bmad-plus 0.9.0 → 0.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (192) hide show
  1. package/CHANGELOG.md +36 -0
  2. package/LICENSE +21 -21
  3. package/README.md +106 -86
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  21. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  22. package/package.json +30 -3
  23. package/readme-international/README.de.md +8 -3
  24. package/readme-international/README.es.md +8 -3
  25. package/readme-international/README.fr.md +8 -3
  26. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  27. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  28. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  29. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  30. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  31. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  32. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  33. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  34. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  35. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  36. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  37. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  38. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  39. package/src/bmad-plus/module-help.csv +10 -10
  40. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  41. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  42. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  43. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  44. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  45. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  46. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  47. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  48. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  49. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  50. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  51. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -13
  52. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  53. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -82
  54. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
  55. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
  56. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
  57. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
  58. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
  59. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
  60. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
  61. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
  62. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
  63. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
  64. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
  65. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
  66. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  67. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  68. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  69. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  70. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  71. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
  72. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
  73. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
  74. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
  75. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
  76. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
  77. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
  78. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
  79. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
  80. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
  81. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  82. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  83. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  84. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  85. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  86. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  87. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  88. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  89. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  90. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  91. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  92. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  93. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  94. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  95. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  96. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  97. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  98. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  99. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  100. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  101. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  102. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  103. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  104. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  105. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  106. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  107. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  108. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  109. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  110. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  111. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  112. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  113. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  114. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  115. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  116. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  117. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  118. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  119. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  120. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  121. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  122. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  123. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  124. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  125. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  126. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  127. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  128. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  129. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  130. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  131. