15 August 2025

California Finalizes Groundbreaking Regulations On AI, Risk Assessments, And Cybersecurity, Part II: What Businesses Need To Know

Ogletree, Deakins, Nash, Smoak & Stewart

Ogletree Deakins is a labor and employment law firm representing management in all types of employment-related legal matters. Ogletree Deakins has more than 850 attorneys located in 53 offices across the United States and in Europe, Canada, and Mexico. The firm represents a range of clients, from small businesses to Fortune 50 companies.

In July 2025, the California Privacy Protection Agency (CPPA) Board unanimously approved new regulations pursuant to the California Consumer Privacy Act (CCPA) that specifically address the use of automated decisionmaking technologies (ADMTs), requirements for completing risk assessments, and, for businesses processing large amounts of California resident data or engaging in the large-scale sale or sharing of data, mandatory annual cybersecurity audits. While these regulations have been in the drafting process since 2023, they reflect an ongoing trend in California and across the country in favor of heightened, proactive accountability mandates.

Quick Hits

  • The CPPA Board recently approved new cybersecurity audit regulations that, pending final approval by the California Office of Administrative Law (OAL), will apply to large CCPA-covered businesses and data brokers.
  • The regulations include extensive independent audit requirements that will, at a minimum, require businesses to evaluate their practices against eighteen different "cybersecurity components."
  • Businesses subject to the cybersecurity regulations must certify compliance annually with the CPPA, underscoring the importance of proactive cybersecurity assessments and remediation efforts.

This article is the second in a three-part series exploring the new requirements. Our first article focused on the ADMT provisions, and our third article will address requirements surrounding risk assessments.

Who Must Conduct Cybersecurity Audits?

Not every CCPA-covered business will be required to complete an annual cybersecurity audit. The requirements will apply only to large businesses and data brokers whose processing of personal information "presents a significant risk to consumers' security." To fall within this scope, a business must meet at least one of the following criteria:

  • it has annual gross revenues exceeding the current CCPA revenue threshold (currently $26,625,000) and in the preceding year processed either:
    • the personal information of 250,000 or more consumers or households, or
    • the sensitive personal information of 50,000 or more consumers; or
  • it derives 50 percent or more of its annual revenues from selling or sharing consumers' personal information.

These thresholds are intentionally broad. For example, manufacturers and retailers that meet the above criteria should expect to be in scope, as should healthcare providers and financial institutions that meet the CCPA's revenue threshold and process large volumes of personal information that are not subject to the CCPA's limited Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act of 1996 (HIPAA) exceptions.

What Do the Cybersecurity Audits Entail and How Can Businesses Prepare?

Businesses familiar with previous California compliance initiatives will recognize that these cybersecurity audits are far from a mere "check-the-box" exercise. Compliance requires a deep dive into the business's cybersecurity program and a detailed assessment of its effectiveness in protecting personal information. Importantly, these audits must be completed by a "qualified, objective, independent" auditor. Although auditors may be internal or external, internal auditors must report directly to a member of the business's executive management without direct responsibility for its cybersecurity program (i.e., not the organization's chief information security officer). Companies are explicitly prohibited from interfering with the audit, including by withholding or misrepresenting information, and auditors must be given full access to requested information and personnel.

The eighteen cybersecurity components against which businesses are expected to assess largely align with established frameworks such as the NIST Cybersecurity Framework, but they also include very specific requirements that are not commonly identified as explicit legal requirements. These include, for example, broader use of multifactor authentication across all classes of users and robust vulnerability disclosure procedures, such as the adoption of a "bug bounty" program or another mechanism through which individuals outside the organization can report security flaws that they identify.

In practice, the cybersecurity audit is intended to assess how effectively a business's actual cybersecurity practices safeguard the information it holds. Said differently, a properly conducted audit will go well beyond an evaluation of a business's written policies and procedures and instead deeply examine the business's cybersecurity controls in action. For instance, it will not be sufficient to merely inform auditors that a business conducts security training; auditors will expect to verify that such training is widely completed and demonstrably effective.

