What It Is

The California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA), is a comprehensive state regulation establishing consumer privacy rights for California residents. It targets for-profit businesses meeting thresholds like $25M revenue or handling 100K+ consumers' data, employing a rights-based, operational framework focused on transparency and control over personal information (PI), including sensitive categories.

Key Components

• Core consumer rights: know/access, delete, opt-out of sales/sharing, correct, limit sensitive PI use
• Obligations: notices at collection, privacy policies, DSAR handling within 45 days, vendor contracts, reasonable security
• Enforcement via CPPA and Attorney General with $2,500-$7,500 per-violation fines; private breach actions
• Built on data minimization, verification standards, Global Privacy Control (GPC) honoring

Why Organizations Use It

Mandatory for applicable businesses to avoid multimillion fines, litigation; enhances data governance, reduces breach risks, builds consumer trust, enables market differentiation, aligns with other privacy laws like GDPR for efficiency.

Implementation Overview

Phased approach: scoping/gap analysis (0-3 months), policies/contracts (1-4 months), technical controls (2-6 months), operationalization/training, ongoing audits. Targets enterprises handling CA data across industries; no certification but requires demonstrable compliance via documentation, metrics.

What It Is

ISO 31000:2018, Risk management — Guidelines is an international standard providing a principles-based framework for managing risk. It applies universally across sectors, focusing on systematic identification, assessment, treatment, monitoring, and communication of risks to create and protect value.

Key Components

• Eight core principles (integrated, structured, customized, inclusive, dynamic, best information, human factors, continual improvement)
• Framework (leadership, integration, design, implementation, evaluation, improvement)
• Process (communication, context/criteria, assessment, treatment, monitoring/review, recording/reporting)
• Non-certifiable; no fixed controls

Why Organizations Use It

• Enhances decision-making, resilience, and strategic advantage
• Meets regulatory benchmarks indirectly (e.g., Basel III)
• Drives operational efficiency, stakeholder trust, innovation
• Reduces losses, optimizes capital allocation

Implementation Overview

• Phased approach: diagnose/design, build/deploy, operate/optimize, institutionalize
• Applicable to all sizes/industries; customize to context
• Involves policy, training, tools (e.g., risk registers), audits; no formal certification