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  132. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  133. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  134. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  135. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  136. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  137. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  138. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  139. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  140. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  141. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  142. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  143. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  144. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  145. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  146. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  147. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  148. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  149. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  150. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  151. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  152. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  153. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  154. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  155. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  156. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  157. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  158. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  159. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  160. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  161. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  162. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  163. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  164. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  165. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  166. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  167. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  168. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  169. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  170. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  171. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  172. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  173. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  174. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  175. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  176. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  177. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  178. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  179. package/tools/cli/bmad-plus-cli.js +5 -3
  180. package/tools/cli/commands/autoconfig.js +23 -59
  181. package/tools/cli/commands/doctor.js +14 -0
  182. package/tools/cli/commands/install.js +29 -128
  183. package/tools/cli/commands/memory.js +1 -0
  184. package/tools/cli/commands/scan.js +44 -42
  185. package/tools/cli/commands/uninstall.js +10 -5
  186. package/tools/cli/commands/update.js +21 -3
  187. package/tools/cli/lib/ide-config.js +259 -0
  188. package/tools/cli/lib/memory-init.js +0 -1
  189. package/tools/cli/lib/pack-copy.js +84 -84
  190. package/tools/cli/lib/packs.js +16 -8
  191. package/tools/cli/lib/stack-detect.js +102 -0
  192. package/tools/cli/lib/validate.js +50 -0
@@ -1,117 +1,117 @@
1
- # CCPA/CPRA vs. GDPR — Side-by-Side Comparison
2
-
3
- For organisations subject to both laws (e.g., a US company with EU customers, or an EU company with California customers), understanding the differences and overlaps is essential to building an efficient dual-compliance programme.
4
-
5
- ---
6
-
7
- ## Scope & Applicability
8
-
9
- | Dimension | CCPA/CPRA | GDPR |
10
- |---|---|---|
11
- | **Jurisdictional trigger** | Doing business in California | Processing EU/EEA/UK residents' personal data |
12
- | **Who is covered** | For-profit businesses meeting threshold criteria | Any controller or processor, regardless of size or location |
13
- | **Size/revenue thresholds** | Yes — $25M revenue OR 100K+ consumers OR 50%+ revenue from PI sale/sharing | No — applies to any organisation processing EU personal data |
14
- | **Non-profits** | Generally exempt | Covered |
15
- | **Government entities** | Exempt | Covered (public authorities have specific rules) |
16
- | **B2B data** | Generally excluded (employee data limited exemption extended by CPRA) | Covered |
17
-
18
- ---
19
-
20
- ## Key Definitions
21
-
22
- | Concept | CCPA/CPRA | GDPR |
23
- |---|---|---|
24
- | **Personal data/PI** | Broadly defined; includes household data | Broadly defined; personal to identified/identifiable individual only |
25
- | **Special/sensitive categories** | CPRA SPI: SSN, precise geolocation, biometric, health, racial/ethnic, religious, union, sexual orientation, genetic, credentials, comms content | Special categories: racial/ethnic, political opinion, religious, union, genetic, biometric, health, sex life, sexual orientation |
26
- | **Controller equivalent** | "Business" | "Controller" |
27
- | **Processor equivalent** | "Service Provider" + "Contractor" (CPRA) | "Processor" |
28
- | **Third party** | Entity that receives PI that is not a service provider/contractor | Not separately defined in same way |
29
- | **Sale of data** | Broad: monetary or other valuable consideration | No equivalent concept; disclosure to third party = separate processing activity |
30
- | **Sharing (cross-context behavioral advertising)** | CPRA-specific concept | No direct equivalent; covered under legitimate interests or consent for tracking |
31
-
32
- ---
33
-
34
- ## Lawful Basis
35
-
36
- | Aspect | CCPA/CPRA | GDPR |
37
- |---|---|---|
38
- | **Basis for processing** | No lawful basis requirement — businesses can collect PI without consent (for most purposes) | Requires one of six lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interests) |
39
- | **Consent for sensitive data** | Right to limit SPI use (opt-out model for most businesses) | Explicit consent required for special category data (with narrow exceptions) |
40
- | **Opt-in vs. opt-out** | Primarily opt-out model (consumers must affirmatively request opt-out) | Primarily opt-in model (consent must be freely given, specific, informed, unambiguous) |
41
- | **Minors (under 16)** | Opt-in required for sale/sharing of PI of consumers 13–16; parental consent under 13 | GDPR age of consent varies by Member State (13–16); parental consent for under-16 processing based on consent |
