What It Is

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is a state regulation establishing consumer privacy rights for California residents. It applies to for-profit businesses meeting thresholds like $25M revenue or handling data of 100K+ consumers. Primary purpose: empower consumers with control over personal information (PI) via rights-based framework. Approach: operational compliance with notices, request handling, and vendor controls.

Key Components

• Core rights: know/access, delete, opt-out of sales/sharing, correct, limit sensitive PI use.
• Obligations: data mapping, notices at collection, Do Not Sell/Share links, GPC honoring.
• Enforcement by CPPA and Attorney General; fines $2,500-$7,500 per violation.
• No certification; compliance via audits, documentation proving "reasonable" practices.

Why Organizations Use It

Mandatory for qualifying businesses to avoid fines, litigation from breaches ($100-$750 per consumer). Strategic benefits: builds trust, reduces data risks, enables market access, aligns with GDPR. Enhances governance, efficiency via minimization.

Implementation Overview

Phased: scoping/gap analysis (0-3 months), policies/contracts (1-4 months), technical controls (2-6 months), training/audits (ongoing). Targets data-heavy industries globally if serving California. Requires cross-functional teams, automation for DSARs.

What It Is

NIST SP 800-53 Revision 5 is the U.S. federal government's primary catalog of security and privacy controls for information systems and organizations. This risk-based framework provides standardized safeguards to protect confidentiality, integrity, availability, and privacy risks, emphasizing flexible, outcome-oriented implementation integrated with the Risk Management Framework (RMF).

Key Components

• Organized into 20 control families (e.g., AC, AU, SR, PT) with over 1,100 base controls and enhancements.
• Baselines in SP 800-53B for low/moderate/high impact plus privacy baseline.
• Tailoring, overlays, parameters for customization; linked to SP 800-53A assessments.
• No formal certification; compliance via RMF authorization to operate (ATO).

Why Organizations Use It

• Mandatory for federal agencies/contractors under FISMA/OMB A-130; voluntary for others.
• Enhances risk management, operational resilience, supply chain security.
• Builds stakeholder trust, enables reciprocity, supports FedRAMP/cloud.

Implementation Overview

• Phased **RMF lifecyclecategorize, select/tailor baselines, implement, assess, monitor.
• Applies to all sizes/industries processing sensitive data; heavy documentation/training.
• Audits via continuous monitoring/POA&Ms (approx. 179 words).