bmad-plus 0.7.5 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (281) hide show
  1. package/CHANGELOG.md +479 -425
  2. package/LICENSE +21 -21
  3. package/README.md +557 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +584 -426
  31. package/readme-international/README.es.md +601 -518
  32. package/readme-international/README.fr.md +599 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  46. package/src/bmad-plus/module-help.csv +10 -10
  47. package/src/bmad-plus/module.yaml +283 -280
  48. package/src/bmad-plus/{agents → packs}/pack-animated/animated-website-agent.md +325 -325
  49. package/src/bmad-plus/{agents → packs}/pack-animated/templates/animated-website-workflow.md +55 -55
  50. package/src/bmad-plus/{agents → packs}/pack-backup/backup-agent.md +71 -71
  51. package/src/bmad-plus/{agents → packs}/pack-backup/templates/backup-workflow.md +51 -51
  52. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  53. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  54. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  55. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  56. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  57. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  58. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  59. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  60. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  61. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  62. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  63. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  64. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  65. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  66. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  67. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  68. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  69. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  70. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  71. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  111. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  112. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  113. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  114. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  115. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  116. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  117. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  118. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  119. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  120. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  121. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  122. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  123. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  124. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  125. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  126. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  127. package/src/bmad-plus/{agents → packs}/pack-seo/SKILL.md +171 -171
  128. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  129. package/src/bmad-plus/{agents → packs}/pack-seo/checklist.md +140 -140
  130. package/src/bmad-plus/{agents → packs}/pack-seo/pagespeed-playbook.md +320 -320
  131. package/src/bmad-plus/{agents → packs}/pack-seo/ref/audit-schema.json +187 -187
  132. package/src/bmad-plus/{agents → packs}/pack-seo/ref/cwv-thresholds.md +87 -87
  133. package/src/bmad-plus/{agents → packs}/pack-seo/ref/eeat-criteria.md +123 -123
  134. package/src/bmad-plus/{agents → packs}/pack-seo/ref/geo-signals.md +167 -167
  135. package/src/bmad-plus/{agents → packs}/pack-seo/ref/hreflang-rules.md +153 -153
  136. package/src/bmad-plus/{agents → packs}/pack-seo/ref/quality-gates.md +133 -133
  137. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-catalog.md +91 -91
  138. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-templates.json +356 -356
  139. package/src/bmad-plus/{agents → packs}/pack-seo/seo-chief.md +294 -294
  140. package/src/bmad-plus/{agents → packs}/pack-seo/seo-judge.md +241 -241
  141. package/src/bmad-plus/{agents → packs}/pack-seo/seo-scout.md +171 -171
  142. package/src/bmad-plus/{agents → packs}/pack-seo/templates/seo-audit-workflow.md +241 -241
  143. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  144. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  145. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  146. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  147. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  148. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  149. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  150. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  151. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  152. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  153. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  154. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  155. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  156. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  157. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  158. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  159. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  160. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  161. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  162. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  163. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  164. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  165. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  166. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  167. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  168. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  169. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  170. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  171. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  172. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  173. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  174. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  175. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  176. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  177. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  178. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  179. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  180. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  181. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  182. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  183. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  184. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  185. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  186. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  187. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  188. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  189. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  190. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  191. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  192. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  193. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  194. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  195. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  196. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  197. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  198. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  199. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  200. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  201. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  202. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  203. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  204. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  205. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  206. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  207. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  208. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  209. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  210. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  211. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  212. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  213. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  214. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  215. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  216. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  217. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  218. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  219. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  220. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  221. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  222. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  223. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  224. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  225. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  226. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  227. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  228. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  229. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  230. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  231. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  232. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  233. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  234. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  235. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  236. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  237. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  238. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  239. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  240. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  241. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  242. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  243. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  244. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  245. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  246. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  247. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  248. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  249. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  250. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  251. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  252. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  253. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  254. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  255. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  256. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  257. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  258. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  259. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  260. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  261. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  262. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  263. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  264. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  265. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  266. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  267. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  268. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  269. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  270. package/tools/bmad-plus-npx.js +3 -5
  271. package/tools/cli/commands/autoconfig.js +508 -489
  272. package/tools/cli/commands/doctor.js +219 -222
  273. package/tools/cli/commands/install.js +548 -739
  274. package/tools/cli/commands/memory.js +194 -194
  275. package/tools/cli/commands/scan.js +362 -350
  276. package/tools/cli/commands/uninstall.js +96 -96
  277. package/tools/cli/commands/update.js +116 -174
  278. package/tools/cli/i18n.js +845 -763
  279. package/tools/cli/lib/memory-init.js +114 -0
  280. package/tools/cli/lib/pack-copy.js +84 -0
  281. package/tools/cli/lib/packs.js +114 -0
@@ -1,117 +1,117 @@
1
- # CCPA/CPRA vs. GDPR — Side-by-Side Comparison
2
-
3
- For organisations subject to both laws (e.g., a US company with EU customers, or an EU company with California customers), understanding the differences and overlaps is essential to building an efficient dual-compliance programme.