42
-
43
- ---
44
-
45
- ## Consumer / Data Subject Rights
46
-
47
- | Right | CCPA/CPRA | GDPR |
48
- |---|---|---|
49
- | **Right to access** | Yes — specific pieces + categories (12-month scope pre-CPRA, no limit post-Jan 2022) | Yes — all personal data, no 12-month limitation |
50
- | **Right to delete** | Yes — with numerous exceptions | Yes (right to erasure) — with exceptions |
51
- | **Right to correct** | Yes (CPRA addition) | Yes (right to rectification) |
52
- | **Right to portability** | Yes — portable format in access request | Yes — explicitly structured, commonly used, machine-readable format |
53
- | **Right to opt-out of sale** | Yes — "Do Not Sell or Share My Personal Information" | No direct equivalent; may be covered by withdrawal of consent or objection to legitimate interests |
54
- | **Right to restrict processing** | Limited — SPI limitation right (CPRA) | Yes — broader right to restrict processing |
55
- | **Right to object** | Limited — opt-out of sale/sharing | Yes — right to object to processing based on legitimate interests or direct marketing |
56
- | **Automated decision-making** | Pending CPPA rulemaking; opt-out right likely | Yes (Art. 22) — right not to be subject to solely automated decisions with significant effects |
57
- | **Non-discrimination** | Yes (§1798.125) | No direct equivalent |
58
- | **Response deadline** | 45 days + 45-day extension; SPI limit: 15 business days | 1 month + 2-month extension |
59
-
60
- ---
61
-
62
- ## Privacy Notices
63
-
64
- | Requirement | CCPA/CPRA | GDPR |
65
- |---|---|---|
66
- | **At-collection notice** | Yes — categories, purposes, whether PI is sold/shared, link to privacy policy | Yes — Art. 13/14 privacy notice at collection |
67
- | **Privacy policy** | Yes — comprehensive; updated annually | Yes — privacy notice must be accessible |
68
- | **Retention periods** | Yes (CPRA addition) | Yes (must be specified or criteria stated) |
69
- | **Lawful basis disclosure** | No — not applicable | Yes — must identify lawful basis for each processing purpose |
70
- | **GPC signal** | Must honor as valid opt-out | No equivalent; but ePrivacy Directive may cover browser signals |
71
-
72
- ---
73
-
74
- ## Vendor / Third-Party Management
75
-
76
- | Aspect | CCPA/CPRA | GDPR |
77
- |---|---|---|
78
- | **Processor agreements** | Required with service providers and contractors | Required Data Processing Agreements (Art. 28) |
79
- | **Contract requirements** | Purpose limitation, prohibition on resale, deletion, audit rights | Detailed Art. 28 requirements: processing only on instructions, security, subprocessor rules, return/deletion |
80
- | **Sub-processor** | Contractor / downstream service provider must also comply | Subprocessors require DPA + controller notification/approval |
81
- | **International transfers** | No transfer restriction mechanism (CCPA does not restrict cross-border transfers) | Restricted to adequate countries or requires transfer mechanism (SCCs, BCRs, adequacy decision) |
82
-
83
- ---
84
-
85
- ## Enforcement & Penalties
86
-
87
- | Aspect | CCPA/CPRA | GDPR |
88
- |---|---|---|
89
- | **Enforcement body** | California Privacy Protection Agency (CPPA) + California AG | Data Protection Authorities (DPAs) in each EU/EEA Member State |
90
- | **Civil penalties** | $2,500 per unintentional / $7,500 per intentional violation | Up to €10M or 2% (lower tier) / €20M or 4% (higher tier) of global annual turnover |
91
- | **Private right of action** | Yes — but limited to data breaches: $100–$750 per consumer per incident | Limited; EU Member States vary; class actions being developed |
92
- | **Criminal penalties** | No direct CCPA criminal liability | Some Member States have criminal provisions |
93
- | **Cure period** | 30-day cure notice period (for AG actions; CPPA administrative actions may differ) | No formal cure period |
94
-
95
- ---
96
-
97
- ## Practical Dual-Compliance Guidance
98
-
99
- For organisations subject to both frameworks, the GDPR is generally the more demanding law. A GDPR-compliant programme will cover most CCPA/CPRA obligations with targeted additions:
100
-
101
- **What GDPR already covers:**
102
- - Privacy notices (at collection and policy)
103
- - Consumer/data subject rights processes (access, delete, correct, portability)
104
- - Processor agreements
105
- - Data minimization and purpose limitation
106
- - Retention schedules
107
- - Security measures
108
-
109
- **CCPA/CPRA-specific additions needed:**
110
- 1. Add **"Do Not Sell or Share My Personal Information"** link and opt-out workflow
111
- 2. Honor **Global Privacy Control (GPC)** signals
112
- 3. Add **"Limit the Use of My Sensitive Personal Information"** link and 15-day response workflow
113
- 4. Review vendor classification: are all "processors" actually **service providers** under CCPA (contracts may need updating)?
114
- 5. Implement **minors' opt-in** consent for sale/sharing (under 16)
115
- 6. Add **financial incentive / loyalty programme** disclosures if applicable
116
- 7. Confirm business threshold compliance annually — revenues and data volume thresholds
117
- 8. Prepare for **CPPA rulemaking** on automated decision-making and cybersecurity audits
1
+ # CCPA/CPRA vs. GDPR — Side-by-Side Comparison
2
+
3
+ For organisations subject to both laws (e.g., a US company with EU customers, or an EU company with California customers), understanding the differences and overlaps is essential to building an efficient dual-compliance programme.
4
+
5
+ ---
6
+
7
+ ## Scope & Applicability
8
+
9
+ | Dimension | CCPA/CPRA | GDPR |
10
+ |---|---|---|
11
+ | **Jurisdictional trigger** | Doing business in California | Processing EU/EEA/UK residents' personal data |
12
+ | **Who is covered** | For-profit businesses meeting threshold criteria | Any controller or processor, regardless of size or location |
13
+ | **Size/revenue thresholds** | Yes — $25M revenue OR 100K+ consumers OR 50%+ revenue from PI sale/sharing | No — applies to any organisation processing EU personal data |
14
+ | **Non-profits** | Generally exempt | Covered |
15
+ | **Government entities** | Exempt | Covered (public authorities have specific rules) |
16
+ | **B2B data** | Generally excluded (employee data limited exemption extended by CPRA) | Covered |
17
+
18
+ ---
19
+
20
+ ## Key Definitions
21
+
22
+ | Concept | CCPA/CPRA | GDPR |
23
+ |---|---|---|
24
+ | **Personal data/PI** | Broadly defined; includes household data | Broadly defined; personal to identified/identifiable individual only |
25
