Updated CPPA Rules Raise the Bar for Current Cybersecurity Audits

July 30, 2025

In a detailed update by Josh Hansen of Shook, Hardy & Bacon, California’s Privacy Protection Agency (CPPA) has finalized regulations mandating annual cybersecurity audits for certain businesses subject to the California Consumer Privacy Act (CCPA). Adopted on July 24, 2025, the rules require audits that assess how companies protect personal data from unauthorized processing, covering policies, procedures, and technical safeguards.

Only a subset of CCPA-regulated companies must comply, including those that earn over half their revenue from selling or sharing personal data, or that meet certain thresholds for data volume and revenue. These companies must complete rigorous audits examining the appropriateness, implementation, and effectiveness of their cybersecurity programs, benchmarked against 18 CPPA-defined control areas.

Auditors may be internal or external, but must be independent, qualified, and not directly involved in the systems they evaluate. Cybersecurity audits must rely on verifiable evidence, and the resulting report must detail the company’s cybersecurity program, audit scope, control effectiveness, existing vulnerabilities, and any breach disclosures to consumers or regulators. Although companies are not required to submit reports to the CPPA, they must annually certify audit completion, beginning in 2028, with deadlines phased based on annual revenue.

For compliance professionals, the key message is preparation. Businesses should begin mapping their current cybersecurity practices to the CPPA’s 18-component framework. Early action is essential to meeting future certification deadlines and demonstrating a defensible approach to personal data protection under California law.