4
-
5
- ---
6
-
7
- ## Scope & Applicability
8
-
9
- | Dimension | CCPA/CPRA | GDPR |
10
- |---|---|---|
11
- | **Jurisdictional trigger** | Doing business in California | Processing EU/EEA/UK residents' personal data |
12
- | **Who is covered** | For-profit businesses meeting threshold criteria | Any controller or processor, regardless of size or location |
13
- | **Size/revenue thresholds** | Yes — $25M revenue OR 100K+ consumers OR 50%+ revenue from PI sale/sharing | No — applies to any organisation processing EU personal data |
14
- | **Non-profits** | Generally exempt | Covered |
15
- | **Government entities** | Exempt | Covered (public authorities have specific rules) |
16
- | **B2B data** | Generally excluded (employee data limited exemption extended by CPRA) | Covered |
17
-
18
- ---
19
-
20
- ## Key Definitions
21
-
22
- | Concept | CCPA/CPRA | GDPR |
23
- |---|---|---|
24
- | **Personal data/PI** | Broadly defined; includes household data | Broadly defined; personal to identified/identifiable individual only |
25
- | **Special/sensitive categories** | CPRA SPI: SSN, precise geolocation, biometric, health, racial/ethnic, religious, union, sexual orientation, genetic, credentials, comms content | Special categories: racial/ethnic, political opinion, religious, union, genetic, biometric, health, sex life, sexual orientation |
26
- | **Controller equivalent** | "Business" | "Controller" |
27
- | **Processor equivalent** | "Service Provider" + "Contractor" (CPRA) | "Processor" |
28
- | **Third party** | Entity that receives PI that is not a service provider/contractor | Not separately defined in same way |
29
- | **Sale of data** | Broad: monetary or other valuable consideration | No equivalent concept; disclosure to third party = separate processing activity |
30
- | **Sharing (cross-context behavioral advertising)** | CPRA-specific concept | No direct equivalent; covered under legitimate interests or consent for tracking |
31
-
32
- ---
33
-
34
- ## Lawful Basis
35
-
36
- | Aspect | CCPA/CPRA | GDPR |
37
- |---|---|---|
38
- | **Basis for processing** | No lawful basis requirement — businesses can collect PI without consent (for most purposes) | Requires one of six lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interests) |
39
- | **Consent for sensitive data** | Right to limit SPI use (opt-out model for most businesses) | Explicit consent required for special category data (with narrow exceptions) |
40
- | **Opt-in vs. opt-out** | Primarily opt-out model (consumers must affirmatively request opt-out) | Primarily opt-in model (consent must be freely given, specific, informed, unambiguous) |
41
- | **Minors (under 16)** | Opt-in required for sale/sharing of PI of consumers 13–16; parental consent under 13 | GDPR age of consent varies by Member State (13–16); parental consent for under-16 processing based on consent |
42
-
43
- ---
44
-
45
- ## Consumer / Data Subject Rights
46
-
47
- | Right | CCPA/CPRA | GDPR |
48
- |---|---|---|
49
- | **Right to access** | Yes — specific pieces + categories (12-month scope pre-CPRA, no limit post-Jan 2022) | Yes — all personal data, no 12-month limitation |
50
- | **Right to delete** | Yes — with numerous exceptions | Yes (right to erasure) — with exceptions |
51
- | **Right to correct** | Yes (CPRA addition) | Yes (right to rectification) |
52
- | **Right to portability** | Yes — portable format in access request | Yes — explicitly structured, commonly used, machine-readable format |
53
- | **Right to opt-out of sale** | Yes — "Do Not Sell or Share My Personal Information" | No direct equivalent; may be covered by withdrawal of consent or objection to legitimate interests |
54
- | **Right to restrict processing** | Limited — SPI limitation right (CPRA) | Yes — broader right to restrict processing |
55
- | **Right to object** | Limited — opt-out of sale/sharing | Yes — right to object to processing based on legitimate interests or direct marketing |
56
- | **Automated decision-making** | Pending CPPA rulemaking; opt-out right likely | Yes (Art. 22) — right not to be subject to solely automated decisions with significant effects |
57
- | **Non-discrimination** | Yes (§1798.125) | No direct equivalent |
