What It Is

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is a state regulation establishing consumer privacy rights for California residents. It targets for-profit businesses meeting thresholds like $25M revenue or handling data of 100K+ consumers/devices. Primary purpose: empower consumers with control over personal information (PI) via rights-based approach including opt-out of sales/sharing.

Key Components

• Core rights: know/access, delete, opt-out sale/sharing, correct, limit sensitive PI use
• Obligations: notices at collection, privacy policies, vendor contracts, reasonable security
• Enforcement by CPPA and Attorney General; no formal certification, but audits/fines up to $7,500/violation
• Built on broad PI definitions (identifiers, inferences, household data)

Why Organizations Use It

Mandatory for qualifying businesses to avoid fines, litigation from breaches ($100-$750/consumer). Strategic benefits: builds trust, reduces data risks, enables market access, aligns with GDPR-like regimes. Enhances reputation, operational efficiency via data minimization.

Implementation Overview

Phased: scoping/gap analysis (0-3 months), policies/contracts (1-4 months), technical controls (2-6 months), ongoing governance/training/audits. Applies globally to CA data handlers; cross-functional teams essential. No certification, but demonstrable compliance via documentation.

What It Is

REACH (Regulation (EC) No 1907/2006) is the EU's core chemicals regulation for Registration, Evaluation, Authorisation and Restriction of Chemicals. It shifts responsibility to industry for generating safety data on substances, mixtures, and articles. Scope covers manufacture, import, and use above 1 tonne/year, using a risk-based lifecycle approach with technical annexes defining data requirements.

Key Components

• Four pillars: Registration (dossiers via IUCLID), Evaluation (dossier/substance checks), Authorisation (Annex XIV SVHCs), Restriction (Annex XVII bans/limits).
• Annexes I-XVII detail info requirements, SDS rules, exemptions.
• Built on industry-led data generation, ECHA coordination, national enforcement.
• Continuous compliance model, no certification but mandatory dossiers/notifications.

Why Organizations Use It

• Legal mandate for EU market access, avoiding fines/market bans.
• Manages chemical risks, drives substitution, enhances supply chain transparency.
• Builds stakeholder trust, supports ESG/innovation, reduces liability.

Implementation Overview

• Phased: gap analysis, inventory, dossiers, SDS/comms, monitoring.
• Applies to manufacturers/importers/downstream users in chemicals/manufacturing.
• EU/EEA geography; audits via national authorities, 10-year records.