bmad-plus 0.9.0 → 0.9.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +15 -0
- package/LICENSE +21 -21
- package/README.md +105 -85
- package/osint-agent-package/README.md +88 -88
- package/osint-agent-package/SETUP_KEYS.md +108 -108
- package/osint-agent-package/agents/osint-investigator.md +80 -80
- package/osint-agent-package/install.ps1 +87 -87
- package/osint-agent-package/install.sh +76 -76
- package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
- package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
- package/package.json +30 -3
- package/readme-international/README.de.md +8 -3
- package/readme-international/README.es.md +8 -3
- package/readme-international/README.fr.md +8 -3
- package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
- package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
- package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
- package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
- package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
- package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
- package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/data/role-triggers.yaml +209 -209
- package/src/bmad-plus/module-help.csv +10 -10
- package/src/bmad-plus/packs/pack-memory/README.md +106 -106
- package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
- package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
- package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
- package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
- package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
- package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
- package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
- package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
- package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/packs/pack-shield/README.md +110 -110
- package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -82
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
- package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
- package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
- package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
- package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
- package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
- package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
- package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
- package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
- package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
- package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
- package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
- package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
- package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
- package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
- package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
- package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
- package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
- package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
- package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
- package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
- package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
- package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
- package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
- package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
- package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
- package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
- package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
- package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
- package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
- package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
- package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
- package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
- package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
- package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
- package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
- package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
- package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
- package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
- package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
- package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
- package/tools/cli/bmad-plus-cli.js +5 -3
- package/tools/cli/commands/autoconfig.js +5 -58
- package/tools/cli/commands/doctor.js +2 -0
- package/tools/cli/commands/install.js +9 -128
- package/tools/cli/commands/memory.js +1 -0
- package/tools/cli/commands/scan.js +26 -41
- package/tools/cli/commands/uninstall.js +7 -4
- package/tools/cli/commands/update.js +2 -1
- package/tools/cli/lib/ide-config.js +259 -0
- package/tools/cli/lib/memory-init.js +0 -1
- package/tools/cli/lib/pack-copy.js +84 -84
- package/tools/cli/lib/packs.js +114 -114
- package/tools/cli/lib/stack-detect.js +102 -0
- package/tools/cli/lib/validate.js +45 -0
|
@@ -1,117 +1,117 @@
|
|
|
1
|
-
# CCPA/CPRA vs. GDPR — Side-by-Side Comparison
|
|
2
|
-
|
|
3
|
-
For organisations subject to both laws (e.g., a US company with EU customers, or an EU company with California customers), understanding the differences and overlaps is essential to building an efficient dual-compliance programme.
|
|
4
|
-
|
|
5
|
-
---
|
|
6
|
-
|
|
7
|
-
## Scope & Applicability
|
|
8
|
-
|
|
9
|
-
| Dimension | CCPA/CPRA | GDPR |
|
|
10
|
-
|---|---|---|
|
|
11
|
-
| **Jurisdictional trigger** | Doing business in California | Processing EU/EEA/UK residents' personal data |
|
|
12
|
-
| **Who is covered** | For-profit businesses meeting threshold criteria | Any controller or processor, regardless of size or location |
|
|
13
|
-
| **Size/revenue thresholds** | Yes — $25M revenue OR 100K+ consumers OR 50%+ revenue from PI sale/sharing | No — applies to any organisation processing EU personal data |
|
|
14
|
-
| **Non-profits** | Generally exempt | Covered |
|
|
15
|
-
| **Government entities** | Exempt | Covered (public authorities have specific rules) |
|
|
16
|
-
| **B2B data** | Generally excluded (employee data limited exemption extended by CPRA) | Covered |
|
|
17
|
-
|
|
18
|
-
---
|
|
19
|
-
|
|
20
|
-
## Key Definitions
|
|
21
|
-
|
|
22
|
-
| Concept | CCPA/CPRA | GDPR |
|
|
23
|
-
|---|---|---|
|
|
24
|
-
| **Personal data/PI** | Broadly defined; includes household data | Broadly defined; personal to identified/identifiable individual only |
|
|
25
|
-
| **Special/sensitive categories** | CPRA SPI: SSN, precise geolocation, biometric, health, racial/ethnic, religious, union, sexual orientation, genetic, credentials, comms content | Special categories: racial/ethnic, political opinion, religious, union, genetic, biometric, health, sex life, sexual orientation |