58
- | **Response deadline** | 45 days + 45-day extension; SPI limit: 15 business days | 1 month + 2-month extension |
59
-
60
- ---
61
-
62
- ## Privacy Notices
63
-
64
- | Requirement | CCPA/CPRA | GDPR |
65
- |---|---|---|
66
- | **At-collection notice** | Yes — categories, purposes, whether PI is sold/shared, link to privacy policy | Yes — Art. 13/14 privacy notice at collection |
67
- | **Privacy policy** | Yes — comprehensive; updated annually | Yes — privacy notice must be accessible |
68
- | **Retention periods** | Yes (CPRA addition) | Yes (must be specified or criteria stated) |
69
- | **Lawful basis disclosure** | No — not applicable | Yes — must identify lawful basis for each processing purpose |
70
- | **GPC signal** | Must honor as valid opt-out | No equivalent; but ePrivacy Directive may cover browser signals |
71
-
72
- ---
73
-
74
- ## Vendor / Third-Party Management
75
-
76
- | Aspect | CCPA/CPRA | GDPR |
77
- |---|---|---|
78
- | **Processor agreements** | Required with service providers and contractors | Required Data Processing Agreements (Art. 28) |
79
- | **Contract requirements** | Purpose limitation, prohibition on resale, deletion, audit rights | Detailed Art. 28 requirements: processing only on instructions, security, subprocessor rules, return/deletion |
80
- | **Sub-processor** | Contractor / downstream service provider must also comply | Subprocessors require DPA + controller notification/approval |
81
- | **International transfers** | No transfer restriction mechanism (CCPA does not restrict cross-border transfers) | Restricted to adequate countries or requires transfer mechanism (SCCs, BCRs, adequacy decision) |
82
-
83
- ---
84
-
85
- ## Enforcement & Penalties
86
-
87
- | Aspect | CCPA/CPRA | GDPR |
88
- |---|---|---|
89
- | **Enforcement body** | California Privacy Protection Agency (CPPA) + California AG | Data Protection Authorities (DPAs) in each EU/EEA Member State |
90
- | **Civil penalties** | $2,500 per unintentional / $7,500 per intentional violation | Up to €10M or 2% (lower tier) / €20M or 4% (higher tier) of global annual turnover |
91
- | **Private right of action** | Yes — but limited to data breaches: $100–$750 per consumer per incident | Limited; EU Member States vary; class actions being developed |
92
- | **Criminal penalties** | No direct CCPA criminal liability | Some Member States have criminal provisions |
93
- | **Cure period** | 30-day cure notice period (for AG actions; CPPA administrative actions may differ) | No formal cure period |
94
-
95
- ---
96
-
97
- ## Practical Dual-Compliance Guidance
98
-
99
- For organisations subject to both frameworks, the GDPR is generally the more demanding law. A GDPR-compliant programme will cover most CCPA/CPRA obligations with targeted additions:
100
-
101
- **What GDPR already covers:**
102
- - Privacy notices (at collection and policy)
103
- - Consumer/data subject rights processes (access, delete, correct, portability)
104
- - Processor agreements
105
- - Data minimization and purpose limitation
106
- - Retention schedules
107
- - Security measures
108
-
109
- **CCPA/CPRA-specific additions needed:**
110
- 1. Add **"Do Not Sell or Share My Personal Information"** link and opt-out workflow
111
- 2. Honor **Global Privacy Control (GPC)** signals
112
- 3. Add **"Limit the Use of My Sensitive Personal Information"** link and 15-day response workflow
113
- 4. Review vendor classification: are all "processors" actually **service providers** under CCPA (contracts may need updating)?
114
- 5. Implement **minors' opt-in** consent for sale/sharing (under 16)
115
- 6. Add **financial incentive / loyalty programme** disclosures if applicable
116
- 7. Confirm business threshold compliance annually — revenues and data volume thresholds
117
- 8. Prepare for **CPPA rulemaking** on automated decision-making and cybersecurity audits
1
+ # CCPA/CPRA vs. GDPR — Side-by-Side Comparison
2
+
3
+ For organisations subject to both laws (e.g., a US company with EU customers, or an EU company with California customers), understanding the differences and overlaps is essential to building an efficient dual-compliance programme.