+ | **Special/sensitive categories** | CPRA SPI: SSN, precise geolocation, biometric, health, racial/ethnic, religious, union, sexual orientation, genetic, credentials, comms content | Special categories: racial/ethnic, political opinion, religious, union, genetic, biometric, health, sex life, sexual orientation |
26
+ | **Controller equivalent** | "Business" | "Controller" |
27
+ | **Processor equivalent** | "Service Provider" + "Contractor" (CPRA) | "Processor" |
28
+ | **Third party** | Entity that receives PI that is not a service provider/contractor | Not separately defined in same way |
29
+ | **Sale of data** | Broad: monetary or other valuable consideration | No equivalent concept; disclosure to third party = separate processing activity |
30
+ | **Sharing (cross-context behavioral advertising)** | CPRA-specific concept | No direct equivalent; covered under legitimate interests or consent for tracking |
31
+
32
+ ---
33
+
34
+ ## Lawful Basis
35
+
36
+ | Aspect | CCPA/CPRA | GDPR |
37
+ |---|---|---|
38
+ | **Basis for processing** | No lawful basis requirement — businesses can collect PI without consent (for most purposes) | Requires one of six lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interests) |
39
+ | **Consent for sensitive data** | Right to limit SPI use (opt-out model for most businesses) | Explicit consent required for special category data (with narrow exceptions) |
40
+ | **Opt-in vs. opt-out** | Primarily opt-out model (consumers must affirmatively request opt-out) | Primarily opt-in model (consent must be freely given, specific, informed, unambiguous) |
41
+ | **Minors (under 16)** | Opt-in required for sale/sharing of PI of consumers 13–16; parental consent under 13 | GDPR age of consent varies by Member State (13–16); parental consent for under-16 processing based on consent |
42
+
43
+ ---
44
+
45
+ ## Consumer / Data Subject Rights
46
+
47
+ | Right | CCPA/CPRA | GDPR |
48
+ |---|---|---|
49
+ | **Right to access** | Yes — specific pieces + categories (12-month scope pre-CPRA, no limit post-Jan 2022) | Yes — all personal data, no 12-month limitation |
50
+ | **Right to delete** | Yes — with numerous exceptions | Yes (right to erasure) — with exceptions |
51
+ | **Right to correct** | Yes (CPRA addition) | Yes (right to rectification) |
52
+ | **Right to portability** | Yes — portable format in access request | Yes — explicitly structured, commonly used, machine-readable format |
53
+ | **Right to opt-out of sale** | Yes — "Do Not Sell or Share My Personal Information" | No direct equivalent; may be covered by withdrawal of consent or objection to legitimate interests |
54
+ | **Right to restrict processing** | Limited — SPI limitation right (CPRA) | Yes — broader right to restrict processing |
55
+ | **Right to object** | Limited — opt-out of sale/sharing | Yes — right to object to processing based on legitimate interests or direct marketing |
56
+ | **Automated decision-making** | Pending CPPA rulemaking; opt-out right likely | Yes (Art. 22) — right not to be subject to solely automated decisions with significant effects |
57
+ | **Non-discrimination** | Yes (§1798.125) | No direct equivalent |
58
+ | **Response deadline** | 45 days + 45-day extension; SPI limit: 15 business days | 1 month + 2-month extension |
59
+
60
+ ---
61
+
62
+ ## Privacy Notices
63
+
64
+ | Requirement | CCPA/CPRA | GDPR |
65
+ |---|---|---|
66
+ | **At-collection notice** | Yes — categories, purposes, whether PI is sold/shared, link to privacy policy | Yes — Art. 13/14 privacy notice at collection |
67
+ | **Privacy policy** | Yes — comprehensive; updated annually | Yes — privacy notice must be accessible |
68
+ | **Retention periods** | Yes (CPRA addition) | Yes (must be specified or criteria stated) |
69
+ | **Lawful basis disclosure** | No — not applicable | Yes — must identify lawful basis for each processing purpose |
70
+ | **GPC signal** | Must honor as valid opt-out | No equivalent; but ePrivacy Directive may cover browser signals |
71
+
72
+ ---
73
+
74
+ ## Vendor / Third-Party Management
75
+
76
+ | Aspect | CCPA/CPRA | GDPR |
77
+ |---|---|---|
78
+ | **Processor agreements** | Required with service providers and contractors | Required Data Processing Agreements (Art. 28) |
79
+ | **Contract requirements** | Purpose limitation, prohibition on resale, deletion, audit rights | Detailed Art. 28 requirements: processing only on instructions, security, subprocessor rules, return/deletion |
80
+ | **Sub-processor** | Contractor / downstream service provider must also comply | Subprocessors require DPA + controller notification/approval |
81
+ | **International transfers** | No transfer restriction mechanism (CCPA does not restrict cross-border transfers) | Restricted to adequate countries or requires transfer mechanism (SCCs, BCRs, adequacy decision) |
82
+
83
+ ---
84
+
85
+ ## Enforcement & Penalties
86
+
87
+ | Aspect | CCPA/CPRA | GDPR |
88
+ |---|---|---|
89
+ | **Enforcement body** | California Privacy Protection Agency (CPPA) + California AG | Data Protection Authorities (DPAs) in each EU/EEA Member State |
90
+ | **Civil penalties** | $2,500 per unintentional / $7,500 per intentional violation | Up to €10M or 2% (lower tier) / €20M or 4% (higher tier) of global annual turnover |
91
+ | **Private right of action** | Yes — but limited to data breaches: $100–$750 per consumer per incident | Limited; EU Member States vary; class actions being developed |
92
+ | **Criminal penalties** | No direct CCPA criminal liability | Some Member States have criminal provisions |
93
+ | **Cure period** | 30-day cure notice period (for AG actions; CPPA administrative actions may differ) | No formal cure period |
94
+
95
+ ---
96
+
97
+ ## Practical Dual-Compliance Guidance
98
+
99
+ For organisations subject to both frameworks, the GDPR is generally the more demanding law. A GDPR-compliant programme will cover most CCPA/CPRA obligations with targeted additions:
100
+
101
+ **What GDPR already covers:**
102
+ - Privacy notices (at collection and policy)
103
+ - Consumer/data subject rights processes (access, delete, correct, portability)
104
+ - Processor agreements
105
+ - Data minimization and purpose limitation
106
+ - Retention schedules
107
+ - Security measures
108
+
109
+ **CCPA/CPRA-specific additions needed:**
110
+ 1. Add **"Do Not Sell or Share My Personal Information"** link and opt-out workflow
111
+ 2. Honor **Global Privacy Control (GPC)** signals
112
+ 3. Add **"Limit the Use of My Sensitive Personal Information"** link and 15-day response workflow
113
+ 4. Review vendor classification: are all "processors" actually **service providers** under CCPA (contracts may need updating)?