|
|
26
|
-
| **Controller equivalent** | "Business" | "Controller" |
|
|
27
|
-
| **Processor equivalent** | "Service Provider" + "Contractor" (CPRA) | "Processor" |
|
|
28
|
-
| **Third party** | Entity that receives PI that is not a service provider/contractor | Not separately defined in same way |
|
|
29
|
-
| **Sale of data** | Broad: monetary or other valuable consideration | No equivalent concept; disclosure to third party = separate processing activity |
|
|
30
|
-
| **Sharing (cross-context behavioral advertising)** | CPRA-specific concept | No direct equivalent; covered under legitimate interests or consent for tracking |
|
|
31
|
-
|
|
32
|
-
---
|
|
33
|
-
|
|
34
|
-
## Lawful Basis
|
|
35
|
-
|
|
36
|
-
| Aspect | CCPA/CPRA | GDPR |
|
|
37
|
-
|---|---|---|
|
|
38
|
-
| **Basis for processing** | No lawful basis requirement — businesses can collect PI without consent (for most purposes) | Requires one of six lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interests) |
|
|
39
|
-
| **Consent for sensitive data** | Right to limit SPI use (opt-out model for most businesses) | Explicit consent required for special category data (with narrow exceptions) |
|
|
40
|
-
| **Opt-in vs. opt-out** | Primarily opt-out model (consumers must affirmatively request opt-out) | Primarily opt-in model (consent must be freely given, specific, informed, unambiguous) |
|
|
41
|
-
| **Minors (under 16)** | Opt-in required for sale/sharing of PI of consumers 13–16; parental consent under 13 | GDPR age of consent varies by Member State (13–16); parental consent for under-16 processing based on consent |
|
|
42
|
-
|
|
43
|
-
---
|
|
44
|
-
|
|
45
|
-
## Consumer / Data Subject Rights
|
|
46
|
-
|
|
47
|
-
| Right | CCPA/CPRA | GDPR |
|
|
48
|
-
|---|---|---|
|
|
49
|
-
| **Right to access** | Yes — specific pieces + categories (12-month scope pre-CPRA, no limit post-Jan 2022) | Yes — all personal data, no 12-month limitation |
|
|
50
|
-
| **Right to delete** | Yes — with numerous exceptions | Yes (right to erasure) — with exceptions |
|
|
51
|
-
| **Right to correct** | Yes (CPRA addition) | Yes (right to rectification) |
|
|
52
|
-
| **Right to portability** | Yes — portable format in access request | Yes — explicitly structured, commonly used, machine-readable format |
|
|
53
|
-
| **Right to opt-out of sale** | Yes — "Do Not Sell or Share My Personal Information" | No direct equivalent; may be covered by withdrawal of consent or objection to legitimate interests |
|
|
54
|
-
| **Right to restrict processing** | Limited — SPI limitation right (CPRA) | Yes — broader right to restrict processing |
|
|
55
|
-
| **Right to object** | Limited — opt-out of sale/sharing | Yes — right to object to processing based on legitimate interests or direct marketing |
|
|
56
|
-
| **Automated decision-making** | Pending CPPA rulemaking; opt-out right likely | Yes (Art. 22) — right not to be subject to solely automated decisions with significant effects |
|
|
57
|
-
| **Non-discrimination** | Yes (§1798.125) | No direct equivalent |
|
|
58
|
-
| **Response deadline** | 45 days + 45-day extension; SPI limit: 15 business days | 1 month + 2-month extension |
|
|
59
|
-
|
|
60
|
-
---
|
|
61
|
-
|
|
62
|
-
## Privacy Notices
|
|
63
|
-
|
|
64
|
-
| Requirement | CCPA/CPRA | GDPR |
|
|
65
|
-
|---|---|---|
|
|
66
|
-
| **At-collection notice** | Yes — categories, purposes, whether PI is sold/shared, link to privacy policy | Yes — Art. 13/14 privacy notice at collection |
|
|
67
|
-
| **Privacy policy** | Yes — comprehensive; updated annually | Yes — privacy notice must be accessible |
|
|
68
|
-
| **Retention periods** | Yes (CPRA addition) | Yes (must be specified or criteria stated) |
|
|
69
|
-
| **Lawful basis disclosure** | No — not applicable | Yes — must identify lawful basis for each processing purpose |
|
|
70
|
-
| **GPC signal** | Must honor as valid opt-out | No equivalent; but ePrivacy Directive may cover browser signals |
|
|
71
|
-
|
|
72
|
-
---
|
|
73
|
-
|
|
74
|
-
## Vendor / Third-Party Management
|
|
75
|
-
|
|
76
|
-
| Aspect | CCPA/CPRA | GDPR |
|
|
77
|
-
|---|---|---|
|
|
78
|
-
| **Processor agreements** | Required with service providers and contractors | Required Data Processing Agreements (Art. 28) |
|
|
79
|
-
| **Contract requirements** | Purpose limitation, prohibition on resale, deletion, audit rights | Detailed Art. 28 requirements: processing only on instructions, security, subprocessor rules, return/deletion |
|
|
80
|
-
| **Sub-processor** | Contractor / downstream service provider must also comply | Subprocessors require DPA + controller notification/approval |
|
|
81
|
-
| **International transfers** | No transfer restriction mechanism (CCPA does not restrict cross-border transfers) | Restricted to adequate countries or requires transfer mechanism (SCCs, BCRs, adequacy decision) |
|
|
82
|
-
|
|
83
|
-
---
|
|
84
|
-
|
|
85
|
-
## Enforcement & Penalties
|
|
86
|
-
|
|
87
|
-
| Aspect | CCPA/CPRA | GDPR |
|
|
88
|
-
|---|---|---|
|
|
89
|
-
| **Enforcement body** | California Privacy Protection Agency (CPPA) + California AG | Data Protection Authorities (DPAs) in each EU/EEA Member State |
|
|
90
|
-
| **Civil penalties** | $2,500 per unintentional / $7,500 per intentional violation | Up to €10M or 2% (lower tier) / €20M or 4% (higher tier) of global annual turnover |
|
|
91
|
-
| **Private right of action** | Yes — but limited to data breaches: $100–$750 per consumer per incident | Limited; EU Member States vary; class actions being developed |
|
|
92
|
-
| **Criminal penalties** | No direct CCPA criminal liability | Some Member States have criminal provisions |
|
|
93
|
-
| **Cure period** | 30-day cure notice period (for AG actions; CPPA administrative actions may differ) | No formal cure period |
|
|
94
|
-
|
|
95
|
-
---
|
|
96
|
-
|
|
97
|
-
## Practical Dual-Compliance Guidance
|
|
98
|
-
|
|
99
|
-
For organisations subject to both frameworks, the GDPR is generally the more demanding law. A GDPR-compliant programme will cover most CCPA/CPRA obligations with targeted additions:
|
|
100
|
-
|
|
101
|
-
**What GDPR already covers:**
|
|
102
|
-
- Privacy notices (at collection and policy)
|
|
103
|
-
- Consumer/data subject rights processes (access, delete, correct, portability)
|
|
104
|
-
- Processor agreements
|
|
105
|
-
- Data minimization and purpose limitation
|
|
106
|
-
- Retention schedules
|
|
107
|
-
- Security measures
|
|
108
|
-
|
|
109
|
-
**CCPA/CPRA-specific additions needed:**
|
|
110
|
-
1. Add **"Do Not Sell or Share My Personal Information"** link and opt-out workflow
|
|
111
|
-
2. Honor **Global Privacy Control (GPC)** signals
|
|
112
|
-
3. Add **"Limit the Use of My Sensitive Personal Information"** link and 15-day response workflow
|
|
113
|
-
4. Review vendor classification: are all "processors" actually **service providers** under CCPA (contracts may need updating)?