4
+
5
+ ---
6
+
7
+ ## Scope & Applicability
8
+
9
+ | Dimension | CCPA/CPRA | GDPR |
10
+ |---|---|---|
11
+ | **Jurisdictional trigger** | Doing business in California | Processing EU/EEA/UK residents' personal data |
12
+ | **Who is covered** | For-profit businesses meeting threshold criteria | Any controller or processor, regardless of size or location |
13
+ | **Size/revenue thresholds** | Yes — $25M revenue OR 100K+ consumers OR 50%+ revenue from PI sale/sharing | No — applies to any organisation processing EU personal data |
14
+ | **Non-profits** | Generally exempt | Covered |
15
+ | **Government entities** | Exempt | Covered (public authorities have specific rules) |
16
+ | **B2B data** | Generally excluded (employee data limited exemption extended by CPRA) | Covered |
17
+
18
+ ---
19
+
20
+ ## Key Definitions
21
+
22
+ | Concept | CCPA/CPRA | GDPR |
23
+ |---|---|---|
24
+ | **Personal data/PI** | Broadly defined; includes household data | Broadly defined; personal to identified/identifiable individual only |
25
+ | **Special/sensitive categories** | CPRA SPI: SSN, precise geolocation, biometric, health, racial/ethnic, religious, union, sexual orientation, genetic, credentials, comms content | Special categories: racial/ethnic, political opinion, religious, union, genetic, biometric, health, sex life, sexual orientation |
26
+ | **Controller equivalent** | "Business" | "Controller" |
27
+ | **Processor equivalent** | "Service Provider" + "Contractor" (CPRA) | "Processor" |
28
+ | **Third party** | Entity that receives PI that is not a service provider/contractor | Not separately defined in same way |
29
+ | **Sale of data** | Broad: monetary or other valuable consideration | No equivalent concept; disclosure to third party = separate processing activity |
30
+ | **Sharing (cross-context behavioral advertising)** | CPRA-specific concept | No direct equivalent; covered under legitimate interests or consent for tracking |
31
+
32
+ ---
33
+
34
+ ## Lawful Basis
35
+
36
+ | Aspect | CCPA/CPRA | GDPR |
37
+ |---|---|---|
38
+ | **Basis for processing** | No lawful basis requirement — businesses can collect PI without consent (for most purposes) | Requires one of six lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interests) |
39
+ | **Consent for sensitive data** | Right to limit SPI use (opt-out model for most businesses) | Explicit consent required for special category data (with narrow exceptions) |
40
+ | **Opt-in vs. opt-out** | Primarily opt-out model (consumers must affirmatively request opt-out) | Primarily opt-in model (consent must be freely given, specific, informed, unambiguous) |
41
+ | **Minors (under 16)** | Opt-in required for sale/sharing of PI of consumers 13–16; parental consent under 13 | GDPR age of consent varies by Member State (13–16); parental consent for under-16 processing based on consent |
42
+
43
+ ---
44
+
45
+ ## Consumer / Data Subject Rights
46
+
47
+ | Right | CCPA/CPRA | GDPR |
48
+ |---|---|---|
49
+ | **Right to access** | Yes — specific pieces + categories (12-month scope pre-CPRA, no limit post-Jan 2022) | Yes — all personal data, no 12-month limitation |
50
+ | **Right to delete** | Yes — with numerous exceptions | Yes (right to erasure) — with exceptions |
51
+ | **Right to correct** | Yes (CPRA addition) | Yes (right to rectification) |
52
+ | **Right to portability** | Yes — portable format in access request | Yes — explicitly structured, commonly used, machine-readable format |
53
+ | **Right to opt-out of sale** | Yes — "Do Not Sell or Share My Personal Information" | No direct equivalent; may be covered by withdrawal of consent or objection to legitimate interests |
54
+ | **Right to restrict processing** | Limited — SPI limitation right (CPRA) | Yes — broader right to restrict processing |
55
+ | **Right to object** | Limited — opt-out of sale/sharing | Yes — right to object to processing based on legitimate interests or direct marketing |
56
+ | **Automated decision-making** | Pending CPPA rulemaking; opt-out right likely | Yes (Art. 22) — right not to be subject to solely automated decisions with significant effects |
57
+ | **Non-discrimination** | Yes (§1798.125) | No direct equivalent |
58
+ | **Response deadline** | 45 days + 45-day extension; SPI limit: 15 business days | 1 month + 2-month extension |
59
+
60
+ ---
61
+
62
+ ## Privacy Notices
63
+
64
+ | Requirement | CCPA/CPRA | GDPR |
65
+ |---|---|---|
66
+ | **At-collection notice** | Yes — categories, purposes, whether PI is sold/shared, link to privacy policy | Yes — Art. 13/14 privacy notice at collection |
67
+ | **Privacy policy** | Yes — comprehensive; updated annually | Yes — privacy notice must be accessible |
68
+ | **Retention periods** | Yes (CPRA addition) | Yes (must be specified or criteria stated) |
69
+ | **Lawful basis disclosure** | No — not applicable | Yes — must identify lawful basis for each processing purpose |
70
+ | **GPC signal** | Must honor as valid opt-out | No equivalent; but ePrivacy Directive may cover browser signals |
71
+
72
+ ---
73
+
74
+ ## Vendor / Third-Party Management
75
+
76
+ | Aspect | CCPA/CPRA | GDPR |
77
+ |---|---|---|
78
+ | **Processor agreements** | Required with service providers and contractors | Required Data Processing Agreements (Art. 28) |
79