114
+ 5. Implement **minors' opt-in** consent for sale/sharing (under 16)
115
+ 6. Add **financial incentive / loyalty programme** disclosures if applicable
116
+ 7. Confirm business threshold compliance annually — revenues and data volume thresholds
117
+ 8. Prepare for **CPPA rulemaking** on automated decision-making and cybersecurity audits
@@ -1,177 +1,177 @@
1
- # CCPA/CPRA Consumer Rights — Fulfillment Workflows
2
-
3
- ## General Request Handling Principles
4
-
5
- **Intake channels (§1798.130):** Businesses must provide at least two methods for submitting requests, including (where applicable) a toll-free phone number and a web form or email. Online-only businesses may provide an email address as one method.
6
-
7
- **Identity verification:** Must verify consumer identity before disclosing or deleting PI. Verification requirements scale with sensitivity:
8
- - For non-sensitive requests: match 2 data points the business already holds
9
- - For sensitive PI / financial data: match 3 data points + signed declaration under penalty of perjury
10
- - For requests submitted through an authorized agent: require written permission + verification of agent identity
11
-
12
- **Response timelines:** 45 calendar days from receipt (extendable once by another 45 days with notice). For SPI limitation requests: 15 business days.
13
-
14
- **Free of charge:** Requests must be fulfilled free of charge, twice per 12-month period. Businesses may charge a reasonable fee for additional requests within 12 months if manifestly unfounded or excessive.
15
-
16
- ---
17
-
18
- ## Right to Know (§1798.110 / §1798.115)
19
-
20
- **What must be disclosed:**
21
- - Specific pieces of PI collected about the consumer
22
- - Categories of PI collected
23
- - Categories of sources from which PI was collected
24
- - Business or commercial purpose for collecting, selling, or sharing PI
25
- - Categories of third parties to whom PI was disclosed
26
- - Categories of PI sold or shared and the categories of third parties to whom it was sold/shared
27
-
28
- **Scope:** Covers PI collected in the 12 months prior to request (and ongoing from January 1, 2022 under CPRA, with no 12-month limit for data collected after that date).
29
-
30
- **Exceptions where disclosure can be refused:**
31
- - Would require disclosing third-party trade secrets
32
- - Would conflict with federal/state law
33
- - PI collected for single one-time transaction and not retained
34
- - PI solely for internal operations consistent with context of collection
35
- - Solely used to complete the transaction for which collected
36
-
37
- **Workflow:**
38
- 1. Receive and log request with timestamp
39
- 2. Verify consumer identity (2-point match for standard requests)
40
- 3. Search PI systems using identifying data
41
- 4. Compile responsive PI across all systems (CRM, analytics, ad tech, etc.)
42
- 5. Apply exceptions — remove third-party trade secrets, conflicting legal holds
43
- 6. Deliver response in portable, readily usable format within 45 days
44
- 7. Provide notice if extension is needed (within original 45-day window)
45
-
46
- ---
47
-
48
- ## Right to Delete (§1798.105)
49
-
50
- **Business must:**
51
- - Delete the consumer's PI from its records
52
- - Direct service providers and contractors to delete the PI
53
-
54
- **Exceptions (business may retain PI if necessary to):**
55
- 1. Complete a transaction or perform a contract
56
- 2. Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity
57
- 3. Fix errors that impair intended functionality
58
- 4. Exercise free speech or ensure another consumer's right to free speech
59
- 5. Comply with a legal obligation (CCPA §1798.145(a))
60
- 6. Use PI solely for internal purposes in a manner compatible with the context of collection (limited CPRA exception)
61
- 7. Research, journalism, or statistical purposes in the public interest
62
-
63
- **Workflow:**
64
- 1. Receive and log deletion request
65
- 2. Verify consumer identity
66
- 3. Check if any exceptions apply; document reasoning if invoking an exception
67
- 4. If proceeding with deletion: identify all PI records, propagate deletion to service providers and contractors
68
- 5. Confirm deletion to consumer (or explain exception invoked) within 45 days
69
- 6. Retain deletion request records (for proof of compliance) — note: retaining the request itself is not a contradiction
70
-
71
- ---
72
-
73
- ## Right to Correct (§1798.106) — CPRA Addition
74
-
75
- **What the business must do:**
76
- - Take commercially reasonable steps to correct inaccurate PI
77
- - Instruct service providers and contractors to correct the PI
78
- - Consumer must provide documentation if business contests the claimed inaccuracy
79
-
80
- **Business may decline if:**
81
- - Correction would require revealing another individual's PI
82
- - Business disagrees the PI is inaccurate and documents its decision
83
-
84
- **Workflow:**
85
- 1. Receive correction request with claimed correction details
86
- 2. Verify consumer identity
87
- 3. Evaluate accuracy of the claimed correction (may request supporting documentation)