|
|
114
|
-
5. Implement **minors' opt-in** consent for sale/sharing (under 16)
|
|
115
|
-
6. Add **financial incentive / loyalty programme** disclosures if applicable
|
|
116
|
-
7. Confirm business threshold compliance annually — revenues and data volume thresholds
|
|
117
|
-
8. Prepare for **CPPA rulemaking** on automated decision-making and cybersecurity audits
|
|
1
|
+
# CCPA/CPRA vs. GDPR — Side-by-Side Comparison
|
|
2
|
+
|
|
3
|
+
For organisations subject to both laws (e.g., a US company with EU customers, or an EU company with California customers), understanding the differences and overlaps is essential to building an efficient dual-compliance programme.
|
|
4
|
+
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
## Scope & Applicability
|
|
8
|
+
|
|
9
|
+
| Dimension | CCPA/CPRA | GDPR |
|
|
10
|
+
|---|---|---|
|
|
11
|
+
| **Jurisdictional trigger** | Doing business in California | Processing EU/EEA/UK residents' personal data |
|
|
12
|
+
| **Who is covered** | For-profit businesses meeting threshold criteria | Any controller or processor, regardless of size or location |
|
|
13
|
+
| **Size/revenue thresholds** | Yes — $25M revenue OR 100K+ consumers OR 50%+ revenue from PI sale/sharing | No — applies to any organisation processing EU personal data |
|
|
14
|
+
| **Non-profits** | Generally exempt | Covered |
|
|
15
|
+
| **Government entities** | Exempt | Covered (public authorities have specific rules) |
|
|
16
|
+
| **B2B data** | Generally excluded (employee data limited exemption extended by CPRA) | Covered |
|
|
17
|
+
|
|
18
|
+
---
|
|
19
|
+
|
|
20
|
+
## Key Definitions
|
|
21
|
+
|
|
22
|
+
| Concept | CCPA/CPRA | GDPR |
|
|
23
|
+
|---|---|---|
|
|
24
|
+
| **Personal data/PI** | Broadly defined; includes household data | Broadly defined; personal to identified/identifiable individual only |
|
|
25
|
+
| **Special/sensitive categories** | CPRA SPI: SSN, precise geolocation, biometric, health, racial/ethnic, religious, union, sexual orientation, genetic, credentials, comms content | Special categories: racial/ethnic, political opinion, religious, union, genetic, biometric, health, sex life, sexual orientation |
|
|
26
|
+
| **Controller equivalent** | "Business" | "Controller" |
|
|
27
|
+
| **Processor equivalent** | "Service Provider" + "Contractor" (CPRA) | "Processor" |
|
|
28
|
+
| **Third party** | Entity that receives PI that is not a service provider/contractor | Not separately defined in same way |
|
|
29
|
+
| **Sale of data** | Broad: monetary or other valuable consideration | No equivalent concept; disclosure to third party = separate processing activity |
|
|
30
|
+
| **Sharing (cross-context behavioral advertising)** | CPRA-specific concept | No direct equivalent; covered under legitimate interests or consent for tracking |
|
|
31
|
+
|
|
32
|
+
---
|
|
33
|
+
|
|
34
|
+
## Lawful Basis
|
|
35
|
+
|
|
36
|
+
| Aspect | CCPA/CPRA | GDPR |
|
|
37
|
+
|---|---|---|
|
|
38
|
+
| **Basis for processing** | No lawful basis requirement — businesses can collect PI without consent (for most purposes) | Requires one of six lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interests) |
|
|
39
|
+
| **Consent for sensitive data** | Right to limit SPI use (opt-out model for most businesses) | Explicit consent required for special category data (with narrow exceptions) |
|
|
40
|
+
| **Opt-in vs. opt-out** | Primarily opt-out model (consumers must affirmatively request opt-out) | Primarily opt-in model (consent must be freely given, specific, informed, unambiguous) |
|
|
41
|
+
| **Minors (under 16)** | Opt-in required for sale/sharing of PI of consumers 13–16; parental consent under 13 | GDPR age of consent varies by Member State (13–16); parental consent for under-16 processing based on consent |
|
|
42
|
+
|
|
43
|
+
---
|
|
44
|
+
|
|
45
|
+
## Consumer / Data Subject Rights
|
|
46
|
+
|
|
47
|
+
| Right | CCPA/CPRA | GDPR |
|
|
48
|
+
|---|---|---|
|
|
49
|
+
| **Right to access** | Yes — specific pieces + categories (12-month scope pre-CPRA, no limit post-Jan 2022) | Yes — all personal data, no 12-month limitation |
|
|
50
|
+
| **Right to delete** | Yes — with numerous exceptions | Yes (right to erasure) — with exceptions |
|
|
51
|
+
| **Right to correct** | Yes (CPRA addition) | Yes (right to rectification) |
|
|
52
|
+
| **Right to portability** | Yes — portable format in access request | Yes — explicitly structured, commonly used, machine-readable format |
|
|
53
|
+
| **Right to opt-out of sale** | Yes — "Do Not Sell or Share My Personal Information" | No direct equivalent; may be covered by withdrawal of consent or objection to legitimate interests |
|
|
54
|
+
| **Right to restrict processing** | Limited — SPI limitation right (CPRA) | Yes — broader right to restrict processing |
|
|
55
|
+
| **Right to object** | Limited — opt-out of sale/sharing | Yes — right to object to processing based on legitimate interests or direct marketing |
