The California Privacy Protection Agency (CPPA) has opened a public comment period on proposed regulations for cybersecurity audits under the California Consumer Privacy Act (CCPA). These audits are set to become mandatory for certain businesses. The CPPA is inviting feedback on modifications to these regulations, which include clarifications on when the audit requirement will take effect and which businesses will be subject to it. The agency is accepting comments until June 2, 2025.
This rulemaking process stems from a directive in the CCPA, enacted in 2018, requiring businesses that pose significant risks to consumer privacy or security to conduct annual cybersecurity audits. Initial invitations for preliminary comments were issued over two years ago, with formal rulemaking approved in November 2024 after an extended comment period.
Businesses must conduct audits if their processing of personal information presents significant security risks. Criteria include deriving at least 50% of annual revenues from selling or sharing personal information or having gross annual revenues exceeding $25 million while processing large volumes of consumer data.
The draft regulations specify staggered effective dates based on business size. Companies with over $100 million in revenue must complete their first audit by April 1, 2028, covering the previous year. Smaller businesses have later deadlines.
A key addition requires businesses to produce detailed audit reports documenting findings and plans to address any identified gaps or weaknesses. Certifications of completion must be submitted to the CPPA by April 1 following each required audit year.
Modifications also affect auditor independence requirements and documentation retention periods. Businesses may use existing audits conducted for other purposes if they meet CPPA standards.
Materials cited as influencing these regulations include the NIST Catalog of Problematic Data Actions and Problems, which highlights potential harms to consumers such as insecurity and loss of trust.
Comments can be submitted by email or by mail; submissions must include the specific details requested by the agency and be addressed to the CPPA’s Legal Division – Regulations Public Comment in Sacramento.