Given the explicit identification of multiple cybersecurity components, businesses may want to treat the components as a compliance roadmap. The CPPA is more likely to deem a cybersecurity program that adopts these components as satisfying a baseline of reasonableness. Conversely, businesses lacking any one of the eighteen enumerated components may wish to either implement the missing control or document compensating controls that achieve an equivalent level of protection.

What Internal Reporting Requirements Will Businesses Have?

Following the completion of the audit, the auditor will deliver a detailed audit report to the member or members of the business's executive management team with direct responsibility for the cybersecurity program. In general, businesses should expect the report to include, among other things:

  • a description of the business's systems, policies, and practices that were audited;
  • the standard, framework, or other criteria used as a benchmark for the audit, and the specific documents, interviews, and other materials the auditor reviewed;
  • an explanation linking the evidence reviewed to the auditor's findings, as well as an assessment of how the company's existing cybersecurity posture aligns with the relevant criteria;
  • a description of any cybersecurity gaps or weaknesses identified in the audit process;
  • a plan to remediate the cybersecurity gaps or weaknesses identified, if any; and
  • the names and titles of up to three individuals at the business who are responsible for the cybersecurity program.

For subsequent audits, the CPPA expects businesses to include a summary of remediation measures taken since the previous audit. Additionally, businesses that experience a data breach requiring notification to California residents or to California privacy regulators during the relevant audit period must include sample copies of the breach notices in their audit report.

Businesses already conducting comprehensive cybersecurity audits may find relief in knowing that their existing audit processes could fulfill a significant portion of the CPPA's requirements. Such businesses can leverage their current audits, supplementing their existing documentation as needed, and thereby significantly reduce their compliance burden.

What Are Businesses' External Reporting Requirements?

In addition to preparing the annual internal audit report described above, in-scope businesses must certify their compliance with the cybersecurity audit requirements to the CPPA by filing an annual "Statement of Completion" by April 1 of the year following any year in which the business is required to complete a cybersecurity audit. This is expected to take the form of a web filing through the CPPA's website and will require the business to provide its name and contact details, describe the period covered by the audit, and affirm that the audit was completed in accordance with the CPPA's requirements. The Statement of Completion must be completed by a member of the management team at the company. Failure to submit the Statement of Completion is likely to raise regulatory eyebrows and could lead to an enforcement action against the business.

Next Steps

Upon submission of the final rule package to the California OAL, the California OAL will have thirty working days to determine whether the rulemaking package complies with the California Administrative Procedure Act.

Thankfully, businesses that determine they are subject to the new cybersecurity audit requirements will have a good deal of runway to prepare for and begin completing annual audits as required by the rules. The CPPA is phasing in the audit requirement as follows, with start dates largely tied to the business's revenue:

  • Businesses with more than $100 million in annual gross revenue in 2026: the first audit report must be completed by April 1, 2028 (for an audit covering January 1, 2027, to January 1, 2028), then annually thereafter.
  • Businesses with $50 million to $100 million in annual gross revenue in 2027: the first audit report must be completed by April 1, 2029 (for an audit covering January 1, 2028, to January 1, 2029), then annually thereafter.
  • Businesses with less than $50 million in annual revenue in 2028: the first audit report must be completed by April 1, 2030 (for an audit covering January 1, 2029, to January 1, 2030), then annually thereafter.

The distant audit deadlines are intentional, as the schedule is intended to give companies plenty of time to improve their cybersecurity practices as needed before the audit requirement begins. But, as the scope of the CPPA's cybersecurity audits is quite broad, businesses that are in scope for the audit requirement may wish to use this lead time as an opportunity to build a robust compliance program, including by completing a gap assessment against the CPPA's cybersecurity components, remediating identified weaknesses, and developing audit procedures and documentation practices.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.