What It Is

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is a state regulation establishing consumer privacy rights for California residents. It targets for-profit businesses meeting thresholds like $25 million revenue or handling data of 100,000+ consumers/devices. Primary purpose: empower consumers with control over personal information (PI) via rights-based approach, including opt-out of sales/sharing and limits on sensitive PI.

Key Components

• Core consumer rights: know/access, delete, correct, opt-out of sales/sharing, limit sensitive PI use
• Business obligations: notices at collection, privacy policies, vendor contracts, DSAR handling within 45 days
• Enforcement by CPPA and Attorney General with $2,500-$7,500 fines per violation; private breach actions
• No certification; compliance via audits, data mapping, GPC honoring

Why Organizations Use It

Mandatory for applicable businesses to avoid fines, litigation, reputational damage. Builds trust, enables market access, aligns with GDPR. Reduces data risks, improves governance, yields efficiency via minimization.

Implementation Overview

Phased: scoping/gap analysis (0-3 months), policies/contracts (1-4 months), technical controls (2-6 months), operationalization/training, ongoing audits. Applies globally to CA data handlers; cross-functional for enterprises in tech/retail/finance.

What It Is

Regulation (EU) 2024/1689, the EU AI Act, is a comprehensive horizontal regulation establishing a risk-based framework for AI systems across sectors. It prohibits unacceptable-risk practices, regulates high-risk systems with lifecycle obligations, mandates transparency for limited-risk AI, and minimally regulates others.

Key Components

• **Four risk tiersunacceptable (banned), high-risk (Annex I/III), limited (transparency), minimal.
• Core high-risk requirements: risk management (Article 9), data governance (Article 10), documentation (Articles 11-13), human oversight (Article 14), cybersecurity (Article 15).
• GPAI obligations (Chapter V), conformity assessments, CE marking, EU database registration.
• Built on product-safety principles with harmonized standards presumption.

Why Organizations Use It

• Mandatory for EU-market AI to avoid fines up to 7% global turnover.
• Enhances safety, trust, market access; mitigates harms in employment, biometrics, justice.
• Builds competitive edge via compliant innovation and stakeholder confidence.

Implementation Overview

Phased rollout (6-36 months); inventory/classify AI, build RMS/QMS, conduct assessments. Applies to providers/deployers EU-wide; requires audits/notified bodies for high-risk. (178 words)