|
|
56
|
+
| **Automated decision-making** | Pending CPPA rulemaking; opt-out right likely | Yes (Art. 22) — right not to be subject to solely automated decisions with significant effects |
|
|
57
|
+
| **Non-discrimination** | Yes (§1798.125) | No direct equivalent |
|
|
58
|
+
| **Response deadline** | 45 days + 45-day extension; SPI limit: 15 business days | 1 month + 2-month extension |
|
|
59
|
+
|
|
60
|
+
---
|
|
61
|
+
|
|
62
|
+
## Privacy Notices
|
|
63
|
+
|
|
64
|
+
| Requirement | CCPA/CPRA | GDPR |
|
|
65
|
+
|---|---|---|
|
|
66
|
+
| **At-collection notice** | Yes — categories, purposes, whether PI is sold/shared, link to privacy policy | Yes — Art. 13/14 privacy notice at collection |
|
|
67
|
+
| **Privacy policy** | Yes — comprehensive; updated annually | Yes — privacy notice must be accessible |
|
|
68
|
+
| **Retention periods** | Yes (CPRA addition) | Yes (must be specified or criteria stated) |
|
|
69
|
+
| **Lawful basis disclosure** | No — not applicable | Yes — must identify lawful basis for each processing purpose |
|
|
70
|
+
| **GPC signal** | Must honor as valid opt-out | No equivalent; but ePrivacy Directive may cover browser signals |
|
|
71
|
+
|
|
72
|
+
---
|
|
73
|
+
|
|
74
|
+
## Vendor / Third-Party Management
|
|
75
|
+
|
|
76
|
+
| Aspect | CCPA/CPRA | GDPR |
|
|
77
|
+
|---|---|---|
|
|
78
|
+
| **Processor agreements** | Required with service providers and contractors | Required Data Processing Agreements (Art. 28) |
|
|
79
|
+
| **Contract requirements** | Purpose limitation, prohibition on resale, deletion, audit rights | Detailed Art. 28 requirements: processing only on instructions, security, subprocessor rules, return/deletion |
|
|
80
|
+
| **Sub-processor** | Contractor / downstream service provider must also comply | Subprocessors require DPA + controller notification/approval |
|
|
81
|
+
| **International transfers** | No transfer restriction mechanism (CCPA does not restrict cross-border transfers) | Restricted to adequate countries or requires transfer mechanism (SCCs, BCRs, adequacy decision) |
|
|
82
|
+
|
|
83
|
+
---
|
|
84
|
+
|
|
85
|
+
## Enforcement & Penalties
|
|
86
|
+
|
|
87
|
+
| Aspect | CCPA/CPRA | GDPR |
|
|
88
|
+
|---|---|---|
|
|
89
|
+
| **Enforcement body** | California Privacy Protection Agency (CPPA) + California AG | Data Protection Authorities (DPAs) in each EU/EEA Member State |
|
|
90
|
+
| **Civil penalties** | $2,500 per unintentional / $7,500 per intentional violation | Up to €10M or 2% (lower tier) / €20M or 4% (higher tier) of global annual turnover |
|
|
91
|
+
| **Private right of action** | Yes — but limited to data breaches: $100–$750 per consumer per incident | Limited; EU Member States vary; class actions being developed |
|
|
92
|
+
| **Criminal penalties** | No direct CCPA criminal liability | Some Member States have criminal provisions |
|
|
93
|
+
| **Cure period** | 30-day cure notice period (for AG actions; CPPA administrative actions may differ) | No formal cure period |
|
|
94
|
+
|
|
95
|
+
---
|
|
96
|
+
|
|
97
|
+
## Practical Dual-Compliance Guidance
|
|
98
|
+
|
|
99
|
+
For organisations subject to both frameworks, the GDPR is generally the more demanding law. A GDPR-compliant programme will cover most CCPA/CPRA obligations with targeted additions:
|
|
100
|
+
|
|
101
|
+
**What GDPR already covers:**
|
|
102
|
+
- Privacy notices (at collection and policy)
|
|
103
|
+
- Consumer/data subject rights processes (access, delete, correct, portability)
|
|
104
|
+
- Processor agreements
|
|
105
|
+
- Data minimization and purpose limitation
|
|
106
|
+
- Retention schedules
|
|
107
|
+
- Security measures
|
|
108
|
+
|
|
109
|
+
**CCPA/CPRA-specific additions needed:**
|
|
110
|
+
1. Add **"Do Not Sell or Share My Personal Information"** link and opt-out workflow
|
|
111
|
+
2. Honor **Global Privacy Control (GPC)** signals
|
|
112
|
+
3. Add **"Limit the Use of My Sensitive Personal Information"** link and 15-day response workflow
|
|
113
|
+
4. Review vendor classification: are all "processors" actually **service providers** under CCPA (contracts may need updating)?
|
|
114
|
+
5. Implement **minors' opt-in** consent for sale/sharing (under 16)
|
|
115
|
+
6. Add **financial incentive / loyalty programme** disclosures if applicable
|
|
116
|
+
7. Confirm business threshold compliance annually — revenues and data volume thresholds
|
|
117
|
+
8. Prepare for **CPPA rulemaking** on automated decision-making and cybersecurity audits
|
|
@@ -1,177 +1,177 @@
|
|
|
1
|
-
# CCPA/CPRA Consumer Rights — Fulfillment Workflows
|
|
2
|
-
|
|
3
|
-
## General Request Handling Principles
|
|
4
|
-
|
|
5
|
-
**Intake channels (§1798.130):** Businesses must provide at least two methods for submitting requests, including (where applicable) a toll-free phone number and a web form or email. Online-only businesses may provide an email address as one method.
