bmad-plus 0.7.4 → 0.8.0

Files changed (294)
  1. package/CHANGELOG.md +450 -407
  2. package/LICENSE +21 -0
  3. package/README.md +555 -446
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +576 -426
  31. package/readme-international/README.es.md +578 -518
  32. package/readme-international/README.fr.md +576 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +325 -325
  46. package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +55 -55
  47. package/src/bmad-plus/agents/pack-backup/backup-agent.md +71 -71
  48. package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +51 -51
  49. package/src/bmad-plus/agents/pack-seo/SKILL.md +171 -171
  50. package/src/bmad-plus/agents/pack-seo/checklist.md +140 -140
  51. package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +320 -320
  52. package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +187 -187
  53. package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +87 -87
  54. package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +123 -123
  55. package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +167 -167
  56. package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +153 -153
  57. package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +133 -133
  58. package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +91 -91
  59. package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +356 -356
  60. package/src/bmad-plus/agents/pack-seo/seo-chief.md +294 -294
  61. package/src/bmad-plus/agents/pack-seo/seo-judge.md +241 -241
  62. package/src/bmad-plus/agents/pack-seo/seo-scout.md +171 -171
  63. package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +241 -241
  64. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  65. package/src/bmad-plus/module-help.csv +10 -10
  66. package/src/bmad-plus/module.yaml +283 -280
  67. package/src/bmad-plus/packs/pack-animated/animated-website-agent.md +325 -0
  68. package/src/bmad-plus/packs/pack-animated/templates/animated-website-workflow.md +55 -0
  69. package/src/bmad-plus/packs/pack-backup/backup-agent.md +71 -0
  70. package/src/bmad-plus/packs/pack-backup/templates/backup-workflow.md +51 -0
  71. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  111. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  112. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  113. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  114. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  115. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  116. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  117. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  118. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  119. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  120. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  121. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  122. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  123. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  124. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  125. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  126. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  127. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  128. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  129. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  130. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  131. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  132. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  133. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  134. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  135. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  136. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  137. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  138. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  139. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  140. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  141. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  142. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  143. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  144. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  145. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  146. package/src/bmad-plus/packs/pack-seo/SKILL.md +171 -0
  147. package/src/bmad-plus/packs/pack-seo/checklist.md +140 -0
  148. package/src/bmad-plus/packs/pack-seo/pagespeed-playbook.md +320 -0
  149. package/src/bmad-plus/packs/pack-seo/ref/audit-schema.json +187 -0
  150. package/src/bmad-plus/packs/pack-seo/ref/cwv-thresholds.md +87 -0
  151. package/src/bmad-plus/packs/pack-seo/ref/eeat-criteria.md +123 -0
  152. package/src/bmad-plus/packs/pack-seo/ref/geo-signals.md +167 -0
  153. package/src/bmad-plus/packs/pack-seo/ref/hreflang-rules.md +153 -0
  154. package/src/bmad-plus/packs/pack-seo/ref/quality-gates.md +133 -0
  155. package/src/bmad-plus/packs/pack-seo/ref/schema-catalog.md +91 -0
  156. package/src/bmad-plus/packs/pack-seo/ref/schema-templates.json +356 -0
  157. package/src/bmad-plus/packs/pack-seo/seo-chief.md +294 -0
  158. package/src/bmad-plus/packs/pack-seo/seo-judge.md +241 -0
  159. package/src/bmad-plus/packs/pack-seo/seo-scout.md +171 -0
  160. package/src/bmad-plus/packs/pack-seo/templates/seo-audit-workflow.md +241 -0
  161. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  162. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  163. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  164. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  165. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  166. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  167. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  168. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  169. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  170. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  171. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  172. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  173. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  174. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  175. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  176. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  177. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  178. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  179. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  180. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  181. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  182. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  183. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  184. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  185. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  186. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  187. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  188. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  189. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  190. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  191. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  192. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  193. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  194. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  195. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  196. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  197. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  198. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  199. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  200. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  201. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  202. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  203. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  204. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  205. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  206. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  207. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  208. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  209. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  210. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  211. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  212. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  213. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  214. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  215. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  216. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  217. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  218. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  219. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  220. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  221. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  222. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  223. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  224. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  225. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  226. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  227. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  228. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  229. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  230. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  231. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  232. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  233. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  234. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  235. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  236. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  237. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  238. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  239. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  240. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  241. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  242. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  243. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  244. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  245. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  246. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  247. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  248. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  249. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  250. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  251. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  252. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  253. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  254. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  255. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  256. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  257. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  258. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  259. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  260. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  261. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  262. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  263. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  264. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  265. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  266. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  267. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  268. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  269. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  270. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  271. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  272. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  273. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  274. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  275. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  276. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  277. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  278. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  279. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  280. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  281. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  282. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  283. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  284. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  285. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  286. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  287. package/tools/cli/commands/autoconfig.js +498 -489
  288. package/tools/cli/commands/doctor.js +222 -175
  289. package/tools/cli/commands/install.js +739 -739
  290. package/tools/cli/commands/memory.js +194 -194
  291. package/tools/cli/commands/scan.js +360 -350
  292. package/tools/cli/commands/uninstall.js +96 -96
  293. package/tools/cli/commands/update.js +174 -174
  294. package/tools/cli/i18n.js +763 -763
@@ -1,117 +1,117 @@
1
- # CCPA/CPRA vs. GDPR — Side-by-Side Comparison
2
-
3
- For organisations subject to both laws (e.g., a US company with EU customers, or an EU company with California customers), understanding the differences and overlaps is essential to building an efficient dual-compliance programme.
4
-
5
- ---
6
-
7
- ## Scope & Applicability
8
-
9
- | Dimension | CCPA/CPRA | GDPR |
10
- |---|---|---|
11
- | **Jurisdictional trigger** | Doing business in California | Processing EU/EEA/UK residents' personal data |
12
- | **Who is covered** | For-profit businesses meeting threshold criteria | Any controller or processor, regardless of size or location |
13
- | **Size/revenue thresholds** | Yes — $25M revenue OR 100K+ consumers OR 50%+ revenue from PI sale/sharing | No — applies to any organisation processing EU personal data |
14
- | **Non-profits** | Generally exempt | Covered |
15
- | **Government entities** | Exempt | Covered (public authorities have specific rules) |
16
- | **B2B data** | Generally excluded (employee data limited exemption extended by CPRA) | Covered |
17
-
18
- ---
19
-
20
- ## Key Definitions
21
-
22
- | Concept | CCPA/CPRA | GDPR |
23
- |---|---|---|
24
- | **Personal data/PI** | Broadly defined; includes household data | Broadly defined; personal to identified/identifiable individual only |
25
- | **Special/sensitive categories** | CPRA SPI: SSN, precise geolocation, biometric, health, racial/ethnic, religious, union, sexual orientation, genetic, credentials, comms content | Special categories: racial/ethnic, political opinion, religious, union, genetic, biometric, health, sex life, sexual orientation |
26
- | **Controller equivalent** | "Business" | "Controller" |
27
- | **Processor equivalent** | "Service Provider" + "Contractor" (CPRA) | "Processor" |
28
- | **Third party** | Entity that receives PI that is not a service provider/contractor | Not separately defined in same way |
29
- | **Sale of data** | Broad: monetary or other valuable consideration | No equivalent concept; disclosure to third party = separate processing activity |
30
- | **Sharing (cross-context behavioral advertising)** | CPRA-specific concept | No direct equivalent; covered under legitimate interests or consent for tracking |
31
-
32
- ---
33
-
34
- ## Lawful Basis
35
-
36
- | Aspect | CCPA/CPRA | GDPR |
37
- |---|---|---|
38
- | **Basis for processing** | No lawful basis requirement — businesses can collect PI without consent (for most purposes) | Requires one of six lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interests) |
39
- | **Consent for sensitive data** | Right to limit SPI use (opt-out model for most businesses) | Explicit consent required for special category data (with narrow exceptions) |
40
- | **Opt-in vs. opt-out** | Primarily opt-out model (consumers must affirmatively request opt-out) | Primarily opt-in model (consent must be freely given, specific, informed, unambiguous) |
41
- | **Minors (under 16)** | Opt-in required for sale/sharing of PI of consumers 13–16; parental consent under 13 | GDPR age of consent varies by Member State (13–16); parental consent for under-16 processing based on consent |
42
-
43
- ---
44
-
45
- ## Consumer / Data Subject Rights
46
-
47
- | Right | CCPA/CPRA | GDPR |
48
- |---|---|---|
49
- | **Right to access** | Yes — specific pieces + categories (12-month scope pre-CPRA, no limit post-Jan 2022) | Yes — all personal data, no 12-month limitation |
50
- | **Right to delete** | Yes — with numerous exceptions | Yes (right to erasure) — with exceptions |
51
- | **Right to correct** | Yes (CPRA addition) | Yes (right to rectification) |
52
- | **Right to portability** | Yes — portable format in access request | Yes — explicitly structured, commonly used, machine-readable format |
53
- | **Right to opt-out of sale** | Yes — "Do Not Sell or Share My Personal Information" | No direct equivalent; may be covered by withdrawal of consent or objection to legitimate interests |
54
- | **Right to restrict processing** | Limited — SPI limitation right (CPRA) | Yes — broader right to restrict processing |
55
- | **Right to object** | Limited — opt-out of sale/sharing | Yes — right to object to processing based on legitimate interests or direct marketing |
56
- | **Automated decision-making** | Pending CPPA rulemaking; opt-out right likely | Yes (Art. 22) — right not to be subject to solely automated decisions with significant effects |
57
- | **Non-discrimination** | Yes (§1798.125) | No direct equivalent |
58
- | **Response deadline** | 45 days + 45-day extension; SPI limit: 15 business days | 1 month + 2-month extension |
59
-
60
- ---
61
-
62
- ## Privacy Notices
63
-
64
- | Requirement | CCPA/CPRA | GDPR |
65
- |---|---|---|
66
- | **At-collection notice** | Yes — categories, purposes, whether PI is sold/shared, link to privacy policy | Yes — Art. 13/14 privacy notice at collection |
67
- | **Privacy policy** | Yes — comprehensive; updated annually | Yes — privacy notice must be accessible |
68
- | **Retention periods** | Yes (CPRA addition) | Yes (must be specified or criteria stated) |
69
- | **Lawful basis disclosure** | No — not applicable | Yes — must identify lawful basis for each processing purpose |
70
- | **GPC signal** | Must honor as valid opt-out | No equivalent; but ePrivacy Directive may cover browser signals |
71
-
72
- ---
73
-
74
- ## Vendor / Third-Party Management
75
-
76
- | Aspect | CCPA/CPRA | GDPR |
77
- |---|---|---|
78
- | **Processor agreements** | Required with service providers and contractors | Required Data Processing Agreements (Art. 28) |
79
- | **Contract requirements** | Purpose limitation, prohibition on resale, deletion, audit rights | Detailed Art. 28 requirements: processing only on instructions, security, subprocessor rules, return/deletion |
80
- | **Sub-processor** | Contractor / downstream service provider must also comply | Subprocessors require DPA + controller notification/approval |
81
- | **International transfers** | No transfer restriction mechanism (CCPA does not restrict cross-border transfers) | Restricted to adequate countries or requires transfer mechanism (SCCs, BCRs, adequacy decision) |
82
-
83
- ---
84
-
85
- ## Enforcement & Penalties
86
-
87
- | Aspect | CCPA/CPRA | GDPR |
88
- |---|---|---|
89
- | **Enforcement body** | California Privacy Protection Agency (CPPA) + California AG | Data Protection Authorities (DPAs) in each EU/EEA Member State |
90
- | **Civil penalties** | $2,500 per unintentional / $7,500 per intentional violation | Up to €10M or 2% (lower tier) / €20M or 4% (higher tier) of global annual turnover |
91
- | **Private right of action** | Yes — but limited to data breaches: $100–$750 per consumer per incident | Limited; EU Member States vary; class actions being developed |
92
- | **Criminal penalties** | No direct CCPA criminal liability | Some Member States have criminal provisions |
93
- | **Cure period** | 30-day cure notice period (for AG actions; CPPA administrative actions may differ) | No formal cure period |
94
-
95
- ---
96
-
97
- ## Practical Dual-Compliance Guidance
98
-
99
- For organisations subject to both frameworks, the GDPR is generally the more demanding law. A GDPR-compliant programme will cover most CCPA/CPRA obligations with targeted additions:
100
-
101
- **What GDPR already covers:**
102
- - Privacy notices (at collection and policy)
103
- - Consumer/data subject rights processes (access, delete, correct, portability)
104
- - Processor agreements
105
- - Data minimization and purpose limitation
106
- - Retention schedules
107
- - Security measures
108
-
109
- **CCPA/CPRA-specific additions needed:**
110
- 1. Add **"Do Not Sell or Share My Personal Information"** link and opt-out workflow
111
- 2. Honor **Global Privacy Control (GPC)** signals
112
- 3. Add **"Limit the Use of My Sensitive Personal Information"** link and 15-day response workflow
113
- 4. Review vendor classification: are all "processors" actually **service providers** under CCPA (contracts may need updating)?
114
- 5. Implement **minors' opt-in** consent for sale/sharing (under 16)
115
- 6. Add **financial incentive / loyalty programme** disclosures if applicable
116
- 7. Confirm business threshold compliance annually — revenues and data volume thresholds
117
- 8. Prepare for **CPPA rulemaking** on automated decision-making and cybersecurity audits
1
+ # CCPA/CPRA vs. GDPR — Side-by-Side Comparison
2
+
3
+ For organisations subject to both laws (e.g., a US company with EU customers, or an EU company with California customers), understanding the differences and overlaps is essential to building an efficient dual-compliance programme.
4
+
5
+ ---
6
+
7
+ ## Scope & Applicability
8
+
9
+ | Dimension | CCPA/CPRA | GDPR |
10
+ |---|---|---|
11
+ | **Jurisdictional trigger** | Doing business in California | Processing EU/EEA/UK residents' personal data |
12
+ | **Who is covered** | For-profit businesses meeting threshold criteria | Any controller or processor, regardless of size or location |
13
+ | **Size/revenue thresholds** | Yes — $25M revenue OR 100K+ consumers OR 50%+ revenue from PI sale/sharing | No — applies to any organisation processing EU personal data |
14
+ | **Non-profits** | Generally exempt | Covered |
15
+ | **Government entities** | Exempt | Covered (public authorities have specific rules) |
16
+ | **B2B data** | Generally excluded (employee data limited exemption extended by CPRA) | Covered |
17
+
18
+ ---
19
+
20
+ ## Key Definitions
21
+
22
+ | Concept | CCPA/CPRA | GDPR |
23
+ |---|---|---|
24
+ | **Personal data/PI** | Broadly defined; includes household data | Broadly defined; personal to identified/identifiable individual only |
25
+ | **Special/sensitive categories** | CPRA SPI: SSN, precise geolocation, biometric, health, racial/ethnic, religious, union, sexual orientation, genetic, credentials, comms content | Special categories: racial/ethnic, political opinion, religious, union, genetic, biometric, health, sex life, sexual orientation |
26
+ | **Controller equivalent** | "Business" | "Controller" |
27
+ | **Processor equivalent** | "Service Provider" + "Contractor" (CPRA) | "Processor" |
28
+ | **Third party** | Entity that receives PI that is not a service provider/contractor | Not separately defined in same way |
29
+ | **Sale of data** | Broad: monetary or other valuable consideration | No equivalent concept; disclosure to third party = separate processing activity |
30
+ | **Sharing (cross-context behavioral advertising)** | CPRA-specific concept | No direct equivalent; covered under legitimate interests or consent for tracking |
31
+
32
+ ---
33
+
34
+ ## Lawful Basis
35
+
36
+ | Aspect | CCPA/CPRA | GDPR |
37
+ |---|---|---|
38
+ | **Basis for processing** | No lawful basis requirement — businesses can collect PI without consent (for most purposes) | Requires one of six lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interests) |
39
+ | **Consent for sensitive data** | Right to limit SPI use (opt-out model for most businesses) | Explicit consent required for special category data (with narrow exceptions) |
40
+ | **Opt-in vs. opt-out** | Primarily opt-out model (consumers must affirmatively request opt-out) | Primarily opt-in model (consent must be freely given, specific, informed, unambiguous) |
41
+ | **Minors (under 16)** | Opt-in required for sale/sharing of PI of consumers 13–16; parental consent under 13 | GDPR age of consent varies by Member State (13–16); parental consent for under-16 processing based on consent |
42
+
43
+ ---
44
+
45
+ ## Consumer / Data Subject Rights
46
+
47
+ | Right | CCPA/CPRA | GDPR |
48
+ |---|---|---|
49
+ | **Right to access** | Yes — specific pieces + categories (12-month scope pre-CPRA, no limit post-Jan 2022) | Yes — all personal data, no 12-month limitation |
50
+ | **Right to delete** | Yes — with numerous exceptions | Yes (right to erasure) — with exceptions |
51
+ | **Right to correct** | Yes (CPRA addition) | Yes (right to rectification) |
52
+ | **Right to portability** | Yes — portable format in access request | Yes — explicitly structured, commonly used, machine-readable format |
53
+ | **Right to opt-out of sale** | Yes — "Do Not Sell or Share My Personal Information" | No direct equivalent; may be covered by withdrawal of consent or objection to legitimate interests |
54
+ | **Right to restrict processing** | Limited — SPI limitation right (CPRA) | Yes — broader right to restrict processing |
55
+ | **Right to object** | Limited — opt-out of sale/sharing | Yes — right to object to processing based on legitimate interests or direct marketing |
56
+ | **Automated decision-making** | Pending CPPA rulemaking; opt-out right likely | Yes (Art. 22) — right not to be subject to solely automated decisions with significant effects |
57
+ | **Non-discrimination** | Yes (§1798.125) | No direct equivalent |
58
+ | **Response deadline** | 45 days + 45-day extension; SPI limit: 15 business days | 1 month + 2-month extension |
59
+
60
+ ---
61
+
62
+ ## Privacy Notices
63
+
64
+ | Requirement | CCPA/CPRA | GDPR |
65
+ |---|---|---|
66
+ | **At-collection notice** | Yes — categories, purposes, whether PI is sold/shared, link to privacy policy | Yes — Art. 13/14 privacy notice at collection |
67
+ | **Privacy policy** | Yes — comprehensive; updated annually | Yes — privacy notice must be accessible |
68
+ | **Retention periods** | Yes (CPRA addition) | Yes (must be specified or criteria stated) |
69
+ | **Lawful basis disclosure** | No — not applicable | Yes — must identify lawful basis for each processing purpose |
70
+ | **GPC signal** | Must honor as valid opt-out | No equivalent; but ePrivacy Directive may cover browser signals |
71
+
72
+ ---
73
+
74
+ ## Vendor / Third-Party Management
75
+
76
+ | Aspect | CCPA/CPRA | GDPR |
77
+ |---|---|---|
78
+ | **Processor agreements** | Required with service providers and contractors | Required Data Processing Agreements (Art. 28) |
79
+ | **Contract requirements** | Purpose limitation, prohibition on resale, deletion, audit rights | Detailed Art. 28 requirements: processing only on instructions, security, subprocessor rules, return/deletion |
80
+ | **Sub-processor** | Contractor / downstream service provider must also comply | Subprocessors require DPA + controller notification/approval |
81
+ | **International transfers** | No transfer restriction mechanism (CCPA does not restrict cross-border transfers) | Restricted to adequate countries or requires transfer mechanism (SCCs, BCRs, adequacy decision) |
82
+
83
+ ---
84
+
85
+ ## Enforcement & Penalties
86
+
87
+ | Aspect | CCPA/CPRA | GDPR |
88
+ |---|---|---|
89
+ | **Enforcement body** | California Privacy Protection Agency (CPPA) + California AG | Data Protection Authorities (DPAs) in each EU/EEA Member State |
90
+ | **Civil penalties** | $2,500 per unintentional / $7,500 per intentional violation | Up to €10M or 2% (lower tier) / €20M or 4% (higher tier) of global annual turnover |
91
+ | **Private right of action** | Yes — but limited to data breaches: $100–$750 per consumer per incident | Limited; EU Member States vary; class actions being developed |
92
+ | **Criminal penalties** | No direct CCPA criminal liability | Some Member States have criminal provisions |
93
+ | **Cure period** | 30-day cure notice period (for AG actions; CPPA administrative actions may differ) | No formal cure period |
94
+
95
+ ---
96
+
97
+ ## Practical Dual-Compliance Guidance
98
+
99
+ For organisations subject to both frameworks, the GDPR is generally the more demanding law. A GDPR-compliant programme will cover most CCPA/CPRA obligations with targeted additions:
100
+
101
+ **What GDPR already covers:**
102
+ - Privacy notices (at collection and policy)
103
+ - Consumer/data subject rights processes (access, delete, correct, portability)
104
+ - Processor agreements
105
+ - Data minimization and purpose limitation
106
+ - Retention schedules
107
+ - Security measures
108
+
109
+ **CCPA/CPRA-specific additions needed:**
110
+ 1. Add **"Do Not Sell or Share My Personal Information"** link and opt-out workflow
111
+ 2. Honor **Global Privacy Control (GPC)** signals
112
+ 3. Add **"Limit the Use of My Sensitive Personal Information"** link and 15-day response workflow
113
+ 4. Review vendor classification: are all "processors" actually **service providers** under CCPA (contracts may need updating)?
114
+ 5. Implement **minors' opt-in** consent for sale/sharing (under 16)
115
+ 6. Add **financial incentive / loyalty programme** disclosures if applicable
116
+ 7. Confirm business threshold compliance annually — revenues and data volume thresholds
117
+ 8. Prepare for **CPPA rulemaking** on automated decision-making and cybersecurity audits
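Review bot: every removed line in this hunk reappears unchanged as an added line (the `- | Right | CCPA/CPRA | GDPR |` table through `- 8. Prepare for **CPPA rulemaking** …` is byte-for-byte the same as the `+` block that follows), so the rendered diff shows no substantive edit to this comparison document. That pattern almost always means a line-ending (CRLF/LF) or trailing-whitespace rewrite of the whole file; please confirm that is the intended change and, if so, normalise line endings at the repository level (a `.gitattributes` `text=auto` rule or an `.editorconfig` setting) so future package diffs surface only real changes to the CCPA/GDPR tables. While here: the "Jurisdictional trigger" cell for GDPR reads "Processing EU/EEA/UK residents' personal data", yet the Enforcement table lists only "DPAs in each EU/EEA Member State"; either drop the UK from the trigger cell or add a short note that the UK regime is covered separately, so the two tables agree.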
@@ -1,177 +1,177 @@
1
- # CCPA/CPRA Consumer Rights — Fulfillment Workflows
2
-
3
- ## General Request Handling Principles
4
-
5
- **Intake channels (§1798.130):** Businesses must provide at least two methods for submitting requests, including (where applicable) a toll-free phone number and a web form or email. Online-only businesses may provide an email address as one method.
6
-
7
- **Identity verification:** Must verify consumer identity before disclosing or deleting PI. Verification requirements scale with sensitivity:
8
- - For non-sensitive requests: match 2 data points the business already holds
9
- - For sensitive PI / financial data: match 3 data points + signed declaration under penalty of perjury
10
- - For requests submitted through an authorized agent: require written permission + verification of agent identity
11
-
12
- **Response timelines:** 45 calendar days from receipt (extendable once by another 45 days with notice). For SPI limitation requests: 15 business days.
13
-
14
- **Free of charge:** Requests must be fulfilled free of charge, twice per 12-month period. Businesses may charge a reasonable fee for additional requests within 12 months if manifestly unfounded or excessive.
15
-
16
- ---
17
-
18
- ## Right to Know (§1798.110 / §1798.115)
19
-
20
- **What must be disclosed:**
21
- - Specific pieces of PI collected about the consumer
22
- - Categories of PI collected
23
- - Categories of sources from which PI was collected
24
- - Business or commercial purpose for collecting, selling, or sharing PI
25
- - Categories of third parties to whom PI was disclosed
26
- - Categories of PI sold or shared and the categories of third parties to whom it was sold/shared
27
-
28
- **Scope:** Covers PI collected in the 12 months prior to request (and ongoing from January 1, 2022 under CPRA, with no 12-month limit for data collected after that date).
29
-
30
- **Exceptions where disclosure can be refused:**
31
- - Would require disclosing third-party trade secrets
32
- - Would conflict with federal/state law
33
- - PI collected for single one-time transaction and not retained
34
- - PI solely for internal operations consistent with context of collection
35
- - Solely used to complete the transaction for which collected
36
-
37
- **Workflow:**
38
- 1. Receive and log request with timestamp
39
- 2. Verify consumer identity (2-point match for standard requests)
40
- 3. Search PI systems using identifying data
41
- 4. Compile responsive PI across all systems (CRM, analytics, ad tech, etc.)
42
- 5. Apply exceptions — remove third-party trade secrets, conflicting legal holds
43
- 6. Deliver response in portable, readily usable format within 45 days
44
- 7. Provide notice if extension is needed (within original 45-day window)
45
-
46
- ---
47
-
48
- ## Right to Delete (§1798.105)
49
-
50
- **Business must:**
51
- - Delete the consumer's PI from its records
52
- - Direct service providers and contractors to delete the PI
53
-
54
- **Exceptions (business may retain PI if necessary to):**
55
- 1. Complete a transaction or perform a contract
56
- 2. Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity
57
- 3. Fix errors that impair intended functionality
58
- 4. Exercise free speech or ensure another consumer's right to free speech
59
- 5. Comply with a legal obligation (CCPA §1798.145(a))
60
- 6. Use PI solely for internal purposes in a manner compatible with the context of collection (limited CPRA exception)
61
- 7. Research, journalism, or statistical purposes in the public interest
62
-
63
- **Workflow:**
64
- 1. Receive and log deletion request
65
- 2. Verify consumer identity
66
- 3. Check if any exceptions apply; document reasoning if invoking an exception
67
- 4. If proceeding with deletion: identify all PI records, propagate deletion to service providers and contractors
68
- 5. Confirm deletion to consumer (or explain exception invoked) within 45 days
69
- 6. Retain deletion request records (for proof of compliance) — note: retaining the request itself is not a contradiction
70
-
71
- ---
72
-
73
- ## Right to Correct (§1798.106) — CPRA Addition
74
-
75
- **What the business must do:**
76
- - Take commercially reasonable steps to correct inaccurate PI
77
- - Instruct service providers and contractors to correct the PI
78
- - Consumer must provide documentation if business contests the claimed inaccuracy
79
-
80
- **Business may decline if:**
81
- - Correction would require revealing another individual's PI
82
- - Business disagrees the PI is inaccurate and documents its decision
83
-
84
- **Workflow:**
85
- 1. Receive correction request with claimed correction details
86
- 2. Verify consumer identity
87
- 3. Evaluate accuracy of the claimed correction (may request supporting documentation)
88
- 4. If agreeing to correct: update all relevant systems; instruct service providers and contractors
89
- 5. Notify consumer of outcome within 45 days
90
-
91
- ---
92
-
93
- ## Right to Opt-Out of Sale / Sharing (§1798.120)
94
-
95
- **Scope:** Applies to:
96
- - **Sale**: disclosure of PI to a third party for monetary or other valuable consideration
97
- - **Sharing** (CPRA): disclosure of PI to a third party for cross-context behavioral advertising
98
-
99
- **Mechanics:**
100
- - "Do Not Sell or Share My Personal Information" link must be prominently placed on homepage and in privacy policy
101
- - Must honor the **Global Privacy Control (GPC)** signal as a valid opt-out — the CPPA has confirmed GPC compliance is required
102
- - Once opted out, the business must wait **12 months** before asking the consumer to re-consent
103
-
104
- **Impact on advertising:**
105
- - Opt-out means the business cannot pass PI (including cookie IDs, device fingerprints) to ad tech partners, ad exchanges, or DMPs for targeting
106
- - Analytics via first-party tools that do not involve PI disclosure to third parties are typically not affected
107
-
108
- **Workflow:**
109
- 1. Consumer submits opt-out via link, form, or GPC signal
110
- 2. No identity verification required for opt-out (only reasonable verification to confirm they are the consumer)
111
- 3. Update consent/preference management platform within 15 business days
112
- 4. Propagate opt-out to service providers and contractors engaged in sale/sharing
113
- 5. Do not contact consumer for 12 months to ask them to reconsider
114
-
115
- ---
116
-
117
- ## Right to Limit Use of Sensitive Personal Information (§1798.121) — CPRA Addition
118
-
119
- **Sensitive Personal Information (SPI) categories:**
120
- - Social Security numbers, driver's license, passport, other government IDs
121
- - Financial account credentials (login + security code)
122
- - Precise geolocation (within 1/4 mile)
123
- - Racial/ethnic origin, religious/philosophical beliefs, union membership
124
- - Contents of consumer mail, email, or text messages (unless business is the intended recipient)
125
- - Genetic data
126
- - Biometric data for uniquely identifying a person
127
- - Health/medical information
128
- - Sexual orientation or sex life
129
-
130
- **Permitted uses without limitation right:**
131
- Business may use SPI without offering limitation if the purpose is:
132
- - Performing services or providing goods reasonably expected by a consumer
133
- - Safety, security, and integrity of services
134
- - Short-term, transient use (e.g., contextual ad based on current session)
135
- - Services on behalf of the business (service provider context)
136
- - Verifying or maintaining quality of services
137
- - Activities for which SPI was provided
138
-
139
- **Workflow:**
140
- 1. Provide "Limit the Use of My Sensitive Personal Information" link on homepage (alongside or combined with "Do Not Sell or Share" link)
141
- 2. Consumer exercises right — no identity verification required beyond confirming consumer identity
142
- 3. Process within **15 business days**
143
- 4. Restrict use of SPI to only the permitted purposes listed above
144
- 5. Propagate limitation to service providers and contractors
145
-
146
- ---
147
-
148
- ## Right to Non-Discrimination (§1798.125)
149
-
150
- Businesses **cannot**, because a consumer exercised a CCPA/CPRA right:
151
- - Deny goods or services
152
- - Charge a different price (except where directly related to value of data)
153
- - Provide a different level or quality of goods/services
154
- - Suggest any of the above will occur
155
-
156
- **Exception:** Businesses may offer financial incentives (loyalty programs, discounts) in exchange for PI, provided:
157
- - The financial incentive is reasonably related to the value of the consumer's PI
158
- - Consumer provides opt-in consent with a clear description of material terms
159
- - Consumer can withdraw at any time
160
-
161
- ---
162
-
163
- ## Authorized Agent Requests
164
-
165
- Consumers may designate an authorized agent to submit requests on their behalf. Business must:
166
- - Require written permission from the consumer (signed authorization)
167
- - Verify the agent's identity
168
- - May require direct verification with the consumer as well (except for opt-out requests where agent has power of attorney)
169
-
170
- ---
171
-
172
- ## Record-Keeping
173
-
174
- **CPRA requires businesses handling PI of 10M+ consumers/households** to maintain records of:
175
- - Consumer requests and responses for 24 months
176
- - Disclosures for 24 months
177
- - Training records for CCPA/CPRA compliance
1
+ # CCPA/CPRA Consumer Rights — Fulfillment Workflows
2
+
3
+ ## General Request Handling Principles
4
+
5
+ **Intake channels (§1798.130):** Businesses must provide at least two methods for submitting requests, including (where applicable) a toll-free phone number and a web form or email. Online-only businesses may provide an email address as one method.
6
+
7
+ **Identity verification:** Must verify consumer identity before disclosing or deleting PI. Verification requirements scale with sensitivity:
8
+ - For non-sensitive requests: match 2 data points the business already holds
9
+ - For sensitive PI / financial data: match 3 data points + signed declaration under penalty of perjury
10
+ - For requests submitted through an authorized agent: require written permission + verification of agent identity
11
+
12
+ **Response timelines:** 45 calendar days from receipt (extendable once by another 45 days with notice). For SPI limitation requests: 15 business days.
13
+
14
+ **Free of charge:** Requests must be fulfilled free of charge, twice per 12-month period. Businesses may charge a reasonable fee for additional requests within 12 months if manifestly unfounded or excessive.
15
+
16
+ ---
17
+
18
+ ## Right to Know (§1798.110 / §1798.115)
19
+
20
+ **What must be disclosed:**
21
+ - Specific pieces of PI collected about the consumer
22
+ - Categories of PI collected
23
+ - Categories of sources from which PI was collected
24
+ - Business or commercial purpose for collecting, selling, or sharing PI
25
+ - Categories of third parties to whom PI was disclosed
26
+ - Categories of PI sold or shared and the categories of third parties to whom it was sold/shared
27
+
28
+ **Scope:** Covers PI collected in the 12 months prior to request (and ongoing from January 1, 2022 under CPRA, with no 12-month limit for data collected after that date).
29
+
30
+ **Exceptions where disclosure can be refused:**
31
+ - Would require disclosing third-party trade secrets
32
+ - Would conflict with federal/state law
33
+ - PI collected for single one-time transaction and not retained
34
+ - PI solely for internal operations consistent with context of collection
35
+ - Solely used to complete the transaction for which collected
36
+
37
+ **Workflow:**
38
+ 1. Receive and log request with timestamp
39
+ 2. Verify consumer identity (2-point match for standard requests)
40
+ 3. Search PI systems using identifying data
41
+ 4. Compile responsive PI across all systems (CRM, analytics, ad tech, etc.)
42
+ 5. Apply exceptions — remove third-party trade secrets, conflicting legal holds
43
+ 6. Deliver response in portable, readily usable format within 45 days
44
+ 7. Provide notice if extension is needed (within original 45-day window)
45
+
46
+ ---
47
+
48
+ ## Right to Delete (§1798.105)
49
+
50
+ **Business must:**
51
+ - Delete the consumer's PI from its records
52
+ - Direct service providers and contractors to delete the PI
53
+
54
+ **Exceptions (business may retain PI if necessary to):**
55
+ 1. Complete a transaction or perform a contract
56
+ 2. Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity
57
+ 3. Fix errors that impair intended functionality
58
+ 4. Exercise free speech or ensure another consumer's right to free speech
59
+ 5. Comply with a legal obligation (CCPA §1798.145(a))
60
+ 6. Use PI solely for internal purposes in a manner compatible with the context of collection (limited CPRA exception)
61
+ 7. Research, journalism, or statistical purposes in the public interest
62
+
63
+ **Workflow:**
64
+ 1. Receive and log deletion request
65
+ 2. Verify consumer identity
66
+ 3. Check if any exceptions apply; document reasoning if invoking an exception
67
+ 4. If proceeding with deletion: identify all PI records, propagate deletion to service providers and contractors
68
+ 5. Confirm deletion to consumer (or explain exception invoked) within 45 days
69
+ 6. Retain deletion request records (for proof of compliance) — note: retaining the request itself is not a contradiction
70
+
71
+ ---
72
+
73
+ ## Right to Correct (§1798.106) — CPRA Addition
74
+
75
+ **What the business must do:**
76
+ - Take commercially reasonable steps to correct inaccurate PI
77
+ - Instruct service providers and contractors to correct the PI
78
+ - Consumer must provide documentation if business contests the claimed inaccuracy
79
+
80
+ **Business may decline if:**
81
+ - Correction would require revealing another individual's PI
82
+ - Business disagrees the PI is inaccurate and documents its decision
83
+
84
+ **Workflow:**
85
+ 1. Receive correction request with claimed correction details
86
+ 2. Verify consumer identity
87
+ 3. Evaluate accuracy of the claimed correction (may request supporting documentation)
88
+ 4. If agreeing to correct: update all relevant systems; instruct service providers and contractors
89
+ 5. Notify consumer of outcome within 45 days
90
+
91
+ ---
92
+
93
+ ## Right to Opt-Out of Sale / Sharing (§1798.120)
94
+
95
+ **Scope:** Applies to:
96
+ - **Sale**: disclosure of PI to a third party for monetary or other valuable consideration
97
+ - **Sharing** (CPRA): disclosure of PI to a third party for cross-context behavioral advertising
98
+
99
+ **Mechanics:**
100
+ - "Do Not Sell or Share My Personal Information" link must be prominently placed on homepage and in privacy policy
101
+ - Must honor the **Global Privacy Control (GPC)** signal as a valid opt-out — the CPPA has confirmed GPC compliance is required
102
+ - Once opted out, the business must wait **12 months** before asking the consumer to re-consent
103
+
104
+ **Impact on advertising:**
105
+ - Opt-out means the business cannot pass PI (including cookie IDs, device fingerprints) to ad tech partners, ad exchanges, or DMPs for targeting
106
+ - Analytics via first-party tools that do not involve PI disclosure to third parties are typically not affected
107
+
108
+ **Workflow:**
109
+ 1. Consumer submits opt-out via link, form, or GPC signal
110
+ 2. No identity verification required for opt-out (only reasonable verification to confirm they are the consumer)
111
+ 3. Update consent/preference management platform within 15 business days
112
+ 4. Propagate opt-out to service providers and contractors engaged in sale/sharing
113
+ 5. Do not contact consumer for 12 months to ask them to reconsider
114
+
115
+ ---
116
+
117
+ ## Right to Limit Use of Sensitive Personal Information (§1798.121) — CPRA Addition
118
+
119
+ **Sensitive Personal Information (SPI) categories:**
120
+ - Social Security numbers, driver's license, passport, other government IDs
121
+ - Financial account credentials (login + security code)
122
+ - Precise geolocation (within 1/4 mile)
123
+ - Racial/ethnic origin, religious/philosophical beliefs, union membership
124
+ - Contents of consumer mail, email, or text messages (unless business is the intended recipient)
125
+ - Genetic data
126
+ - Biometric data for uniquely identifying a person
127
+ - Health/medical information
128
+ - Sexual orientation or sex life
129
+
130
+ **Permitted uses without limitation right:**
131
+ Business may use SPI without offering limitation if the purpose is:
132
+ - Performing services or providing goods reasonably expected by a consumer
133
+ - Safety, security, and integrity of services
134
+ - Short-term, transient use (e.g., contextual ad based on current session)
135
+ - Services on behalf of the business (service provider context)
136
+ - Verifying or maintaining quality of services
137
+ - Activities for which SPI was provided
138
+
139
+ **Workflow:**
140
+ 1. Provide "Limit the Use of My Sensitive Personal Information" link on homepage (alongside or combined with "Do Not Sell or Share" link)
141
+ 2. Consumer exercises right — no identity verification required beyond confirming consumer identity
142
+ 3. Process within **15 business days**
143
+ 4. Restrict use of SPI to only the permitted purposes listed above
144
+ 5. Propagate limitation to service providers and contractors
145
+
146
+ ---
147
+
148
+ ## Right to Non-Discrimination (§1798.125)
149
+
150
+ Businesses **cannot**, because a consumer exercised a CCPA/CPRA right:
151
+ - Deny goods or services
152
+ - Charge a different price (except where directly related to value of data)
153
+ - Provide a different level or quality of goods/services
154
+ - Suggest any of the above will occur
155
+
156
+ **Exception:** Businesses may offer financial incentives (loyalty programs, discounts) in exchange for PI, provided:
157
+ - The financial incentive is reasonably related to the value of the consumer's PI
158
+ - Consumer provides opt-in consent with a clear description of material terms
159
+ - Consumer can withdraw at any time
160
+
161
+ ---
162
+
163
+ ## Authorized Agent Requests
164
+
165
+ Consumers may designate an authorized agent to submit requests on their behalf. Business must:
166
+ - Require written permission from the consumer (signed authorization)
167
+ - Verify the agent's identity
168
+ - May require direct verification with the consumer as well (except for opt-out requests where agent has power of attorney)
169
+
170
+ ---
171
+
172
+ ## Record-Keeping
173
+
174
+ **CPRA requires businesses handling PI of 10M+ consumers/households** to maintain records of:
175
+ - Consumer requests and responses for 24 months
176
+ - Disclosures for 24 months
177
+ - Training records for CCPA/CPRA compliance
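Review bot: the header `@@ -1,177 +1,177 @@` and the body show a full-file replacement in which each `-` line is identical to its `+` counterpart (from `# CCPA/CPRA Consumer Rights — Fulfillment Workflows` down to `- Training records for CCPA/CPRA compliance`), so this hunk also carries no visible content change and looks like the same whitespace or line-ending rewrite as the previous file; confirm it is intentional. One documentation gap in the text itself: the "Identity verification" bullets under General Request Handling Principles list the 2-point and 3-point matching rules but say nothing about opt-out or SPI-limitation requests, while the later workflows state "No identity verification required for opt-out (only reasonable verification to confirm they are the consumer)" and "no identity verification required beyond confirming consumer identity". Add a bullet to the general section along the lines of "For opt-out of sale/sharing and SPI-limitation requests: no verification beyond reasonable confirmation that the requester is the consumer", so a reader applying the general rules does not wrongly impose the 2-point match on those requests.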