+ | **Contract requirements** | Purpose limitation, prohibition on resale, deletion, audit rights | Detailed Art. 28 requirements: processing only on instructions, security, subprocessor rules, return/deletion |
80
+ | **Sub-processor** | Contractor / downstream service provider must also comply | Subprocessors require DPA + controller notification/approval |
81
+ | **International transfers** | No transfer restriction mechanism (CCPA does not restrict cross-border transfers) | Restricted to adequate countries or requires transfer mechanism (SCCs, BCRs, adequacy decision) |
82
+
83
+ ---
84
+
85
+ ## Enforcement & Penalties
86
+
87
+ | Aspect | CCPA/CPRA | GDPR |
88
+ |---|---|---|
89
+ | **Enforcement body** | California Privacy Protection Agency (CPPA) + California AG | Data Protection Authorities (DPAs) in each EU/EEA Member State |
90
+ | **Civil penalties** | $2,500 per unintentional / $7,500 per intentional violation | Up to €10M or 2% (lower tier) / €20M or 4% (higher tier) of global annual turnover |
91
+ | **Private right of action** | Yes — but limited to data breaches: $100–$750 per consumer per incident | Limited; EU Member States vary; class actions being developed |
92
+ | **Criminal penalties** | No direct CCPA criminal liability | Some Member States have criminal provisions |
93
+ | **Cure period** | 30-day cure notice period (for AG actions; CPPA administrative actions may differ) | No formal cure period |
94
+
95
+ ---
96
+
97
+ ## Practical Dual-Compliance Guidance
98
+
99
+ For organisations subject to both frameworks, the GDPR is generally the more demanding law. A GDPR-compliant programme will cover most CCPA/CPRA obligations with targeted additions:
100
+
101
+ **What GDPR already covers:**
102
+ - Privacy notices (at collection and policy)
103
+ - Consumer/data subject rights processes (access, delete, correct, portability)
104
+ - Processor agreements
105
+ - Data minimization and purpose limitation
106
+ - Retention schedules
107
+ - Security measures
108
+
109
+ **CCPA/CPRA-specific additions needed:**
110
+ 1. Add **"Do Not Sell or Share My Personal Information"** link and opt-out workflow
111
+ 2. Honor **Global Privacy Control (GPC)** signals
112
+ 3. Add **"Limit the Use of My Sensitive Personal Information"** link and 15-day response workflow
113
+ 4. Review vendor classification: are all "processors" actually **service providers** under CCPA (contracts may need updating)?
114
+ 5. Implement **minors' opt-in** consent for sale/sharing (under 16)
115
+ 6. Add **financial incentive / loyalty programme** disclosures if applicable
116
+ 7. Confirm business threshold compliance annually — revenues and data volume thresholds
117
+ 8. Prepare for **CPPA rulemaking** on automated decision-making and cybersecurity audits
@@ -1,177 +1,177 @@
1
- # CCPA/CPRA Consumer Rights — Fulfillment Workflows
2
-
3
- ## General Request Handling Principles
4
-
5
- **Intake channels (§1798.130):** Businesses must provide at least two methods for submitting requests, including (where applicable) a toll-free phone number and a web form or email. Online-only businesses may provide an email address as one method.
6
-
7
- **Identity verification:** Must verify consumer identity before disclosing or deleting PI. Verification requirements scale with sensitivity:
8
- - For non-sensitive requests: match 2 data points the business already holds
9
- - For sensitive PI / financial data: match 3 data points + signed declaration under penalty of perjury
10
- - For requests submitted through an authorized agent: require written permission + verification of agent identity
11
-
12
- **Response timelines:** 45 calendar days from receipt (extendable once by another 45 days with notice). For SPI limitation requests: 15 business days.
13
-
14
- **Free of charge:** Requests must be fulfilled free of charge, twice per 12-month period. Businesses may charge a reasonable fee for additional requests within 12 months if manifestly unfounded or excessive.
15
-
16
- ---
17
-
18
- ## Right to Know (§1798.110 / §1798.115)
19
-
20
- **What must be disclosed:**
21
- - Specific pieces of PI collected about the consumer
22
- - Categories of PI collected
23
- - Categories of sources from which PI was collected
24
- - Business or commercial purpose for collecting, selling, or sharing PI
25
- - Categories of third parties to whom PI was disclosed
26
- - Categories of PI sold or shared and the categories of third parties to whom it was sold/shared
27
-
28
- **Scope:** Covers PI collected in the 12 months prior to request (and ongoing from January 1, 2022 under CPRA, with no 12-month limit for data collected after that date).
29
-
30
- **Exceptions where disclosure can be refused:**
31
- - Would require disclosing third-party trade secrets
32
- - Would conflict with federal/state law
33
- - PI collected for single one-time transaction and not retained
34
- - PI solely for internal operations consistent with context of collection
35
- - Solely used to complete the transaction for which collected
36
-
37
- **Workflow:**
38
- 1. Receive and log request with timestamp
39
- 2. Verify consumer identity (2-point match for standard requests)
40
- 3. Search PI systems using identifying data
41
- 4. Compile responsive PI across all systems (CRM, analytics, ad tech, etc.)
