On January 1, 2026, the California Privacy Protection Agency’s (“CalPrivacy”) cybersecurity audit regulations (the “Regulations”) took effect after several years of rulemaking and public comment. As previewed in the Data Protection Report, certain businesses subject to the California Consumer Privacy Act as amended by the California Privacy Rights Act are now required to conduct comprehensive annual cybersecurity audits. The now-final requirements reflect an ongoing regulatory focus on the implementation and effectiveness of security controls, rather than the mere existence of written policies and procedures.
During its most recent board meeting at the end of February 2026, CalPrivacy provided further insight into the new audit requirements and what businesses can expect in the coming year.
WHO IS COVERED
Cybersecurity audit requirements apply to a business whose processing of personal information presents “significant risk to consumers’ security.” In determining whether processing presents a “significant risk,” the Regulations contemplate factors such as the business’s size and revenue, and the volume and sensitivity of personal information it processes.[1]
TIMING
The Regulations establish phased timing for initial compliance depending on a business’s gross revenue. A business subject to the requirements must complete a cybersecurity audit report and submit a certification to CalPrivacy by:
- April 1, 2028, if the business’s annual gross revenue for 2026 was over $100 million as of January 1, 2027. The audit would cover January 1, 2027 to January 1, 2028.
- April 1, 2029, if the business’s annual gross revenue for 2027 was between $50 million and $100 million as of January 1, 2028. The audit would cover January 1, 2028 to January 1, 2029.
- April 1, 2030, if the business’s annual gross revenue for 2028 was less than $50 million. The audit would cover January 1, 2029 to January 1, 2030.
- After April 1, 2030, a business that, on January 1 of a given year, met the general criteria discussed above during the preceding year will need to complete a cybersecurity audit.
SCOPE, THOROUGHNESS, AND INDEPENDENCE OF CYBERSECURITY AUDIT
Under section 7123 of the Regulations, the cybersecurity audit must evaluate “how the business’s cybersecurity program protects personal information . . . and protects against unauthorized activity affecting the availability of personal information.” It must span “the business’s establishment, implementation, and maintenance of its cybersecurity program, including the related written documentation thereof (e.g., policies and procedures), that is appropriate to the business’s size and complexity and the nature and scope of its processing activities, taking into account the state of the art and cost of implementing the components of a cybersecurity program.” The cybersecurity audit must also assess each of the 18 listed components[2] that the auditor deems applicable to the business’s information system, and may cover additional components of a cybersecurity program beyond those listed.
The cybersecurity audit must result in a written audit report that describes the relevant policies, procedures, and practices assessed and includes, among other things, any gaps or weaknesses identified, the business’s remediation plan and timeline, any corrections to prior audit reports, and the titles of up to three individuals responsible for the cybersecurity program.
While the Regulations do not expressly require submission of the report itself to CalPrivacy, the report must be provided to a member of the business’s executive management team responsible for the cybersecurity program, and both the business and the auditor must retain relevant audit documentation for at least five years.
The cybersecurity audit must be completed by a “qualified, objective, independent professional” auditor who has knowledge of cybersecurity and how to audit a business’s cybersecurity program. The auditor may be internal or external to the business; if they are internal, independence and objectivity must be demonstrable.
RECENT INSIGHTS FROM CALPRIVACY
CalPrivacy indicated during its February 27, 2026 board meeting that it will publish short-form overviews for businesses and more robust compliance checklists for practitioners. CalPrivacy aims to “better educate businesses” and “help practitioners assist those businesses in coming into compliance,” with materials to be made available on the CalPrivacy website and promoted in spring and summer 2026. An active and specialized CalPrivacy Audits Division is expected under the recently appointed Chief Privacy Auditor Sabrina Boyce Ross with the support of a growing number of legal specialists and technologists.
TAKEAWAYS
The Regulations provide a framework for demonstrating that a cybersecurity program is designed thoughtfully and operates effectively. Because the Regulations allow a business to leverage an existing audit, assessment, or evaluation prepared for other purposes (e.g., an audit that uses the National Institute of Standards and Technology Cybersecurity Framework 2.0), provided it meets the specified requirements, first understanding the existing resources and assessing how they map onto the requirements under the Regulations will help identify opportunities to streamline the growing list of must-haves. Inventorying the relevant documentation and evaluating potential auditors that fit the qualifications now will also help save time and headaches down the road. After all, the first auditable period begins on January 1, 2027, less than ten months from now.
[1] Specifically, a business must complete audits if it meets either of the following criteria: (a) it derives 50% or more of its annual revenues from selling or sharing consumers’ personal information; or (b) it had annual gross revenue exceeding $25 million in the preceding calendar year and, in that year, processed either the personal information of 250,000 or more consumers or households or the sensitive personal information of 50,000 or more consumers.
[2] (1) Authentication (including multi-factor authentication and strong password requirements); (2) encryption of personal information at rest and in transit; (3) account management and access controls; (4) inventory and management of personal information and the business’s information system; (5) secure configuration of hardware and software; (6) internal and external vulnerability scans, penetration testing, and vulnerability disclosure and reporting; (7) audit-log management; (8) network monitoring and defenses; (9) antivirus and antimalware protections; (10) segmentation of information systems; (11) limitation and control of ports, services, and protocols; (12) cybersecurity awareness regarding evolving threats and countermeasures; (13) cybersecurity education and training for personnel with system access; (14) secure development and coding practices; (15) oversight of service providers, contractors, and third parties; (16) retention schedules and proper disposal of personal information; (17) security-incident response management; and (18) business-continuity and disaster-recovery planning.