What It Is

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is a state regulation establishing consumer privacy rights for California residents. It targets for-profit businesses meeting thresholds like $25M revenue or handling 100K+ consumers' data. Primary purpose: empower consumers with control over personal information via rights-based approach including opt-out and data limits.

Key Components

• Core rights: know/access, delete, opt-out sales/sharing, correct, limit sensitive PI
• Notices at collection, privacy policies, vendor contracts
• Global Privacy Control (GPC) honoring, data minimization
• Enforcement by CPPA and Attorney General; no certification, but audits/fines

Why Organizations Use It

Mandatory for applicable businesses to avoid $2,500-$7,500 per-violation fines and breach litigation ($100-$750 per consumer). Reduces risks, builds trust, enables data governance efficiency, aligns with GDPR-like regimes for market access.

Implementation Overview

Phased: scoping/gap analysis (0-3 months), policies/contracts (1-4 months), technical controls (2-6 months), operationalization/training, audits. Applies globally to CA data handlers; cross-functional teams needed for tech, legal, security integration.

What It Is

ISO 28000:2022 is an international standard specifying requirements for a security management system (SMS) focused on supply chain security. It adopts a risk-based, PDCA (Plan-Do-Check-Act) approach to manage threats like theft, sabotage, and disruptions.

Key Components

• Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, and improvement.
• Emphasizes risk assessment (aligned with ISO 31000), security policies, operational controls, and supplier interdependencies.
• Built on harmonized ISO structure for integration; supports third-party certification per ISO 28003.

Why Organizations Use It

• Reduces supply chain risks, ensures compliance, and meets partner requirements.
• Delivers continuity, insurance savings, and market access.
• Builds stakeholder trust through auditable governance.

Implementation Overview

• Phased: gap analysis, risk assessment, controls deployment, training, audits.
• Applicable to all sizes/industries; certification via Stage 1/2 audits. (178 words)