What It Is

California Consumer Privacy Act (CCPA), as amended by California Privacy Rights Act (CPRA), is a state regulation establishing consumer privacy rights for California residents. It targets for-profit businesses meeting thresholds like $25M revenue or handling 100K+ consumers' data. Primary purpose: empower consumers with control over personal information (PI) via rights-based approach including opt-out and data minimization.

Key Components

• Core consumer rights: know/access, delete, correct, opt-out sales/sharing, limit sensitive PI use
• Obligations: notices at collection, privacy policies, vendor contracts, GPC honoring
• Enforcement by CPPA and Attorney General with $2,500-$7,500 per violation fines
• No certification; compliance via audits, data mapping, DSAR handling

Why Organizations Use It

Mandatory for qualifying businesses to avoid fines, litigation from breaches. Reduces data risks, builds trust, enables market access. Strategic: improves governance, aligns with GDPR-like regimes for efficiency.

Implementation Overview

Phased: scoping/gap analysis (0-3 months), policies/contracts (1-4 months), technical controls (2-6 months), training/audits (ongoing). Applies globally to CA data handlers; cross-functional for tech, retail, ad firms. No formal certification; internal/external audits demonstrate reasonableness.

What It Is

ISO 37001 is the international standard for Anti-Bribery Management Systems (ABMS), a certifiable framework published in 2016 and revised in 2025. It specifies requirements to prevent, detect, and respond to bribery risks across organizations of any size, type, or sector. The standard employs a risk-based, proportionate approach aligned with the ISO Harmonized Structure (HS) and PDCA cycle.

Key Components

• Core clauses 4-10 cover context, leadership, planning, support, operations, evaluation, and improvement.
• Eight key controls: policy, compliance function, risk assessment, due diligence, training, financial/non-financial controls, reporting/investigations, continual improvement.
• Built on leadership accountability, third-party focus, and evidence-based auditing; optional third-party certification with 3-year cycles.

Why Organizations Use It

• Mitigates legal risks (e.g., FCPA, UK Bribery Act) via "reasonable steps" evidence.
• Drives efficiencies (up to 15% compliance cost reduction), reputational trust, ESG alignment.
• Enables market access, stakeholder confidence, cultural shifts.

Implementation Overview

• Phased: gap analysis, risk assessment, control design, training, audits.
• Scalable for SMEs to multinationals; integrates with ISO 9001/27001.
• Certification involves Stage 1/2 audits; transition to 2025 by 2027.