|
|
6
|
-
|
|
7
|
-
**Identity verification:** Must verify consumer identity before disclosing or deleting PI. Verification requirements scale with sensitivity:
|
|
8
|
-
- For non-sensitive requests: match 2 data points the business already holds
|
|
9
|
-
- For sensitive PI / financial data: match 3 data points + signed declaration under penalty of perjury
|
|
10
|
-
- For requests submitted through an authorized agent: require written permission + verification of agent identity
|
|
11
|
-
|
|
12
|
-
**Response timelines:** 45 calendar days from receipt (extendable once by another 45 days with notice). For SPI limitation requests: 15 business days.
|
|
13
|
-
|
|
14
|
-
**Free of charge:** Requests must be fulfilled free of charge, twice per 12-month period. Businesses may charge a reasonable fee for additional requests within 12 months if manifestly unfounded or excessive.
|
|
15
|
-
|
|
16
|
-
---
|
|
17
|
-
|
|
18
|
-
## Right to Know (§1798.110 / §1798.115)
|
|
19
|
-
|
|
20
|
-
**What must be disclosed:**
|
|
21
|
-
- Specific pieces of PI collected about the consumer
|
|
22
|
-
- Categories of PI collected
|
|
23
|
-
- Categories of sources from which PI was collected
|
|
24
|
-
- Business or commercial purpose for collecting, selling, or sharing PI
|
|
25
|
-
- Categories of third parties to whom PI was disclosed
|
|
26
|
-
- Categories of PI sold or shared and the categories of third parties to whom it was sold/shared
|
|
27
|
-
|
|
28
|
-
**Scope:** Covers PI collected in the 12 months prior to request (and ongoing from January 1, 2022 under CPRA, with no 12-month limit for data collected after that date).
|
|
29
|
-
|
|
30
|
-
**Exceptions where disclosure can be refused:**
|
|
31
|
-
- Would require disclosing third-party trade secrets
|
|
32
|
-
- Would conflict with federal/state law
|
|
33
|
-
- PI collected for single one-time transaction and not retained
|
|
34
|
-
- PI solely for internal operations consistent with context of collection
|
|
35
|
-
- Solely used to complete the transaction for which collected
|
|
36
|
-
|
|
37
|
-
**Workflow:**
|
|
38
|
-
1. Receive and log request with timestamp
|
|
39
|
-
2. Verify consumer identity (2-point match for standard requests)
|
|
40
|
-
3. Search PI systems using identifying data
|
|
41
|
-
4. Compile responsive PI across all systems (CRM, analytics, ad tech, etc.)
|
|
42
|
-
5. Apply exceptions — remove third-party trade secrets, conflicting legal holds
|
|
43
|
-
6. Deliver response in portable, readily usable format within 45 days
|
|
44
|
-
7. Provide notice if extension is needed (within original 45-day window)
|
|
45
|
-
|
|
46
|
-
---
|
|
47
|
-
|
|
48
|
-
## Right to Delete (§1798.105)
|
|
49
|
-
|
|
50
|
-
**Business must:**
|
|
51
|
-
- Delete the consumer's PI from its records
|
|
52
|
-
- Direct service providers and contractors to delete the PI
|
|
53
|
-
|
|
54
|
-
**Exceptions (business may retain PI if necessary to):**
|
|
55
|
-
1. Complete a transaction or perform a contract
|
|
56
|
-
2. Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity
|
|
57
|
-
3. Fix errors that impair intended functionality
|
|
58
|
-
4. Exercise free speech or ensure another consumer's right to free speech
|
|
59
|
-
5. Comply with a legal obligation (CCPA §1798.145(a))
|
|
60
|
-
6. Use PI solely for internal purposes in a manner compatible with the context of collection (limited CPRA exception)
|
|
61
|
-
7. Research, journalism, or statistical purposes in the public interest
|
|
62
|
-
|
|
63
|
-
**Workflow:**
|
|
64
|
-
1. Receive and log deletion request
|
|
65
|
-
2. Verify consumer identity
|
|
66
|
-
3. Check if any exceptions apply; document reasoning if invoking an exception
|
|
67
|
-
4. If proceeding with deletion: identify all PI records, propagate deletion to service providers and contractors
|
|
68
|
-
5. Confirm deletion to consumer (or explain exception invoked) within 45 days
|
|
69
|
-
6. Retain deletion request records (for proof of compliance) — note: retaining the request itself is not a contradiction
|
|
70
|
-
|
|
71
|
-
---
|
|
72
|
-
|
|
73
|
-
## Right to Correct (§1798.106) — CPRA Addition
|
|
74
|
-
|
|
75
|
-
**What the business must do:**
|
|
76
|
-
- Take commercially reasonable steps to correct inaccurate PI
|
|
77
|
-
- Instruct service providers and contractors to correct the PI
|
|
78
|
-
- Consumer must provide documentation if business contests the claimed inaccuracy
|
|
79
|
-
|
|
80
|
-
**Business may decline if:**
|
|
81
|
-
- Correction would require revealing another individual's PI
|
|
82
|
-
- Business disagrees the PI is inaccurate and documents its decision
|
|
83
|
-
|
|
84
|
-
**Workflow:**
|
|
85
|
-
1. Receive correction request with claimed correction details
|
|
86
|
-
2. Verify consumer identity
|
|
87
|
-
3. Evaluate accuracy of the claimed correction (may request supporting documentation)
|
|
88
|
-
4. If agreeing to correct: update all relevant systems; instruct service providers and contractors
|
|
89
|
-
5. Notify consumer of outcome within 45 days
|
|
90
|
-
|
|
91
|
-
---
|
|
92
|
-
|
|
93
|
-
## Right to Opt-Out of Sale / Sharing (§1798.120)
|
|
94
|
-
|
|
95
|
-
**Scope:** Applies to:
|
|
96
|
-
