Compliance and Certification | Privacy Assessments
By: Emily Heintz
May 28th, 2026
The California Consumer Privacy Act (CCPA) has fundamentally reshaped how organizations approach data protection, but the recent cybersecurity audit regulation has added a new layer of complexity to compliance obligations. For many companies, this represents both a challenge and an opportunity to build a unified compliance strategy that addresses multiple regulations, standards, and frameworks simultaneously.
Privacy Assessments | ISO Certifications
By: Kathryn Young
May 4th, 2026
Privacy is evolving as organizations now need to navigate expanding data protection laws, cross-border data transfers, and growing expectations from customers and regulators. Having a credible, internationally recognized framework to guide privacy practices is critical.
By: Emily Heintz
March 24th, 2026
On March 23, 2026, the Global CBPR Forum announced the release of CBPR 2.0 during its biannual Forum workshop. The refresh of the original System requirements, now referred to as CBPR 1.0, is a significant step in aligning with the privacy laws in new participating economies and opening the door for other interested economies to join as member or associate jurisdictions.
By: Kathryn Young
March 17th, 2026
Microsoft recently provided a pre-release of v12 of their Data Protection Requirements (DPR) for suppliers required to undergo an annual security and privacy assessment through Microsoft’s Supplier Security and Privacy Assurance (SSPA) program. Microsoft DPR v12 is scheduled to refresh March 30, 2026, and features a total of 63 requirements. Notably, this is a reduced number of controls compared to v11, which featured a total of 67 requirements.
By: Chris Lippert
December 17th, 2025
As organizations expand their digital footprints and adopt AI at scale, privacy expectations are rising worldwide. At the same time, cyber threats are growing more sophisticated, further driving the need for more advanced, resilient privacy programs to meet both regulatory and security demands.
Privacy Assessments | ISO Certifications
By: Emily Heintz
November 12th, 2025
ISO 27701 is a globally recognized standard for establishing a privacy information management system (PIMS), outlining the requirements and supporting controls that should be fulfilled and implemented. Compliance with ISO 27701 indicates that an organization has implemented a system to manage risks related to data privacy and the processing of personally identifiable information (PII).
By: Chris Lippert
October 20th, 2025
Many suppliers working with Microsoft are now required to complete the Microsoft Supplier Data Protection Requirements (MSDPR) Independent Assessment each year to maintain Supplier Security and Privacy Assurance (SSPA) compliance. In practice, we continue to see organizations misinformed about what’s actually required, which often leads to unnecessary costs, re-tests, or delays.
Cybersecurity Assessments | Privacy Assessments
By: Emily Heintz
October 13th, 2025
The California Consumer Privacy Act (CCPA) is reminiscent of Michael Myers, Freddy Krueger, or Ghostface in that no matter how many times you think its presence is done, it keeps coming back with more. While privacy professionals have been tracking the slow rulemaking process for some time, the newly approved regulations may have startled others, fittingly just in time for spooky season.