88
- 4. If agreeing to correct: update all relevant systems; instruct service providers and contractors
89
- 5. Notify consumer of outcome within 45 days
90
-
91
- ---
92
-
93
- ## Right to Opt-Out of Sale / Sharing (§1798.120)
94
-
95
- **Scope:** Applies to:
96
- - **Sale**: disclosure of PI to a third party for monetary or other valuable consideration
97
- - **Sharing** (CPRA): disclosure of PI to a third party for cross-context behavioral advertising
98
-
99
- **Mechanics:**
100
- - "Do Not Sell or Share My Personal Information" link must be prominently placed on homepage and in privacy policy
101
- - Must honor the **Global Privacy Control (GPC)** signal as a valid opt-out — the CPPA has confirmed GPC compliance is required
102
- - Once opted out, the business must wait **12 months** before asking the consumer to re-consent
103
-
104
- **Impact on advertising:**
105
- - Opt-out means the business cannot pass PI (including cookie IDs, device fingerprints) to ad tech partners, ad exchanges, or DMPs for targeting
106
- - Analytics via first-party tools that do not involve PI disclosure to third parties are typically not affected
107
-
108
- **Workflow:**
109
- 1. Consumer submits opt-out via link, form, or GPC signal
110
- 2. No identity verification required for opt-out (only reasonable verification to confirm they are the consumer)
111
- 3. Update consent/preference management platform within 15 business days
112
- 4. Propagate opt-out to service providers and contractors engaged in sale/sharing
113
- 5. Do not contact consumer for 12 months to ask them to reconsider
114
-
115
- ---
116
-
117
- ## Right to Limit Use of Sensitive Personal Information (§1798.121) — CPRA Addition
118
-
119
- **Sensitive Personal Information (SPI) categories:**
120
- - Social Security numbers, driver's license, passport, other government IDs
121
- - Financial account credentials (login + security code)
122
- - Precise geolocation (within 1/4 mile)
123
- - Racial/ethnic origin, religious/philosophical beliefs, union membership
124
- - Contents of consumer mail, email, or text messages (unless business is the intended recipient)
125
- - Genetic data
126
- - Biometric data for uniquely identifying a person
127
- - Health/medical information
128
- - Sexual orientation or sex life
129
-
130
- **Permitted uses without limitation right:**
131
- Business may use SPI without offering limitation if the purpose is:
132
- - Performing services or providing goods reasonably expected by a consumer
133
- - Safety, security, and integrity of services
134
- - Short-term, transient use (e.g., contextual ad based on current session)
135
- - Services on behalf of the business (service provider context)
136
- - Verifying or maintaining quality of services
137
- - Activities for which SPI was provided
138
-
139
- **Workflow:**
140
- 1. Provide "Limit the Use of My Sensitive Personal Information" link on homepage (alongside or combined with "Do Not Sell or Share" link)
141
- 2. Consumer exercises right — no identity verification required beyond confirming consumer identity
142
- 3. Process within **15 business days**
143
- 4. Restrict use of SPI to only the permitted purposes listed above
144
- 5. Propagate limitation to service providers and contractors
145
-
146
- ---
147
-
148
- ## Right to Non-Discrimination (§1798.125)
149
-
150
- Businesses **cannot**, because a consumer exercised a CCPA/CPRA right:
151
- - Deny goods or services
152
- - Charge a different price (except where directly related to value of data)
153
- - Provide a different level or quality of goods/services
154
- - Suggest any of the above will occur
155
-
156
- **Exception:** Businesses may offer financial incentives (loyalty programs, discounts) in exchange for PI, provided:
157
- - The financial incentive is reasonably related to the value of the consumer's PI
158
- - Consumer provides opt-in consent with a clear description of material terms
159
- - Consumer can withdraw at any time
160
-
161
- ---
162
-
163
- ## Authorized Agent Requests
164
-
165
- Consumers may designate an authorized agent to submit requests on their behalf. Business must:
166
- - Require written permission from the consumer (signed authorization)
167
- - Verify the agent's identity
168
- - May require direct verification with the consumer as well (except for opt-out requests where agent has power of attorney)
169
-
170
- ---
171
-
172
- ## Record-Keeping
173
-
174
- **CPRA requires businesses handling PI of 10M+ consumers/households** to maintain records of:
175
- - Consumer requests and responses for 24 months
176
- - Disclosures for 24 months
177
- - Training records for CCPA/CPRA compliance
1
+ # CCPA/CPRA Consumer Rights — Fulfillment Workflows
2
+
3
+ ## General Request Handling Principles
4
+
5
+ **Intake channels (§1798.130):** Businesses must provide at least two methods for submitting requests, including (where applicable) a toll-free phone number and a web form or email. Online-only businesses may provide an email address as one method.