- **Sale**: disclosure of PI to a third party for monetary or other valuable consideration
|
|
97
|
-
- **Sharing** (CPRA): disclosure of PI to a third party for cross-context behavioral advertising
|
|
98
|
-
|
|
99
|
-
**Mechanics:**
|
|
100
|
-
- "Do Not Sell or Share My Personal Information" link must be prominently placed on homepage and in privacy policy
|
|
101
|
-
- Must honor the **Global Privacy Control (GPC)** signal as a valid opt-out — the CPPA has confirmed GPC compliance is required
|
|
102
|
-
- Once opted out, the business must wait **12 months** before asking the consumer to re-consent
|
|
103
|
-
|
|
104
|
-
**Impact on advertising:**
|
|
105
|
-
- Opt-out means the business cannot pass PI (including cookie IDs, device fingerprints) to ad tech partners, ad exchanges, or DMPs for targeting
|
|
106
|
-
- Analytics via first-party tools that do not involve PI disclosure to third parties are typically not affected
|
|
107
|
-
|
|
108
|
-
**Workflow:**
|
|
109
|
-
1. Consumer submits opt-out via link, form, or GPC signal
|
|
110
|
-
2. No identity verification required for opt-out (only reasonable verification to confirm they are the consumer)
|
|
111
|
-
3. Update consent/preference management platform within 15 business days
|
|
112
|
-
4. Propagate opt-out to service providers and contractors engaged in sale/sharing
|
|
113
|
-
5. Do not contact consumer for 12 months to ask them to reconsider
|
|
114
|
-
|
|
115
|
-
---
|
|
116
|
-
|
|
117
|
-
## Right to Limit Use of Sensitive Personal Information (§1798.121) — CPRA Addition
|
|
118
|
-
|
|
119
|
-
**Sensitive Personal Information (SPI) categories:**
|
|
120
|
-
- Social Security numbers, driver's license, passport, other government IDs
|
|
121
|
-
- Financial account credentials (login + security code)
|
|
122
|
-
- Precise geolocation (within 1/4 mile)
|
|
123
|
-
- Racial/ethnic origin, religious/philosophical beliefs, union membership
|
|
124
|
-
- Contents of consumer mail, email, or text messages (unless business is the intended recipient)
|
|
125
|
-
- Genetic data
|
|
126
|
-
- Biometric data for uniquely identifying a person
|
|
127
|
-
- Health/medical information
|
|
128
|
-
- Sexual orientation or sex life
|
|
129
|
-
|
|
130
|
-
**Permitted uses without limitation right:**
|
|
131
|
-
Business may use SPI without offering limitation if the purpose is:
|
|
132
|
-
- Performing services or providing goods reasonably expected by a consumer
|
|
133
|
-
- Safety, security, and integrity of services
|
|
134
|
-
- Short-term, transient use (e.g., contextual ad based on current session)
|
|
135
|
-
- Services on behalf of the business (service provider context)
|
|
136
|
-
- Verifying or maintaining quality of services
|
|
137
|
-
- Activities for which SPI was provided
|
|
138
|
-
|
|
139
|
-
**Workflow:**
|
|
140
|
-
1. Provide "Limit the Use of My Sensitive Personal Information" link on homepage (alongside or combined with "Do Not Sell or Share" link)
|
|
141
|
-
2. Consumer exercises right — no identity verification required beyond confirming consumer identity
|
|
142
|
-
3. Process within **15 business days**
|
|
143
|
-
4. Restrict use of SPI to only the permitted purposes listed above
|
|
144
|
-
5. Propagate limitation to service providers and contractors
|
|
145
|
-
|
|
146
|
-
---
|
|
147
|
-
|
|
148
|
-
## Right to Non-Discrimination (§1798.125)
|
|
149
|
-
|
|
150
|
-
Businesses **cannot**, because a consumer exercised a CCPA/CPRA right:
|
|
151
|
-
- Deny goods or services
|
|
152
|
-
- Charge a different price (except where directly related to value of data)
|
|
153
|
-
- Provide a different level or quality of goods/services
|
|
154
|
-
- Suggest any of the above will occur
|
|
155
|
-
|
|
156
|
-
**Exception:** Businesses may offer financial incentives (loyalty programs, discounts) in exchange for PI, provided:
|
|
157
|
-
- The financial incentive is reasonably related to the value of the consumer's PI
|
|
158
|
-
- Consumer provides opt-in consent with a clear description of material terms
|
|
159
|
-
- Consumer can withdraw at any time
|
|
160
|
-
|
|
161
|
-
---
|
|
162
|
-
|
|
163
|
-
## Authorized Agent Requests
|
|
164
|
-
|
|
165
|
-
Consumers may designate an authorized agent to submit requests on their behalf. Business must:
|
|
166
|
-
- Require written permission from the consumer (signed authorization)
|
|
167
|
-
- Verify the agent's identity
|
|
168
|
-
- May require direct verification with the consumer as well (except for opt-out requests where agent has power of attorney)
|
|
169
|
-
|
|
170
|
-
---
|
|
171
|
-
|
|
172
|
-
## Record-Keeping
|
|
173
|
-
|
|
174
|
-
**CPRA requires businesses handling PI of 10M+ consumers/households** to maintain records of:
|
|
175
|
-
- Consumer requests and responses for 24 months
|
|
176
|
-
- Disclosures for 24 months
|
|
177
|
-
- Training records for CCPA/CPRA compliance
|
|
1
|
+
# CCPA/CPRA Consumer Rights — Fulfillment Workflows
|
|
2
|
+
|
|
3
|
+
## General Request Handling Principles
|
|
4
|
+
|
|
5
|
+
**Intake channels (§1798.130):** Businesses must provide at least two methods for submitting requests, including (where applicable) a toll-free phone number and a web form or email. Online-only businesses may provide an email address as one method.
