What It Is

California Consumer Privacy Act (CCPA), as amended by California Privacy Rights Act (CPRA), is a California state regulation establishing consumer privacy rights. It applies extraterritorially to for-profit businesses meeting thresholds: $25M+ revenue, 100K+ consumers' data, or 50%+ revenue from PI sales/sharing. Primary purpose: empower California residents with control over personal information (PI) via rights-based approach including opt-out, deletion, and sensitive PI limits.

Key Components

• Core consumer rights: know/access, delete, opt-out sales/sharing, correct, limit sensitive PI.
• Obligations: notices at collection, privacy policies, DSAR handling (45-90 days), GPC honoring, vendor contracts.
• Enforcement by CPPA and AG; fines $2,500-$7,500/violation; private breach actions.
• No certification; compliance via audits, documentation.

Why Organizations Use It

Mandatory for thresholds; avoids fines, litigation. Builds trust, differentiates in data-heavy sectors (tech, retail). Enhances governance, efficiency; aligns with GDPR-like regimes for scalability.

Implementation Overview

Phased: scoping/gap analysis (0-3 months), policies/contracts (1-4), technical controls (2-6), operationalization/training, audits. Cross-functional for enterprises doing business in California; tools like DSAR platforms essential. (178 words)

What It Is

POPIA (Protection of Personal Information Act, 2013, Act 4 of 2013) is South Africa’s comprehensive privacy regulation. It establishes minimum enforceable requirements for processing personal information of natural and juristic persons, using a principle-based approach with eight conditions for lawful processing, emphasizing accountability and risk management.

Key Components

• **Eight conditionsAccountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, data subject participation.
• **Core elementsData subject rights (access, correction, objection), mandatory Information Officer, operator contracts, breach notification (Section 22).
• Built on GDPR-aligned principles but includes juristic persons.
• Compliance via demonstrable controls, no formal certification.

Why Organizations Use It

• Legal mandate for South African processing activities.
• Mitigates fines (up to ZAR 10M), criminal penalties, civil claims.
• Enhances data governance, security, trust; supports B2B compliance.

Implementation Overview

• Phased: gap analysis, data mapping, governance, controls, training.
• Applies universally to private/public sectors in South Africa.
• Requires audits, DPIAs; ongoing Regulator oversight.