On July 24, 2025, the California Privacy Protection Agency (CPPA) approved regulations that would impose a new requirement under the California Consumer Privacy Act: mandatory annual cybersecurity audits for certain businesses. These new requirements are now undergoing review by the California Office of Administrative Law (OAL). OAL can (a) approve the regulations; (b) reject the regulations; or (c) approve some portion of the regulations and reject others. If OAL approves the regulations and sends them to the California Secretary of State by August 31, 2025, the proposed regulations would go into effect on October 1, 2025. If they are sent to the Secretary of State after August 31, the effective date would be January 1, 2026.

Who must conduct a cybersecurity audit?

The audit requirement applies to businesses whose processing of personal information presents a “significant risk” to consumers’ privacy or security. Under the proposed regulation, a business’s processing of consumers’ personal information presents “significant risk” to consumers’ security if any of the following is true:

  • The business derived 50 percent or more of its annual revenues from selling or sharing consumers’ personal information in the preceding calendar year; or
  • As of January 1 of the preceding year, the business had annual gross revenue exceeding $26,625,000 [subject to annual adjustment; this is total annual gross revenue regardless of geographic scope]; and either
    • Processed the personal information of 250,000 or more consumers or households in the preceding calendar year (threshold is specific to California residents); or
    • Processed the sensitive personal information of 50,000 or more consumers in the preceding calendar year (threshold is specific to California residents).

What must the audit include?

First, it is important to understand that the scope of the cybersecurity audit covers all systems that collect, use, disclose, retain, or otherwise process personal information of California consumers. The scope extends to other systems if they are integrated with, or have an impact on, systems that process personal information, such as identity management platforms, network infrastructure, and backup environments. The audit must be a comprehensive, independent evaluation of the business’s cybersecurity program, focused on the systems that process personal information.

In terms of requirements, the cybersecurity audit must include at a high level:

  • A description of the systems being audited.
  • A narrative report describing the audit process, with supporting evidence for all conclusions (e.g., logs, test results, policy documents).
  • An assessment of how the business protected personal information through its cybersecurity program.
  • A description of how the business followed its own cybersecurity policies and procedures (e.g., whether the policies are up-to-date, consistent with industry standard, tailored to the business, and supported by evidence showing adherence to and enforcement of the policies).
  • Testing of controls to verify their effectiveness (e.g., access controls, encryption, network security, vulnerability management, audit logs, data lifecycle controls), such as by conducting or reviewing the results of penetration tests and vulnerability scans, and testing whether personal information is actually deleted or anonymized when it is no longer needed.
  • A description of the gaps and weaknesses of the cybersecurity program, and how the business plans to address them.
  • A description or sample copy of data-breach notifications that were sent to consumers or agencies, and related remediation efforts.
  • The dates that the cybersecurity program was reviewed and presented to the most senior individuals in the business responsible for its cybersecurity program.
  • A certification that the business did not influence the auditor’s decisions or assessments, and that the business reviewed and understood the audit findings.

The proposed regulation includes a detailed description of each item listed.

For each calendar year in which a business is required to complete a cybersecurity audit, it must submit to the CPPA, by April 1 of the following year, a written certification that the business completed the cybersecurity audit as required.

When is the first audit due?

The answer depends on the business’s annual revenue (again, this is total revenue without regard to geographic location):

  • If the business has global revenue of $100,000,000 or more in 2026, the first audit is due on April 1, 2028, covering the period January 1, 2027 to January 1, 2028.
  • If the business has global revenue of $50,000,000 or more in 2027, the first audit is due on April 1, 2029, covering the period January 1, 2028 to January 1, 2029.
  • If the business has global revenue of less than $50,000,000 in 2028, the first audit is due on April 1, 2030, covering the period January 1, 2029 to January 1, 2030.

Following the initial audit and submission of the certification, a business would then need to complete a cybersecurity audit and submit a certification every year thereafter.

Who can conduct the audit?

Audits must be conducted by a qualified, objective, and independent auditor. This can be:

  • Internal, if the auditor reports to the board or to a senior executive who is not responsible for cybersecurity operations.
  • External, provided the auditor has appropriate credentials and experience.

All auditors must:

  • Follow professional auditing standards.
  • Certify that the audit was conducted independently.
  • Provide documentation and evidence to support their findings.

What should businesses do now?

1. Assess Applicability: Determine whether your business meets the audit thresholds and, if so, when the first audit is due.

2. Map Data Flows and Inventory Systems: Identify the systems that process personal information and the systems that are integrated with them.

3. Conduct a Pre-Audit Gap Analysis: Compare current administrative and technical cybersecurity measures against the CPPA’s 18 required controls to identify gaps.

4. Prepare for the Audit: Remediate identified gaps and collect evidence of controls and policy compliance.

5. Vet and Engage Qualified Auditors: Start vetting and contracting a qualified auditor and define the audit scope.