|
|
6
|
+
|
|
7
|
+
**Identity verification:** Must verify consumer identity before disclosing or deleting PI. Verification requirements scale with sensitivity:
|
|
8
|
+
- For non-sensitive requests: match 2 data points the business already holds
|
|
9
|
+
- For sensitive PI / financial data: match 3 data points + signed declaration under penalty of perjury
|
|
10
|
+
- For requests submitted through an authorized agent: require written permission + verification of agent identity
|
|
11
|
+
|
|
12
|
+
**Response timelines:** 45 calendar days from receipt (extendable once by another 45 days with notice). For SPI limitation requests: 15 business days.
|
|
13
|
+
|
|
14
|
+
**Free of charge:** Requests must be fulfilled free of charge, twice per 12-month period. Businesses may charge a reasonable fee for additional requests within 12 months if manifestly unfounded or excessive.
|
|
15
|
+
|
|
16
|
+
---
|
|
17
|
+
|
|
18
|
+
## Right to Know (§1798.110 / §1798.115)
|
|
19
|
+
|
|
20
|
+
**What must be disclosed:**
|
|
21
|
+
- Specific pieces of PI collected about the consumer
|
|
22
|
+
- Categories of PI collected
|
|
23
|
+
- Categories of sources from which PI was collected
|
|
24
|
+
- Business or commercial purpose for collecting, selling, or sharing PI
|
|
25
|
+
- Categories of third parties to whom PI was disclosed
|
|
26
|
+
- Categories of PI sold or shared and the categories of third parties to whom it was sold/shared
|
|
27
|
+
|
|
28
|
+
**Scope:** Covers PI collected in the 12 months prior to request (and ongoing from January 1, 2022 under CPRA, with no 12-month limit for data collected after that date).
|
|
29
|
+
|
|
30
|
+
**Exceptions where disclosure can be refused:**
|
|
31
|
+
- Would require disclosing third-party trade secrets
|
|
32
|
+
- Would conflict with federal/state law
|
|
33
|
+
- PI collected for single one-time transaction and not retained
|
|
34
|
+
- PI solely for internal operations consistent with context of collection
|
|
35
|
+
- Solely used to complete the transaction for which collected
|
|
36
|
+
|
|
37
|
+
**Workflow:**
|
|
38
|
+
1. Receive and log request with timestamp
|
|
39
|
+
2. Verify consumer identity (2-point match for standard requests)
|
|
40
|
+
3. Search PI systems using identifying data
|
|
41
|
+
4. Compile responsive PI across all systems (CRM, analytics, ad tech, etc.)
|
|
42
|
+
5. Apply exceptions — remove third-party trade secrets, conflicting legal holds
|
|
43
|
+
6. Deliver response in portable, readily usable format within 45 days
|
|
44
|
+
7. Provide notice if extension is needed (within original 45-day window)
|
|
45
|
+
|
|
46
|
+
---
|
|
47
|
+
|
|
48
|
+
## Right to Delete (§1798.105)
|
|
49
|
+
|
|
50
|
+
**Business must:**
|
|
51
|
+
- Delete the consumer's PI from its records
|
|
52
|
+
- Direct service providers and contractors to delete the PI
|
|
53
|
+
|
|
54
|
+
**Exceptions (business may retain PI if necessary to):**
|
|
55
|
+
1. Complete a transaction or perform a contract
|
|
56
|
+
2. Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity
|
|
57
|
+
3. Fix errors that impair intended functionality
|
|
58
|
+
4. Exercise free speech or ensure another consumer's right to free speech
|
|
59
|
+
5. Comply with a legal obligation (CCPA §1798.145(a))
|
|
60
|
+
6. Use PI solely for internal purposes in a manner compatible with the context of collection (limited CPRA exception)
|
|
61
|
+
7. Research, journalism, or statistical purposes in the public interest
|
|
62
|
+
|
|
63
|
+
**Workflow:**
|
|
64
|
+
1. Receive and log deletion request
|
|
65
|
+
2. Verify consumer identity
|
|
66
|
+
3. Check if any exceptions apply; document reasoning if invoking an exception
|
|
67
|
+
4. If proceeding with deletion: identify all PI records, propagate deletion to service providers and contractors
|
|
68
|
+
5. Confirm deletion to consumer (or explain exception invoked) within 45 days
|
|
69
|
+
6. Retain deletion request records (for proof of compliance) — note: retaining the request itself is not a contradiction
|
|
70
|
+
|
|
71
|
+
---
|
|
72
|
+
|
|
73
|
+
## Right to Correct (§1798.106) — CPRA Addition
|
|
74
|
+
|
|
75
|
+
**What the business must do:**
|
|
76
|
+
- Take commercially reasonable steps to correct inaccurate PI
|
|
77
|
+
- Instruct service providers and contractors to correct the PI
|
|
78
|
+
- Consumer must provide documentation if business contests the claimed inaccuracy
|
|
79
|
+
|
|
80
|
+
**Business may decline if:**
|
|
81
|
+
- Correction would require revealing another individual's PI
|
|
82
|
+
- Business disagrees the PI is inaccurate and documents its decision
|
|
83
|
+
|
|
84
|
+
**Workflow:**
|
|
85
|
+
1. Receive correction request with claimed correction details
|
|
86
|
+
2. Verify consumer identity
|
|
87
|
+
3. Evaluate accuracy of the claimed correction (may request supporting documentation)
|
|
88
|
+
4. If agreeing to correct: update all relevant systems; instruct service providers and contractors
|
|
89
|
+
5. Notify consumer of outcome within 45 days