42
- 5. Apply exceptions — remove third-party trade secrets, conflicting legal holds
43
- 6. Deliver response in portable, readily usable format within 45 days
44
- 7. Provide notice if extension is needed (within original 45-day window)
45
-
46
- ---
47
-
48
- ## Right to Delete (§1798.105)
49
-
50
- **Business must:**
51
- - Delete the consumer's PI from its records
52
- - Direct service providers and contractors to delete the PI
53
-
54
- **Exceptions (business may retain PI if necessary to):**
55
- 1. Complete a transaction or perform a contract
56
- 2. Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity
57
- 3. Fix errors that impair intended functionality
58
- 4. Exercise free speech or ensure another consumer's right to free speech
59
- 5. Comply with a legal obligation (CCPA §1798.145(a))
60
- 6. Use PI solely for internal purposes in a manner compatible with the context of collection (limited CPRA exception)
61
- 7. Research, journalism, or statistical purposes in the public interest
62
-
63
- **Workflow:**
64
- 1. Receive and log deletion request
65
- 2. Verify consumer identity
66
- 3. Check if any exceptions apply; document reasoning if invoking an exception
67
- 4. If proceeding with deletion: identify all PI records, propagate deletion to service providers and contractors
68
- 5. Confirm deletion to consumer (or explain exception invoked) within 45 days
69
- 6. Retain deletion request records (for proof of compliance) — note: retaining the request itself is not a contradiction
70
-
71
- ---
72
-
73
- ## Right to Correct (§1798.106) — CPRA Addition
74
-
75
- **What the business must do:**
76
- - Take commercially reasonable steps to correct inaccurate PI
77
- - Instruct service providers and contractors to correct the PI
78
- - Consumer must provide documentation if business contests the claimed inaccuracy
79
-
80
- **Business may decline if:**
81
- - Correction would require revealing another individual's PI
82
- - Business disagrees the PI is inaccurate and documents its decision
83
-
84
- **Workflow:**
85
- 1. Receive correction request with claimed correction details
86
- 2. Verify consumer identity
87
- 3. Evaluate accuracy of the claimed correction (may request supporting documentation)
88
- 4. If agreeing to correct: update all relevant systems; instruct service providers and contractors
89
- 5. Notify consumer of outcome within 45 days
90
-
91
- ---
92
-
93
- ## Right to Opt-Out of Sale / Sharing (§1798.120)
94
-
95
- **Scope:** Applies to:
96
- - **Sale**: disclosure of PI to a third party for monetary or other valuable consideration
97
- - **Sharing** (CPRA): disclosure of PI to a third party for cross-context behavioral advertising
98
-
99
- **Mechanics:**
100
- - "Do Not Sell or Share My Personal Information" link must be prominently placed on homepage and in privacy policy
101
- - Must honor the **Global Privacy Control (GPC)** signal as a valid opt-out — the CPPA has confirmed GPC compliance is required
102
- - Once opted out, the business must wait **12 months** before asking the consumer to re-consent
103
-
104
- **Impact on advertising:**
105
- - Opt-out means the business cannot pass PI (including cookie IDs, device fingerprints) to ad tech partners, ad exchanges, or DMPs for targeting
106
- - Analytics via first-party tools that do not involve PI disclosure to third parties are typically not affected
107
-
108
- **Workflow:**
109
- 1. Consumer submits opt-out via link, form, or GPC signal
110
- 2. No identity verification required for opt-out (only reasonable verification to confirm they are the consumer)
111
- 3. Update consent/preference management platform within 15 business days
112
- 4. Propagate opt-out to service providers and contractors engaged in sale/sharing
113
- 5. Do not contact consumer for 12 months to ask them to reconsider
114
-
115
- ---
116
-
117
- ## Right to Limit Use of Sensitive Personal Information (§1798.121) — CPRA Addition
118
-
119
- **Sensitive Personal Information (SPI) categories:**
120
- - Social Security numbers, driver's license, passport, other government IDs
121
- - Financial account credentials (login + security code)
122
- - Precise geolocation (within 1/4 mile)
123
- - Racial/ethnic origin, religious/philosophical beliefs, union membership
124
- - Contents of consumer mail, email, or text messages (unless business is the intended recipient)
125
- - Genetic data
126
- - Biometric data for uniquely identifying a person
127
- - Health/medical information
128
- - Sexual orientation or sex life
129
-
130
- **Permitted uses without limitation right:**
131
- Business may use SPI without offering limitation if the purpose is:
132
- - Performing services or providing goods reasonably expected by a consumer
133
- - Safety, security, and integrity of services
134
- - Short-term, transient use (e.g., contextual ad based on current session)
135
- - Services on behalf of the business (service provider context)
136
- - Verifying or maintaining quality of services
137
- - Activities for which SPI was provided
138
-
139
- **Workflow:**
140
- 1. Provide "Limit the Use of My Sensitive Personal Information" link on homepage (alongside or combined with "Do Not Sell or Share" link)
141
- 2. Consumer exercises right — no identity verification required beyond confirming consumer identity
142
- 3. Process within **15 business days**
143
- 4. Restrict use of SPI to only the permitted purposes listed above
144
- 5. Propagate limitation to service providers and contractors
145
-
146
- ---
147
-
148
- ## Right to Non-Discrimination (§1798.125)
149
-
150
- Businesses **cannot**, because a consumer exercised a CCPA/CPRA right:
151
- - Deny goods or services
152
- - Charge a different price (except where directly related to value of data)
153
- - Provide a different level or quality of goods/services
154
- - Suggest any of the above will occur
155
-
156
- **Exception:** Businesses may offer financial incentives (loyalty programs, discounts) in exchange for PI, provided:
157
- - The financial incentive is reasonably related to the value of the consumer's PI
158
- - Consumer provides opt-in consent with a clear description of material terms
159
- - Consumer can withdraw at any time
160
-
161
- ---
162
-
163
- ## Authorized Agent Requests
164
-
165
- Consumers may designate an authorized agent to submit requests on their behalf. Business must:
166
- - Require written permission from the consumer (signed authorization)
167
- - Verify the agent's identity
168
- - May require direct verification with the consumer as well (except for opt-out requests where agent has power of attorney)
169
-
170
- ---
171
-
172
- ## Record-Keeping
173
-
174
- **CPRA requires businesses handling PI of 10M+ consumers/households** to maintain records of:
175
- - Consumer requests and responses for 24 months
176
- - Disclosures for 24 months
177
- - Training records for CCPA/CPRA compliance
1
+ # CCPA/CPRA Consumer Rights — Fulfillment Workflows
2
+
3
+ ## General Request Handling Principles
4
+
5
+ **Intake channels (§1798.130):** Businesses must provide at least two methods for submitting requests, including (where applicable) a toll-free phone number and a web form or email. Online-only businesses may provide an email address as one method.