6
+
7
+ **Identity verification:** Must verify consumer identity before disclosing or deleting PI. Verification requirements scale with sensitivity:
8
+ - For non-sensitive requests: match 2 data points the business already holds
9
+ - For sensitive PI / financial data: match 3 data points + signed declaration under penalty of perjury
10
+ - For requests submitted through an authorized agent: require written permission + verification of agent identity
11
+
12
+ **Response timelines:** 45 calendar days from receipt (extendable once by another 45 days with notice). For SPI limitation requests: 15 business days.
13
+
14
+ **Free of charge:** Requests must be fulfilled free of charge, twice per 12-month period. Businesses may charge a reasonable fee for additional requests within 12 months if manifestly unfounded or excessive.
15
+
16
+ ---
17
+
18
+ ## Right to Know (§1798.110 / §1798.115)
19
+
20
+ **What must be disclosed:**
21
+ - Specific pieces of PI collected about the consumer
22
+ - Categories of PI collected
23
+ - Categories of sources from which PI was collected
24
+ - Business or commercial purpose for collecting, selling, or sharing PI
25
+ - Categories of third parties to whom PI was disclosed
26
+ - Categories of PI sold or shared and the categories of third parties to whom it was sold/shared
27
+
28
+ **Scope:** Covers PI collected in the 12 months prior to request (and ongoing from January 1, 2022 under CPRA, with no 12-month limit for data collected after that date).
29
+
30
+ **Exceptions where disclosure can be refused:**
31
+ - Would require disclosing third-party trade secrets
32
+ - Would conflict with federal/state law
33
+ - PI collected for single one-time transaction and not retained
34
+ - PI solely for internal operations consistent with context of collection
35
+ - Solely used to complete the transaction for which collected
36
+
37
+ **Workflow:**
38
+ 1. Receive and log request with timestamp
39
+ 2. Verify consumer identity (2-point match for standard requests)
40
+ 3. Search PI systems using identifying data
41
+ 4. Compile responsive PI across all systems (CRM, analytics, ad tech, etc.)
42
+ 5. Apply exceptions — remove third-party trade secrets, conflicting legal holds
43
+ 6. Deliver response in portable, readily usable format within 45 days
44
+ 7. Provide notice if extension is needed (within original 45-day window)
45
+
46
+ ---
47
+
48
+ ## Right to Delete (§1798.105)
49
+
50
+ **Business must:**
51
+ - Delete the consumer's PI from its records
52
+ - Direct service providers and contractors to delete the PI
53
+
54
+ **Exceptions (business may retain PI if necessary to):**
55
+ 1. Complete a transaction or perform a contract
56
+ 2. Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity
57
+ 3. Fix errors that impair intended functionality
58
+ 4. Exercise free speech or ensure another consumer's right to free speech
59
+ 5. Comply with a legal obligation (CCPA §1798.145(a))
60
+ 6. Use PI solely for internal purposes in a manner compatible with the context of collection (limited CPRA exception)
61
+ 7. Research, journalism, or statistical purposes in the public interest
62
+
63
+ **Workflow:**
64
+ 1. Receive and log deletion request
65
+ 2. Verify consumer identity
66
+ 3. Check if any exceptions apply; document reasoning if invoking an exception
67
+ 4. If proceeding with deletion: identify all PI records, propagate deletion to service providers and contractors
68
+ 5. Confirm deletion to consumer (or explain exception invoked) within 45 days
69
+ 6. Retain deletion request records (for proof of compliance) — note: retaining the request itself is not a contradiction
70
+
71
+ ---
72
+
73
+ ## Right to Correct (§1798.106) — CPRA Addition
74
+
75
+ **What the business must do:**
76
+ - Take commercially reasonable steps to correct inaccurate PI
77
+ - Instruct service providers and contractors to correct the PI
78
+ - Consumer must provide documentation if business contests the claimed inaccuracy
79
+
80
+ **Business may decline if:**
81
+ - Correction would require revealing another individual's PI
82
+ - Business disagrees the PI is inaccurate and documents its decision
83
+
84
+ **Workflow:**
85
+ 1. Receive correction request with claimed correction details
86
+ 2. Verify consumer identity
87
+ 3. Evaluate accuracy of the claimed correction (may request supporting documentation)
88
+ 4. If agreeing to correct: update all relevant systems; instruct service providers and contractors
89
+ 5. Notify consumer of outcome within 45 days