|
|
90
|
+
|
|
91
|
+
---
|
|
92
|
+
|
|
93
|
+
## Right to Opt-Out of Sale / Sharing (§1798.120)
|
|
94
|
+
|
|
95
|
+
**Scope:** Applies to:
|
|
96
|
+
- **Sale**: disclosure of PI to a third party for monetary or other valuable consideration
|
|
97
|
+
- **Sharing** (CPRA): disclosure of PI to a third party for cross-context behavioral advertising
|
|
98
|
+
|
|
99
|
+
**Mechanics:**
|
|
100
|
+
- "Do Not Sell or Share My Personal Information" link must be prominently placed on homepage and in privacy policy
|
|
101
|
+
- Must honor the **Global Privacy Control (GPC)** signal as a valid opt-out — the CPPA has confirmed GPC compliance is required
|
|
102
|
+
- Once opted out, the business must wait **12 months** before asking the consumer to re-consent
|
|
103
|
+
|
|
104
|
+
**Impact on advertising:**
|
|
105
|
+
- Opt-out means the business cannot pass PI (including cookie IDs, device fingerprints) to ad tech partners, ad exchanges, or DMPs for targeting
|
|
106
|
+
- Analytics via first-party tools that do not involve PI disclosure to third parties are typically not affected
|
|
107
|
+
|
|
108
|
+
**Workflow:**
|
|
109
|
+
1. Consumer submits opt-out via link, form, or GPC signal
|
|
110
|
+
2. No identity verification required for opt-out (only reasonable verification to confirm they are the consumer)
|
|
111
|
+
3. Update consent/preference management platform within 15 business days
|
|
112
|
+
4. Propagate opt-out to service providers and contractors engaged in sale/sharing
|
|
113
|
+
5. Do not contact consumer for 12 months to ask them to reconsider
|
|
114
|
+
|
|
115
|
+
---
|
|
116
|
+
|
|
117
|
+
## Right to Limit Use of Sensitive Personal Information (§1798.121) — CPRA Addition
|
|
118
|
+
|
|
119
|
+
**Sensitive Personal Information (SPI) categories:**
|
|
120
|
+
- Social Security numbers, driver's license, passport, other government IDs
|
|
121
|
+
- Financial account credentials (login + security code)
|
|
122
|
+
- Precise geolocation (within 1/4 mile)
|
|
123
|
+
- Racial/ethnic origin, religious/philosophical beliefs, union membership
|
|
124
|
+
- Contents of consumer mail, email, or text messages (unless business is the intended recipient)
|
|
125
|
+
- Genetic data
|
|
126
|
+
- Biometric data for uniquely identifying a person
|
|
127
|
+
- Health/medical information
|
|
128
|
+
- Sexual orientation or sex life
|
|
129
|
+
|
|
130
|
+
**Permitted uses without limitation right:**
|
|
131
|
+
Business may use SPI without offering limitation if the purpose is:
|
|
132
|
+
- Performing services or providing goods reasonably expected by a consumer
|
|
133
|
+
- Safety, security, and integrity of services
|
|
134
|
+
- Short-term, transient use (e.g., contextual ad based on current session)
|
|
135
|
+
- Services on behalf of the business (service provider context)
|
|
136
|
+
- Verifying or maintaining quality of services
|
|
137
|
+
- Activities for which SPI was provided
|
|
138
|
+
|
|
139
|
+
**Workflow:**
|
|
140
|
+
1. Provide "Limit the Use of My Sensitive Personal Information" link on homepage (alongside or combined with "Do Not Sell or Share" link)
|
|
141
|
+
2. Consumer exercises right — no identity verification required beyond confirming consumer identity
|
|
142
|
+
3. Process within **15 business days**
|
|
143
|
+
4. Restrict use of SPI to only the permitted purposes listed above
|
|
144
|
+
5. Propagate limitation to service providers and contractors
|
|
145
|
+
|
|
146
|
+
---
|
|
147
|
+
|
|
148
|
+
## Right to Non-Discrimination (§1798.125)
|
|
149
|
+
|
|
150
|
+
Businesses **cannot**, because a consumer exercised a CCPA/CPRA right:
|
|
151
|
+
- Deny goods or services
|
|
152
|
+
- Charge a different price (except where directly related to value of data)
|
|
153
|
+
- Provide a different level or quality of goods/services
|
|
154
|
+
- Suggest any of the above will occur
|
|
155
|
+
|
|
156
|
+
**Exception:** Businesses may offer financial incentives (loyalty programs, discounts) in exchange for PI, provided:
|
|
157
|
+
- The financial incentive is reasonably related to the value of the consumer's PI
|
|
158
|
+
- Consumer provides opt-in consent with a clear description of material terms
|
|
159
|
+
- Consumer can withdraw at any time
|
|
160
|
+
|
|
161
|
+
---
|
|
162
|
+
|
|
163
|
+
## Authorized Agent Requests
|
|
164
|
+
|
|
165
|
+
Consumers may designate an authorized agent to submit requests on their behalf. Business must:
|
|
166
|
+
- Require written permission from the consumer (signed authorization)
|
|
167
|
+
- Verify the agent's identity
|
|
168
|
+
- May require direct verification with the consumer as well (except for opt-out requests where agent has power of attorney)
|
|
169
|
+
|
|
170
|
+
---
|
|
171
|
+
|
|
172
|
+
## Record-Keeping
|
|
173
|
+
|
|
174
|
+
**CPRA requires businesses handling PI of 10M+ consumers/households** to maintain records of:
|
|
175
|
+
- Consumer requests and responses for 24 months
|
|
176
|
+
- Disclosures for 24 months
|
|
177
|
+
- Training records for CCPA/CPRA compliance
|