6
+
7
+ **Identity verification:** Must verify consumer identity before disclosing or deleting PI. Verification requirements scale with sensitivity:
8
+ - For non-sensitive requests: match 2 data points the business already holds
9
+ - For sensitive PI / financial data: match 3 data points + signed declaration under penalty of perjury
10
+ - For requests submitted through an authorized agent: require written permission + verification of agent identity
11
+
12
+ **Response timelines:** 45 calendar days from receipt (extendable once by another 45 days with notice). For SPI limitation requests: 15 business days.
13
+
14
+ **Free of charge:** Requests must be fulfilled free of charge, twice per 12-month period. Businesses may charge a reasonable fee for additional requests within 12 months if manifestly unfounded or excessive.
15
+
16
+ ---
17
+
18
+ ## Right to Know (§1798.110 / §1798.115)
19
+
20
+ **What must be disclosed:**
21
+ - Specific pieces of PI collected about the consumer
22
+ - Categories of PI collected
23
+ - Categories of sources from which PI was collected
24
+ - Business or commercial purpose for collecting, selling, or sharing PI
25
+ - Categories of third parties to whom PI was disclosed
26
+ - Categories of PI sold or shared and the categories of third parties to whom it was sold/shared
27
+
28
+ **Scope:** Covers PI collected in the 12 months prior to request (and ongoing from January 1, 2022 under CPRA, with no 12-month limit for data collected after that date).
29
+
30
+ **Exceptions where disclosure can be refused:**
31
+ - Would require disclosing third-party trade secrets
32
+ - Would conflict with federal/state law
33
+ - PI collected for single one-time transaction and not retained
34
+ - PI solely for internal operations consistent with context of collection
35
+ - Solely used to complete the transaction for which collected
36
+
37
+ **Workflow:**
38
+ 1. Receive and log request with timestamp
39
+ 2. Verify consumer identity (2-point match for standard requests)
40
+ 3. Search PI systems using identifying data
41
+ 4. Compile responsive PI across all systems (CRM, analytics, ad tech, etc.)
42
+ 5. Apply exceptions — remove third-party trade secrets, conflicting legal holds
43
+ 6. Deliver response in portable, readily usable format within 45 days
44
+ 7. Provide notice if extension is needed (within original 45-day window)
45
+
46
+ ---
47
+
48
+ ## Right to Delete (§1798.105)
49
+
50
+ **Business must:**
51
+ - Delete the consumer's PI from its records
52
+ - Direct service providers and contractors to delete the PI
53
+
54
+ **Exceptions (business may retain PI if necessary to):**
55
+ 1. Complete a transaction or perform a contract
56
+ 2. Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity
57
+ 3. Fix errors that impair intended functionality
58
+ 4. Exercise free speech or ensure another consumer's right to free speech
59
+ 5. Comply with a legal obligation (CCPA §1798.145(a))
60
+ 6. Use PI solely for internal purposes in a manner compatible with the context of collection (limited CPRA exception)
61
+ 7. Research, journalism, or statistical purposes in the public interest
62
+
63
+ **Workflow:**
64
+ 1. Receive and log deletion request
65
+ 2. Verify consumer identity
66
+ 3. Check if any exceptions apply; document reasoning if invoking an exception
67
+ 4. If proceeding with deletion: identify all PI records, propagate deletion to service providers and contractors
68
+ 5. Confirm deletion to consumer (or explain exception invoked) within 45 days
69
+ 6. Retain deletion request records (for proof of compliance) — note: retaining the request itself is not a contradiction
70
+
71
+ ---
72
+
73
+ ## Right to Correct (§1798.106) — CPRA Addition
74
+
75
+ **What the business must do:**
76
+ - Take commercially reasonable steps to correct inaccurate PI
77
+ - Instruct service providers and contractors to correct the PI
78
+ - Consumer must provide documentation if business contests the claimed inaccuracy
79
+
80
+ **Business may decline if:**
81
+ - Correction would require revealing another individual's PI
82
+ - Business disagrees the PI is inaccurate and documents its decision
83
+
84
+ **Workflow:**
85
+ 1. Receive correction request with claimed correction details
86
+ 2. Verify consumer identity
87
+ 3. Evaluate accuracy of the claimed correction (may request supporting documentation)
88
+ 4. If agreeing to correct: update all relevant systems; instruct service providers and contractors
89
+ 5. Notify consumer of outcome within 45 days