90
+
91
+ ---
92
+
93
+ ## Right to Opt-Out of Sale / Sharing (§1798.120)
94
+
95
+ **Scope:** Applies to:
96
+ - **Sale**: disclosure of PI to a third party for monetary or other valuable consideration
97
+ - **Sharing** (CPRA): disclosure of PI to a third party for cross-context behavioral advertising
98
+
99
+ **Mechanics:**
100
+ - "Do Not Sell or Share My Personal Information" link must be prominently placed on homepage and in privacy policy
101
+ - Must honor the **Global Privacy Control (GPC)** signal as a valid opt-out — the CPPA has confirmed GPC compliance is required
102
+ - Once opted out, the business must wait **12 months** before asking the consumer to re-consent
103
+
104
+ **Impact on advertising:**
105
+ - Opt-out means the business cannot pass PI (including cookie IDs, device fingerprints) to ad tech partners, ad exchanges, or DMPs for targeting
106
+ - Analytics via first-party tools that do not involve PI disclosure to third parties are typically not affected
107
+
108
+ **Workflow:**
109
+ 1. Consumer submits opt-out via link, form, or GPC signal
110
+ 2. No identity verification required for opt-out (only reasonable verification to confirm they are the consumer)
111
+ 3. Update consent/preference management platform within 15 business days
112
+ 4. Propagate opt-out to service providers and contractors engaged in sale/sharing
113
+ 5. Do not contact consumer for 12 months to ask them to reconsider
114
+
115
+ ---
116
+
117
+ ## Right to Limit Use of Sensitive Personal Information (§1798.121) — CPRA Addition
118
+
119
+ **Sensitive Personal Information (SPI) categories:**
120
+ - Social Security numbers, driver's license, passport, other government IDs
121
+ - Financial account credentials (login + security code)
122
+ - Precise geolocation (within 1/4 mile)
123
+ - Racial/ethnic origin, religious/philosophical beliefs, union membership
124
+ - Contents of consumer mail, email, or text messages (unless business is the intended recipient)
125
+ - Genetic data
126
+ - Biometric data for uniquely identifying a person
127
+ - Health/medical information
128
+ - Sexual orientation or sex life
129
+
130
+ **Permitted uses without limitation right:**
131
+ Business may use SPI without offering limitation if the purpose is:
132
+ - Performing services or providing goods reasonably expected by a consumer
133
+ - Safety, security, and integrity of services
134
+ - Short-term, transient use (e.g., contextual ad based on current session)
135
+ - Services on behalf of the business (service provider context)
136
+ - Verifying or maintaining quality of services
137
+ - Activities for which SPI was provided
138
+
139
+ **Workflow:**
140
+ 1. Provide "Limit the Use of My Sensitive Personal Information" link on homepage (alongside or combined with "Do Not Sell or Share" link)
141
+ 2. Consumer exercises right — no identity verification required beyond confirming consumer identity
142
+ 3. Process within **15 business days**
143
+ 4. Restrict use of SPI to only the permitted purposes listed above
144
+ 5. Propagate limitation to service providers and contractors
145
+
146
+ ---
147
+
148
+ ## Right to Non-Discrimination (§1798.125)
149
+
150
+ Businesses **cannot**, because a consumer exercised a CCPA/CPRA right:
151
+ - Deny goods or services
152
+ - Charge a different price (except where directly related to value of data)
153
+ - Provide a different level or quality of goods/services
154
+ - Suggest any of the above will occur
155
+
156
+ **Exception:** Businesses may offer financial incentives (loyalty programs, discounts) in exchange for PI, provided:
157
+ - The financial incentive is reasonably related to the value of the consumer's PI
158
+ - Consumer provides opt-in consent with a clear description of material terms
159
+ - Consumer can withdraw at any time
160
+
161
+ ---
162
+
163
+ ## Authorized Agent Requests
164
+
165
+ Consumers may designate an authorized agent to submit requests on their behalf. Business must:
166
+ - Require written permission from the consumer (signed authorization)
167
+ - Verify the agent's identity
168
+ - May require direct verification with the consumer as well (except for opt-out requests where agent has power of attorney)
169
+
170
+ ---
171
+
172
+ ## Record-Keeping
173
+
174
+ **CPRA requires businesses handling PI of 10M+ consumers/households** to maintain records of:
175
+ - Consumer requests and responses for 24 months
176
+ - Disclosures for 24 months
177
+ - Training records for CCPA/CPRA compliance