California Adopts Regulations on Cybersecurity Audits

On July 24, 2025, the California Privacy Protection Agency (CPPA) approved new regulations requiring some companies to conduct audits of their cybersecurity programs—the policies, procedures, and practices for protecting personal information from unauthorized processing. But only certain companies subject to the California Consumer Privacy Act (CCPA) must complete an audit. The first audit certifications are due in 2028—although many companies have until 2029 or 2030 to certify their first audit. While the deadline is years away, businesses will want to start preparing now because there is a lot to operationalize.

Application

Among companies subject to the CCPA, only a subset are required to complete annual audits of their cybersecurity program. A company must complete an audit if, in the prior calendar year, it:

  • Derived more than 50% of its revenue from selling or sharing personal information; or
  • Exceeded the CCPA’s revenue threshold and either processed personal information on more than 250,000 people or sensitive personal information on more than 50,000 people.

Audit Scope

The audit must cover four topics concerning a business’s cybersecurity program: safeguards, appropriateness, implementation, and cybersecurity components.

  • Safeguards. The cybersecurity program’s protection of personal information from unauthorized processing or against unauthorized activity resulting in the loss of availability.
  • Appropriateness. The creation, implementation, and maintenance of a cybersecurity program that is appropriate to the business’s size, complexity, and scope/nature of processing activities.
  • Implementation. The business’s implementation and enforcement of its cybersecurity program.
  • Cybersecurity Components. The cybersecurity components applicable to systems that process, or provide access to, personal information. The regulation specifies 18 high-level components (such as logging, access controls, and authentication) that each have sub-considerations.

The auditor can also examine other aspects of the cybersecurity program that they feel are appropriate.

Auditor Qualifications

The auditor—who can be an employee of the business—must be qualified, objective, and independent.

  • Qualified. The auditor must know cybersecurity and how to audit a cybersecurity program.
  • Objective and Independent. The auditor cannot participate in business activities they may assess (e.g., developing procedures or maintaining the cybersecurity program).

If relying on an internal auditor, the highest-ranking auditor must report directly to a member of the business’s executive management team who does not have responsibility for the cybersecurity program.

Audit Process

The auditor must conduct the audit in line with professional standards and primarily base their findings on a review of the evidence (rather than the business’s assertions). The business must provide the auditor with information they request, so long as the information is within the business’s possession, custody, or control. Additionally, there is an argument that the CPPA also included an obligation for businesses to make certain proactive disclosures to the auditor: the business “must make good-faith efforts to” share “all facts relevant to the cybersecurity audit . . . .” But maybe that just colors the obligation to respond to requests from the auditor.

Audit Report

The auditor must write a report that describes and assesses the business’s cybersecurity program. Among other topics, the report must address:

  • Program Description. Describe the business’s cybersecurity components and systems that process (or provide access to) personal information as well as how the business implements/enforces its policies and procedures.
  • Audit Scope and Justification. Specify the audit criteria and reviewed materials before explaining how they justify the audit findings.
  • Control Effectiveness. Explain the effectiveness of the cybersecurity components and policies/procedures in preventing unauthorized processing.
  • Gaps/Weaknesses. Discuss “in detail” the gaps/weaknesses that increase the risk of unauthorized processing and document how the business plans to address those issues (including a timeframe for resolving them).
  • Breach Notices. Describe breach notices provided to California residents (or provide an example) and share details about breach reports to California regulators who oversee privacy laws.

The auditor must deliver the report to a member of the executive management team responsible for the cybersecurity program.

Annual Certification

A business must annually certify to the CPPA that the business completed the audit. But the business does not have to turn over the audit report to the CPPA.

  • When. The certification is due by April 1 and covers the audit for the prior calendar year.
  • Who. A member of the executive management team responsible for audit compliance and with sufficient knowledge of the audit must submit the certification.
  • What. Among other details, the executive team member must attest—under penalty of perjury—that the business completed an audit and did not attempt to influence the auditor.

Timing

The CPPA staggered the initial audit deadlines based on businesses’ annual revenue. Upon completion of the first audit, an annual audit will be required thereafter.

  • Initial Audit. The deadline for a business to certify its first audit depends on its revenue:
    • Exceeds $100 million. April 1, 2028
    • Between $50 million and $100 million. April 1, 2029
    • Under $50 million. April 1, 2030

The audit for each business must cover the preceding calendar year.

  • Subsequent Audits. If a business meets a trigger threshold on January 1, the business must certify an audit covering that calendar year by April 1 of the following year. For example, a business that met one of the trigger thresholds (e.g., deriving more than 50% of its revenue from selling or sharing personal information) in 2029 must complete an audit covering the 2030 calendar year and certify it by April 2031.

Next Steps

We wait for the CPPA to file the regulations with the Office of Administrative Law, which will give us a better sense of the effective date. But the effective date is not critical here because the regulations will take effect long before the audit deadline.

While we wait, businesses should consider benchmarking their cybersecurity programs for protecting personal information against the 18 components set out in § 7023(c). Those criteria provide the clearest indication of what the CPPA considers a reasonable program.