90
+
91
+ ---
92
+
93
+ ## Right to Opt-Out of Sale / Sharing (§1798.120)
94
+
95
+ **Scope:** Applies to:
96
+ - **Sale**: disclosure of PI to a third party for monetary or other valuable consideration
97
+ - **Sharing** (CPRA): disclosure of PI to a third party for cross-context behavioral advertising
98
+
99
+ **Mechanics:**
100
+ - "Do Not Sell or Share My Personal Information" link must be prominently placed on homepage and in privacy policy
101
+ - Must honor the **Global Privacy Control (GPC)** signal as a valid opt-out — the CPPA has confirmed GPC compliance is required
102
+ - Once opted out, the business must wait **12 months** before asking the consumer to re-consent
103
+
104
+ **Impact on advertising:**
105
+ - Opt-out means the business cannot pass PI (including cookie IDs, device fingerprints) to ad tech partners, ad exchanges, or DMPs for targeting
106
+ - Analytics via first-party tools that do not involve PI disclosure to third parties are typically not affected
107
+
108
+ **Workflow:**
109
+ 1. Consumer submits opt-out via link, form, or GPC signal
110
+ 2. No identity verification required for opt-out (only reasonable verification to confirm they are the consumer)
111
+ 3. Update consent/preference management platform within 15 business days
112
+ 4. Propagate opt-out to service providers and contractors engaged in sale/sharing
113
+ 5. Do not contact consumer for 12 months to ask them to reconsider
114
+
115
+ ---
116
+
117
+ ## Right to Limit Use of Sensitive Personal Information (§1798.121) — CPRA Addition
118
+
119
+ **Sensitive Personal Information (SPI) categories:**
120
+ - Social Security numbers, driver's license, passport, other government IDs
121
+ - Financial account credentials (login + security code)
122
+ - Precise geolocation (within 1/4 mile)
123
+ - Racial/ethnic origin, religious/philosophical beliefs, union membership
124
+ - Contents of consumer mail, email, or text messages (unless business is the intended recipient)
125
+ - Genetic data
126
+ - Biometric data for uniquely identifying a person
127
+ - Health/medical information
128
+ - Sexual orientation or sex life
129
+
130
+ **Permitted uses without limitation right:**
131
+ Business may use SPI without offering limitation if the purpose is:
132
+ - Performing services or providing goods reasonably expected by a consumer
133
+ - Safety, security, and integrity of services
134
+ - Short-term, transient use (e.g., contextual ad based on current session)
135
+ - Services on behalf of the business (service provider context)
136
+ - Verifying or maintaining quality of services
137
+ - Activities for which SPI was provided
138
+
139
+ **Workflow:**
140
+ 1. Provide "Limit the Use of My Sensitive Personal Information" link on homepage (alongside or combined with "Do Not Sell or Share" link)
141
+ 2. Consumer exercises right — no identity verification required beyond confirming consumer identity
142
+ 3. Process within **15 business days**
143
+ 4. Restrict use of SPI to only the permitted purposes listed above
144
+ 5. Propagate limitation to service providers and contractors
145
+
146
+ ---
147
+
148
+ ## Right to Non-Discrimination (§1798.125)
149
+
150
+ Businesses **cannot**, because a consumer exercised a CCPA/CPRA right:
151
+ - Deny goods or services
152
+ - Charge a different price (except where directly related to value of data)
153
+ - Provide a different level or quality of goods/services
154
+ - Suggest any of the above will occur
155
+
156
+ **Exception:** Businesses may offer financial incentives (loyalty programs, discounts) in exchange for PI, provided:
157
+ - The financial incentive is reasonably related to the value of the consumer's PI
158
+ - Consumer provides opt-in consent with a clear description of material terms
159
+ - Consumer can withdraw at any time
160
+
161
+ ---
162
+
163
+ ## Authorized Agent Requests
164
+
165
+ Consumers may designate an authorized agent to submit requests on their behalf. Business must:
166
+ - Require written permission from the consumer (signed authorization)
167
+ - Verify the agent's identity
168
+ - May require direct verification with the consumer as well (except for opt-out requests where agent has power of attorney)
169
+
170
+ ---
171
+
172
+ ## Record-Keeping
173
+
174
+ **CPRA requires businesses handling PI of 10M+ consumers/households** to maintain records of:
175
+ - Consumer requests and responses for 24 months
176
+ - Disclosures for 24 months
177
+ - Training records for CCPA/CPRA compliance