Re: General Data Protection Regulation ( GDPR) Material
The Future of Privacy Forum, and many others like Baker Law, have published guides that compare GDPR and California Consumer Protection Act (CCPA) (SB-1121) in terms of scope, definitions, legal basis, rights, and enforcement.
I tend to focus on the provisions and privacy-preserving technical controls surrounding data subject/consumer "rights". For example take the requirement for "pseudonymization" (i.e., ensuring that PII cannot be attributable to a data subject/consumer). The big difference between the laws are that under GDPR an organization must have the technical ability to re-identify a data subject to comply with other data subject rights provisions. Under CCPA though, there must not be an ability to re-identify PII after the data has been pseudonymized. All of this comparison stuff is nice, but technical implementations are what matter, so I would be curious to see what (ISC)2 publishes as implementation guidance.