPA

California Consumer Privacy Act (CCPA/CPRA)

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Grants consumers rights to know, delete, correct, opt-out of sales/sharing
Applies to businesses with $25M revenue or 100K+ CA consumers/devices
Mandates notices at collection and Do Not Sell/Share links
Requires honoring Global Privacy Control signals frictionlessly
Imposes $7,500 fines per intentional violation by CPPA/AG

Structural Metalwork

EN 1090

EN 1090 Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based Execution Classes (EXC1-EXC4)
Factory Production Control (FPC) certification
CE marking via Notified Body audits
Welding quality aligned with ISO 3834
Material traceability and NDT inspection

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

CCPA Details

What It Is

California Consumer Privacy Act (CCPA), as amended by California Privacy Rights Act (CPRA), is a state regulation establishing consumer data privacy rights for California residents. It targets for-profit businesses meeting thresholds like $25M revenue or handling 100K+ consumers' data, using a rights-based approach focused on transparency, opt-outs, and data minimization.

Key Components

Core consumer rights: know/access, delete, correct, opt-out sales/sharing, limit sensitive data
Obligations: notices at collection, privacy policies, DSAR handling (45-90 days), vendor contracts
Enforcement by CPPA with $2,500-$7,500 per violation fines; private breach actions
No certification; compliance via audits, risk assessments (2026 for high-risk)

Why Organizations Use It

Mandatory for qualifying businesses to avoid multimillion fines (e.g., $85M settlements)
Builds consumer trust, reduces breach risks ($9.48M avg cost)
Enables multi-state compliance, competitive differentiation via privacy-by-design
Strategic ROI: 75% faster DSARs, 40% incident reduction

Implementation Overview

Phased: scope/gap analysis (0-3 months), policies/contracts (1-4 months), tech/automation (2-6 months), training/audits (ongoing). Applies globally to CA data handlers; cross-functional teams essential for data mapping, GPC integration.

EN 1090 Details

What It Is

EN 1090 is a harmonized European standard family for the execution and conformity assessment of structural steel and aluminium components. It implements the EU Construction Products Regulation (CPR), enabling CE marking for load-bearing metal structures in construction. The risk-based approach scales requirements via Execution Classes (EXC1-EXC4) linked to failure consequences, service conditions, and production complexity.

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC), and Declaration of Performance (DoP).
**EN 1090-2/-3Technical rules for steel/aluminium execution (welding, tolerances, corrosion protection, inspection).
Core principles: traceability, welding quality (ISO 3834), NDT inspection; certified by Notified Bodies via AVCP systems.

Why Organizations Use It

Mandatory for EU market access and CE marking.
Reduces liability, rework, and ensures structural safety.
Builds trust with clients, enables high-risk projects, and aligns with Eurocodes.

Implementation Overview

Phased: gap analysis, FPC development, personnel training, Notified Body certification, ongoing surveillance. Targets fabricators in construction; 3-12 months typical, with audits for EXC2+.

Key Differences

Aspect	CCPA	EN 1090
Scope	Consumer data privacy rights and obligations	Structural steel/aluminium fabrication and conformity
Industry	All sectors handling CA residents' data, US-focused	Construction/metal fabrication, EU/EEA mandatory
Nature	State privacy regulation with fines	Harmonized standard for CE marking certification
Testing	DSAR processes, security audits, no formal certification	FPC certification, NB audits, ongoing surveillance
Penalties	$2,500-$7,500 per violation plus breach lawsuits	Market exclusion, no CE marking, certificate suspension

Scope

CCPA

Consumer data privacy rights and obligations

EN 1090

Structural steel/aluminium fabrication and conformity

Industry

CCPA

All sectors handling CA residents' data, US-focused

EN 1090

Construction/metal fabrication, EU/EEA mandatory

Nature

CCPA

State privacy regulation with fines

EN 1090

Harmonized standard for CE marking certification

Testing

CCPA

DSAR processes, security audits, no formal certification

EN 1090

FPC certification, NB audits, ongoing surveillance

Penalties

CCPA

$2,500-$7,500 per violation plus breach lawsuits

EN 1090

Market exclusion, no CE marking, certificate suspension

Frequently Asked Questions

Common questions about CCPA and EN 1090

CCPA FAQ

EN 1090 FAQ

You Might also be Interested in These Articles...

Beyond Reactive: Transforming Compliance into Real-Time Threat Prevention

Discover how modern compliance monitoring tools leverage continuous, real-time oversight and automated alerts to shift organizations from reactive problem-solving to proactive threat detection and prevention, safeguarding against emerging risks before they escalate.

Top 10 NIST CSF 2.0 Myths Busted: Separating Hype from Reality for Smarter Adoption

Bust 10 NIST CSF 2.0 myths like 'only for critical infrastructure' or 'Govern replaces Identify'. Plain-English breakdowns, evidence, and fixes for flexible ris

Top 5 Unseen Complexities Modern Compliance Software Effortlessly Manages

Uncover top 5 unseen complexities modern compliance software manages effortlessly—from sensitive data mapping to real-time regulatory shifts. Automate audits, i

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

OSHA vs MLPS 2.0 (Multi-Level Protection Scheme)

Explore OSHA vs MLPS 2.0: US workplace safety meets China's cybersecurity scheme. Uncover gaps, strategies & implementation for global compliance mastery. Dive in now!

MLPS 2.0 (Multi-Level Protection Scheme) vs ISO 22301

Compare MLPS 2.0 vs ISO 22301: China's graded cybersecurity meets global business continuity. Discover differences, compliance gaps, and strategies for resilient ops now.

K-PIPA vs UAE PDPL

Compare K-PIPA vs UAE PDPL: Korea's consent-driven CPOs & 72h breaches vs UAE's GDPR-like DPOs, DPIAs & transfers. Key gaps, insights for global compliance mastery!

CCPA

EN 1090

Quick Verdict

CCPA

Key Features

EN 1090

Key Features

Detailed Analysis

CCPA Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

EN 1090 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

CCPA FAQ

What is the primary objective of CCPA?

Who is legally or professionally required to comply with CCPA?

Does CCPA require an external audit or third-party certification?

How often should an assessment for CCPA be performed?

What are the consequences of non-compliance with CCPA?

Can CCPA be mapped to other international frameworks?

What is the first step to begin implementing CCPA?

EN 1090 FAQ

What is the primary objective of EN 1090?

Who is legally or professionally required to comply with EN 1090?

Does EN 1090 require an external audit or third-party certification?

How often should an assessment for EN 1090 be performed?

What are the consequences of non-compliance with EN 1090?

Can EN 1090 be mapped to other international frameworks?

What is the first step to begin implementing EN 1090?

You Might also be Interested in These Articles...

Beyond Reactive: Transforming Compliance into Real-Time Threat Prevention

Top 10 NIST CSF 2.0 Myths Busted: Separating Hype from Reality for Smarter Adoption

Top 5 Unseen Complexities Modern Compliance Software Effortlessly Manages

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

OSHA vs MLPS 2.0 (Multi-Level Protection Scheme)

MLPS 2.0 (Multi-Level Protection Scheme) vs ISO 22301

K-PIPA vs UAE PDPL