11 December 2025

Understanding California's New CCPA Cybersecurity Audit Requirements

Jackson Lewis P.C.

Focused on employment and labor law since 1958, Jackson Lewis P.C.’s 1,100+ attorneys located in major cities nationwide consistently identify and respond to new ways workplace law intersects business. We help employers develop proactive strategies, strong policies and business-oriented solutions to cultivate high-functioning workforces that are engaged, stable and diverse, and share our clients’ goals to emphasize inclusivity and respect for the contribution of every employee.
After years of development and extensive stakeholder engagement, California has finalized groundbreaking cybersecurity audit regulations under the California Consumer Privacy Act (CCPA). These new requirements may significantly impact how covered businesses protect consumer data.

The New Regulations

The California Privacy Protection Agency (CPPA) Board approved comprehensive amendments to CCPA regulations covering cybersecurity audits, risk assessments, and automated decision-making technology (ADMT), among other things. The regulations were subsequently approved by the California Office of Administrative Law on September 23, 2025, marking the completion of a rulemaking process that began in November 2024.

When Does the Audit Requirement Apply?

Not all businesses subject to the CCPA must conduct cybersecurity audits. According to the regulations, the requirement applies only to businesses whose data processing presents a "significant risk" to consumer security, defined by specific thresholds:

Businesses must conduct annual cybersecurity audits if they fall into one of two buckets:

  1. They derive 50% or more of their annual revenue in the preceding calendar year from selling or sharing consumers' personal information, OR
  2. They have over $25 million in annual gross revenue (adjusted every two years; currently $26,625,000) AND, in the preceding calendar year, processed either:
    • Personal information of more than 250,000 California consumers or households, OR
    • Sensitive personal information of more than 50,000 California consumers or households.

These thresholds ensure that the audit requirement focuses on businesses handling substantial volumes of consumer data or those whose business models center on data monetization.

Effective Dates and Compliance Deadlines

The regulations officially take effect on January 1, 2026. However, businesses have staggered deadlines for submitting their first cybersecurity audit certifications to the CPPA based on their revenue size:

  • April 1, 2028: Businesses with annual revenues over $100 million for 2026.
  • April 1, 2029: Businesses with annual revenues between $50 million and $100 million for 2027.
  • April 1, 2030: Businesses with annual revenues under $50 million for 2028.

This phased approach gives businesses time to establish robust audit processes and implement necessary cybersecurity improvements before their first submission deadline.

What the Audit Requirement Entails

The regulations establish detailed requirements for conducting comprehensive cybersecurity audits, the results of which must be provided to a member of the business's executive management team who has direct responsibility for the business's cybersecurity program. Here's a summary of what businesses must do:

Auditor Qualifications: Audits must be conducted by qualified, objective, independent professionals—either internal or external—using recognized auditing standards such as those adopted by the American Institute of CPAs. Auditors must possess expertise in cybersecurity and auditing methodologies.

Audit Scope: The cybersecurity audit must comprehensively evaluate the business's cybersecurity program across 18 key areas, including:

  • Secure user authentication and access controls
  • Encryption of personal information
  • Account management systems
  • Personal information inventory and management
  • Secure hardware and software configuration
  • Vulnerability scanning and penetration testing
  • Audit-log management and network monitoring
  • Network defenses and segmentation
  • Antivirus and anti-malware protections
  • Vendor and third-party risk management
  • Data retention schedules and secure disposal
  • Incident response capabilities
  • Cybersecurity training programs
  • Breach and incident review for the audit period

Even businesses not subject to the mandatory audit requirement should view the 18 standards as a framework for evaluating their own cybersecurity programs, as the CPPA may use these criteria when assessing CCPA compliance more broadly.

Documentation Requirements: Businesses must prepare detailed audit reports documenting the review scope, policies assessed, evaluation criteria, supporting documentation, identified compliance gaps, and remediation plans. All audit records must be retained for five years.

Annual Certification: Companies must submit written certifications of compliance to the CPPA on an annual basis, signed under penalty of perjury by appropriate executive leadership.

Flexibility for Existing Audits: Importantly, businesses may leverage cybersecurity audits conducted for other regulatory purposes—such as NIST Cybersecurity Framework 2.0 assessments—provided they meet all CCPA requirements. This allows companies to avoid duplicative efforts where existing audits are sufficiently comprehensive.

What This Means for Your Business

Businesses subject to the audit requirement should begin preparation now by identifying qualified audit personnel, establishing appropriate internal reporting structures, conducting comprehensive inventories of personal information processing activities, and documenting current cybersecurity practices. The clock is ticking toward those first compliance deadlines in 2028.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
