What It Is

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is a state regulation establishing consumer privacy rights for California residents. It targets for-profit businesses meeting thresholds like $25M revenue or handling 100K+ consumers' data. Primary purpose: empower consumers with control over personal information (PI), including sensitive PI like biometrics. Approach: rights-based with opt-out focus, notices, and enforcement.

Key Components

• Core rights: know/access, delete, opt-out sale/sharing, correct, limit sensitive PI use.
• Notices at collection, comprehensive privacy policies, 'Do Not Sell/Share' links.
• Verification processes, vendor contracts, data mapping.
• Enforcement by CPPA with $2,500-$7,500 fines per violation; private breach actions. No formal certification; compliance via audits and documentation.

Why Organizations Use It

Mandatory for applicable businesses to avoid fines, litigation, reputational harm. Drives data governance efficiency, consumer trust, market differentiation. Aligns with GDPR-like regimes for scalability; reduces breach risks via security mandates.

Implementation Overview

Phased: scoping/gap analysis (0-3 months), policies/contracts (1-4 months), technical controls (2-6 months), operationalization/training, ongoing audits. Applies globally to CA data handlers; cross-functional for enterprises in tech/retail/finance.

What It Is

IEC 62443 (ISA/IEC 62443 series) is an international consensus-based standard framework for cybersecurity in Industrial Automation and Control Systems (IACS). Its primary purpose is securing OT environments across the lifecycle, using a risk-based approach with zones/conduits segmentation and security levels (SL 0–4).

Key Components

• Four groupings: General (-1), Policies/Procedures (-2), System (-3), Components (-4).
• Seven Foundational Requirements (FR1–7) like IAC, RDF, RA; ~140+ component requirements.
• SL-T (target), SL-C (capability), SL-A (achieved) triad.
• ISASecure modular certifications (SDLA, CSA, SSA).

Why Organizations Use It

• Mitigates OT risks (safety, downtime); supports regulatory alignment (horizontal standard).
• Enables shared responsibility (asset owners, integrators, suppliers).
• Procurement leverage, supply chain assurance, insurance benefits.
• Builds stakeholder trust via certifiable maturity (ML1–4).

Implementation Overview

• Phased: governance (CSMS per -2-1), risk assessment (-3-2), segmentation, controls (-3-3/-4-2).
• Applies to critical infrastructure globally; suits all sizes with pilots.
• Involves audits, training; optional ISASecure certification.